OpenVPN: two clients in a gateway group
-
Thanks. I will set up another VPN client to a different VPN provider server. I am planning to use one LAN port for both VPN clients. That is OK, right?
-
I am planning to use one LAN port for both vpn clients.
I'm not sure what you mean by this? VPN Gateways will work over your WAN port as they are gateways to the internet. You don't need 1:1 physical port to VPN Client if that's what you mean?
-
Thanks for clearing it up. I was mistaken in talking about LAN. It should have been WAN instead.
I guess you could have a number of VPN clients connected to different VPN servers, and then gateway-grouped to maximize performance.
Thanks
-
Yeah, you can have one physical WAN port connected from pfSense to modem, and have 1, 2, 5, etc. VPN clients configured into a gateway group acting over that one WAN port.
The usual reason to use multiple VPN clients in a gateway group is to utilize multiple cores. So it's probably not worthwhile to have more clients than you have CPU cores.
-
Assign your clients interfaces and enable them. I am not sure I did this.
Two VPN clients are enabled/connected to two different VPN servers. How do I configure the next step? No new interfaces show up.
Go to System / Routing / Gateway Groups.
Add a new Gateway Group and select all of the clients you want to use as gateways as Tier 1, make sure any gateways you do not want to use are set to Never.
-
Interfaces / Interface Assignments: Next to "Available network ports:" select your VPN client from the dropdown, click "+ ADD". Repeat for all clients.
Click your new VPN interfaces, click "Enable Interface", Save & Apply. Repeat for all clients.
Then try to set up a gateway group again; you should see your new interfaces.
-
I just did this very thing (except I used 4 VPNs and the WAN in a group, with the VPNs as tier 1 and the WAN as tier 5).
I think that should allow me to RR all my traffic between four different VPN vendors, plus fall back to WAN in the case of them all being offline.
-
I'm glad it worked out for you!
Keep in mind that if you are using VPNs for anonymity then in this setup you will broadcast your real IP if your VPNs go down, which is not desirable. If you don't care about anonymity then that's fine.
FWIW the only time all of my VPN clients (or even two of them) have gone down was when my WAN port got a lot of packet loss for a few hours.
-
Is it any or all of the VPNs going down? That part was not entirely clear.
But yeah, this is sort of a hedge against ISP targeted marketing and sticking crap into packets/web pages. I actually only shuffle traffic from certain systems out the VPNs, so things like Xbox and PS work with as little drama as possible (DNS, HTTP, HTTPS, and a few other non-basic protocols).
-
Tiers in gateway groups require all gateways in a tier to go down before it will use a gateway in the next tier.
Ex:
GW1: Tier 1
GW2: Tier 1
GW3: Tier 2
GW4: Tier 3
If none are down, Tier 1 is used
If one is down, Tier 1 is used
If two is down, Tier 1 is used
If one and two are down, Tier 2 is used
If one and three are down, Tier 1 is used
If one, two and three are down, Tier 3 is used
-
OK, that is how I read it and it is correct. I have 4 VPNs at Tier 1 and the naked WAN at Tier 5. This passes the wife test as failing safe. Thanks!
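As an added illustration of the tier rule explained above and the four-VPN-plus-WAN layout just described (a Python model written for this page, not pfSense code): gateway names, loss percentages and the 20% trigger level are constructed, and `leaks_real_ip` flags the case where the group has fallen through to the plain WAN gateway.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Gateway:
    name: str
    tier: Optional[int]      # None models a gateway set to "Never" in the group
    packet_loss: float       # percent loss from gateway monitoring (constructed values)
    is_vpn: bool = True      # False for the plain WAN gateway

def is_down(gw: Gateway, loss_threshold: float = 20.0) -> bool:
    """Treat a gateway as down once monitored packet loss reaches the threshold.
    The 20% figure is an assumed trigger level for this example, not from the thread."""
    return gw.packet_loss >= loss_threshold

def active_tier(gateways: List[Gateway], loss_threshold: float = 20.0) -> Tuple[Optional[int], List[str]]:
    """Return (tier, names of live gateways) for the lowest-numbered tier that still
    has at least one gateway up. A higher tier is reached only when every gateway in
    every lower tier is down; gateways set to Never are ignored entirely."""
    tiers = {}
    for gw in gateways:
        if gw.tier is not None:
            tiers.setdefault(gw.tier, []).append(gw)
    for tier in sorted(tiers):
        live = [gw.name for gw in tiers[tier] if not is_down(gw, loss_threshold)]
        if live:
            return tier, live
    return None, []   # every tier is down: nothing to route through

def leaks_real_ip(gateways: List[Gateway], loss_threshold: float = 20.0) -> bool:
    """True when the tier currently in use contains a non-VPN gateway, i.e. traffic
    would leave directly over the WAN instead of through a tunnel."""
    _, live = active_tier(gateways, loss_threshold)
    vpn_names = {gw.name for gw in gateways if gw.is_vpn}
    return any(name not in vpn_names for name in live)

def example_group(losses):
    """The GW1..GW4 layout from the post above, with per-gateway loss percentages."""
    return [Gateway("GW1", 1, losses[0]), Gateway("GW2", 1, losses[1]),
            Gateway("GW3", 2, losses[2]), Gateway("GW4", 3, losses[3])]

if __name__ == "__main__":
    print(active_tier(example_group([100, 100, 0, 0])))      # (2, ['GW3'])
    # Four VPN clients at tier 1, naked WAN at tier 5, all tunnels down
    wan_fallback = [Gateway(f"VPN{i}", 1, 100) for i in range(1, 5)]
    wan_fallback.append(Gateway("WAN_DHCP", 5, 0, is_vpn=False))
    print(leaks_real_ip(wan_fallback))                         # True
```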
-
I have been using this link as a guide : https://nguvu.org/pfsense/pfsense-multi-vpn-wan/
I was sending everything through WAN_DHCP(default) and then added VPN1_WAN and VPN2_WAN as new gateways. VPN1_WAN and VPN2_WAN are in gateway group called VPN_Group_packet_loss. In here, I also set WAN_DHCP to never.
How do I set the firewall settings properly?
-
Set the monitor IPs on your VPN gateways to something public like 8.8.8.8 and 8.8.4.4
I didn't read that guide but I don't know what the port forwards are for? I don't use any port forwarding for VPN?
Use Hybrid Outbound NAT rules, that way you keep all of the auto rules and your manual rules.
-
Much better. I am online now. Thank you. I removed the port forwarding and added the suggested monitor IPs of 8.8.8.8 and 8.8.4.4.
I did the hybrid NAT. See below.
In firewall/nat/outbound, do I still need those four OpenVpn interfaces?