Multiwan with force push openvpn traffic over the group



  • I've been trying to get a multiwan up and running, then push all OVPN traffic via the grouped GW. Strangely enough, the traffic gets pushed normally via a single WAN with no problem, but with a grouped multiwan I couldn't make it happen. Is this possible after all?


  • Rebel Alliance Developer Netgate

    You can use multi-WAN with OpenVPN client traffic, you just need to:

    a. Make sure the clients can connect to both WANs – if they connect to WAN1 and you take down WAN1, they will not be able to get out
    b. Make sure to use the gateway group on rules on the OpenVPN tab for Internet-bound traffic. Keep in mind you'll need a separate pass rule above those without a gateway set if they need to reach LAN or other local networks.



  • Thanks a lot,
    so just to get this right,
    I will write down the steps.
    1. Make sure the VPN is created as an interface.
    2. DON'T include the VPN interface within the multiwan group (keep it separate).
    3. Create a firewall rule for the (OVPN interface), not the OVPN tab that is created by default, and make sure the rules are like this:
    Src: OVPN Iface
    Dest: LAN Iface
    GW: default
    then create a rule for:
    Src: OVPN Iface
    Dest: Any
    GW: OVPN Iface.
    is this correct?


  • Rebel Alliance Developer Netgate

    Unless I've misunderstood your original request, no, you don't need anything like that.

    This is assuming you're talking about having remote access OpenVPN clients connect to both your WANs and use Multi-WAN for their Internet-bound traffic coming across the VPN:

    a: Make sure clients can connect to both WANs:
    1. Set the Interface for the VPN to Localhost
    2. Add port forwards to both WANs to forward your OpenVPN port for this server to localhost (127.0.0.1) on the same port

    b: Use gateway groups on OpenVPN rules:
    1. Firewall > Rules, OpenVPN tab
    2. Add a rule at the top of the list to match from a source of this server's tunnel network, destination is your local LAN, without a gateway set
    3. Add a rule just under the previous rule to match from a source of this server's tunnel network, destination is "any", using your existing gateway group.
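    Client-side counterpart to step a (added example, not from the original thread or from Netgate): an OpenVPN client profile listing both WAN addresses as remotes, so the client falls back to the second WAN when the first is unreachable. The addresses, port and certificate file names are placeholders.

    ```conf
    client
    dev tun
    proto udp

    # Both public WAN addresses of the pfSense box (placeholder documentation addresses).
    # Each WAN must have the port forward to 127.0.0.1:1194 described in step a.2.
    remote 198.51.100.10 1194
    remote 203.0.113.10 1194

    # Remotes are tried in listed order; if WAN1 is down the client moves on to WAN2.
    # Add "remote-random" instead if you want clients spread across both WANs.
    resolv-retry infinite
    connect-retry 5

    nobind
    persist-key
    persist-tun

    # Verify the server certificate so a forwarded port cannot be answered by an impostor.
    remote-cert-tls server
    ca ca.crt
    cert client.crt
    key client.key
    ```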