"Backup" VPN Client server settings possible in pfsense?



  • My pfSense setup uses one "clear", so to speak, network and one network where the pfSense is set up as an OpenVPN client, so that every device connected to that network is routed through my VPN provider.

    The current VPN provider I use has multiple servers in one country and has a clustered "resolver", meaning that, although you can connect to a server directly, you can also connect to the country resolver (for instance de.myvpnprovider.net), and it will redirect you to one of the German, in my example, servers that are online.

    Normally, connecting directly to a specific server (for instance de02.myvpnprovider.net) is not an issue at all. The problem arises if that server disconnects.
    For my setup, using the resolver, it's not a problem, because pfSense reconnects to the resolver, and it will route me to a different server, sensing that de02 is down.
    Since I am using pfSense, and not provider-specific VPN software, the resolver setup will only work (I think) if all servers in that cluster have the same CA and certificate, which my current provider has.

    However, the provider I am looking at changing to has a different CA and certificate for each server, and does not use a clustered resolver in the same way. All servers are standalone.

    Therefore, when using pfSense, I will have to connect to a specific server. So if, in turn, that server goes down, my pfSense will hammer away at the same server until it is back online, leaving my network without a connection.

    So my question is this, is there a feature or possibility of having a "backup" server in the pfSense configuration with a different set of CA and Certificates but following the same local firewall rules, so that if no connection to the primary can be established, it uses the backup?

    I don't know if this feature is already present and has a more appropriate name attached to it, but I'm a network and pfSense novice at best, and this was my best attempt at describing my problem :)

    Thanks for your help!


  • LAYER 8 Netgate

    I don't know of a way to have one pfSense instance use a different set of credentials for different remotes.

    You might look at creating two different instances and putting them in a failover gateway group like a regular multi-WAN and policy routing to the group instead.

    If that sort of redundancy is what you are after, you might consider a different VPN provider. One with different IP addresses/FQDNs for the server locations but the same set of certificates / credentials on each. Then you can just add another "remote" to the advanced config. Like this: https://doc.pfsense.org/index.php/Multi-WAN_OpenVPN#Configure_Clients



  • Yeah ^^^

    And to add, OpenVPN supports <connection>…</connection> blocks.


  • LAYER 8 Netgate

    I don't know that that is possible with the current GUI. I would be surprised if the advanced option field would allow < >.



  • Good point, didn't think about that.



  • Thank you for your replies.

    Trouble is that most of the better VPN providers set up their servers with different CAs and certificates. They have a sort of resolver function, but that is usually included in their proprietary software, and not available for "generic" setups like pfSense, or even for connecting from Linux.

    Derelict,
    This failover gateway group that you mentioned. Is there some more information on this, other than
    https://doc.pfsense.org/index.php/Multi-WAN#Failover
    that is more related to my issue? I could not find anything.


  • LAYER 8 Netgate

    I doubt it. Your situation seems new to me.

    All of the walkthroughs that cover routing traffic out via public VPN providers should apply. You will just be doing everything twice, making a gateway group of the two VPN endpoints, and routing to that gateway group instead of the single gateway.
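The decision Derelict lays out across the two replies above (same CA on every server: one OpenVPN client with extra `remote` lines; different CA per server: one client instance per server, combined in a failover gateway group) comes down to one check on the provider's .ovpn files. The following is an added example, not code from this thread, from pfSense or from Netgate. It parses a handful of profiles, fingerprints the inline CA in each, and reports which of the two setups applies. The hostnames, ports and CA payloads are constructed for the example (the "certificates" are base64 of short strings, not real X.509 data), and it assumes that extra `remote` lines pasted into the pfSense client's Custom options box are passed through to OpenVPN unchanged.

```python
"""Check whether several OpenVPN provider profiles share one CA.

If they do, a single pfSense OpenVPN client can list every server as an
extra `remote` line and OpenVPN fails over between them on its own.
If they do not, each profile needs its own client instance, and the
instances go into a failover gateway group.  Hostnames, ports and the
inline <ca> payloads below are constructed for this example; the "CA"
blobs are base64 of short strings, not real certificates.
"""
import base64
import hashlib
import re
from dataclasses import dataclass

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
INLINE_CA = re.compile(r"<ca>(.*?)</ca>", re.S)


@dataclass(frozen=True)
class Profile:
    name: str
    remotes: tuple          # ((host, port, proto), ...)
    ca_fingerprint: str     # sha256 over the CA's DER bytes


def ca_fingerprint(pem: str) -> str:
    """SHA-256 of the DER bytes of the first CERTIFICATE block in `pem`."""
    m = PEM_BLOCK.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def parse_profile(name: str, text: str) -> Profile:
    """Extract the `remote` lines and the inline <ca> block of an .ovpn file."""
    proto, remotes = "udp", []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments and blanks
        if not parts:
            continue
        if parts[0] == "proto":
            proto = parts[1]
        elif parts[0] == "remote":
            host = parts[1]
            port = int(parts[2]) if len(parts) > 2 else 1194
            remotes.append((host, port, parts[3] if len(parts) > 3 else None))
    m = INLINE_CA.search(text)
    if m is None:
        raise ValueError(f"{name}: no inline <ca> block")
    # A `remote` line without its own proto inherits the global `proto`.
    fixed = tuple((h, p, pr or proto) for h, p, pr in remotes)
    return Profile(name, fixed, ca_fingerprint(m.group(1)))


def plan_for(profiles: dict) -> tuple:
    """Return ("single", remote_lines) when every profile trusts the same CA,
    else ("gateway-group", [instance names]): one pfSense OpenVPN client per
    profile, combined in a failover gateway group."""
    parsed = [parse_profile(n, t) for n, t in profiles.items()]
    if len({p.ca_fingerprint for p in parsed}) == 1:
        # Collect every server once. In pfSense the first one belongs in the
        # client's Server host/Port fields; the rest are pasted as extra
        # `remote` lines into Custom options (assumption: passed through as-is).
        seen = dict.fromkeys(r for p in parsed for r in p.remotes)
        return "single", [f"remote {h} {port} {proto}" for h, port, proto in seen]
    return "gateway-group", [p.name for p in parsed]


def make_profile(host: str, ca_b64: str, port: int = 1194, proto: str = "udp") -> str:
    """Build a minimal constructed .ovpn text with an inline <ca> block."""
    return (f"client\ndev tun\nproto {proto}\nremote {host} {port}\n"
            f"<ca>\n-----BEGIN CERTIFICATE-----\n{ca_b64}\n"
            f"-----END CERTIFICATE-----\n</ca>\n")


# Constructed sample data: provider A issues one CA for all servers,
# provider B issues a different CA per server.
CA_A = base64.b64encode(b"provider A shared CA").decode()
CA_B1 = base64.b64encode(b"provider B de01 CA").decode()
CA_B2 = base64.b64encode(b"provider B nl01 CA").decode()

SHARED_CA_PROFILES = {
    "de01": make_profile("de01.example.net", CA_A),
    "de02": make_profile("de02.example.net", CA_A),
}
SEPARATE_CA_PROFILES = {
    "de01": make_profile("de01.example.net", CA_B1),
    "nl01": make_profile("nl01.example.net", CA_B2, port=443, proto="tcp"),
}

if __name__ == "__main__":
    for label, profiles in (("provider A", SHARED_CA_PROFILES),
                            ("provider B", SEPARATE_CA_PROFILES)):
        mode, detail = plan_for(profiles)
        print(label, "->", mode)
        for item in detail:
            print("   ", item)
```

Run against real provider profiles by loading each .ovpn file's text into the dict instead of the constructed ones. Fingerprinting the DER bytes rather than comparing the PEM text means two downloads of the same CA with different line wrapping still compare equal, while any difference in the certificate itself puts the provider in the "gateway-group" case.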

