OpenVPN Failover Site-to-Site MultiWAN (CARP, VIP, Gatewaygroup)



  • Hello,

    I did a lot of research but haven't found a clear answer.

    Setup:
    Two pfSense boxes as a CARP cluster
    WAN failover on both with a CARP WAN IP
    Default firewall rule with the failover gateway group added as gateway

    We have one headquarters and three outposts (which only have one WAN connection each), which should connect to our headquarters.

    I created the OpenVPN Server with following settings:

    Interface: Listen to localhost
    Server Mode: Peer to Peer (SSL/TLS)
    Client Specific overrides for each client / cert
    tun

    OpenVPN Clients:
    WAN 1 VIP as Server
    WAN 2 VIP with remote statement in advanced config (remote x.x.x.x 1194 udp)

    A test connection with one outpost [as OpenVPN client] works fine. But what happens to routing if one WAN connection fails?
    WAN 1 fails, the outposts connect to WAN 2, WAN 1 comes back online. The outposts are still connected to WAN 2.

    Does the routing work properly, or does pfSense use WAN 1 again for routing traffic to the outpost offices? (I can't test at the moment because we don't have a real test environment for things like that.)

    Or should I bind the OpenVPN server to the gateway group as interface?

    Thank you for your help.



  • Can nobody help me?



  • @Avides:

    Outposts are still connected to WAN 2.

    Yes, because there is no reason for them to drop a perfectly working connection.

    @Avides:

    Does the routing work properly or does pfsense use WAN 1 again for routing traffic to outpost offices?

    If you don't mess with outbound rules, everything will work through WAN2.
    OR you CAN mess with them, so that responses from the OpenVPN server (outbound) always go through the gateway group and, consequently, will try to go through WAN1 if it is available.
    In case of failback from WAN2 to WAN1, the OpenVPN clients would not receive responses and would initiate a reconnect.

    @Avides:

    Or should i bind OpenVPN Server to Gatewaygroup as Interface?

    There is no reason to do so.



  • Thank you for your reply!

    @pan_2:

    If you don't mess with outbound rules, everything will work through WAN2.
    OR you CAN mess with them, so that responses from the OpenVPN server (outbound) always go through the gateway group and, consequently, will try to go through WAN1 if it is available.
    In case of failback from WAN2 to WAN1, the OpenVPN clients would not receive responses and would initiate a reconnect.

    That's what I am afraid of. The default firewall rule uses the gateway group.

    What's the best way to solve that problem? Define a firewall rule with the remote subnets and no gateway set?
    What happens if one WAN fails?
    Do I need to enable default gateway switching for that case?



  • I have the same problem. I have the links WAN_1 and WAN_2. My VPN connection goes over WAN_1; when it goes down, it passes to WAN_2, but when the link comes back up, the connections are still on WAN_2.

    I think pfSense should restart OpenVPN in these cases; we need the backup link only when the primary link is down.

    Isn't that a failure?



  • @Avides:

    That's what I am afraid of. The default firewall rule uses the gateway group.

    That rule applies to outbound connections from clients on your LAN, not to the OpenVPN server, which resides on the firewall host itself.

    @Avides:

    What's the best way to solve that problem? Define a firewall rule with the remote subnets and no gateway set?

    I do not understand what you mean here.

    @Avides:

    Do I need to enable default gateway switching for that case?

    It doesn't failback, AFAIR.

    You can try to search the forum for some script solutions for your case; it is not unique.
    Also, you can just make a cron job to automatically reboot the outpost firewalls every day.
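One shape the "script solution" mentioned above could take, as an added example that is not from this thread or from pfSense itself: an outpost-side cron script that reads the remote of the latest handshake from the OpenVPN client log and, if the tunnel sits on the WAN2 VIP while the WAN1 VIP answers pings again, restarts the client so that it walks its remote list from the top (OpenVPN tries the remotes in list order on a fresh start unless remote-random is set). The VIP address, log path, ping-based reachability check and the pfSense restart command are assumptions to adapt to your setup.

```shell
#!/bin/sh
# Outpost-side failback helper for a pfSense OpenVPN client whose config lists
# the HQ WAN1 VIP first and the WAN2 VIP second. OpenVPN does not move an
# established tunnel back to the first remote by itself; a fresh client start
# tries the remotes in list order (unless remote-random is set). Addresses,
# log path and restart command below are assumptions for this example.

PRIMARY="203.0.113.10"          # HQ WAN1 CARP VIP (placeholder)
LOGFILE="/var/log/openvpn.log"  # assumed client log location
# Assumed pfSense command for a hard restart of OpenVPN client instance 1.
RESTART_CMD='/usr/local/sbin/pfSsh.php playback svc restart openvpn client 1'

# Print the remote IP from the latest successful handshake in the log text
# given as $1 (lines such as "... Peer Connection Initiated with [AF_INET]203.0.113.10:1194").
current_remote() {
    printf '%s\n' "$1" \
        | grep 'Peer Connection Initiated with' \
        | tail -n 1 \
        | sed -n 's/.*\[AF_INET\]\([0-9.]*\):[0-9]*.*/\1/p'
}

# Decide "restart" or "keep": $1 current remote, $2 primary VIP,
# $3 = 1 if the primary answered the probe, 0 otherwise.
failback_action() {
    if [ -n "$1" ] && [ "$1" != "$2" ] && [ "${3:-0}" -eq 1 ]; then
        echo restart
    else
        echo keep
    fi
}

# ICMP probe of the primary VIP; assumes HQ permits echo requests from outposts.
primary_reachable() {
    if ping -c 2 "$1" >/dev/null 2>&1; then echo 1; else echo 0; fi
}

main() {
    log=$(tail -n 200 "$LOGFILE" 2>/dev/null)
    cur=$(current_remote "$log")
    if [ "$(failback_action "$cur" "$PRIMARY" "$(primary_reachable "$PRIMARY")")" = restart ]; then
        logger -t ovpn-failback "tunnel on $cur while primary $PRIMARY answers; restarting client"
        eval "$RESTART_CMD"
    fi
}

# Cron entry, e.g.: */5 * * * * /usr/local/bin/ovpn-failback.sh run
if [ "$1" = "run" ]; then main; fi
```

Because the probe only targets the WAN1 VIP, a flapping WAN1 would cause repeated restarts; add a hold-down (e.g. require several consecutive successful probes) before using it unattended.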