    OpenVPN Failover Site-to-Site MultiWAN (CARP, VIP, Gatewaygroup)

Avides

      Hello,

I did a lot of research, but haven't found a clear answer.

      Setup:
Two pfSense boxes as a CARP cluster
WAN failover on both, with a CARP WAN IP
Default firewall rule with the failover gateway group added as gateway

We have one headquarters and three outposts (which only have 1 WAN connection each), which should connect to our headquarters.

      I created the OpenVPN Server with following settings:

      Interface: Listen to localhost
      Server Mode: Peer to Peer (SSL/TLS)
      Client Specific overrides for each client / cert
      tun

      OpenVPN Clients:
      WAN 1 VIP as Server
      WAN 2 VIP with remote statement in advanced config (remote x.x.x.x 1194 udp)

Test connection with one outpost [as OpenVPN client] works fine. But what happens to routing if one WAN connection fails?
      WAN 1 fails, outposts connect to WAN 2, WAN 1 comes back online. Outposts are still connected to WAN 2.

Does the routing work properly, or does pfSense use WAN 1 again for routing traffic to the outpost offices? (I can't test at the moment, because we haven't got a real test environment for things like that.)

Or should I bind the OpenVPN server to the gateway group as interface?

      Thank you for your help.

Avides

        Can nobody help me?

Soyokaze

          @Avides:

          Outposts are still connected to WAN 2.

Yes, because there is no reason for them to drop a perfectly working connection.

@Avides:

          Does the routing work properly or does pfsense use WAN 1 again for routing traffic to outpost offices?

If you don't mess with outbound rules, everything would work through WAN2.
OR you CAN mess with them, so that responses from the OpenVPN server (outbound) will always go through the gateway group and, consequently, will try to go through WAN1 if it is available.
In case of failback from WAN2 to WAN1, the OpenVPN clients would not receive responses and would initiate a reconnect.

          @Avides:

          Or should i bind OpenVPN Server to Gatewaygroup as Interface?

          There is no reason to do so.

          Need full pfSense in a cloud? PM for details!

Avides

            Thank you for your reply!

            @pan_2:

If you don't mess with outbound rules, everything would work through WAN2.
OR you CAN mess with them, so that responses from the OpenVPN server (outbound) will always go through the gateway group and, consequently, will try to go through WAN1 if it is available.
In case of failback from WAN2 to WAN1, the OpenVPN clients would not receive responses and would initiate a reconnect.

That's what I am afraid of. The default firewall rule uses the gateway group.

What's the best way to solve that problem? Define a firewall rule with the remote subnets and no gateway set?
What happens if one WAN fails?
Do I need to enable default gateway switching for that case?

mantunespb

I have the same problem. I have the links WAN_1 and WAN_2. My VPN connection goes over WAN_1; when it goes down, it passes to WAN_2, but when it is up again, the connections are still on WAN_2.

I think pfSense should restart OpenVPN in these cases; we need the backup link only when the primary link is down.

              Is it not a failure?

Soyokaze

                @Avides:

That's what I am afraid of. The default firewall rule uses the gateway group.

That rule applies to outbound connections from clients on your LAN, not to the OpenVPN server, which resides on the firewall host itself.

                @Avides:

What's the best way to solve that problem? Define a firewall rule with the remote subnets and no gateway set?

                I do not understand what you mean here.

                @Avides:

Do I need to enable default gateway switching for that case?

                It doesn't failback, AFAIR.

You can try searching the forum for script solutions for your case; it is not unique.
Also, you can just make a cron job to automatically reboot the outpost firewalls every day.

                Need full pfSense in a cloud? PM for details!

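As an added example (not code from this thread, and not part of pfSense), here is the shape a targeted cron-driven fail-back script could take on an outpost, as an alternative to a blanket daily reboot. It assumes the outpost's OpenVPN client config lists the hub's WAN1 VIP as the first `remote` and the WAN2 VIP as the second (OpenVPN walks its remote list in order unless `remote-random` is set), so a client restart lands on WAN1 whenever WAN1 answers. The two hub addresses, the log path, the client instance number and the `pfSsh.php playback svc` restart command are assumptions to check against your own install. The script parses the most recent `Peer Connection Initiated` line from the OpenVPN log to learn which hub address the tunnel is currently using, and restarts the client only when that address is the secondary while the primary is reachable.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: restart the outpost
# OpenVPN client only when it is parked on the hub's WAN2 while WAN1 answers.
# All addresses, paths and the restart command below are assumptions.

PRIMARY="203.0.113.10"      # hub WAN1 CARP VIP (constructed placeholder)
SECONDARY="198.51.100.10"   # hub WAN2 CARP VIP (constructed placeholder)
OVPN_LOG="/var/log/openvpn.log"   # pfSense OpenVPN log path (assumption)
CLIENT_ID=1                 # pfSense OpenVPN client instance number (assumption)

# Print the hub address from the newest OpenVPN line of the form
#   "Peer Connection Initiated with [AF_INET]a.b.c.d:1194"
# found in the log text passed as $1; prints nothing if no such line exists.
peer_from_log() {
    printf '%s\n' "$1" \
      | grep 'Peer Connection Initiated with' \
      | tail -n 1 \
      | sed -n 's/.*\[AF_INET\]\([0-9.]*\):[0-9]*.*/\1/p'
}

# Pure decision step, kept free of side effects so it can be tested.
# Args: <current peer address> <primary reachable: yes|no>
# Prints "restart" only when the tunnel is on the secondary and the primary
# answers; an unknown peer or an unreachable primary always yields "keep".
failback_decision() {
    peer="$1"; primary_up="$2"
    if [ "$peer" = "$SECONDARY" ] && [ "$primary_up" = "yes" ]; then
        echo restart
    else
        echo keep
    fi
}

# ICMP check of the hub's WAN1 VIP from this outpost (requires ICMP to be allowed).
primary_reachable() {
    if ping -c 2 "$PRIMARY" >/dev/null 2>&1; then echo yes; else echo no; fi
}

main() {
    # Stay conservative: no readable log means no restart.
    [ -r "$OVPN_LOG" ] || exit 0
    peer=$(peer_from_log "$(cat "$OVPN_LOG")")
    case "$(failback_decision "$peer" "$(primary_reachable)")" in
        restart)
            logger -t ovpn-failback "primary $PRIMARY reachable, tunnel on $peer, restarting client $CLIENT_ID"
            # pfSense service control via the "svc" playback script (assumption; verify on your version).
            /usr/local/sbin/pfSsh.php playback svc restart openvpn client "$CLIENT_ID"
            ;;
    esac
}

# The live check runs only when invoked as "ovpn-failback.sh run", e.g. from cron:
#   */5 * * * * /root/ovpn-failback.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Because the decision is split out from the side effects, the script never touches the tunnel when it cannot tell which hub address is in use, and a flapping WAN1 at most costs one reconnect per cron interval rather than a full firewall reboot.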
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.