How to: internet through failover OVPN clients
-
Just wanted to share a working setup of multiple OVPN clients (which can connect and disconnect dynamically).
Maybe it's covered elsewhere, but the things I found deal mostly with 'static' OVPN setups which you have control over and where you can be sure the OVPN servers are working all the time. I, however, needed to ensure OVPN connectivity with randomly disconnecting third-party OVPN servers.
Usual OVPN client behavior: when even one of the OVPN clients disconnects for some reason (server down, for example), the pfSense OVPN client automatically reverts to its default gateway; it does not switch to another OVPN client gateway.

1. Create multiple OVPN client profiles. Test them separately; set up NAT and firewall rules for each one so your LAN can access the internet through each OVPN separately.
2. Create a gateway group of their gateways. If needed, set a different monitor IP for each of them (if the gateway itself does not reply to ping). Assign each gateway a different tier, and disable the WAN and LAN gateways ('Never').
3. Create a firewall rule for the LAN network: protocol 'any'; source: LAN network; destination: any; under Advanced, set Gateway to the gateway group you created before.

Supposedly, if all OVPNs are down, LAN clients won't have access to the internet through WAN (could be good for some tight security setups?).
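As an added illustration (not from the original post), this is roughly what steps 2 and 3 look like in pfSense's config.xml after they are saved through the GUI. The gateway names OVPNC1_VPNV4 and OVPNC2_VPNV4, the group name and the monitor IP are placeholders, and a real export contains more elements (tracker ids, timestamps) than shown here.

```xml
<!-- Step 2: gateway group with one OVPN client gateway per tier.
     Gateway names and the monitor IP are placeholders. -->
<gateways>
  <gateway_group>
    <name>OVPN_FAILOVER</name>
    <!-- item format: GATEWAYNAME|tier|monitor
         "address" means the gateway IP itself is pinged -->
    <item>OVPNC1_VPNV4|1|address</item>
    <!-- second client on a lower-priority tier (2), with its own
         monitor IP because this server's gateway does not answer ping.
         Members on the SAME tier would be load-balanced, not failed over. -->
    <item>OVPNC2_VPNV4|2|192.0.2.10</item>
    <!-- WAN and LAN gateways are simply not members ("Never") -->
    <trigger>down</trigger>
    <descr>Failover between third-party OVPN clients</descr>
  </gateway_group>
</gateways>

<!-- Step 3: LAN pass rule policy-routed to the group.
     No <protocol> element means "any". -->
<filter>
  <rule>
    <type>pass</type>
    <ipprotocol>inet</ipprotocol>
    <interface>lan</interface>
    <source>
      <network>lan</network>
    </source>
    <destination>
      <any></any>
    </destination>
    <gateway>OVPN_FAILOVER</gateway>
    <descr>LAN to internet via OVPN failover group</descr>
  </rule>
</filter>
```

To get the fail-closed behaviour when every member is down, verify it rather than assume it: by default pfSense loads a policy-routing rule without its gateway when the whole group is down, so traffic falls back to the default (WAN) route unless "Skip rules when gateway is down" is enabled under System > Advanced > Miscellaneous.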
Things I didn't test: what if all OVPN gateways have the same tier in the gateway group? Would that mess up traffic or not…