  • Hello guys,

    I am trying to set up a network that can handle OpenVPN with failover and Dynamic DNS without clients losing connectivity when failover triggers to lower priority tiers and when it returns to the highest priority tier when available, but I don't know if such a thing is possible or if there is an easy way.

    One way I was thinking of doing this (which I think would not avoid the loss of connectivity while failover is triggering):

    Set the clients to connect to OpenVPN through a DynDNS hostname associated with pfSense, where the uplink IP is updated in DynDNS from a server inside the pfSense network, since I cannot see a way to do this job in pfSense itself.

    Then when a higher priority tier loses connection, all VPN clients would try to reconnect to the next one, they would be able to do that, and when that higher tier goes online again, they would have to reconnect again. But with OpenVPN set to use failover groups, will it be necessary to reconnect, or in other words will there just be lag from the user side, avoiding the need to reconnect again?


  • I am trying now to set up the same configuration, and the problem is that the OpenVPN server, if I set it to listen on the gateway group failover interface, does not restart on the tier 2 interface when the tier 1 interface is down and does not restart when the tier 1 interface comes back up.

  • Works like this for me:

    • Single OpenVPN road-warrior server instance bound to Localhost.

    • Port forward on both WAN-1 and WAN-2 to the same OpenVPN localhost instance.

    • Add appropriate FW rules to allow the forwarded VPN traffic.

    • Separate DDNS entries for each WAN.

    • Then, in the client config file, simply add two entries for the VPN host connections, i.e.

        remote 1194 tcp-client
        remote 1194 tcp-client

    Note: I used TCP for my OpenVPN because UDP didn't work well in my scenario, but UDP should also work.

    This way, when your two WAN gateways switch from the high to the low tier, the VPN clients should reconnect to the second DDNS. The only downside is that they will remain connected to the low tier GW when the high tier comes back online; however, when they disconnect and reconnect later they will get the high tier, as it's the first in the client list.
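The "parked on the low tier" downside above can be monitored from the client side. The script below is an added example, not code from the thread or from pfSense/OpenVPN: it parses the ordered `remote` lines of a client config (placeholder DDNS names, constructed here), parses a constructed reply to the OpenVPN management interface `state` command, and reports when a higher-priority remote answers again while the client is still connected to a lower one. DNS resolution and the TCP probe are injectable so the decision logic runs offline.

```python
import socket
from typing import Optional
# Constructed client config in the style of the post: one DDNS name per WAN, highest
# priority first. The hostnames are placeholders, not real DDNS entries.
CLIENT_CONFIG = """\
client
remote wan1.example.dyndns.invalid 1194 tcp-client
remote wan2.example.dyndns.invalid 1194 tcp-client
"""
# Constructed reply to the management interface "state" command. Field layout:
# unix_time,state,description,tun_ip,remote_ip,remote_port,...  terminated by END.
STATE_REPLY = """\
1700000000,CONNECTED,SUCCESS,10.8.0.6,203.0.113.20,1194,,,
END
"""

def parse_remotes(config: str) -> list[tuple[str, int]]:
    """(host, port) for every 'remote HOST PORT [proto]' line, in the order OpenVPN tries them."""
    lines = (line.split() for line in config.splitlines())
    return [(p[1], int(p[2])) for p in lines if len(p) >= 3 and p[0] == "remote"]

def parse_state(reply: str) -> Optional[tuple[str, int]]:
    """(remote_ip, remote_port) from the CONNECTED line, or None if not connected."""
    for f in (line.split(",") for line in reply.splitlines()):
        if len(f) >= 6 and f[1] == "CONNECTED":
            return f[4], int(f[5])
    return None

def tcp_reachable(ip: str, port: int) -> bool:
    # The post's server is reached with tcp-client, so a completed handshake is a fair probe.
    try:
        with socket.create_connection((ip, port), timeout=3):
            return True
    except OSError:
        return False

def failback_needed(remotes, state, resolve=socket.gethostbyname, reachable=tcp_reachable) -> Optional[str]:
    """Hostname of a higher-priority remote that answers again while the client is parked lower; else None."""
    if state is None:
        return None
    for host, port in remotes:  # walk tiers from highest priority down
        try:
            ip = resolve(host)
        except OSError:
            continue  # the DDNS name of a dead WAN may not resolve at all
        if (ip, port) == state:
            return None  # already on the highest tier that answers
        if reachable(ip, port):
            return host  # a higher tier is back: a client restart will pick it first
    return None
```

The script only reports; restarting the client so it walks the `remote` list from the top again (as the post describes) is left to the operator or a scheduler.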

