Netgate Discussion Forum

    Gateway Group for OpenVPN Must be Failover?

    • beremonavabi

      For about a month or so, I've been running multiple OpenVPN clients through a Gateway Group configured for load balancing.  At least I thought I was.  Yesterday, I was reading through the pfSense book that comes with the SG-4860 and saw this:

      OpenVPN assigned to a Gateway Group

      A Gateway Group (Gateway Groups) may be selected as the Interface for an OpenVPN instance. Such a gateway group must be configured for failover only, not load balancing.

      Can anyone tell me why the Gateway Group has to be of the failover type for OpenVPN?

      I've attached some screenshots of my OpenVPN clients, my Gateways, and the Gateway Group (I've switched it to failover at this point).
      ![20170516 -- pfSense OpenVPN Clients.PNG](/public/imported_attachments/1/20170516 – pfSense OpenVPN Clients.PNG)
      ![20170516 -- pfSense Gateways.PNG](/public/imported_attachments/1/20170516 -- pfSense Gateways.PNG)
      ![20170516 -- pfSense Gateway Group.PNG](/public/imported_attachments/1/20170516 -- pfSense Gateway Group.PNG)
      ![20170516 -- pfSense VPN_LAN Firewall Rules.PNG](/public/imported_attachments/1/20170516 -- pfSense VPN_LAN Firewall Rules.PNG)

      SG-4860, pfSense 2.4.5-RELEASE-p1 (amd64)

      • jimp Rebel Alliance Developer Netgate

        You are misunderstanding what it's saying there.

        It's talking about the interface setting on each OpenVPN instance being set to a gateway group in the settings for that instance specifically. That can only work in failover mode since otherwise it would randomly select an interface from the group the next time the server was saved or had its config refreshed.

        What you appear to have done is assign multiple independent clients so you get a gateway for each OpenVPN, and then put those into a gateway group. That works fine, and isn't at all what it's talking about in the quoted text.

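Added example (not part of the thread and not Netgate code): a check over a pfSense `config.xml` backup for the case jimp describes, an OpenVPN instance whose own Interface is a gateway group whose members share a tier (load balancing). A group that is only referenced from firewall rules, as in the original poster's setup, is not flagged. The sample config, the group names, and the element layout (`gateway_group` items as `NAME|tier|address`, `openvpn-client`/`openvpn-server` with an `interface` element) are assumptions to verify against your own backup.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from the thread. Element names are an
# assumption about the config.xml layout; check them against a real backup.
SAMPLE_CONFIG = """<pfsense>
  <gateways>
    <gateway_group><name>VPN_BALANCE</name>
      <item>VPN1_VPNV4|1|address</item><item>VPN2_VPNV4|1|address</item>
    </gateway_group>
    <gateway_group><name>WAN_FAILOVER</name>
      <item>WAN_DHCP|1|address</item><item>WAN2_DHCP|2|address</item>
    </gateway_group>
  </gateways>
  <openvpn>
    <openvpn-client><vpnid>1</vpnid><interface>wan</interface></openvpn-client>
    <openvpn-client><vpnid>2</vpnid><interface>WAN_FAILOVER</interface></openvpn-client>
    <openvpn-server><vpnid>3</vpnid><interface>VPN_BALANCE</interface></openvpn-server>
  </openvpn>
</pfsense>"""

# Verdict per binding: None means the interface is not a gateway group at all.
VERDICT = {None: "ok: plain interface", "failover": "ok: failover group",
           "load-balance": "review: load-balancing group"}


def group_modes(root):
    """Map each gateway group name to 'failover' or 'load-balance'."""
    modes = {}
    for group in root.iterfind("./gateways/gateway_group"):
        # Members that share a tier are load-balanced; distinct tiers fail over.
        tiers = [i.text.split("|")[1] for i in group.iterfind("item")
                 if i.text and i.text.count("|") >= 1]
        shared = len(tiers) != len(set(tiers))
        modes[group.findtext("name")] = "load-balance" if shared else "failover"
    return modes


def audit_openvpn_interfaces(config_xml):
    """Return (kind, vpnid, interface, verdict) for every OpenVPN instance."""
    root = ET.fromstring(config_xml)
    modes = group_modes(root)
    findings = []
    for kind in ("openvpn-client", "openvpn-server"):
        for inst in root.iterfind(f"./openvpn/{kind}"):
            iface = inst.findtext("interface", default="")
            findings.append((kind, inst.findtext("vpnid"), iface, VERDICT[modes.get(iface)]))
    return findings


if __name__ == "__main__":
    for row in audit_openvpn_interfaces(SAMPLE_CONFIG):
        print(*row, sep="\t")
```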
        • beremonavabi

          By the "interface setting," you mean under VPN > OpenVPN > Clients? (see attached).  If so, mine's set to WAN, so I should be fine.  Thanks for the reply.  I appreciate it (and assuming those are your videos on the Hangouts site, I find them very useful for trying to get a handle on this stuff).

          ![20170517 -- pfSense OpenVPN Client Interface Settings.PNG](/public/imported_attachments/1/20170517 – pfSense OpenVPN Client Interface Settings.PNG)

          • jimp Rebel Alliance Developer Netgate

            @beremonavabi:

            By the "interface setting," you mean under VPN > OpenVPN > Clients? (see attached).  If so, mine's set to WAN, so I should be fine.

            Yeah that's what it means, and yours is A-OK if that's how it's set.

            @beremonavabi:

            Thanks for the reply.  I appreciate it (and assuming those are your videos on the Hangouts site, I find them very useful for trying to get a handle on this stuff).

            That's me… Thanks!
