Gateway Group for OpenVPN Must be Failover?



  • For about a month or so, I've been running multiple OpenVPN clients through a Gateway Group configured for load balancing.  At least I thought I was.  Yesterday, I was reading through the pfSense book that comes with the SG-4860 and saw this:

    OpenVPN assigned to a Gateway Group

    A Gateway Group (Gateway Groups) may be selected as the Interface for an OpenVPN instance. Such a gateway group must be configured for failover only, not load balancing.

    Can anyone tell me why the Gateway Group has to be of the failover type for OpenVPN?

    I've attached some screenshots of my OpenVPN clients, my Gateways, and the Gateway Group (I've switched it to failover at this point).
    ![20170516 -- pfSense OpenVPN Clients.PNG](/public/imported_attachments/1/20170516 – pfSense OpenVPN Clients.PNG)
    ![20170516 -- pfSense Gateways.PNG](/public/imported_attachments/1/20170516 -- pfSense Gateways.PNG)
    ![20170516 -- pfSense Gateway Group.PNG](/public/imported_attachments/1/20170516 -- pfSense Gateway Group.PNG)
    ![20170516 -- pfSense VPN_LAN Firewall Rules.PNG](/public/imported_attachments/1/20170516 -- pfSense VPN_LAN Firewall Rules.PNG)


  • Rebel Alliance Developer Netgate

    You are misunderstanding what it's saying there.

    It's talking about the interface setting on each OpenVPN instance being set to a gateway group in the settings for that instance specifically. That can only work in failover mode since otherwise it would randomly select an interface from the group the next time the server was saved or had its config refreshed.

    What you appear to have done is assign multiple independent clients so you get a gateway for each OpenVPN, and then put those into a gateway group. That works fine, and isn't at all what it's talking about in the quoted text.



  • By the "interface setting," you mean under VPN > OpenVPN > Clients? (see attached).  If so, mine's set to WAN, so I should be fine.  Thanks for the reply.  I appreciate it (and assuming those are your videos on the Hangouts site, I find them very useful for trying to get a handle on this stuff).

    ![20170517 -- pfSense OpenVPN Client Interface Settings.PNG](/public/imported_attachments/1/20170517 – pfSense OpenVPN Client Interface Settings.PNG)


  • Rebel Alliance Developer Netgate

    @beremonavabi:

    By the "interface setting," you mean under VPN > OpenVPN > Clients? (see attached).  If so, mine's set to WAN, so I should be fine.

    Yeah that's what it means, and yours is A-OK if that's how it's set.

    @beremonavabi:

    Thanks for the reply.  I appreciate it (and assuming those are your videos on the Hangouts site, I find them very useful for trying to get a handle on this stuff).

    That's me… Thanks!