OpenVPN failover with multi-WAN & CARP

  • Hi,

    I have a tricky situation here: I want to implement failover for our branch offices and HA for the central pfSense install.

    I have a CARP cluster with two pfSense machines in the central datacenter. The CARP is only on the internal subnets, because I cannot use CARP on WAN - the upstream provider has a MAC address binding for the public IPs, i.e. I can only use each public IP with a provider-specified MAC address and CARP insists on its own MAC address. I can have more IPs though if I need them, and also subnets. Right now I have 3 and use 2 (one for each machine).

    Right now we are using OpenVPN, but I'm open to other solutions.

    CARP on the LAN subnet works fine, when one pfSense is down, the traffic goes out through the other pfSense and uses the other public IP.

    However, I have read about and tried many things to have a OpenVPN failover but I cannot make it work. Most threads here are about a single WAN IP or other scenarios.

    One idea was to have two OpenVPN server instances (on two different ports), then for each branch office connect two clients (one to each public IP/port combination) and use a gateway group to direct the traffic to either OpenVPN server.

    I have also tried some other things, but I think the main problem is that when failover occurs, the packets back from the central datacenter try to route through the now-dead OpenVPN connection A.

    Any pointers on how to make it work?


  • CAnt you just set OpenVPN to use ANY.
    Then setup DDNS to update the IP externally  and use the FQDN for the vpn client?

  • I have static public IPs, that's not the problem. The problem is that OpenVPN doesn't find the route "back" when the failover happened and the first OpenVPN server is down.

Log in to reply