HELP! with Failover VPN connections

  • Hello all

    I have 2 OpenVPN clients configured on my LAN interface in a VPN Group with the one I want as my primary as Tier 1 and the other as Tier 2.

    Both VPNs are working individually, if I stop one and run the other.

    This is how I want the VPNs to work: When pfSense boots, both run with Tier 1 providing the VPN traffic for my LAN interface. If for whatever reason Tier 1 goes down then Tier 2 provides the VPN traffic automatically. Then when Tier 1 is back up and running, it automatically takes over providing the VPN traffic from Tier 2 without me having to intervene.

    This is what is happening now: When pfSense boots, both run with Tier 1 providing the traffic. I then stop Tier 1 to simulate Tier 1 going down (if there is a better way to simulate this, please let me know). When Tier 1 is stopped, Tier 2 takes over. When I start back Tier 1, Tier 2 continues providing the traffic. If I stop Tier 2 with Tier 1 still running, then no VPN traffic at all. I then have to stop both and then start Tier 1 first, then Tier 2, for things to go back the way I want or alternatively restart pfSense.

    Can anyone help me configure this to work the way I want it to work?

    Also, I know that in actual practice, if my VPN goes down, there may be some cases where it is actually up, but just not transmitting data. How can I simulate this for testing purposes other than stopping the VPN, which is another scenario altogether?


  • Netgate Administrator

    What is expected to happen there is that when the tier 1 gateway comes back online any new connections routed via the group will use that. As old connections on the tier 2 gateway time out they will close and move back to tier 1.
    Connections on the tier 2 gateway are not forcibly closed though, that is necessarily disruptive.

    If you disconnect the tier 2 gateway, connections on it die and as devices re-establish those connections they will be on tier 1.

    One option you have is to enable State Killing on Gateway Failure on System > Advanced > Misc. That will force everything to the other gateway in less time. But it kills ALL states including those on the gateway that is up so there is a trade off with disruption vs speed.


  • @stephenw10

    I am trying to understand what you are saying but I am a little confused.

    Are you saying that the behavior I want already happens but instead of it being automatic with all the connections that once Tier 1 comes back online everything switches back to Tier 1, it only routes new connections back to Tier 1 while leaving existing connections on Tier 2 until those connections update themselves?

    If so, then would restarting the client device or the network connection on the client after Tier 1 is back up, force the new connection back to Tier 1? Am I understanding you correctly?

    Now this "State Killing on Gateway Failure", to be clear are you saying that if Tier 1 goes down, then Tier 2 goes down as well? So in essence, doesn't this setting break the failover altogether? Or am I misunderstanding you?

    Please clarify.

  • Netgate Administrator

    Yes, existing connections on the tier 2 gateway will not be killed when tier 1 comes back online. That would be disruptive for anyone using it. Existing states there will close or time out anyway and new states will then be on tier 1. The only issue there is for connections that never time out such as SIP.

    Restarting a client or just reloading a webpage should open back on tier 1.

    The kill states option just kills firewall states and therefore connections; it doesn't affect the gateway status. The problem with setting that is if, for example, the tier 2 gateway goes down but tier 1 is up, all states are flushed including those on tier 1, which would cause disruption for users. Though they would be able to reconnect immediately.
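    The behaviour described in the two answers above can be hard to picture, so here is a small model of it. This is an added illustration, not pfSense code and not something posted in this thread: it models a tiered gateway group that sends new states to the lowest-numbered tier that is up, leaves existing states where they are when tier 1 recovers, and, when "State Killing on Gateway Failure" is on, flushes every state on any gateway failure, including states on the gateway that is still up. The class and function names (Gateway, GatewayGroup, scenario) and the gateway names vpn1/vpn2 are assumptions made for this example.

```python
"""Model of tiered gateway-group failover and state handling (added example,
not pfSense code). Names and the sample flows below are constructed."""
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    tier: int          # 1 = preferred, 2 = backup
    up: bool = True


@dataclass
class State:
    # A firewall state: a flow pinned to the gateway it was created on.
    flow: str
    gateway: str


class GatewayGroup:
    def __init__(self, gateways, kill_states_on_failure=False):
        self.gateways = sorted(gateways, key=lambda g: g.tier)
        self.kill_states_on_failure = kill_states_on_failure
        self.states = []

    def select_gateway(self):
        """Failover policy: the lowest tier number that is currently up."""
        for gw in self.gateways:
            if gw.up:
                return gw
        return None

    def new_connection(self, flow):
        """A new state follows the current policy; existing states are untouched."""
        gw = self.select_gateway()
        if gw is None:
            return None  # no gateway in the group is up: nowhere to route
        self.states.append(State(flow, gw.name))
        return gw.name

    def set_gateway(self, name, up):
        gw = next(g for g in self.gateways if g.name == name)
        was_up, gw.up = gw.up, up
        if was_up and not up:
            if self.kill_states_on_failure:
                # "State Killing on Gateway Failure": ALL states are flushed,
                # including those on gateways that are still up.
                self.states.clear()
            else:
                # Default: only states on the failed gateway die; clients
                # re-establish them on whichever gateway is now selected.
                self.states = [s for s in self.states if s.gateway != name]
        # A gateway coming back up moves nothing: states stay where they are.

    def expire(self, flow):
        """A flow closes or times out and is reopened (e.g. reloading a page)."""
        self.states = [s for s in self.states if s.flow != flow]
        return self.new_connection(flow)

    def states_per_gateway(self):
        counts = {}
        for s in self.states:
            counts[s.gateway] = counts.get(s.gateway, 0) + 1
        return counts


def scenario(kill_states):
    """Walk through the thread's scenario and record what a client sees."""
    group = GatewayGroup([Gateway("vpn1", 1), Gateway("vpn2", 2)], kill_states)
    log = []
    group.new_connection("laptop:443")
    group.new_connection("phone:443")
    group.set_gateway("vpn1", False)                # tier 1 goes down
    log.append(group.new_connection("laptop:443"))  # laptop reconnects via vpn2
    group.new_connection("tv:443")
    group.set_gateway("vpn1", True)                 # tier 1 recovers
    log.append(group.states_per_gateway())          # old states still on vpn2
    log.append(group.new_connection("tablet:443"))  # new state goes to vpn1
    log.append(group.expire("laptop:443"))          # reopened flow lands on vpn1
    group.set_gateway("vpn2", False)                # tier 2 fails while tier 1 is up
    log.append(group.states_per_gateway())          # the trade-off shows here
    return log


if __name__ == "__main__":
    print("default:      ", scenario(False))
    print("state killing:", scenario(True))
```

    In the default run the last entry still holds the two states that were on vpn1, because only the failed gateway's states died. With state killing enabled the last entry is empty: the tier 2 failure flushed the states on vpn1 as well, which is the disruption the answer above warns about.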


  • @stephenw10

    Okay. Understood.

    In my case for what I have described, would you recommend me enabling "State Killing on Gateway Failure"? Also, in one of the guides, I saw something about enabling Load Balancing in one of the Advanced settings. Is there a corresponding setting for Fail Over somewhere?

    Also, I note that both VPNs I configured auto start when pfSense boots. Is it possible to configure a VPN connection but not allow it to auto start, but rather start manually when needed? For example, suppose I wanted that Tier 1 only runs at boot but when it goes down, Tier 2 then starts up and runs. Is this possible? The reason I am asking is because I am allotted monthly bandwidth allotments with my VPN and I wouldn't want to use up all my bandwidth for the month on Tier 2 when Tier 1 was the one in use the whole time. Basically, that bandwidth would be getting used up and not actually being used.

    I don't think disabling it would be the answer because then it would not be able to start by itself if Tier 1 goes down. So is this something that can happen or am I getting too sophisticated here?

  • Netgate Administrator

    You can configure the gateway group as load-balance or failover depending on the tiers you set.

    Not having it auto-start will likely not be useful. Any data will start it anyway. The data usage when it isn't the selected gateway should be minimal.


  • @stephenw10 Understood. Thanks
