Prevent failover on OpenVPN client gateway

  • I have two WAN gateways. My default gateway is a group with each of these configured as tier 1. I also have two OpenVPN clients connected to the same server, one configured to connect through each WAN gateway. I then have a VPN gateway group configured that combines the two VPN gateways for redundancy and bandwidth.

    When both WANs are up everything works as expected. However, when one of the WAN connections goes down, instead of disconnecting, the VPN client connects through the other WAN gateway, so I have two connections from the same IP as verified on the server side.

    This isn't the desired behavior in my case. Is there a way to prevent the client from failing over to the other gateway and instead just go down?

  • LAYER 8 Netgate

    It sounds like you bound your OpenVPN clients to the gateway group instead of the individual WANs or something like that.

  • No, that's not the case. They are bound to the individual WAN gateways. I've attached a few pictures. You can see in the OpenVPN clients list that they are each bound to separate WAN interfaces. The gateway list shows that one of the WANs is down but both VPN tunnels are up. The VPN status page shows that both are up but doesn't show the local IP address for the one with the gateway that is down. (I can see on the server end that both connections come from the same IP)

    EDIT to add: Each connection has a separate client cert so when I look on the server status I can also tell both are connected because both common names are used.

    [three attached screenshots: the OpenVPN clients list, the gateway list, and the VPN status page]

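The server-side check the original poster describes (two distinct common names connecting from the same public IP) can be scripted against OpenVPN's status file rather than eyeballed. The following is an added example, not code from the thread or from pfSense/Netgate: it parses a status file in the classic "CLIENT LIST" layout and reports any real source IP that has more than one common name behind it. The status text, client names and addresses embedded below are constructed for the example.

```python
from collections import defaultdict

# Constructed sample in the layout OpenVPN writes to its status file
# (--status, version 1 format). Names, addresses and counters are hypothetical.
SAMPLE_STATUS = """OpenVPN CLIENT LIST
Updated,Thu Jan  1 00:00:00 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client-wan1,203.0.113.10:51194,12345,67890,Thu Jan  1 00:00:00 2024
client-wan2,203.0.113.10:51195,2345,6789,Thu Jan  1 00:00:01 2024
other-site,198.51.100.7:1194,100,200,Thu Jan  1 00:00:02 2024
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.2,client-wan1,203.0.113.10:51194,Thu Jan  1 00:00:00 2024
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_client_list(status_text):
    """Return [(common_name, real_address), ...] from the CLIENT LIST section."""
    clients = []
    in_clients = False
    for line in status_text.splitlines():
        if line.startswith("Common Name,Real Address"):
            in_clients = True          # header row of the client table
            continue
        if line.startswith("ROUTING TABLE"):
            break                      # client table has ended
        if in_clients and line.strip():
            fields = line.split(",")
            if len(fields) >= 2:
                clients.append((fields[0], fields[1]))
    return clients


def real_ip(real_address):
    """Strip the source port from 'host:port' or '[v6addr]:port'."""
    host, sep, _port = real_address.rpartition(":")
    if not sep:
        return real_address            # no port present, return as-is
    return host.strip("[]")


def find_shared_sources(clients):
    """Map each real IP that carries more than one common name to those names.

    In the scenario from the thread, a client that has silently failed over to
    the other WAN shows up here: two common names behind one public IP.
    """
    by_ip = defaultdict(set)
    for common_name, real_address in clients:
        by_ip[real_ip(real_address)].add(common_name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    shared = find_shared_sources(parse_client_list(SAMPLE_STATUS))
    for ip, names in shared.items():
        print(f"{ip}: {len(names)} clients share this source IP: {', '.join(names)}")
```

To run it against a live server, read the file named by the server's `status` directive instead of `SAMPLE_STATUS`; any IP reported with two common names is a client pair whose tunnels are no longer leaving through separate WANs.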