Netgate Discussion Forum
    Prevent failover on OpenVPN client gateway

    Category: OpenVPN
    3 Posts 2 Posters 341 Views
    mcarson75

      I have two WAN gateways. My default gateway is a group with each of these configured as tier 1. I also have two OpenVPN clients connected to the same server, one configured to connect through each WAN gateway. I then have a VPN gateway group configured that combines the two VPN gateways for redundancy and bandwidth.

      When both WANs are up everything works as expected. However, when one of the WAN connections goes down, instead of disconnecting, the VPN client connects through the other WAN gateway, so I have two connections from the same IP as verified on the server side.

      This isn't the desired behavior in my case. Is there a way to prevent the client from failing over to the other gateway and instead just go down?

      Derelict (LAYER 8, Netgate)

        It sounds like you bound your OpenVPN clients to the gateway group instead of the individual WANs or something like that.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        mcarson75 (last edited by mcarson75)

          No, that's not the case. They are bound to the individual WAN gateways. I've attached a few pictures. You can see in the OpenVPN clients list that they are each bound to separate WAN interfaces. The gateway list shows that one of the WANs is down but both VPN tunnels are up. The VPN status page shows that both are up but doesn't show the local IP address for the one with the gateway that is down. (I can see on the server end that both connections come from the same IP)

          EDIT to add: Each connection has a separate client cert so when I look on the server status I can also tell both are connected because both common names are used.

          [Three attached screenshots: the OpenVPN clients list, the gateway list, and the OpenVPN status page]

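The symptom the original poster verifies on the server side (two different client certificates, both sessions arriving from one public IP) can be checked mechanically on the OpenVPN server. The script below is an added example, not code from the thread or from pfSense/Netgate; it assumes the server writes the version 1 `status` file layout (`CLIENT LIST` section with `Common Name,Real Address,...` columns), and the status text embedded in it is constructed sample data, not output from the poster's server.

```python
"""Flag OpenVPN client sessions whose distinct common names share one real
source address, i.e. a client that has silently failed over onto the other WAN.

Added example; assumes the OpenVPN status file version 1 layout.
"""
from collections import defaultdict

# Constructed sample of an OpenVPN status file (version 1 layout).
# The two CNs on 198.51.100.10 model the situation described in the thread.
SAMPLE_STATUS = """OpenVPN CLIENT LIST
Updated,2025-01-01 12:00:00
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client-wan1,198.51.100.10:41234,12345,67890,2025-01-01 11:00:00
client-wan2,198.51.100.10:41877,2345,7890,2025-01-01 11:58:00
client-other,203.0.113.5:50000,100,200,2025-01-01 10:00:00
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client-wan1,198.51.100.10:41234,2025-01-01 12:00:00
10.8.0.10,client-wan2,198.51.100.10:41877,2025-01-01 12:00:00
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_client_list(status_text):
    """Return [(common_name, source_ip), ...] from the CLIENT LIST section.

    Only the rows between the 'Common Name,Real Address' header and the
    start of the ROUTING TABLE section are client sessions.
    """
    clients = []
    in_clients = False
    for line in status_text.splitlines():
        if line.startswith("Common Name,Real Address"):
            in_clients = True
            continue
        if not in_clients:
            continue
        if line.startswith(("ROUTING TABLE", "GLOBAL STATS")) or line == "END":
            break
        fields = line.split(",")
        if len(fields) < 2:
            continue  # tolerate blank or malformed rows
        common_name, real_address = fields[0], fields[1]
        # Real Address is "ip:port"; drop the port so sessions compare by host.
        source_ip = real_address.rsplit(":", 1)[0].strip("[]")
        clients.append((common_name, source_ip))
    return clients


def find_shared_source_ips(status_text):
    """Map each source IP that carries more than one common name to those names.

    An empty result means every connected client arrives from its own address.
    """
    names_by_ip = defaultdict(set)
    for common_name, source_ip in parse_client_list(status_text):
        names_by_ip[source_ip].add(common_name)
    return {ip: sorted(names) for ip, names in names_by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    for ip, names in find_shared_source_ips(SAMPLE_STATUS).items():
        print(f"{ip}: {len(names)} clients from one address: {', '.join(names)}")
```

Pointed at a real status file (for example `open(path).read()` in place of `SAMPLE_STATUS`), a non-empty result is exactly the "both common names from the same IP" condition the poster describes, and is a reasonable thing to alert on if the intended design is one tunnel per WAN.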
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.