Fail-over client config
-
Hi,
running latest pfSense and OpenVPN.
The OpenVPN server runs on pfSense, and the client runs on pfSense, too. It is a working P2P configuration. The OpenVPN server has two WAN connections, each running an OpenVPN server. The client has two OpenVPN clients configured, one for each WAN on the server. Currently we have to manually disable one client and enable the other when a WAN line goes down. Is there a way to make a fail-over configuration where there is one preferred client connection that switches to the other when down and switches back when the preferred line comes back?
Thanks!
- demux -
On the server side it's sufficient to run only one server for that and forward both WANs to the IP it is listening on. Best practice is to set the OpenVPN server to listen on localhost and set up two port forwardings, one for each WAN address, to localhost.
On the client side one instance is sufficient as well. Configure it to connect to the WAN1 IP or host name and enter a remote line for the second WAN IP into the Custom options, like:
remote second-WAN 1194 udp
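The client side of the setup described in that reply, written out as a complete OpenVPN 2.x client config file rather than pfSense GUI fields. This is an added example, not text from the original post; the host names, port, and certificate file names are assumptions. On pfSense the normal client form supplies everything except the second remote, which is the only line that goes into Custom options.

```conf
client
dev tun
proto udp
nobind
persist-key
persist-tun
resolv-retry infinite

# Remotes are tried in the order listed. Do not add "remote-random",
# otherwise the preferred WAN is not reliably tried first.
# (Host names are assumed; use the server's WAN1 and WAN2 addresses.)
remote vpn-wan1.example.net 1194 udp
remote vpn-wan2.example.net 1194 udp

# How quickly a dead line is noticed: ping every 10 s, restart the
# connection after 60 s of silence, and wait 5 s between attempts
# before moving on to the next remote in the list.
keepalive 10 60
connect-retry 5

remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
```

On the server side the matching setting is to bind only to localhost (`local 127.0.0.1` in a text config, "Localhost" as the interface in the pfSense server form) and let the two NAT port forwards deliver WAN1:1194 and WAN2:1194 to it. Note that, as the later replies point out, this config does not move back to the first remote while the second one is still alive.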
-
I assume that I can do the same for normal OpenVPN road warrior configs. Right?
-
With "remote" it does not switch back if the preferred line comes back. We have one line that has much more capacity than the other (it is a backup line only). This one should always be used if available - even if the connection is dropped for switching back.
-
Yes, it's the same thing.
In the client config file you can state multiple remote lines.
-
@demux said in Fail-over client config:
With "remote" it does not switch back if the preferred line comes back.
No, both remote lines have equal priority.
Don't know if there is another way to prefer a connection.
-
Thank you very much!
If I knew that a client going to the secondary line is a result of a failed preferred line then I could kick that client off the secondary line if the 1st line is back again.
Do you know a place (source) to hook where I can get immediate information about a failing line? I could write a file (flag) and later react on that and kick off clients from the secondary. I need to know even the smallest outage.
-
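An added example of the "flag file, then kick clients off the secondary" idea from that post, not code from the original thread or from pfSense. It assumes the backup OpenVPN server has a management interface on a TCP socket (hypothetical 127.0.0.1:7506, i.e. `management 127.0.0.1 7506` in its config) and that some external monitor creates the hypothetical flag file /var/run/wan1_up when the preferred line is usable again; the thread gives no pfSense hook for that, so the monitor is outside the scope of the example. The status text embedded below is constructed sample data in the format of the management interface's `status 2` command.

```python
"""Kick every client off the backup OpenVPN server once the preferred
WAN is back, by reading `status 2` from the server's management socket
and issuing one `kill` per session.  Added example for this thread,
not pfSense or OpenVPN project code."""
import os
import socket

# Constructed sample of `status 2` output (not captured from a real server).
SAMPLE_STATUS = """\
TITLE,OpenVPN 2.6 (constructed sample)
TIME,2024-01-01 12:00:00,1704110400
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID,Data Channel Cipher
CLIENT_LIST,site-a,203.0.113.5:51234,10.8.0.2,,1234,5678,2024-01-01 11:00:00,1704106800,UNDEF,0,0,AES-256-GCM
CLIENT_LIST,site-a,203.0.113.5:51299,10.8.0.3,,10,20,2024-01-01 11:30:00,1704108600,UNDEF,1,1,AES-256-GCM
CLIENT_LIST,site-b,198.51.100.7:44000,10.8.0.4,,99,11,2024-01-01 11:45:00,1704109500,UNDEF,2,2,AES-256-GCM
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.8.0.2,site-a,203.0.113.5:51234,2024-01-01 11:59:00,1704110340
GLOBAL_STATS,Max bcast/mcast queue length,0
END
"""

# Hypothetical locations; adjust to the real deployment.
FLAG_PATH = "/var/run/wan1_up"
MGMT_HOST, MGMT_PORT = "127.0.0.1", 7506


def parse_clients(status_text):
    """Return [(common_name, real_address), ...] from `status 2` output.

    Column positions are taken from the HEADER,CLIENT_LIST line rather than
    hard-coded, so the parser survives OpenVPN versions that add columns.
    """
    columns = None
    clients = []
    for line in status_text.splitlines():
        fields = line.split(",")
        if fields[0] == "HEADER" and len(fields) > 1 and fields[1] == "CLIENT_LIST":
            columns = fields[2:]
        elif fields[0] == "CLIENT_LIST":
            if columns is None:
                raise ValueError("CLIENT_LIST row before its HEADER; is this 'status 2' output?")
            row = dict(zip(columns, fields[1:]))
            clients.append((row["Common Name"], row["Real Address"]))
    return clients


def kill_commands(clients, only_cns=None):
    """Build one management `kill IP:port` per session.

    Killing by real address instead of common name matters when the server
    runs with duplicate-cn: two sessions sharing a CN are handled separately.
    only_cns restricts the kick to a set of common names (None = everyone).
    """
    return [f"kill {addr}" for cn, addr in clients
            if only_cns is None or cn in only_cns]


def run_on_management(host, port, commands, timeout=5.0):
    """Send commands to a live management socket; returns the reply lines.

    Not exercised by the embedded sample: needs a running OpenVPN server.
    """
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rw", newline="\n")
        f.readline()  # greeting: ">INFO:OpenVPN Management Interface Version ..."
        for cmd in commands:
            f.write(cmd + "\n")
            f.flush()
            if cmd.startswith("status"):
                lines = []
                while True:
                    ln = f.readline()
                    if not ln or ln.strip() == "END":
                        break
                    lines.append(ln.rstrip("\n"))
                replies.append("\n".join(lines))
            else:
                replies.append(f.readline().rstrip("\n"))  # "SUCCESS: ..." / "ERROR: ..."
        f.write("quit\n")
        f.flush()
    return replies


def kick_if_preferred_line_up(flag_path=FLAG_PATH, status_text=None, dry_run=True):
    """Return the kill commands issued (empty when the flag is absent).

    With dry_run=True the constructed sample is used and nothing is sent.
    """
    if not os.path.exists(flag_path):
        return []
    if status_text is None:
        status_text = SAMPLE_STATUS if dry_run else run_on_management(
            MGMT_HOST, MGMT_PORT, ["status 2"])[0]
    cmds = kill_commands(parse_clients(status_text))
    if not dry_run and cmds:
        run_on_management(MGMT_HOST, MGMT_PORT, cmds)
    return cmds


if __name__ == "__main__":
    print(kick_if_preferred_line_up())
```

Run it from cron or a gateway-event hook on the backup server; with the flag absent it does nothing, and with dry_run=True it only lists what it would kill. The kicked clients reconnect and, with the preferred remote listed first in their config, land on the preferred line.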
No, you didn't mention that you prefer one of your WAN lines in your first post. In that case, it would be best to go with two parallel connections and set up a gateway-failover group.
It should work like this: Assuming you have already assigned an interface to each VPN connection on the client, go to
System > Routing > Gateway Groups
and add a new group, set the Tier of your preferred gateway to 1, that of the other one to 2 and set the Trigger Level to "Member Down".
Use that gateway group in your firewall rules or static routes.
-
Thanks again.
I did it like that. No clue if it works as I cannot drop a line currently (off-site), but I see packets going to the server quite happily.
So, the last rule in client's OpenVPN set is a pass rule that uses the gateway group (which has both ovpn IFs).
On the server side I will reduce to one OpenVPN server only, bind this one to the localhost and create one NAT on WAN 1 and another on WAN 2 both pointing to the localhost:ovpn-port.
I will do the same for road warriors and on the clients I will add the "remote ..." line.