Netgate Discussion Forum

    Configuring a "fail-secure" OpenVPN connection

      CyberMinion

      Hello,

      I've been exploring some of the options for using pfSense as an OpenVPN client. I'm new to this aspect of pfSense, so please excuse my ignorance.

      If I want to connect remote devices to a "home" network, or even a commercial VPN solution, I can create a self-signed CA, add the config and auth details to OpenVPN, then add a NAT mapping to route traffic between the local device and the "home" VPN concentrator. Great, now the user can access internal ("home") resources from a remote location. However, I'm uncertain how this operates in a failure case.

      If the VPN server goes down for maintenance (or other reasons) and there is no load balancer or other redundancy to keep everything working, what happens to the remote user? pfSense cannot connect to the VPN server, so...does the outbound connection for users break (meaning all outside access is essentially lost), or does it just fall back to a direct connection to the WAN?

      For this use case, I would want to ensure that it fails secure, meaning that if the VPN concentrator cannot be reached, remote clients connected to pfSense would simply be denied WAN access. Does it do this already? If not, how can I configure it this way? A firewall rule to block port "LAN" from connecting to port "WAN"? Or is there a more elegant solution?

      Thank you!

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.