How to make VPN tunnel stay on 1 gateway in a failover group
-
@viragomann
I can route cellular phones out the VPN and the rest outside the VPN, but that is not exactly what I want.
Starlink is a metered / expensive WAN connection, so I would use this at a bare minimum. -
Seems that you have very uncommon and complex requirements.
@Proton said in How to make VPN tunnel stay on 1 gateway in a failover group:
But what i really want is to not use VPN when WAN1_GW is not the default gateway.
I only need VPN when WAN1_GW is the default gateway to fix some VoWifi issues.
So if the WAN1_GW down trigger doesn't make you happy, what exactly triggers the default gateway? And what could be the status of WAN1_GW if it's not the default and not down?
How did you configure the gateway group and what are the other gateways? -
@viragomann
WAN1_GW never goes down. I have a failover gateway group with 3 gateways where WAN1_GW is tier 2. I also have tier 1 and 3.
So when it fails over to tier 2 I do not want the traffic to still go out WAN1_GW at all, VPN or other. -
@Proton said in How to make VPN tunnel stay on 1 gateway in a failover group:
I have a failover gateway group with 3 gateways where WAN1_GW is tier 2. I have also tier 1 and 3.
So when it fails over to tier 2 i do not want the traffic to still go out WAN1_GW at all, VPN or other.
WAN1_GW = Tier 2
If it fails over to it, it shouldn't be used.
I think that's too high for my brain. -
@viragomann Sorry, a typo there.
It should be:
I have a failover gateway group with 3 gateways where WAN1_GW is tier 2. I also have tier 1 and 3.
So when it fails over to tier 1 or 3 I do not want the traffic to still go out WAN1_GW at all, VPN or other. -
@Proton
Is WAN1 used for the VPN only, or should other upstream traffic also go out on it in case Tier 1 is offline?
If it is used for the VPN only, you could simply replace it in the gateway group by the VPN GW.
-
@viragomann said in How to make VPN tunnel stay on 1 gateway in a failover group:
@Proton
Is WAN1 used for the VPN only, or should other upstream traffic also go out on it in case Tier 1 is offline?
If it is used for the VPN only, you could simply replace it in the gateway group by the VPN GW.
Genius thought :)
Yes, I think so.
When tier 1 goes down, all traffic will go to tier 2. All LAN traffic must go out the VPN when tier 2 is the default gateway.
When tier 2 fails, all traffic will go out on tier 3.
And when tier 2 comes back we go back to VPN only in tier 2. And when tier 1 comes back all go out tier 1. No VPN on tier 1 & 3.
So simply said: all traffic must follow the default gateway, and when on tier 2 all traffic must exit a VPN tunnel out on tier 2.
So to implement this I can replace my tier 2 with the VPN gateway. And I need to make sure the VPN gateway always exits through my WAN1_GW interface (earlier tier 2).
Can I do this with the FW block rules I already have for the VPN endpoints on the tier 1 & 3 gateways? Do I need a static route in addition?
And I guess I must remove my policy based routing in my FW rules and rely only on default gateways, correct?
THX!
-
@Proton said in How to make VPN tunnel stay on 1 gateway in a failover group:
And I need to make sure the VPN gateway always exits through my WAN1_GW interface (earlier tier 2).
Can I do this with the FW block rules I already have for the VPN endpoints on the tier 1 & 3 gateways? Do I need a static route in addition?
Yes, since the rule blocks the VPN connection over the other WANs, it can only be established over WAN1.
In case of OpenVPN you can also bind the connection to the desired interface.
I don't know if this is also possible in WG.
However, the VPN will be established as soon as WAN1_GW is online. If you don't want this for whatever reason, maybe there is a possibility to let it only connect if the other WANs are down. I think this can be achieved by binding the OpenVPN client to the gateway group. You will need to recreate the gateway group as you had it before for this, with WAN1_GW as tier 2 and the other WANs as 1 and 3.
But use this gateway group for the VPN client only. For the default routing use the other one with the VPN GW.
The static route would not be necessary then, as it obviously follows the default route anyway.
And i guess i must remove my policy based routing in my FW rules and rely only on default gateways, correct?
Depends on your needs. Without the policy routing, the devices can also go out on the other interface in case they are the default gateway.
-
@viragomann
What about this tip:
https://github.com/Ysurac/openmptcprouter/issues/2384 -
@Proton And another tip using floating rules:
https://forum.opnsense.org/index.php?topic=26315.0 -
@Proton
The first one is a completely different system, and the mentioned VXLAN is not supported on pfSense.
The latter solution is just an outbound floating rule for the remote VPN endpoint with policy routing. You can also add the gateway in your rule. But it won't prevent the VPN from connecting as soon as the gateway is online.
So the VPN will be connected if tier 1 is used. -
@Proton
Nice. And you got it work even with Wireguard? -
@viragomann said in How to make VPN tunnel stay on 1 gateway in a failover group:
@Proton
Nice. And you got it work even with Wireguard?
Yes, now I have the default gateway for IPv4 set up using a gateway group consisting of 3 tiers. I have 2 tier 2 Mullvad VPN tunnels using WireGuard for redundancy.
I had to use a static route to open the tunnels out on my preferred gateway/interface, and I had to block the endpoint IPs on the WANs I did not want the tunnels to be on.
No policy routing necessary.
Thanks for all your help!
I would not have been able to solve this without your dedication and professional help!
THX! -
Sadly I must say I concluded too soon :(
It looked like it worked 100%, but when I tested today client PCs are not getting internet when failing over to the VPN gateway.
My guess is that I am missing a route, or I need a firewall rule.
I am not seeing the VPN gateway marked as default gateway in the widget either.
Any ideas?
-
@Proton said in How to make VPN tunnel stay on 1 gateway in a failover group:
It looked like it worked 100%, but when I tested today client PCs are not getting internet when failing over to the VPN gateway.
I am not seeing the VPN gateway marked as default gateway in the widget either.
So what now? If the default gateway fails over to the VPN, I'd expect that the VPN is the default gateway then. (?)
-
@viragomann
Now I added a FW rule to allow traffic from my WAN interface WAN1_GW to my VPN interface.
Now internet traffic works :)
In my routing table I see:
default link#15 US 31 1420 tun_wg1
So default route is through my tunnel :)
-
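The routing-table check that the last two posts do by eye (is the default route really on the tunnel, and does the tunnel endpoint still leave on WAN1 rather than following the default into the tunnel it carries) can be scripted. The following is an added example and not code from the thread or from pfSense: it parses output in the "netstat -rn -f inet" layout used by Diagnostics > Routes, finds the Netif column from the header, and flags an endpoint that would be routed into its own tunnel. The routing table, the interface names (igb0 LAN, igb1 WAN1, tun_wg1) and all addresses are constructed for the example; on a real box replace ROUTES with the live output as shown in the comment.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a pfSense (FreeBSD) routing
# table for the setup discussed above, i.e. default route through the WireGuard
# tunnel while the tunnel endpoint itself is pinned to WAN1 by a static route.
#
# ROUTES is constructed sample output in the "netstat -rn -f inet" layout
# (same columns as the Diagnostics > Routes widget). Interface names (igb0 LAN,
# igb1 WAN1, tun_wg1 tunnel) and all addresses are assumptions for this example.
# On a live box replace it with:  ROUTES="$(netstat -rn -f inet)"
ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Use    Mtu    Netif Expire
default            link#15            US        31     1420   tun_wg1
10.64.0.1          link#15            UH        0      1420   tun_wg1
192.168.1.0/24     link#2             U         120    1500   igb0
198.51.100.10      203.0.113.1        UGS       4      1500   igb1
203.0.113.0/24     link#3             U         9      1500   igb1
'

# Print the Netif of the entry whose Destination matches $1 exactly.
# The Netif column index is taken from the header line, so extra columns
# such as Use and Mtu do not matter. Prints nothing when there is no match.
netif_of() {
    printf '%s\n' "$ROUTES" | awk -v d="$1" '
        $1 == "Destination" { for (i = 1; i <= NF; i++) if ($i == "Netif") col = i; next }
        col && $1 == d     { print $col; exit }'
}

# Interface carrying the default route.
default_iface() {
    netif_of default
}

# Interface a host address leaves on: its own host route if one exists,
# otherwise the default route. Prefix routes are not evaluated here; the
# static route to the endpoint is assumed to be a host (/32) entry.
route_iface() {
    iface=$(netif_of "$1")
    if [ -n "$iface" ]; then
        printf '%s\n' "$iface"
    else
        default_iface
    fi
}

# Returns 0 when endpoint $1 leaves on the wanted WAN $2 and NOT on the
# interface the default route points to. Without the static route the
# endpoint would follow the default into the very tunnel it is supposed to
# carry, which matches the "no internet after failover to the VPN gateway"
# symptom described above.
endpoint_pinned() {
    got=$(route_iface "$1")
    tun=$(default_iface)
    if [ "$got" = "$2" ] && [ "$got" != "$tun" ]; then
        return 0
    fi
    return 1
}

if endpoint_pinned 198.51.100.10 igb1; then
    echo "OK: endpoint leaves on igb1, default route via $(default_iface)"
else
    echo "WARNING: endpoint not pinned to igb1; add a static route via the WAN1 gateway"
fi
```

Run it with the live table substituted after every failover test; the interesting case is the one the thread hit, where the default flips to the tunnel while the endpoint has no host route of its own, and endpoint_pinned then fails.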
I just found in the Mullvad VPN docs that my VPN gateways should tick "use non-local gateway" in advanced settings.
Not sure if I needed this or what this will do for the firewall, since I already managed to get this working.
But in many of the docs I have read they seldom mention the firewall rule I had to add to allow access from WAN1_GW to VPN_GW? I did not get internet access for the clients in my LAN if this rule is not there...