Client Outbound on OPT1



  • We have a dual WAN environment where we connect to an OpenVPN server at our colocation facility. Today one of our connections has been very unreliable and as such the VPN has been up and down. Is it possible to have the OpenVPN client go outbound via OPT1? I was never aware that it would not and always just assumed it would follow our routing rules. I have been looking for a possible variable to force it to go out via OPT1, but have had no success. Is there a workaround?

    Thanks ahead of time.



  • I forgot to mention, currently we have automatic failover, which did not work properly due to the nature of this downage (just major packet loss, but many packets still going through). We manually forced all our outbound to use our OPT1 at this time.



  • Services on the pfSense itself don't follow the failover/balance pools.
    They follow the routing table on pfSense.
    Since there are no redundant entries in the routing table they will not fail over.
    A possibility, if you have the option of multiple IPs on the server you're connecting to, is that you specify all IPs in the OpenVPN config.
    Then create static routes to these IPs using different WANs.
    Now if one of the IPs of the server appears as down it will use the other IP (via the other WAN).

    Another alternative is, that you set up two OpenVPN links. But this also requires that you have multiple IPs for the server.
    Like this you can create a failover-pool with the other end of the VPN tunnels as gateways.



  • I have 2 WANs but not in a multi-WAN configuration. The WAN interface is an ADSL connection with PPPoE. The second WAN (OPT1) is an ADSL with static IP. I use the first WAN only to connect my clients to an FTP server in LAN with port forwarding.
    The second WAN (OPT1) is the GW for the rest of the pfSense traffic.

    So I need to connect this pfSense to another pfSense in a remote site with OpenVPN, and I have to use OPT1 as the GW of this site-to-site connection.

    I'm not an expert so could you please tell me how I can do this?

    I tried already but with no results. I performed this site-to-site connection with pfSense in other places with success, but there was a single WAN configuration.

    Could you please give me a hand?



  • @GruensFroeschli:

    Then create static routes to these IP's using different WANs.

    (As I note I work in the same office as catanoj)

    We do have multiple IPs on both ends but we don't need this to fail over. This is just something we would put in place if this happens again to force the OpenVPN connection to use our other connection. As catanoj said, we were getting 50% packet loss on our main connection so it was going up and down. Automatic failover won't help in that situation. I just changed the gateway on our rules to use our other failover group with OPT1 as the primary. So all traffic but the VPN was using our backup.

    Now, if I understand right, I could just pop a static route in with the IP of the OpenVPN server and the gateway of OPT1 to force the service to use the backup connection?

    Destination network: XXX.XXX.9.226/32
    Gateway: XXX.XXX.205.1 (this being the gateway of OPT1)

    What would I select for Interface?



  • The idea is: the load balancer tool is able to detect only partial loss of link.
    I'm not sure what the exact values are and I cannot find the thread where this was discussed.
    But the problem: since pfSense itself cannot use the balancer, you have to fake two links to the other side.
    This can be done via two OpenVPN links.
    The load balancer then uses the other side of the tunnel as gateway.
    Now if one of the links starts losing packets, the packets will also start dropping on the OpenVPN link on top of it, and the balancer should switch over to the second link.

    Destination network: XXX.XXX.9.226/32
    Gateway: XXX.XXX.205.1 (this being the gateway of OPT1)

    What would I select for Interface?

    The interface is the one on which traffic leaves.
    I assume that in your case this would be OPT1.

    A small diagram of what I mean:

    whatever
                                           |          
                                           |
                               LAN1 [private_IP1]
                        pfSense1 - OpenVPN server1 & 2
            WAN1  [public_IP1]                 WAN2 [public_IP2]
         oVPN_server1 [tunnel_IP1]      oVPN_server2 [tunnel_IP2]
                           |                                      |
                           |                                      |
                           |                                      |
                           |                                      |
                           |                                      |
         oVPN_client1 [tunnel_IP3]      oVPN_client2 [tunnel_IP4]
            WAN1  [public_IP3]                 WAN2 [public_IP4]
                        pfSense2 - OpenVPN client1 & 2
                               LAN2 [private_IP2]
                                           |
                                           |
                                      whatever

    On pfSense2 you create a failover pool with as gateways [tunnel_IP1] and [tunnel_IP2]
    Use this failover pool in the firewall rule on LAN2.

    The same can be applied on the server side.
    Create a failover pool with as gateways [tunnel_IP3] and [tunnel_IP4]
    And write a rule with as destination LAN2 and as gateway (in the firewall rule) the failover pool to LAN2.

    To make sure that the answer to the request comes back over the same link, I would also enable NAT into the link.
    From the point of view of whatever you connect to, this would look like two different clients accessing it whenever a failover happens.

    How to enable NAT on an OpenVPN link:

    • System –> Advanced: "Disable Auto-added VPN rules"
    • Add to your "custom options" of the OpenVPN link something like:
      dev tun10;
      To force the OpenVPN link to always use the same tun.
      In your case, where you need two tuns, I would use "dev tun10" and "dev tun20"
    • Interfaces --> assign
      Assign the two tun(s) as OPT interfaces.
    • Firewall --> NAT --> outbound
      Enable "Manual Outbound NAT rule generation"
      Below, an auto-generated rule for WAN is added.
      You can create as many additional NAT rules as you want. The order of the rules is important (top to bottom): first match wins, the rest are never considered.
      In your case I see 4 rules.
      WAN1
      WAN2
      OPT1(tun10)
      OPT2(tun20)
      The interface field is the interface on which traffic leaves.
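The two-tunnel failover and the outbound NAT ordering described in the reply above, as an added simulation that is not code from the thread or from pfSense. All addresses (a LAN2 of 192.168.2.0/24, the tunnel gateways, the NAT addresses) and the 20% loss threshold are constructed assumptions; pfSense's real monitor thresholds are not quoted in the thread. The block picks the first healthy tunnel from the failover pool, then evaluates the manual outbound NAT rules top to bottom with first-match semantics, and also flags rules that an earlier, broader rule on the same interface makes unreachable.

```python
import ipaddress

# Constructed values, loosely following the diagram: tunnel_IP1/tunnel_IP2 are the
# server-side tunnel addresses that pfSense2 uses as failover-pool gateways.
TUNNELS = {
    "ovpnc1": {"gateway": "10.10.0.1", "underlying_wan": "wan"},   # tunnel over WAN1
    "ovpnc2": {"gateway": "10.20.0.1", "underlying_wan": "opt1"},  # tunnel over WAN2
}
FAILOVER_POOL = ["ovpnc1", "ovpnc2"]  # priority order: tunnel 1 preferred
LOSS_THRESHOLD_PCT = 20.0             # assumed monitor threshold, not a pfSense default

# Manual outbound NAT rules for LAN2, evaluated top to bottom, first match wins.
NAT_RULES = [
    {"iface": "wan",    "source": "192.168.2.0/24", "nat_addr": "public_IP3"},
    {"iface": "opt1",   "source": "192.168.2.0/24", "nat_addr": "public_IP4"},
    {"iface": "ovpnc1", "source": "192.168.2.0/24", "nat_addr": "10.10.0.2"},  # tun10
    {"iface": "ovpnc2", "source": "192.168.2.0/24", "nat_addr": "10.20.0.2"},  # tun20
]


def pool_gateway(loss_by_link):
    """Return the first pool member whose measured packet loss is below the threshold.

    A link missing from loss_by_link is treated as down (100% loss)."""
    for name in FAILOVER_POOL:
        if loss_by_link.get(name, 100.0) < LOSS_THRESHOLD_PCT:
            return name
    return None


def outbound_nat(rules, egress_iface, src_ip):
    """First-match evaluation: the first rule whose interface and source net match
    decides the translated source address; later rules are never considered."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["iface"] == egress_iface and src in ipaddress.ip_network(rule["source"]):
            return rule["nat_addr"]
    return None  # no matching rule: packet leaves untranslated


def shadowed_rules(rules):
    """Indexes of rules that can never match because an earlier rule on the same
    interface already covers their whole source network."""
    nets = [ipaddress.ip_network(r["source"]) for r in rules]
    shadowed = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if rules[j]["iface"] == rule["iface"] and nets[j].supernet_of(nets[i]):
                shadowed.append(i)
                break
    return shadowed


def forward(src_ip, loss_by_link):
    """Route a LAN2 packet through the failover pool and apply outbound NAT on the
    tunnel interface it leaves on, so the reply returns over the same tunnel."""
    link = pool_gateway(loss_by_link)
    if link is None:
        return None
    return {
        "via": link,
        "gateway": TUNNELS[link]["gateway"],
        "translated_src": outbound_nat(NAT_RULES, link, src_ip),
    }


if __name__ == "__main__":
    print(forward("192.168.2.10", {"ovpnc1": 0.0, "ovpnc2": 0.0}))    # via ovpnc1
    print(forward("192.168.2.10", {"ovpnc1": 50.0, "ovpnc2": 0.0}))   # via ovpnc2
    bad_order = [{"iface": "ovpnc2", "source": "0.0.0.0/0", "nat_addr": "x"}] + NAT_RULES
    print(shadowed_rules(bad_order))  # the specific ovpnc2 rule is unreachable
```

The `shadowed_rules` check is the part to run before saving a manual outbound NAT rule set: a catch-all rule placed above the per-tunnel rules silently wins for every packet, which is exactly the "first catch, rest never considered" behaviour the reply warns about.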


  • We don't need two links or load balancing for the VPN link. I just want to be able to tell the OpenVPN client service to use our other internet connection. This would be something I would change by hand when needed. As one of our connections is way faster than the other, I only need this when the main connection is having issues.



  • OK.
    In this case a simple command in the "custom options" field is sufficient.
    Assuming you're using a PSK site-to-site setup:
    route x.x.x.x 255.255.255.255 y.y.y.y;
    where x.x.x.x is the IP of the server you connect to and y.y.y.y is the gateway of the second WAN.
    This dynamically adds a static route to the routing table when the link comes up, and removes it again when the link goes down.
    Alternatively you could add a static route by hand under System --> Static routes.
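Why the host route works, as an added example that is not code from the thread or from pfSense: the OpenVPN client process on the firewall is resolved by the kernel routing table with longest-prefix match, so a /32 entry for the server via the OPT1 gateway beats the default route via WAN without touching any gateway group. The server IP and gateway addresses below are constructed documentation-range values, not the ones from the thread; the helper also renders the same values as the `route` custom-options line from the reply above.

```python
import ipaddress

# Constructed example addresses (RFC 5737 documentation ranges), not the thread's.
VPN_SERVER = "203.0.113.226"   # x.x.x.x in the reply
WAN_GW = "198.51.100.1"        # default gateway on WAN (PPPoE side)
OPT1_GW = "192.0.2.1"          # y.y.y.y in the reply: gateway of the second WAN


class RoutingTable:
    """Minimal longest-prefix-match table modelling how the host itself picks a
    next hop. Gateway groups / failover pools are policy routing applied by
    firewall rules to forwarded traffic; locally generated traffic such as the
    OpenVPN client never consults them, only this table."""

    def __init__(self):
        self.routes = {}  # ip_network -> (gateway or None for connected, interface)

    def add(self, prefix, gateway, iface):
        self.routes[ipaddress.ip_network(prefix)] = (gateway, iface)

    def delete(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, hop in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else None


def build_table(pin_vpn_to_opt1):
    """Default route via WAN plus the two connected networks; optionally the /32
    host route that the OpenVPN 'route' directive or a static route installs."""
    rt = RoutingTable()
    rt.add("0.0.0.0/0", WAN_GW, "wan")
    rt.add("198.51.100.0/24", None, "wan")
    rt.add("192.0.2.0/24", None, "opt1")
    if pin_vpn_to_opt1:
        rt.add(f"{VPN_SERVER}/32", OPT1_GW, "opt1")
    return rt


def openvpn_route_option(server_ip, gateway):
    """Render the custom-options line from the reply for the given values,
    validating both addresses first."""
    ipaddress.ip_address(server_ip)
    ipaddress.ip_address(gateway)
    return f"route {server_ip} 255.255.255.255 {gateway};"


def next_hop_for_vpn(pin_vpn_to_opt1):
    """Which gateway/interface the OpenVPN client traffic actually leaves on."""
    return build_table(pin_vpn_to_opt1).lookup(VPN_SERVER)


if __name__ == "__main__":
    print("without host route:", next_hop_for_vpn(False))  # WAN default gateway
    print("with host route:   ", next_hop_for_vpn(True))   # OPT1 gateway
    print(openvpn_route_option(VPN_SERVER, OPT1_GW))
```

Note that pinning the /32 only moves the tunnel endpoint traffic; other destinations still follow the default route, and when the link drops the directive-installed route is withdrawn, which is why the reply suggests a manual static route for the hand-switched case.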



  • Static route did that trick; thanks guys.



  • So this works now as you want?
    With the method I described, it would fail over automatically whenever you experience high packet loss ;)



  • Yep, I was able to test it after my office closed today. Just popping the static route in when I need it works for me.

