Netgate Discussion Forum

    OpenVPN and Multi-WAN

    2.0-RC Snapshot Feedback and Problems - RETIRED

    • Boolah

      2.0-RC2 (amd64)
      built on Fri May 20 12:38:57 EDT 2011

      I have multi-WAN set up and working properly. In fact, my primary (WAN) connection is currently down (and therefore, why I'm noticing this now).  None of my OpenVPN clients seem to have failed over to the backup Internet connection like the rest of the traffic has.  I thought I might have some stale OpenVPN connections and that's why the tunnels weren't coming back up, but I don't see any stale connections.  I even manually restarted the OpenVPN clients and they're still not connecting.

      I have the OpenVPN clients set to use "any" interface.  If I change this to the secondary WAN interface (the interface that is currently up), the tunnels connect without issue.  When I change it back to the "any" interface, the tunnels do not connect.  In the context of OpenVPN, is the "any" interface equivalent to the primary WAN?  Is there a more graceful way to handle multi-WAN failover with OpenVPN clients?

        • Nachtfalke

        For me it is not clear whether the clients are on the LAN interface behind the pfSense or on the WAN side.
        Is the pfSense the OpenVPN server, or is pfSense the client?
        Perhaps you can show us your network structure in a picture.

        In the client config you can use:

        remote-random
        remote 1.2.3.4 1194
        remote 2.3.4.5 1194

        So the client will use both IPs in random mode - if one IP isn't available, it will use the other after a timeout.

          • Boolah

          pfSense is the OpenVPN client.  There are a total of 12 OpenVPN clients and the OpenVPN servers are all remote to pfSense.  Regular traffic (HTTP, FTP, SSH, etc.) from LAN workstations automatically failed over to use the 2nd WAN connection, but none of the OpenVPN clients (which are running on pfSense itself) failed over to the 2nd WAN connection until I manually changed the interface defined in each OpenVPN client config to use the 2nd WAN interface instead of the "any" interface.

          The same thing appears to happen for traffic that is generated by pfSense itself.  For example, pfSense fails to connect to snapshots.pfsense.org to check for updates when the primary WAN is down.  If I manually change the default gateway on pfSense from the primary WAN to the 2nd WAN interface everything, obviously, works - pfSense can reach snapshots.pfsense.org, all traffic from the LAN goes where it needs to go and all the OpenVPN clients connect to their respective servers.

          It seems that when the primary WAN goes down, traffic which originates on the pfSense machine is not affected by the defined gateway groups.

            • heper

            You could try to use floating rules to redirect VPN traffic going out on WAN1 to go out on WAN2.
