Elaborate dual-WAN set-up with site2site openVPN



  • Hi have an idea for our pfSense router and was wondering if it's possible and how to configure it. Here goes.

    We have two locations at work, our office and data center. I have two identical pfSense appliances with 6 interfaces. At the office, we have two internet connections, a primary and a fall-back one. The router we have now can successfully switch to the second line whenever the primary fails, but VPN doesn't go with it automatically (limitation of the router software). So we got pfSense instead which doesn't have this limitation.
    Since the backup internet connection isn't charged extra when used, I would like to have a more advanced configuration with it, using load balancing. The way it works is that we can use it as fail-over as well, whenever one line goes down, it will be removed from the load balancing pool. Easy enough.

    Now it gets interesting. I would like to create a site-to-site connection to the other pfSense router that has only one internet connection at our data center. The office side will be the client, the other the server. I've found http://forum.pfsense.org/index.php?topic=32603.0 for automatic fail-over for OpenVPN when using fail-over multi-WAN solution. It's a bit odd and it doesn't allow cable pulling to simulate internet failure, which is a bit problematic in case we need to reboot the modem (link will be down for a short time, until the modem initializes it's LAN again) and changing/rebooting switches isn't possible either (requires LAN connectivity).
    Sure, once everything is up and running, we won't be pulling those cables often, so I can live with it. But the device rebooting is something that is required sometimes and would like to avoid downtime of the VPN during such reboot.

    The thing I'm most interested in, is not how to avoid the above scenario, but to combine both internet connections for VPN for higher bandwidth. Is this possible, and how would I configure this? The office side will connect to the VPN server over both WAN connections, but I fear routing issues and inside network conflicts.
    If it's not possible, is there a cleaner solution to the fail-over scenario in the topic I linked? Whenever the primary internet fails, I want to have the users to not notice it, or as little as possible.

    Let me know if something isn't clear and I'll try to explain it better.


Log in to reply