OpenVPN as a backup link



  • Hi all!
    I have pfsense with 3 interfaces - LAN, WAN (default) and OPT1 , where WAN - link to internet, OPT1 is corporate link (static address) with our 29 filials. And all is well, but sometimes OPT1 link is down and in this case
    I'm set up Openvpn on my pfsense. OpenVPN service is worked good. When OPT1 link is down , I manually added or uncomment the line route 10.x.x.x; in OpenVPN: Server: Advanced configuration: Advanced on my pfsense , where 10.x.x.x; - client network address. But i don't want do it manually and I can't do it not manually :( because when this line is not uncomment in configuration - this route to client network is becomes the main route but OPT1 link is worked fine in this time. I need that a route with OpenVPN connection would be a minor route (and of course I'm add a static route to the client network with OPT1 gateway by default).

    I try add metric to the route\interface but (sic!) FreeBSD doesn't have the possibility of adding a metric.

    I just want that the OpenVPN link (as second gateway) and default gateway (OPT1 in my case) worked simultaneously w\o the problems.
    Please help. Thx.

    P.s. Sorry for my English.



  • Hello,

    Have you considered using QuaggaOSPF to achieve the fail over?

    That would be a good solution if you:

    1. Run OSPF on your switches
    2. Do not need Layer2 communication between your switches (ie running 802.1q between your switches)

    There probably is a way to do the layer 2 links but I ran out of time to figure it out.

    Fred



  • OSPF is indeed the best solution for that. It can also be hacked in using gateway groups with proper monitor IPs that'll detect the connection status, but that gets ugly in comparison.



  • Thx for your help, guys!
    Can I used OSPF when on the second end of the tunnel is w2k-server as OpenVPN-client? Is that will be work? And where I can find good manuals for OSPF on Win?



  • On the end with the server you will have a easier time if you can put a pfsense box on that end between the server and the redundant connections. Remember pfSense will run very nicely on a old computer, so you may have a suitable box lying around or in the recycle pile.



  • Windows won't do OSPF so that's not an option. You need a proper router to do failover, you'll really have to move the OpenVPN off the Windows server to do that properly.


Log in to reply