OpenVPN in load balancing/failover scenario



  • Hi all,
    I'm sorry for asking perhaps something already discussed, but I haven't found any previous post with a similar case.

    So, this is the case:
    pfSense 2.01 with
    LAN as private network
    WAN1 interfaced with HDSL, having a public IP
    WAN2 interfaced to a Wi-Fi router (Mikrotik), having a private NATted IP
    Failover / Load Balancing is active on both WANs in the outgoing direction.
    DNS forwarder & DHCP server active on pfS
    Inside the LAN there's a mail server and several other services active on specific standard ports, which have to be forwarded via pfS.

    Requirements:
    In order to have full redundancy I've thought of acquiring a VPN-service-provided public IP, to be assigned to WAN2.
    This is in order to have a second public IP where several services are working, first of all a second MX record for mail server failover features.
    I need to see the new public IP obtained via VPN like a third WAN, where all port forwarding for all services has to be set.

    In that way, if the HDSL link goes down, all services will still be reachable via the VPN / WAN2 link, even though WAN2 is a private/NATted connection.
    Also, if the WAN2 link goes down, the VPN can be activated via WAN1, and again all services are available on both public IPs.
    As the third case, if the VPN provider goes down, the HDSL public IP remains active, so at least on one of the two public IPs, services are on.

    Do you think it is possible? How can I manage the VPN as a WAN3? Does anyone have any other suggestion?

    Many thanks to all.



  • In that way, if the HDSL link goes down, all services will still be reachable via the VPN / WAN2 link, even though WAN2 is a private/NATted connection.

    yes probably

    Also, if the WAN2 link goes down, the VPN can be activated via WAN1, and again all services are available on both public IPs.

    this might be a little tricky … there is, to my knowledge, no way to "activate" an OpenVPN connection upon failure.

    two things that might be worth a shot:
    - run the OpenVPN client (pfSense) on a virtual IP on the LAN interface and use a failover group to decide what WAN interface the client should use to connect to the server <-- perhaps someone has done this already
    - perhaps the VPN provider is willing to offer 2 separate OpenVPN connections, attached to the same public IP?

    Do you think it is possible? How can I manage the VPN as a WAN3? Does anyone have any other suggestion?

    most of it yes, some details are a maybe. Assign an interface to OpenVPN (Interfaces –> Assign). Lots of folks will probably have suggestions about the details :)
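As an added example (not from this thread, and not what the pfSense GUI generates), one way to express the "try the other WAN" idea on the OpenVPN client side: two connection profiles to the same provider endpoint, each bound to one WAN address, so that when the tunnel over one path drops and keepalive expires, OpenVPN retries over the other. The provider hostname, the WAN addresses and the certificate file names are assumptions, and the firewall must actually route traffic sourced from each WAN address out that WAN for the second profile to carry traffic.

```conf
# Added example, not the page's own configuration.
# Assumed values: vpn.example-provider.net (provider endpoint),
# 203.0.113.10 (WAN1 public address), 192.168.88.2 (WAN2 address behind the Mikrotik).
client
dev tun
remote-cert-tls server      # refuse a peer that presents a client certificate as the server
ca ca.crt
cert client.crt
key client.key
persist-key
persist-tun
keepalive 10 60             # ping every 10 s; restart after 60 s of silence, which moves to the next profile
verb 3

# Profiles are tried in order; on a failed or dropped connection OpenVPN advances to the next one.
<connection>
remote vpn.example-provider.net 1194 udp
local 203.0.113.10          # source the tunnel from the HDSL (WAN1) address
connect-retry 5
connect-timeout 20
</connection>

<connection>
remote vpn.example-provider.net 1194 udp
local 192.168.88.2          # source the tunnel from the Wi-Fi (WAN2) address
connect-retry 5
connect-timeout 20
</connection>
```

The OpenVPN log (verb 3) shows which profile is active, which is the quickest way to confirm that the tunnel really moved when one WAN was unplugged.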

