Site to Site OpenVPN WAN Failover



  • Hello,

We are about to create a Site to Site OpenVPN between two sites (main and branch). At the main site, pfSense is running on a PC and we are about to put an Alix box in the branch (cost issues).

    We need the branch to have two IP phones connected to our IP phone center and 3 machines connected to an SQL server.

    We are doing this now via WAN and firewall rules in the main pfSense to allow connection only from the branch site's WAN IP.

    We need to have some kind of failover to this scenario. In the main site we have 3 WAN gateways. Is it possible to create a site-to-site OpenVPN that can keep the link up if the main WAN fails?

    Best regards

    Kostas



• I find it easier to set up multiple OpenVPN tunnels to the same site and then use gateway groups or Quagga OSPF to do the routing.



  • Thank you,

    You mean one tunnel per WAN, and create failover group for OpenVPN?

If it were, maybe it's easier for me than Quagga, though I would love a tutorial.

    Best regards

    Kostas



• The other way is to have the main office OpenVPN site-to-site server listening on LAN, then port forward a port on each WAN to LAN. Then 1 server is listening for connections coming in on any of the WANs.
    The client can have extra "remote" lines in the advanced box, so it will try each remote WAN in turn until something connects. Like this post http://forum.pfsense.org/index.php/topic,49033.0.html
    But that does not automatically fail back - if you want to always prefer WAN1 when it comes back up.
    On 2.1 there is an option to specify a gateway group for the OpenVPN server to listen on - that should allow it to be listening on the highest priority WAN that is up.
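As an added configuration example (not from this thread or from pfSense itself), these are the OpenVPN directives behind the approach described in this post: one server bound to the main-office LAN address and reached through a port forward on each WAN, and a branch client that lists one `remote` per WAN. All addresses and the LAN/tunnel networks are placeholders chosen for the example.

```conf
# ===== Branch office: OpenVPN client =====
# In the pfSense GUI these lines go in the client's "Custom options" box,
# separated by semicolons on a single line; shown one per line here.
# Placeholder addresses: 203.0.113.10, 198.51.100.20, 192.0.2.30 stand in
# for the main office's WAN1, WAN2 and WAN3 public IPs.

# One "remote" per main-office WAN, most preferred first. Without
# "remote-random", OpenVPN tries them top to bottom until one answers.
remote 203.0.113.10 1194 udp
remote 198.51.100.20 1194 udp
remote 192.0.2.30 1194 udp

# Wait at most 15 s for a remote to answer before moving to the next,
# and pause 5 s between passes over the list.
server-poll-timeout 15
connect-retry 5

# Detect a WAN that dies underneath an established tunnel: ping every
# 10 s and restart the tunnel (reconnecting via the remote list) after
# 60 s of silence. Without this the client can sit on a dead link.
keepalive 10 60
persist-tun
persist-key

# Caveat, as noted above: nothing here prefers WAN1 again once it
# recovers; the client stays on whichever remote is currently working.

# ===== Main office: OpenVPN server =====
# Equivalent of choosing LAN as the server's interface and port 1194
# (placeholder LAN address 10.0.0.1). A NAT port forward on each of
# WAN1, WAN2 and WAN3 (udp/1194 -> 10.0.0.1:1194) delivers the branch's
# packets to this single listener; the firewall rule created with each
# port forward only needs to allow udp/1194 from the branch's WAN IP.
local 10.0.0.1
port 1194
proto udp
dev tun
keepalive 10 60
persist-tun
persist-key
```

The "Local Network" and "Remote Network" boxes in the pfSense GUI still supply the site-to-site routes, as the later replies in this thread point out.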



  • @costasppc:

    Thank you,

    You mean one tunnel per WAN, and create failover group for OpenVPN?

If it were, maybe it's easier for me than Quagga, though I would love a tutorial.

    Best regards

    Kostas

Yes, I mean 1 tunnel per WAN. (You'd need to create interfaces for your OpenVPN connections.)
    If you haven't worked with Quagga it might be a little hassle, but the advantages are huge if you plan to increase the number of sites in the future.

    Also consider phil.davis' option; I haven't tried it myself, but I'm sure it's a viable alternative.



  • Thank you all,

    I will try to implement this without quagga at this time. What interfaces shall I create?

    Best

    Kostas



• When creating interfaces you can select ovpnc1, 2, 3, … (if you fill in a proper description in your OpenVPN config it'll show up as well).

    Set type: none



  • If you are not using Quagga, then IMHO you will not need to create interfaces for the OpenVPN server or client. Just filling in the local network and remote network boxes in the OpenVPN GUI will make the ordinary routes to/from main and branch office. On the OpenVPN firewall rules tab you can specify rules to allow whatever traffic you like.



• Quagga does not need interfaces (anymore) either. I just prefer it that way because then you have a separate firewall tab for each VPN connection.

    For me that makes it easier to visualize what I'm trying to do :)

