Is this diagram possible with OpenVPN ? Several links to each router



  • Hi.

    I have been reading posts regarding something similar but they are really outdated, and nobody really mentions how things are done in the new version of pfsense.

    If somebody has time to take a look at this diagram, is this possible with pfsense + openvpn ? Would you have to use OSPF i'm assuming ?

    Also forgot to mention. The requirement would be that if Link from Site A to Site B is down, however, site B can talk to Site C and Site C can talk to Site A, would be nice if the system was able to figure that out a route thru another site to get to the destination.



  • Yes, you can setup a full mesh of site-to-site OpenVPN links.
    Yes, you can make each link find its connection at the other end via either WAN1 or WAN2 (e.g. client end goes out WAN1 if up, but goes out WAN2 if WAN1 is down, and server end has listen ports on WAN1 and WAN2 both forwarded through to where it is listening (e.g. on LAN IP).
    No, you can't make a single site-to-site connection run in parallel over both WAN pairs to increase effective bandwidth (there is no "MLPPP"-style functionality built-in). (You didn't ask that, but I thought I would say it anyway!)

    This will make static routes that tell each pfSense which other remote LAN subnets are reached across which OpenVPN links.

    Because the OpenVPN links are soft-links (not actual cables) they don't "fail" in the way cables and switches… do. If the OpenVPN link is down from SiteA to SiteB that means that either SiteA or SiteB has both WANs down. In that case, SiteC will also not be able to connect to both of SiteA and SiteB. So an alternate path via SiteC will not exist. Assuming this is the way the real-life failure modes can happen, then there is no need/use for a routing protocol (OSPF).

    But you can use OSPF and I believe it will try to learn other routes - I haven't done that myself, I rely on the multi-WAN failover features to keep each OpenVPN site-to-site up as much as possible.



  • Thanks for the response, phil.davis

    I guess the reason i want to use OSPF is to assign a "metric" to each WAN connection, so that the VPN tunnel doesn't try to connect via slower WAN2 when wan1 is available ( not 100% sure how failover works in pfsense ) and sometimes ISPs will mess up their routers, so you can ping one site but not the other from one location, but all sites have WAN links up… i'm guessing OSPF can provide route via other sites ?



  • The selection of WAN1 or WAN2 in priority order is done in pfSense by making a gateway group with the required WANs listed in priority order, then telling the OpenVPN server/client to use that gateway group as its "interface". pfSense does the rest underneath to bind the OpenVPN to the "best" WANin the gateway group as conditions change. So you don't need OSPF for that.
    What you say about ISPs and reach-ability is true, and that is a failure mode that could benefit from having OSPF. I have had times when SiteA cannot reach SiteB, but SiteA can reach SiteC and SiteC can reach SiteB, so there is a possible path. So yes, OSPF should learn and route around that.