Current Best Method for Multiwan OpenVPN Server



  • I've done a fair amount of research on the topic, but much of what I was finding was from before gateway groups were fully supported and it seems that is the smoother way to do it?  What is currently the best method for a Multiwan Load balanced server with clients that have only one WAN?  Port forwarding to LAN?  Gateway groups?  Other?

    Thank you for your advice.



  • If you want it "random load-balanced" across multiple WANs, then port forward the OpenVPN listening port from each WAN to the LAN IP, and have the OpenVPN server listen there. Then have a (dynamic if you your public IPs are not static) DNS name for the OpenVPN service on each WAN. When you give out client packages, have them with multiple "remote" lines their config, so they try each WAN public IP in turnand get spread "kind of randomly" across the WANs.

    If you want just a primary public address where all clients connect, but failover to a backup WAN, then have a gateway group with the primary WAN as tier 1, other/s as tier 2, 3… Make OpenVN server listen on the gateway group. Also have a dynamic DNS name that is off the gateway group, so the name changes as WANs go down/up. Then make the clients use that dynamic DNS name to connect.



  • Thank you, option 2 as a failover is what I'm looking for.  I'll pursue this method.



  • Ok, I've setup a Failover GW group with both of my WANs in it, set one to Tier 1 and the other to Tier 2.  OpenVPN is set to the Failover GW and I have configured a FreeDNS service that seems to be working as well as it can.  I'm not sure where to start with the issues I'm having.

    First, after disabling the Tier 1 WAN, the Cached IP on the Dynamic DNS page still shows the IP of the disconnected WAN in Red.  Even after 10-15 minutes it still doesn't update.  I went in and did a Save and Force Update.  This seems to make things work, the IP changes and turns Green but OpenVPN doesn't restart to start listening on the Secondary, Tier 2 WAN.  Are either of those things expected behavior?

    Then, I enabled the Tier 1 WAN port again and I ended up having to restart the apinger service to get it to realize the GW was back up.  Again, the cached IP stays red on the old one and I had to force update again.  OpenVPN also doesn't switch back to the Tier 1 GW Wan, even restarting the service doesn't do it, so now my Dynamic DNS is pointing to the Primary again, but OpenVPN is still listening on the Backup.

    There seems to be a number of things working against me here and I'm not sure what to tackle first.



  • In 2.1 there were some bugs with rewriting and restarting the necessary OpenVPN servers on GWG state changes, but I believe those are all fixed in 2.1.1 and 2.1.2. Those things fail over OK for me.
    Are you running 2.1.2?



  • Yes, it was a fresh install from 2.1.1 and Updated to 2.1.2.



  • Here is another oddity about the Cached IP.  I have a /29 Private WAN block being routed through a /30 IP from my ISP.  The cached ip shows up as the correct address from my /29 Block, but the address that gets pushed to the Dynamic DNS is the /30 IP.  I understand this is a routing issue on my edge router, but it still seems it should push the cached IP and not the IP that's detected from say, going to whatsmyip_dot_com.



  • So you have an address from the /30 on the WAN interface of your pfSense system? If that's the case then you shouldn't tell the dynamic DNS updater to use the WAN address. Isn't the /29 block given to you a static block of addresses anyway? Why do you need a dynamic DNS updater on your system?



  • The /30 address is assigned to my Edge router, a static IP from my /29 is assigned to WAN1 of my pfSense Firewall/OpenVPN server.  I'm using dynamic DNS with a gateway group so OpenVPN can failover from WAN1 Static IP to WAN2 Static IP if WAN1 goes down.

    eth1 on edge router plugs directly into my ISP and has address of 50.xx.xx.30/30
    eth2 has my /29 block on it and plugs into a switch which plugs into my WAN1 port of pfSense.



  • Ok, everything seems to be working splendidly now.  Not sure what I did other than disable NAT on my edge router.  It does take a couple minutes for the DNS to propagate out though, as expected.  I'm guessing there is not way to reduce that.  Thanks again for your advice.  :D