OpenVPN Server WAN Failover Using GW Group Question



  • I currently have a NAT forward on each WAN connection (WAN1, WAN2) to OpenVPN that is listening on LAN.
    Each remote OpenVPN client has advanced option: remote <ip><port>; to accommodate a failover WAN1 connection on the server.

    Problem is that OpenVPN clients will connect to the slower WAN2 connection and stay there when there is a hiccup on WAN1 or even something like a restart on the OpenVPN server. Thats fine if the main WAN1 goes down, but after WAN1 it comes back online it would be great if the clients could reconnect to WAN1, the faster connection.

    I would simply like to know if setting OpenVPN server to listen on a GW group (WAN1 = tier1 and WAN2 = tier2) would alleviate this issue or possibly cause some other issues. Would this setup be ok for production? Thanks!

    BTW, I have searched the forum to no avail, but I apologize if I have missed something.</port></ip>



  • Had to wait until after hours to give this a try, and no dice.

    The client would connect to the server using WAN1 (tier1) address, then when I would pull the cable on WAN1 the client would disconnect, but never connect back to WAN2 at all… then after I would reconnect WAN1, the client would remain disconnected. I can see the client trying to connect to both IP addresses in the logs, but there is no answer from the OpenVPN Server. Soooo, either I am doing something wrong, or I suspect that the GW Group is not functioning properly in conjunction with the OpenVPN server.

    Anyone get OpenVPN to failover on the server side with OpenVPN listening on a gateway group???

    Everything else works quite well and I LOVE pfSense, but this is my last obstacle. Help would be greatly appreciated. Thanks.



  • As usual, the reason I could not get a pfSense feature working was an oversight on my part. I discovered and fixed the problem and now its working just fine. I had a 1 to 1 NAT on the secondary WAN's primary address that took over after I removed the port forward that was redirecting the OpenVPN port to where it was listening on my LAN. After moving that port forward to another virtual IP, everything works as designed. OpenVPN is now listening on my WAN Group. Failover to tier 2 and recovery to tier 1 now works flawlessly.