OpenVPN as backup link to point-to-point WAN

  • Just want to ask if this is possible… crude illustration below:

    office 1 LAN
    pfsense --------+
        |           |
        |           |
        |WAN        | openvpn
        |           |
        |           |
    pfsense --------+
    office 2 LAN

    The pfSense box in office 1 has 2 DSL connections and we are able to use the gateway groups and firewall rules to redirect internet traffic from the primary DSL connection to the next if the primary goes down. Would it be possible to have something like that for traffic between office 1 and office 2, using site-to-site OpenVPN as the backup if the WAN goes down?


  • If you want the OpenVPN to fail-over to another WAN then:
    a) Make a gateway group at server and client end with the WANs on appropriate tiers as you want the failover to be.
    b) At the server end have a dynamic DNS name that is set based on the gateway group
    c) Make the OpenVPN server/client listen on the gateway group
    d) Make the client connect to the dynamic DNS name as the destination

    Now the server will be listening on whatever WAN is up, the client will go out whatever WAN is up and connect to where the server is listening.

  • Hi Phil,

    Thanks for the reply. The WAN link between the two sites is actually a VPN connection from a service provider, so I'm not keen on having the OpenVPN traffic go through it. It does not go offline that often, but when it does, it takes time to restore, as one office is in a building where the admin requires a lot of paperwork just to allow the contractor to restore the facility.

  • I think it should be able to work. Essentially you have 2 links that can reach the same remote office subnet(s). Let's call them Link1 (WAN in your diagram) and Link2 (OpenVPN in your diagram). In your case, Link1 happens to be a "leased VPN circuit" and Link2 is an OpenVPN secure site-to-site connection across the public internet. Each link has an IP address at each end, just like if there was a real cable with 2 ends.

    At Office 1:
    a) Make 2 gateways, to Office2 Link1 IP and Office2 Link2 IP.
    b) Make a gateway group with those 2 gateways, Link1 tier 1, Link2 tier 2. Let's call it Office2GWG
    c) On LAN put a policy-routing rule to pass traffic, source pfSense1 LAN, destination pfSense2 LAN, Gateway: Office2GWG
    d) Do not put these as the actual gateway on any interface - they are not gateways to the general public internet.

    The gateways will be monitored by default by pinging the other end. If Link1 goes down, the traffic directed to Office2GWG should be sent down Link2.

    Do similar at Office2 pointing towards Office1.

    Put rules on Link1 and Link2 interfaces at each end to allow the desired traffic.

    I think this should work - but it really needs a lab test to see if there are any gotchas.

  • Can you point me to where I can do step (a)? I tried creating one in System-Routing-Gateways but the only options there are physical ports… the OpenVPN port is not there... am I looking in the wrong place?

  • You need to go to Interfaces->Assign and assign an interface to the OpenVPN. Then enable it, but leave the IPv4 and IPv6 configuration type = none. OpenVPN does its own thing with the tunnel addresses based on the OpenVPN settings.

    Then there will be an interface to select for the gateway and…

  • Got it… will post again when testing is complete... applications that will pass through the connection are RDP and FTP.

  • Hi,

    Link1 is down so I had the chance to do some quick tests while my users were on lunch break… here's what I did...

    On office1 pfSense:

    1. checked routing table... route to office2 via link1 was there
    2. disabled static route to the office2 network
    3. checked routing table, no more route to office2 network
    4. enabled the site-to-site openvpn connection (connection is off while link1 is up)
    5. checked routing table, route to office2 network via site-to-site openvpn found

    On office2 pfSense:

    1. checked routing table... route to office1 via link1 was there
    2. disabled static route to office1 network
    3. checked routing table...  no more route to office1 network
    4. enabled site-to-site openvpn, pfsense able to connect
    5. checked routing table... route to office1 network via site-to-site openvpn was there
    6. workstations able to connect to office1 servers
    7. created interface for openvpn connection (ovpn), system created gateway (ovpn_vpn4)
    8. created gateway group ToHO with link1 as tier2 and link2 as tier2
    9. checked the routing table, no route to office1 found
    10. workstations unable to connect to office1 servers

    Users back from lunch break... undid changes in steps 7-10, users able to connect to office1 network again.

    Shouldn't a route be created after step 8? I tried changing the tiering (link1 as tier2 and link2 as tier1), but still no route was created in the routing table. Any ideas?


  • Was able to set up a lab environment with only the site-to-site OpenVPN connection and here's what I've done so far:

    1. created site-to-site vpn for lab pfsense on office1 pfsense
    2. enabled site-to-site vpn for both machines and connection was successfully established
    3. created interface on both machines using the OpenVPN link as the NIC
    4. created static route to lab lan on office1 pfsense
    5. created static route to office1 lan on lab pfsense
    6. workstations on lab network able to access office1 lan hosts and vice versa
    7. disabled static route to office1 lan on lab pfsense and created a gateway group ToHO with the gateway of the interface created in step 3 for the office1 pfsense as tier 1.
    8. created firewall rule on lan port of lab pfsense to use the ToHO gateway group for any traffic to office1 lan
    9. workstations on lab pfsense lan still able to access office1 hosts.
    10. disabled static route to lab lan on office1 pfsense and created a gateway group ToHO with the gateway of the interface created in step 3 for the lab pfsense as tier 1.
    11. created a firewall rule on lan port of office1 pfsense to use the ToHO gateway group for any traffic to the lab lan
    12. workstations on office1 lan no longer able to connect to lab network hosts and vice versa
    13. disabled firewall rule on office1 pfsense created in step 11
    14. enabled static route which was disabled in step 10
    15. workstations on lab network able to access the office1 lan hosts again

    Any ideas what could've happened? I tried rebooting both machines but still got the same result.


  • I had a read through all those steps and am struggling to keep it all in my head as I follow each step.
    I guess you are just using the static routes as a test step to confirm traffic can pass, because there will not be any need/reason to have static routes in the final config.
    The policy-routing that happens when you have rules feeding traffic to a gateway (or gateway group) should work as long as the traffic is matching the rule - the policy-routing rule needs to come high enough up on LAN rules so that the traffic is caught by the rule.
    Use traceroute from clients and packet capture at each router and target system to see where the traffic goes (maybe out some unexpected interface) or stops (due to some firewall issue).

    Policy-routing rules do not and are not expected to create static routes. The policy-routing is implemented by pf, which does not give the packets to the ordinary routing table.
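
The following is an added example, not pfSense or pf code, that models the two points made in this thread: Phil's design (a LAN rule that names a gateway group, tier 1 Link1 and tier 2 OpenVPN, at each office) and the statement just above that a policy-routing rule hands matching packets to the chosen gateway without touching the routing table, so only traffic that matches no such rule ever falls back to a static route. The gateway names, the 192.168.1.0/24 and 192.168.2.0/24 subnets, the "dmz" interface and the monitor results are constructed for the illustration; real pfSense decides "up" with its gateway monitor pings and additionally requires pass rules on the Link1/Link2 interfaces.

```python
"""Model of pfSense-style gateway-group policy routing (added example,
not pfSense/pf code).  Names, subnets and monitor states are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Gateway:
    name: str
    up: bool = True          # what the monitor ping to the far end reports


@dataclass
class GatewayGroup:
    name: str
    tiers: dict              # tier number -> list of Gateway; tier 1 preferred

    def pick(self):
        """Lowest-numbered tier that has a live gateway wins; None if all down."""
        for tier in sorted(self.tiers):
            for gw in self.tiers[tier]:
                if gw.up:
                    return gw
        return None


@dataclass
class Rule:
    iface: str               # interface the rule sits on (where traffic enters)
    src: str                 # source network, e.g. "192.168.1.0/24"
    dst: str                 # destination network
    group: GatewayGroup      # policy-routing target


@dataclass
class Router:
    rules: list = field(default_factory=list)
    routes: dict = field(default_factory=dict)   # "net/prefix" -> Gateway (static routes)

    def egress(self, in_iface, src, dst):
        """Return (how, gateway_name) for a packet entering on in_iface.
        A matching rule is consulted first and bypasses the routing table."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.rules:
            if (r.iface == in_iface and s in ipaddress.ip_network(r.src)
                    and d in ipaddress.ip_network(r.dst)):
                gw = r.group.pick()
                return ("policy", gw.name) if gw else ("drop", "all gateways in group down")
        for net, gw in self.routes.items():          # no rule matched: routing table
            if d in ipaddress.ip_network(net):
                return ("route", gw.name)
        return ("drop", "no route")


def build_site(local_net, remote_net, link1_up=True, ovpn_up=True, static_route=False):
    """One office: LAN rule -> gateway group {tier 1: Link1, tier 2: OpenVPN}."""
    link1, ovpn = Gateway("link1", link1_up), Gateway("ovpn", ovpn_up)
    group = GatewayGroup("ToRemote", {1: [link1], 2: [ovpn]})
    router = Router(rules=[Rule("lan", local_net, remote_net, group)])
    if static_route:                                 # only for the "no rule" test below
        router.routes[remote_net] = link1
    return router


def path(o1_link1_up, o2_link1_up=None, ovpn_up=True):
    """Both directions of an office1 LAN <-> office2 LAN flow; each office
    decides from its own monitor result, so the two can disagree."""
    if o2_link1_up is None:
        o2_link1_up = o1_link1_up
    o1 = build_site("192.168.1.0/24", "192.168.2.0/24", o1_link1_up, ovpn_up)
    o2 = build_site("192.168.2.0/24", "192.168.1.0/24", o2_link1_up, ovpn_up)
    fwd = o1.egress("lan", "192.168.1.10", "192.168.2.20")
    rev = o2.egress("lan", "192.168.2.20", "192.168.1.10")
    return fwd, rev


def unmatched_traffic(static_route):
    """Traffic the LAN rule does not catch (here it enters on a constructed
    "dmz" interface) is left to the routing table."""
    o1 = build_site("192.168.1.0/24", "192.168.2.0/24", static_route=static_route)
    return o1.egress("dmz", "172.16.0.5", "192.168.2.20")


if __name__ == "__main__":
    print("link1 up both ends:   ", path(True))
    print("link1 down both ends: ", path(False))
    print("link1 down at office1 only:", path(False, True))
    print("both links down:      ", path(False, False, ovpn_up=False))
    print("unmatched, no static route:", unmatched_traffic(False))
    print("unmatched, static route:   ", unmatched_traffic(True))
```

Two things the model makes visible: a policy-routed flow never appears as a route in the table (which is why no route showed up after creating the gateway group), and each office picks its link from its own monitor, so a monitor that fails at one end only sends the two directions over different links. That asymmetric case is worth provoking deliberately in the lab test Phil asks for, with traceroute from both LANs.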

  • Hi Phil,

    I created the static routes because from the previous test I wondered why no route was created. Anyway, went through your suggestions and what happened in the previous attempts, reset office2 pfSense config, removed the interface bound to the OpenVPN gateway and the static routes on office1 pfSense, then did the following:

    1. enabled site-to-site vpn for both machines and connection was successfully established

    2. created interface on office1 pfsense using the openvpn link as NIC
    3. created gateway group ToLAB on office1 pfsense with the gateway created in step 3 as tier 1
    4. created firewall rule on office1 to divert all traffic for lab network to the ToLAB gateway group

    repeated steps 2-4 on lab pfsense with ToHO as the gateway group

    Office1 now able to access lab network and vice versa…. You were right, no need for static routes. Next test is to simulate the leased VPN circuit then unplug it to test if the failover works.

    Will post as soon as there's progress...

  • Couldn't set up a simulated leased VPN circuit, so I implemented the lab settings in the production environment after office hours… removed the static route from office1 LAN to office2 LAN on the office1 pfSense and everything was still working... until I disabled the static route from office2 LAN to office1 LAN on the office2 pfSense. When I returned the static route, everything worked again (had to connect to one of the office2 terminals via TeamViewer).

    Might have to check out OSPF...

