Policy Routed Multi-WAN OpenVPN?

  • Hello,

    I have a situation where I have many branch offices, each with two WANs, and a central office with only one WAN.  Each branch office needs connectivity with the central office, but not with each other.

    Right now I am running OpenVPN servers at the branch offices, with the OpenVPN server listening on a gateway group.  The VPN is then able to fail over and fail back when an outage occurs.

    I watched the 'Advanced OpenVPN Concepts' hangout - it said there's a way I could run an OpenVPN server on each connection, and use policy routing to load balance the traffic over the WANs.  Is this true?  If so, how?

  • Run 2 OpenVPN site-to-site tunnels (one on each WAN).
    Assign interfaces for both tunnels; automagically it'll create gateways.
    Those gateways can be put in a gateway group -> available for policy routing.

  • OK.

    How would I configure the central office side?  Wouldn't configuring 2 OpenVPNs with the same remote subnet cause a routing conflict on that side?

  • Probably… You could do the same on both ends, but it gets messy really quickly.
    Personally I don't use gateway groups for redundant OpenVPN tunnels. I run quagga-ospf on top of both/all site-to-site VPNs to handle the routes. (You could probably do the same with BGP, but I've never used BGP, and it's probably overkill.)

    Do note that there is (possibly) an issue with the latest quagga package on 2.3.0 (see https://forum.pfsense.org/index.php?topic=111108.0 / the workaround seems to work for me).

  • OK.  I think OSPF does routing, but not load balancing, though.

    So it sounds like the only way to do this would be to create two separate OpenVPNs on both sides (one for each remote branch WAN), then assign interfaces for them on both sides, and then policy route the traffic through the tunnels on both sides.

    I'm thinking that since the traffic would be policy routed on both sides, neither side would have a routing conflict (even though the same subnets are configured on both OpenVPN tunnels).
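The two-tunnels-plus-policy-routing design from the second and last posts, as an added illustration that is not from this thread or from pfSense itself: raw OpenVPN shared-key configs for both ends and the pf rule that pfSense would generate for a LAN rule whose gateway is the gateway group. All addresses, interface names (ovpns1/ovpns2, ovpnc1/ovpnc2) and file paths are assumed.

```conf
# Branch side, tunnel 1: OpenVPN server bound to WAN1 only (assumed addresses)
# /var/etc/openvpn/server1.conf
dev tun
proto udp
local 203.0.113.10          # WAN1 address
port 1194
secret /var/etc/openvpn/server1.secret
ifconfig 10.8.1.1 10.8.1.2  # tunnel 1 endpoints (branch, hub)
# Deliberately no "route 192.168.100.0/24" here: the hub LAN is NOT put in the
# kernel routing table, so the two tunnels never fight over the same route.

# Branch side, tunnel 2: identical, but bound to WAN2 with its own tunnel subnet
# /var/etc/openvpn/server2.conf
dev tun
proto udp
local 198.51.100.10         # WAN2 address
port 1195
secret /var/etc/openvpn/server2.secret
ifconfig 10.8.2.1 10.8.2.2

# Hub side: two client instances, one per branch WAN, again with no "route"
# /var/etc/openvpn/client1.conf
dev tun
proto udp
remote 203.0.113.10 1194
secret /var/etc/openvpn/client1.secret
ifconfig 10.8.1.2 10.8.1.1
# /var/etc/openvpn/client2.conf differs only in:
#   remote 198.51.100.10 1195 / ifconfig 10.8.2.2 10.8.2.1

# pf rule on the branch: hub-bound LAN traffic is handed to the two tunnel
# gateways alternately per new connection. Because no kernel route exists for
# 192.168.100.0/24, route-to is the only path, so there is no conflict.
pass in quick on lan route-to { (ovpns1 10.8.1.2), (ovpns2 10.8.2.2) } round-robin \
    from lan:network to 192.168.100.0/24 keep state
# The hub needs the mirror-image rule over ovpnc1/ovpnc2 toward the branch LAN,
# plus a pass rule on each tunnel interface so replies leave the way they came.
```

Both ends must use distinct tunnel subnets (10.8.1.0/30 and 10.8.2.0/30 above); if a gateway goes down, pf's gateway group removes it from the pool, which is what gives the failover the first post already relies on.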
