OPNsense Forum

English Forums => High availability => Topic started by: DeeGee on March 26, 2022, 01:21:25 pm

Title: Failover with VPN Tunnel
Post by: DeeGee on March 26, 2022, 01:21:25 pm
I've got some local failover using CARP/VIP with my two OPNsenses. Now I'd like to expand this so that the VPN connectivity also fails over. Right now it depends on LocalOpn1 being up. I'm using WireGuard for VPN.

RemotePf1:
LAN IPv4: 192.168.20.1/24
LAN IPv6: 2000:abc:1111::1/64
This machine is also routing the whole 2000:abc::/56

LocalOpn1 (primary):
LAN IPv4: 192.168.5.254/24
LAN IPv6: 2000:abc:2222::254/64

LocalOpn2 (backup):
LAN IPv4: 192.168.5.253/24
LAN IPv6: 2000:abc:2222::253/64

LocalOpn1 gets a /60-net from RemotePf1's /56-net.
I use CARP/VIP on the two locals to assign them 192.168.5.1 and 2000:abc:2222::1
RemotePf1 is the exit node for all IPv6 traffic.

How can I get this two-to-one VPN setup to work?

Title: Re: Failover with VPN Tunnel
Post by: DeeGee on April 23, 2022, 05:16:29 pm
For anyone running into this thread, I ended up using a single tunnel instead of two and turning it off/on using hooks as mentioned by spali and jprenken in https://forum.opnsense.org/index.php?topic=25993.0 and https://gist.github.com/jprenken/18ca7bf14ddae547ae0fdf6f56d72573.
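The approach in the reply above (one WireGuard tunnel that follows the CARP state of the VIP) can be done with a CARP hook script. The following is an added example written for this thread, not the script from the linked gist or anything DeeGee posted. It assumes the OPNsense convention that every executable in /usr/local/etc/rc.syshook.d/carp/ is called with the CARP subsystem that changed ("VHID@interface") as the first argument and the new state (MASTER, BACKUP or INIT) as the second; the VHID value, the log tag and the `configctl wireguard start|stop` command are assumptions and should be checked against the installed plugin. The decision is kept in a function so it can be tested without touching the tunnel:

```shell
#!/bin/sh
# Added example CARP hook (not from the forum post or the linked gist).
# Install as /usr/local/etc/rc.syshook.d/carp/20-wireguard and make it
# executable. OPNsense invokes it as: <script> <vhid>@<ifname> <MASTER|BACKUP|INIT>

# Assumed: VHID of the CARP VIP the tunnel should follow (the VIP that holds
# 192.168.5.1 / 2000:abc:2222::1 in the thread's setup).
WG_VHID="${WG_VHID:-1}"

# Map a CARP transition to the action for the WireGuard service.
# Prints "start" for MASTER and "stop" for BACKUP or INIT; prints nothing and
# returns 1 when the event belongs to another VHID or an unknown state, so the
# tunnel is never toggled by unrelated CARP events.
wg_action_for_carp() {
    subsystem="$1"
    state="$2"
    vhid="${subsystem%%@*}"          # "1@vtnet0" -> "1"
    [ "$vhid" = "$WG_VHID" ] || return 1
    case "$state" in
        MASTER)      echo start ;;
        BACKUP|INIT) echo stop ;;
        *)           return 1 ;;
    esac
}

# Only act when invoked by the CARP hook with both arguments; sourcing the
# file for testing leaves the tunnel alone.
if [ -n "${2:-}" ]; then
    action=$(wg_action_for_carp "$1" "$2") || exit 0
    logger -t wg-carp-hook "CARP $1 -> $2: wireguard $action"
    # Assumed command: the OPNsense WireGuard plugin exposes start/stop via configctl.
    /usr/local/sbin/configctl wireguard "$action"
fi
```

Both nodes get the same script; only the node that becomes MASTER for the chosen VHID brings the tunnel up, and the remote peer then sees the handshake arrive from the shared CARP address. Matching on the VHID matters because a box with several VIPs (IPv4 and IPv6 here) receives a hook call for each one.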