OpenVPN failover, routing issue

Started by alexandre.dulche, March 09, 2020, 01:45:11 PM

March 09, 2020, 01:45:11 PM Last Edit: March 09, 2020, 01:48:57 PM by alexandre.dulche
Hello,

First of all, I've been a pfSense user for over 10 years now and I must say I'm very pleased to have discovered and made the switch to OPNsense. :)

Now to the problem I'm facing.

I'm running OPNsense 20.1.2 inside a VMware VM and using VLANs to access two WAN routers (xDSL + 4G).
When I create a single OpenVPN tunnel to NordVPN using either WAN access, it works.

However I'd like to have some failover to my VPN access.
Unlike pfSense, OPNsense doesn't offer to use a gateway group as the OpenVPN interface.

As a workaround I tried to:
- create two NordVPN tunnels, one using WAN1 and one using WAN2
- create 2 interfaces
- create a gateway group

On paper, it's supposed to work:
- both tunnels are up
- the two OpenVPN tunnels do not overlap (one is 10.8.x.0/24, the other is 10.7.x.0/24)
- I use firewall rules to route the traffic through the gateway group of my choosing
- the routing table looks fine, e.g.:

Proto   Destination    Gateway    Flags   Use   MTU     Netif    Netif (name)
ipv4    10.8.2.0/24    10.8.2.1   UGS     0     1500    ovpnc1   NORDVPN_1
ipv4    10.8.2.1       link#20    UH      0     1500    ovpnc1   NORDVPN_1
ipv4    10.8.2.22      link#20    UHS     0     16384   lo0
ipv4    10.7.1.0/24    10.7.1.1   UGS     0     1500    ovpnc2   NORDVPN_2
ipv4    10.7.1.1       link#21    UH      0     1500    ovpnc2   NORDVPN_2
ipv4    10.7.1.10      link#21    UHS     0     16384   lo0

However routing gets messed up, and both tunnels are unreachable (traceroute KO).
Looks like when the second tunnel goes up it conflicts/breaks the first one.

Any idea what I could be missing?
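A quick check that can be run over a routing table like the one above, added here as an illustration and not part of the original post: it parses rows in the column layout shown (proto, destination, gateway, flags, use, MTU, netif) and reports destinations that two tunnels both claim, plus any overlap between the tunnels' own subnets. The sample rows are constructed; the 0.0.0.0/1 routes are an assumption about what a pushed "redirect-gateway def1" adds, not something the post shows.

```python
"""Check a routing table that carries several OpenVPN client tunnels.
Rows use the column layout from the post; destinations claimed by more than
one gateway/interface are what colliding pushed routes look like."""
import ipaddress
from collections import defaultdict

# Constructed sample: the two tunnel subnets from the post plus a pair of
# 0.0.0.0/1 routes like a pushed "redirect-gateway def1" adds (assumed here).
SAMPLE_ROUTES = """\
ipv4 10.8.2.0/24 10.8.2.1 UGS 0 1500 ovpnc1 NORDVPN_1
ipv4 10.8.2.1 link#20 UH 0 1500 ovpnc1 NORDVPN_1
ipv4 10.7.1.0/24 10.7.1.1 UGS 0 1500 ovpnc2 NORDVPN_2
ipv4 10.7.1.1 link#21 UH 0 1500 ovpnc2 NORDVPN_2
ipv4 0.0.0.0/1 10.8.2.1 UGS 0 1500 ovpnc1 NORDVPN_1
ipv4 0.0.0.0/1 10.7.1.1 UGS 0 1500 ovpnc2 NORDVPN_2
ipv4 128.0.0.0/1 10.8.2.1 UGS 0 1500 ovpnc1 NORDVPN_1
"""

def parse_routes(text):
    """Return (destination network, gateway, netif) for each IPv4 row."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 7 or cols[0] != "ipv4":
            continue  # header line or non-IPv4 row
        routes.append((ipaddress.ip_network(cols[1], strict=False), cols[2], cols[6]))
    return routes

def find_conflicts(routes):
    """Destinations claimed by more than one (gateway, netif) pair."""
    claims = defaultdict(set)
    for dest, gw, netif in routes:
        claims[dest].add((gw, netif))
    return {str(d): sorted(c) for d, c in claims.items() if len(c) > 1}

def tunnel_subnets(routes):
    """Most specific network per netif whose gateway lies inside it (the tunnel's own /24)."""
    subnets = {}
    for dest, gw, netif in routes:
        if dest.prefixlen == 32 or not gw[0].isdigit():
            continue  # host route, or link-level (link#N) gateway
        if ipaddress.ip_address(gw) in dest and (
                netif not in subnets or dest.prefixlen > subnets[netif].prefixlen):
            subnets[netif] = dest
    return subnets

def tunnel_subnets_overlap(routes):
    """True if two tunnel interfaces use overlapping transfer subnets."""
    nets = list(tunnel_subnets(routes).values())
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
```

On the sample, the two /24 tunnel subnets do not overlap, but 0.0.0.0/1 is claimed by both ovpnc1 and ovpnc2, which is the kind of collision worth looking for when the second tunnel comes up.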