VPN with MultiWAN Failover

Started by xalib, June 14, 2020, 08:31:56 PM

I have two WAN connections, of which the second one (only LTE) should work as a failover if the first one fails.
I also have a client-side VPN connection, which should be always active.

Both of these work flawlessly individually, but not together: Once I point the default LAN rule to the Gateway Group, no packets get routed over the VPN connection anymore.

I am not sure about the theoretical foundations here; is it possible with OpenVPN (SSL) to jump between the gateways without re-establishing the connection (is this the roaming that WireGuard is said to support)?

If this is possible, what is there to do to run the VPN connection over the gateway group?

I'm new here, so take what I say with a grain of salt, but to my knowledge it is not possible to do a failover group with VPN. You could, however, have two VPN connections set up in your VPN application, one for the primary connection and the other for the secondary (failover).
If the first doesn't connect, then try the next.

The other problem you may run into is that, unless you have a static IP on both, you will likely need to use something like Dynamic DNS to resolve the new IP that your internet connections have received.

Hopefully that helps somewhat.

Thank you for your response.

I already suspected OpenVPN wouldn't support this. For now I would be happy to get the VPN connection to work with the Gateway Group's main WAN, even if it wouldn't work on the failover connection. That way the failover works in general, even if it doesn't work with the VPN, but the VPN at least works on the main WAN.



I still did not get MultiWAN Failover and VPN to work together (both work on their own, though).

Do I need a special firewall rule or something to at least have the VPN work for the default (= non-failover) connection? The moment I assign the default outbound firewall rule to the gateway group, the VPN packets seem to get dropped somewhere.

I understand the idea of NATing the VPN port to localhost, where the OpenVPN server is bound. But what do I do if I have an OpenVPN client on this side?

Ideally I want to have a VPN connection on both WANs of the gateway group; two parallel VPN connections would be OK too. But at the moment I would be happy to get MultiWAN to work with the VPN even if only on the default gateway...

Since nobody answers, I guess the question is
a) stupid
b) easy to find in the documentation
c) too hard to answer

Please point me to where I can find information regarding this topic. I think I read every piece of information about this problem for pfSense and OPNsense, but maybe I am stupid myself.

OK, I just tested my fail-over VPN and it appears to work on my system.

You'll need to create two VPN instances, one for the LTE and one for your main WAN. Now create a gateway group for those two interfaces. Remember you'll also need to set up and enable gateway monitoring for both VPN gateways; use anything you like, Google DNS, whatever, but they must all be different, and this includes your normal gateways.

I have something extra: I only want to route a couple of PCs through the VPNs, so I have an alias set up with the addresses that I want to use the VPN. It's just called ExpressVPN hosts and contains the IP addresses of the LAN clients that will connect to the internet via the VPN. Under the LAN firewall rules I have a rule for my ExpressVPN hosts that says their gateway will be the gateway group I created for the VPNs.

Finally, under NAT, I am using Hybrid outbound, and I have rules for both VPN interfaces with the source being my ExpressVPN hosts and the NAT address being that of each VPN interface.

And it works. I can unplug either NIC and it fails over to the VPN on the still-connected NIC.

Whether it works for the way you have your VPNs set up I don't know, but it works when using something like ExpressVPN where I run the two clients.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.
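The setup marjohn56 describes has a few preconditions that are easy to get wrong in the GUI: every gateway, VPN and physical, needs monitoring enabled with its own distinct monitor IP (OPNsense installs a host route to the monitor IP via that gateway, so a shared one can only be measured via one of them), the group picks the lowest-tier gateway that is up, and Hybrid outbound NAT needs one rule per VPN interface. The script below is an added example, not OPNsense or ExpressVPN code; the gateway names, interface names, monitor IPs and the pf-style rule strings are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Gateway:
    name: str
    interface: str             # e.g. ovpnc1 for an OpenVPN client instance (constructed)
    monitor_ip: Optional[str]  # None means gateway monitoring is disabled
    tier: int                  # gateway-group tier, lower is preferred
    up: bool = True            # result of the last monitor probe

def check_monitoring(gateways):
    """Return the problems that keep failover from ever triggering: a gateway
    without monitoring can never be marked down, and two gateways probing the
    same monitor IP cannot both own the host route to it."""
    problems, seen = [], {}
    for gw in gateways:
        if gw.monitor_ip is None:
            problems.append(f"{gw.name}: monitoring disabled")
            continue
        if gw.monitor_ip in seen:
            problems.append(f"{gw.name}: monitor IP {gw.monitor_ip} also used by {seen[gw.monitor_ip]}")
        seen[gw.monitor_ip] = gw.name
    return problems

def select_gateway(group):
    """Failover semantics of a gateway group: the lowest tier that is still up."""
    up = [gw for gw in group if gw.up]
    return min(up, key=lambda gw: gw.tier).name if up else None

def outbound_nat_rules(group, alias="ExpressVPN_hosts"):
    """Hybrid outbound NAT: one rule per VPN interface, translating the alias
    hosts to that interface's address (pf syntax, illustrative only)."""
    return [f"nat on {gw.interface} from <{alias}> to any -> ({gw.interface})"
            for gw in group]

# Constructed gateways: the two uplinks plus the two OpenVPN client gateways.
ALL_GATEWAYS = [
    Gateway("WAN_DHCP", "igb0", "8.8.8.8", tier=1),
    Gateway("WAN_LTE", "igb1", "8.8.4.4", tier=2),
    Gateway("VPN_WAN", "ovpnc1", "1.1.1.1", tier=1),
    Gateway("VPN_LTE", "ovpnc2", "9.9.9.9", tier=2),
]
VPN_GROUP = ALL_GATEWAYS[2:]

if __name__ == "__main__":
    print(check_monitoring(ALL_GATEWAYS) or "monitoring OK")
    print("active:", select_gateway(VPN_GROUP))
    VPN_GROUP[0].up = False        # main WAN, and thus its VPN, goes down
    print("after failover:", select_gateway(VPN_GROUP))
    print("\n".join(outbound_nat_rules(VPN_GROUP)))
```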


January 23, 2022, 10:10:56 AM #7 Last Edit: January 23, 2022, 10:29:23 AM by kirostan
Can someone tell me what gateways are in general and what they are for? It's just that I usually use a VPN only to change my IP address and location. I often watch movies on services from all over the world before anyone else, and I use a VPN for these purposes. Usually, I buy discount coupons for the service and use a discounted VPN. You can look at this site if you are also interested in something similar. I've never heard of gateways, and it's written in too complicated a language on Google, so I would like one of you to explain to me what it is in general.

I know this is almost a month past, but gateways are your next-hop router. Basically you tell the firewall "This IP address knows how to get to the internet, so send all traffic here." That's a default gateway. Now let's say you have a subnet 10.42.42.0 that you need to access and your local subnet is 10.42.43.0. You would need a router that has one interface on each subnet. (Those could be physical interfaces like LAN or DSL connections, or they could be a virtual interface like a VPN connection.) That router would be your "gateway" for the 10.42.42.0 subnet.

Quote from: marjohn56 on July 01, 2020, 06:01:30 PM
OK, I just tested my fail-over VPN and it appears to work on my system.

You'll need to create two VPN instances, one for the LTE and one for your main WAN. Now create a gateway group for those two interfaces. Remember you'll also need to set up and enable gateway monitoring for both VPN gateways; use anything you like, Google DNS, whatever, but they must all be different, and this includes your normal gateways.

I have something extra: I only want to route a couple of PCs through the VPNs, so I have an alias set up with the addresses that I want to use the VPN. It's just called ExpressVPN hosts and contains the IP addresses of the LAN clients that will connect to the internet via the VPN. Under the LAN firewall rules I have a rule for my ExpressVPN hosts that says their gateway will be the gateway group I created for the VPNs.

Finally, under NAT, I am using Hybrid outbound, and I have rules for both VPN interfaces with the source being my ExpressVPN hosts and the NAT address being that of each VPN interface.

And it works. I can unplug either NIC and it fails over to the VPN on the still-connected NIC.

Whether it works for the way you have your VPNs set up I don't know, but it works when using something like ExpressVPN where I run the two clients.

Can you not just create a virtual link for the VPN and, once failed over, have the external DDNS able to connect to the VPN?