Second OpenVPN server on different WAN

Started by patrick3000, April 21, 2023, 07:58:54 AM

I have a multi-WAN setup, with a gateway group and failover from the primary WAN to the secondary WAN whenever the primary WAN goes down.

I also have an OpenVPN server set up on the primary WAN so that I can access the network from the public Internet.

I would like to set up a second OpenVPN server on the secondary WAN so that I can access the network over the secondary WAN if the primary WAN goes down while I'm traveling. I tried to do this by simply cloning the existing OpenVPN server and changing the WAN interface and tunnel IP subnet, but it didn't work. I couldn't connect over the second OpenVPN tunnel.

Does anyone know whether I need to create a new certificate of authority for the second OpenVPN server and/or a new certificate of authority for the user? I don't understand why I would need to do so, but it appears that the second OpenVPN server is not working with the existing certificates.

It is not necessary to create a second server; you can simply let your server listen on both interfaces.
Even doing so, you will still not be able to establish a connection via the secondary WAN, as the primary WAN is used due to policy-based routing as long as the primary WAN is up. Only when the primary WAN is down will you be able to connect via the secondary.
That's the way I do it in a similar setup. Clients are configured to connect to the primary WAN first; seconds later they try the fallback DNS for the primary WAN, and again seconds later they try to connect to the secondary WAN.
Works perfectly. :)
i am not an expert... just trying to help...

tiermutter thanks for the recommendation.

In the OpenVPN server configuration menu, there is not an option to choose two specific interfaces, such as "WAN" and "WAN2," but there is an option to choose "any" interface. Is this what you mean? I set the interface to "any," and I was able to connect at least through the primary WAN. (I haven't tested it yet with secondary WAN, but it should work).

On the client side, I will need to somehow set it to fall back to secondary WAN's IP address or URL when the primary WAN is down. You said that there is a way to do this. I don't see how in my client VPN software on the Linux Mint laptop that I use as my client. This is probably beyond the scope of this forum since it's an OpenVPN client configuration issue rather than an OPNsense issue. However, if you have any suggestions about how to configure the client to fall back to the public IP address or URL of the secondary WAN, I'd appreciate it.

As a last resort, this setup will still work because when the primary WAN goes down, which doesn't happen often but does occasionally happen, I can just manually change the IP address in the client software to that of the secondary WAN, which should get me into my network.

Sorry, yes... "any" is what I mean...

On the client side I never tested automatic fallback, but I assume the client will try to reconnect when the connection is lost. Just add multiple "remote IP/DDNS PORT PROTO" lines, each followed by "connect-timeout X", to your config, e.g.
remote yourPRIMARYdomain.com 12345 udp
connect-timeout 5
remote yourSECONDARYdomain.com 12345 udp
connect-timeout 5

This will make the client try to connect to the primary WAN for 5 seconds. If that fails, it tries to connect to the secondary for 5 seconds and then starts again with the primary.
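As an added example for the client-side fallback discussed in the replies above (this is not code from the thread, from OPNsense or from the OpenVPN project), the Python below renders a client profile with one <connection> block per WAN, parses either form (bare "remote"/"connect-timeout" lines or <connection> blocks) back into the order the client will dial, and previews that order. Hostnames, the port and the server CN are constructed placeholders. The point of using <connection> blocks is scope: connect-timeout inside a block applies to that remote only, while at top level it is a global default, so two bare connect-timeout lines do not give two per-remote values (the last one wins). Pinning the server with remote-cert-tls and verify-x509-name on the CN rather than on the address dialled is also why the existing CA and server certificate work via either WAN.

```python
"""Multi-remote OpenVPN client profile: render, parse, and preview the fallback order.

Added example for this thread, not OPNsense or OpenVPN project code.
Hostnames, the port and the server CN are constructed placeholders.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Remote:
    host: str
    port: int = 1194
    proto: str = "udp"
    connect_timeout: int = 5   # seconds OpenVPN waits before trying the next remote


def render_profile(remotes, server_cn="openvpn-server"):
    """Render a client .ovpn with one <connection> block per WAN endpoint.

    remote-random is deliberately not set, so blocks are tried in order:
    primary WAN first, secondary WAN only after the primary times out.
    """
    if not remotes:
        raise ValueError("need at least one remote")
    lines = [
        "client",
        "dev tun",
        "nobind",
        "persist-key",
        "persist-tun",
        "resolv-retry infinite",
        # keep cycling through the <connection> list if every remote fails
        "connect-retry 2 30",
        # pin the server certificate by CN, not by the address we dialled:
        # the same server cert is valid via either WAN, so no second CA is needed
        "remote-cert-tls server",
        f"verify-x509-name {server_cn} name",
        "auth-user-pass",
    ]
    for r in remotes:
        lines += [
            "<connection>",
            f"remote {r.host} {r.port} {r.proto}",
            f"connect-timeout {r.connect_timeout}",   # scoped to this remote only
            "</connection>",
        ]
    # <ca>, <cert> and <key> blocks with the existing PEM material go here
    return "\n".join(lines) + "\n"


_REMOTE = re.compile(r"^remote\s+(\S+)\s+(\d+)(?:\s+(\S+))?$")
_TIMEOUT = re.compile(r"^connect-timeout\s+(\d+)$")


def parse_remotes(profile):
    """Return the remotes in the order the client will try them.

    connect-timeout inside a <connection> block applies to that block only;
    at top level it is the default for every remote without its own value
    (repeated top-level lines just overwrite that default: last one wins).
    """
    default_timeout = 120          # OpenVPN's default when connect-timeout is unset
    entries = []                   # [host, port, proto, timeout_or_None] in file order
    in_block = False
    for raw in profile.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "<connection>":
            in_block = True
            entries.append([None, None, None, None])
            continue
        if line == "</connection>":
            in_block = False
            continue
        m = _REMOTE.match(line)
        if m:
            host, port, proto = m.group(1), int(m.group(2)), m.group(3) or "udp"
            if in_block:
                entries[-1][:3] = [host, port, proto]
            else:
                entries.append([host, port, proto, None])
            continue
        m = _TIMEOUT.match(line)
        if m:
            if in_block:
                entries[-1][3] = int(m.group(1))
            else:
                default_timeout = int(m.group(1))
    return [Remote(h, p, pr, t if t is not None else default_timeout)
            for h, p, pr, t in entries if h is not None]


def attempt_schedule(remotes, cycles=2):
    """Preview the dial order as (host, start_s, give_up_s) when no remote answers,
    ignoring connect-retry back-off: primary for its timeout, then secondary, repeat."""
    t, plan = 0, []
    for _ in range(cycles):
        for r in remotes:
            plan.append((r.host, t, t + r.connect_timeout))
            t += r.connect_timeout
    return plan


# Constructed example endpoints (not from the thread): one DDNS name per WAN.
PRIMARY = Remote("vpn-wan1.example.net", 12345, "udp", 5)
SECONDARY = Remote("vpn-wan2.example.net", 12345, "udp", 5)

# The bare-line form from the reply above, for comparison with <connection> blocks.
FORUM_STYLE = """\
remote yourPRIMARYdomain.com 12345 udp
connect-timeout 5
remote yourSECONDARYdomain.com 12345 udp
connect-timeout 5
"""

if __name__ == "__main__":
    profile = render_profile([PRIMARY, SECONDARY])
    print(profile)
    for host, start, stop in attempt_schedule(parse_remotes(profile)):
        print(f"{start:>3}s-{stop:>3}s  dial {host}")
```

Running it prints the rendered profile followed by the dial preview (primary 0-5 s, secondary 5-10 s, then round again). Paste the existing <ca>/<cert>/<key> material into the rendered profile; the server side only needs to listen on "any", as the reply above says.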