openvpn + multi wan

Started by reechie, September 22, 2025, 03:43:55 PM

Single OPNsense 25.7.3_7-amd64 host (no CARP) with multiple WAN connections

WAN1 and WAN2 are configured in a gateway failover group; WAN1 is the Tier 1 gateway and WAN2 is the Tier 2 gateway.

All the rules on the LAN interface have the gateway set to the 'WAN-GW-Group'.

For VPN traffic, we use WAN2 as the IP that users connect to as the primary for VPN, while WAN1 is the primary for normal outgoing traffic.

I have created a rule in each WAN interface that allows port 1194 and set the gateway to that interface's specific gateway (not the group or default). 

First, is this the correct way to configure the rules?

Second, what is the proper way to configure the OpenVPN instances?  Do I make one instance, or do I make one instance for each WAN interface? 

In my testing, I couldn't get either to work reliably but will admit, I was hoping it would 'just work' and didn't keep proper notes of what I had tried/not tried and may have gotten lost in the weeds.

Thanks in advance,
-reechie

In OpenVPN instances, leave the bind IP empty, or bind to localhost and use Destination NAT from both WAN interfaces.

In the client export do something like "host1.example.com,host2.example.com".

Policy based routing rules on the LAN interface do not influence traffic generated by the firewall itself. If you leave bind IP in instance empty, it will always use the current active default gateway for outgoing connections, or use reply-to if it received a packet from either WAN Gateway to force it back out of the correct one.
Hardware:
DEC740
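As an added illustration (not output from the thread or from the OPNsense client export itself), this is the shape of the client profile that a two-hostname export produces, with the directives that control failover between the two WAN addresses made explicit. It uses the hostnames from the reply above; which WAN each resolves to, and the 10 s poll timeout, are assumptions for this example.

```conf
# Client profile for an OpenVPN server instance that is reachable on both
# WAN addresses (empty bind IP on the server, reply-to on each WAN rule).
# host1/host2 are the names from the reply; assume host1.example.com resolves
# to the WAN2 address (the primary VPN entry point in the question) and
# host2.example.com to the WAN1 address.
client
dev tun
proto udp

# Remotes are tried in the order listed, so the preferred WAN goes first.
# Do not add "remote-random": it would shuffle this order on every connect.
remote host1.example.com 1194 udp
remote host2.example.com 1194 udp

# If the first remote does not answer (its WAN is down), stop waiting after
# 10 seconds and move on to the next remote instead of the default 120 s.
server-poll-timeout 10

# Keep retrying DNS resolution and keep the client state across restarts.
resolv-retry infinite
persist-key
persist-tun
nobind

# Require the server certificate to carry the server EKU, so a client cannot
# be tricked into connecting to another client's certificate.
remote-cert-tls server
verb 3
```

The server side needs no per-WAN instance: a single instance with an empty bind IP answers on whichever WAN the packet arrived on, and reply-to returns the reply through that WAN's gateway rather than the current default.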

I added the reply-to on each of the WAN interfaces with a single server instance. Added the 2 hostnames in the export. Everything is now working.

thanks!
-reechie