Using OpenVPN with Multi-WAN
OpenVPN servers can be used with any WAN, or multiple WANs, as can OpenVPN clients. This document covers only a remote access OpenVPN server, but a similar process could be applied for site to site VPNs. For OpenVPN client instances on pfSense software, in most cases it’s as simple as picking the gateway group for the interface.
There are many different ways to configure multiple WANs with OpenVPN on pfSense® software for remote access or site to site VPNs.
See also

Many of these scenarios were covered during the September 2014 “Advanced OpenVPN Concepts” presentation, available through the Hangouts Archive.
OpenVPN Configuration
First, get OpenVPN working as desired on the primary WAN interface. Once it is properly functioning, make a backup.
Bind to Localhost and Set Up Port Forwards
The OpenVPN configuration needs to be adjusted so it can be reached from either WAN. The simplest way to do this is by changing the Interface on the VPN connection to be Localhost, and then adding a port forward on each WAN to redirect the OpenVPN port to Localhost (127.0.0.1).
For example: if there are two WANs and the OpenVPN server is running on port 1194, set the Interface to Localhost, then add two port forwards:

- WAN1: UDP, Source any, Destination WAN1 Address port 1194, redirect target 127.0.0.1 port 1194
- WAN2: UDP, Source any, Destination WAN2 Address port 1194, redirect target 127.0.0.1 port 1194
Configure Clients
Clients may be configured to use the second WAN by adding a second remote statement to their configuration, such as:

remote x.x.x.x 1194 udp

Where x.x.x.x is the second WAN IP address or host name.
This process can be automated by using the OpenVPN Client Export package. When exporting a client, in Host Name Resolution choose one of:
- Automagic Multi-WAN IPs (port forward targets): Adds a remote statement for each port forward found targeting the interface binding and port used by this VPN, and uses the IP address of each WAN as-is.
- Automagic Multi-WAN DDNS Hostnames (port forward targets): Like above, but uses the first located Dynamic DNS hostname for a given WAN. If the WAN has a private IP address, this may be the better choice.
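The following is an added illustration, not code from pfSense or the Client Export package, of how the two "Automagic" options above derive the client's remote statements from the port forwards: only rules whose redirect target matches the VPN's bound address, port and protocol are considered, and each one yields a remote line using either the WAN IP or the WAN's first Dynamic DNS hostname. The WAN addresses, DDNS hostnames and rules are constructed sample data, and falling back to the WAN IP when a WAN has no DDNS hostname is an assumption.

```python
from dataclasses import dataclass

@dataclass
class PortForward:
    interface: str      # WAN interface the rule is attached to
    proto: str          # "udp" or "tcp"
    dst_port: int       # port on the WAN address clients connect to
    target: str         # redirect target address
    target_port: int    # redirect target port

@dataclass
class VpnServer:
    bind_addr: str      # "127.0.0.1" when Interface is set to Localhost
    port: int
    proto: str

# Constructed sample data (RFC 5737 documentation ranges), not a real install.
WAN_ADDRESSES = {"wan": "203.0.113.10", "wan2": "198.51.100.20"}
DDNS_HOSTNAMES = {"wan": ["vpn1.example.net"], "wan2": []}
PORT_FORWARDS = [
    PortForward("wan", "udp", 1194, "127.0.0.1", 1194),
    PortForward("wan2", "udp", 1194, "127.0.0.1", 1194),
    PortForward("wan2", "tcp", 443, "192.0.2.5", 443),  # unrelated rule, must be skipped
]

def matching_forwards(server, forwards):
    """Port forwards whose redirect target is the VPN's bound address/port/protocol."""
    return [f for f in forwards
            if f.target == server.bind_addr
            and f.target_port == server.port
            and f.proto == server.proto]

def remote_lines(server, forwards, use_ddns=False):
    """One 'remote <host> <port> <proto>' line per matching port forward, in rule order."""
    lines = []
    for f in matching_forwards(server, forwards):
        host = WAN_ADDRESSES[f.interface]
        if use_ddns and DDNS_HOSTNAMES.get(f.interface):
            host = DDNS_HOSTNAMES[f.interface][0]  # first DDNS hostname for that WAN
        # Assumption: a WAN without a DDNS hostname falls back to its IP address.
        lines.append(f"remote {host} {f.dst_port} {f.proto}")
    return lines

if __name__ == "__main__":
    server = VpnServer("127.0.0.1", 1194, "udp")
    print("\n".join(remote_lines(server, PORT_FORWARDS)))
    print("\n".join(remote_lines(server, PORT_FORWARDS, use_ddns=True)))
```

A quick consistency check before exporting: if the function returns fewer lines than there are WANs, one WAN is missing a port forward or its rule does not match the VPN's protocol or port.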
More than two WAN connections
The same steps can be repeated to add more WAN connections. Add a port forward to any additional WAN. Clients will need an updated configuration file if another WAN is added later.