OpenVPN and High Availability

OpenVPN works well with high availability (HA) on pfSense® software. To provide an HA OpenVPN solution, configure the OpenVPN server or client to use a CARP VIP as its Interface. For HA server instances, configure clients to connect to the CARP VIP.

When XMLRPC Configuration Synchronization settings are enabled, OpenVPN instances automatically synchronize from the primary node to the secondary. The connection state is not retained between hosts, so clients must reconnect when failover occurs, but OpenVPN will detect the connection failure and reconnect automatically.

When an OpenVPN client instance has a CARP VIP for its Interface, the firewall will automatically shut down the client as needed while a CARP node is in a BACKUP state. This prevents OpenVPN from making unnecessary outbound connections and also prevents it from placing potentially conflicting information into the routing table. When the CARP VIP status transitions to MASTER, the firewall starts OpenVPN clients automatically.
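
The client behavior described above can be verified after a failover test with a check like the following. This is an added example, not part of the pfSense software or its documentation. It assumes FreeBSD-style `carp:` lines in `ifconfig` output, a hypothetical VHID of 1, and that the caller supplies the number of running OpenVPN client processes. The function names and sample data are constructed.

```shell
#!/bin/sh
# Constructed sample: FreeBSD-style ifconfig text for an interface holding a
# CARP VIP in state $1 (interface name and addresses are placeholders).
sample_ifconfig() {
    cat <<EOF
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    inet 198.51.100.2 netmask 0xffffff00 broadcast 198.51.100.255
    inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255 vhid 1
    carp: $1 vhid 1 advbase 1 advskew 100
EOF
}

# Print the CARP state of VHID $1 from ifconfig text on stdin,
# or UNKNOWN when no carp: line for that VHID is present.
carp_state() {
    awk -v id="$1" '
        $1 == "carp:" && $3 == "vhid" && $4 == id { print $2; found = 1; exit }
        END { if (!found) print "UNKNOWN" }'
}

# Compare CARP state of VHID $1 (ifconfig text on stdin) with the number of
# running OpenVPN client processes ($2). Returns non-zero on a mismatch.
check_node() {
    state=$(carp_state "$1")
    clients=$(($2 + 0))   # normalise whitespace-padded counts from wc -l
    case "$state" in
        MASTER)
            [ "$clients" -gt 0 ] && { echo "OK: MASTER, $clients client(s) running"; return 0; }
            echo "ALERT: MASTER but no OpenVPN client is running"; return 1 ;;
        BACKUP)
            [ "$clients" -eq 0 ] && { echo "OK: BACKUP, clients stopped"; return 0; }
            echo "ALERT: BACKUP but $clients client(s) still running"; return 1 ;;
        *)  # Assumption: any other state (e.g. INIT or a missing VIP) needs review.
            echo "ALERT: VHID $1 is in state $state"; return 1 ;;
    esac
}

# On a node (the process pattern is an assumption about client naming):
#   ifconfig | check_node 1 "$(pgrep -f 'openvpn.*client' | wc -l)"
sample_ifconfig BACKUP | check_node 1 0
```

An ALERT on the BACKUP node points at a client instance whose Interface is not bound to the CARP VIP, since only instances bound to the VIP are stopped in BACKUP state.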