Multi-WAN OpenVPN
From PFSenseDocs
OpenVPN can be used with any WAN connection with a static IP. The IP can be assigned via DHCP, as long as it does not change. You can use dynamic IPs that change infrequently on OPT WAN interfaces, though each time the IP changes you must manually update your OpenVPN configuration. This may change in the future, but for now, it's not practical to use OpenVPN on OPT WAN IPs that change frequently.
If you have one static and one dynamic IP, use the dynamic IP on the WAN interface and the static IP on the OPT WAN interface. This way you can run OpenVPN on both WAN interfaces. However, this configuration is best with only static IPs.
OpenVPN Configuration
First, get OpenVPN working as you desire on your primary WAN interface. Once it is functioning properly, back up your configuration. Save a copy of this backup in case something goes wrong and you want to revert to your original working setup.
Duplicate OpenVPN Configuration
Your OpenVPN configuration needs to be duplicated so you have one server running for each WAN IP. There are two options for duplicating your OpenVPN configuration. You can either edit the config file by hand, which I chose as it was easier for me, or manually copy each field into a newly created server configuration.
Editing Configuration File by Hand
Open the copy of the configuration backup you made previously and go down to the <openvpnserver> tag. Find the lines that refer to your existing configuration. Copy everything from the <config> line to the </config> line, including both those lines, and then paste it in beneath the existing </config> line. Change the <description> field on the copied connection. Save the file, and restore it in the webGUI.
Following the reboot after restoring the config, go to the OpenVPN screen in the webGUI.
Editing the Duplicated Configuration
Edit each of the OpenVPN server configurations, and in the Custom Options box, type in 'local x.x.x.x', where x.x.x.x is the WAN IP of the connection you want it to use. For example, I put: local 10.16.80.18
where 10.16.80.18 is the WAN IP it will use.
You will also need to choose a different address pool for each connection. Everything else remains the same.
Configuring Clients
This assumes the client is already configured for the connection on the primary WAN IP, and was tested to work with the primary WAN before starting this process of enabling it for multiple WAN interfaces.
On the Windows client, go into your config folder (default C:\Program Files\OpenVPN\config) and make a copy of your existing configuration file. Edit the copied file and change the "remote ..." line to the secondary WAN's IP or hostname. Rename both the configuration files as you desire, to indicate which WAN each will use.
Dynamic IPs and Multi-WAN OpenVPN
If you have a dynamic IP address on either of your WAN interfaces, the configuration process will differ.
Both WAN IPs dynamic
In this scenario, you will not be able to run OpenVPN on your OPT WAN interface. Only static IPs work for OPT WAN interfaces.
One dynamic IP, one static IP
The dynamic IP has to be on the primary WAN interface, with the static IP on the OPT WAN interface. The configuration will differ slightly from the above because you cannot use the "local" option to define the IP address, since it changes. This means the OpenVPN server for the WAN interface will be listening on all WAN interfaces. Because the IP will change, it will have to bind on all IPs. In the future, pfSense may support this by automatically changing your OpenVPN configuration upon IP change.
Because your primary WAN's VPN configuration binds to all IPs on its port, you will have to use a different port for your OPT WAN interface's OpenVPN server.
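The rules above (a "local" line per static WAN IP, a separate address pool per server, and a separate port whenever one server binds all IPs) can be checked before restoring a configuration. The following is an added example, not part of the pfSense documentation or code: the dictionary field names are hypothetical, the sample values are constructed, and it assumes all servers use the same protocol and that custom options are separated by semicolons or newlines.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample: one server per WAN. Field names are hypothetical and do
# not mirror the pfSense config.xml schema.
SERVERS = [
    {"description": "VPN on WAN", "port": 1194, "pool": "10.0.8.0/24",
     "custom_options": ""},                   # dynamic WAN: no "local", binds all IPs
    {"description": "VPN on OPT1", "port": 1194, "pool": "10.0.8.0/24",
     "custom_options": "local 10.16.80.18"},  # static OPT WAN
]


def local_ip(custom_options):
    """Return the address from a 'local x.x.x.x' option, or None if absent."""
    for opt in re.split(r"[;\n]", custom_options):
        tokens = opt.split()
        if len(tokens) >= 2 and tokens[0] == "local":
            return ipaddress.ip_address(tokens[1])
    return None


def check_servers(servers):
    """Compare every pair of servers and return a list of conflict messages."""
    problems = []
    for a, b in combinations(servers, 2):
        pair = f'{a["description"]} / {b["description"]}'
        ip_a = local_ip(a["custom_options"])
        ip_b = local_ip(b["custom_options"])
        if a["port"] == b["port"]:
            if ip_a is None or ip_b is None:
                # A server without "local" listens on every address.
                problems.append(f"{pair}: one server binds all IPs, "
                                f"so port {a['port']} cannot be shared")
            elif ip_a == ip_b:
                problems.append(f"{pair}: both bind {ip_a} port {a['port']}")
        pool_a = ipaddress.ip_network(a["pool"])
        pool_b = ipaddress.ip_network(b["pool"])
        if pool_a.overlaps(pool_b):
            problems.append(f"{pair}: address pools {pool_a} and {pool_b} overlap")
    return problems


if __name__ == "__main__":
    for line in check_servers(SERVERS) or ["no conflicts found"]:
        print(line)
```

With the constructed sample, both the shared port and the shared address pool are reported; giving the OPT1 server its own port and pool clears both findings.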
More than two WAN connections
This guide explained how to make this work with two WAN connections, but you can repeat the same steps to add more WAN connections. You just need a server configuration for each WAN IP.
