PF-Sense Multi-WAN VPN Setup



WonkoTheSane
OpenVpn Newbie
Posts: 2
Joined: Tue Sep 13, 2022 3:30 pm

PF-Sense Multi-WAN VPN Setup

Post by WonkoTheSane » Tue Sep 13, 2022 3:53 pm

Hello all. I'm sorry to say, but I am a complete novice at this, so please bear with me. I am an MSP who's taken over a client that utilizes PFSense for their router and OpenVPN for their site to site VPN. So far everything has worked without issue, however I now am having to make a change, and it is not going as smoothly as I had hoped it would.

My client purchased a TMOBILE 5G Hotspot with unlimited data which they would like to utilize as their primary ISP, and continue to use their old ISP as a failover. The client utilizes site to site VPNs for data transfer, and I need to maintain this communication. I seem to be able to bring the network up under the new 5G connection, but I cannot make the VPN work. What I would like to do is create a Failover for VPN with the TMOBILE connection being the primary. When I attempt to do this, however, I lose VPN. I've tried just adding the Interface Group and changing what the primary was, but it did not work.


I realize this is a fairly vague post, but I'm unsure what information would be most helpful here. I am running version 2.4.4-RELEASE-p3 for the PFSENSE, based on FreeBSD 11.2-RELEASE-p10 on both sides. I've created an interface for the 5G TMOBILE hotspot and set it to DHCP. I have a server (disabled) and a client (disabled) already configured, both using shared key, both with the same encryption.

Server Side:
Mode : Peer to Peer (Shared Key)
Protocol : UDP on IPv4 only
Device Mode : tun - Layer 3 tunnel mode
Interface : (Live ISP Connection, set correctly)
Local Port : (Unique, but matches on both sides)
Description : (Location) Site to (Location) Site
Shared Key : Generated from server (then copied to client)
Algorithm : AES-256-CBC (256 bit key, 128 bit block)
Enable NCP - AES-128-GCM, AES-256-CBC (Matches on both sides)
Auth Digest : SHA512 (512-bit)
No hardware crypto
Tunnel network : 192.168.61.0/24 (unique, does not overlap other tunnels)
IPV6 : Not configured
Remote Network: 192.168.5.0/24
LZO Compression [Legacy style, comp-lzo yes]
Gateway Creation : Both

Client Side:
Mode : Peer to Peer (Shared Key)
Protocol : UDP on IPv4 only
Device Mode : tun - Layer 3 tunnel mode
Interface : TMOBILEGATEWAY
Server Host: Omitted
Local Port : (Unique, but matches on both sides)
Description : (Location) Site to (Location) Site
Shared Key : Copied from the server
Algorithm : AES-256-CBC (256 bit key, 128 bit block)
Enable NCP - AES-128-GCM, AES-256-CBC (Matches on both sides)
Auth Digest : SHA512 (512-bit)
Tunnel: 192.168.61.0/24
Remote Network : 192.168.0.0/24,192.168.2.0/24,192.168.3.0/24,192.168.4.0/24,192.168.6.0/24,192.168.16.0/20,192.168.17.0/24,192.168.32.0/20
LZO Compression [Legacy style, comp-lzo yes]
Gateway Creation : Both

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: PF-Sense Multi-WAN VPN Setup

Post by TinCanTech » Tue Sep 13, 2022 4:44 pm

WonkoTheSane wrote (Tue Sep 13, 2022 3:53 pm):
"Hello all. I'm sorry to say, but I am a complete novice at this, so please bear with me. I am an MSP who's taken over a client that utilizes PFSense"
And you want us to teach you how to do your job.

I believe that pfSense has a paid support portal designed to provide support to people exactly like you.

WonkoTheSane
OpenVpn Newbie
Posts: 2
Joined: Tue Sep 13, 2022 3:30 pm

Re: PF-Sense Multi-WAN VPN Setup

Post by WonkoTheSane » Tue Sep 13, 2022 5:27 pm

Not trying to get anyone to "teach me how to do my job". I am trying to understand why my connection is failing despite having followed guides.
If the client had purchased a PFSense instead of building one, yes. I would happily get real support. Real support is not available.

Thanks so much for your insight.

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: PF-Sense Multi-WAN VPN Setup

Post by openvpn_inc » Wed Sep 14, 2022 11:39 am

Hi Wonko,

Multi-WAN is generally an OS issue, not something relevant to OpenVPN. While I don't agree with the tone of what was said, in substance, it is valid: "you probably need to seek help for PFSense/BSD."

I suspect as well that part of the problem is how the T-Mobile router works. A WAG about that I can offer: see --float in the manual. Which peer has --remote, the "client"? Or both?

See also --comp-lzo, and disable that.

Hope you decide to hang around, good luck.

regards, rob0
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: PF-Sense Multi-WAN VPN Setup

Post by ordex » Wed Sep 14, 2022 11:49 am

Another thing to consider is --multihome, which allows using multiple incoming IPs. Otherwise OpenVPN would always use the same to send replies.

All this said, beware that Shared key is unsafe and not recommended.
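Putting the two replies together, here is an added example (not configuration from the thread, and not what pfSense itself generates) of a minimal OpenVPN 2.4 point-to-point pair in raw config syntax: multihome and float on the server, compression left out, and TLS in place of the shared key. The tunnel and remote networks are the ones from the original post; the port, hostname and certificate file names are placeholders.

```conf
# ---- server.conf : site with the single fixed ISP (the thread's "server") ----
dev tun
proto udp4
port 1194                      # placeholder: the thread keeps its real port private
# no "local": listening on all addresses is what lets multihome do its job
multihome                      # reply out of the interface a packet arrived on (ordex's point)
float                          # keep the session when the peer's source IP changes at WAN failover (rob0's point)
# secret shared.key            # the thread's shared-key mode, replaced by TLS below (ordex: unsafe)
tls-server
ca   ca.crt                    # placeholder file names for the CA, certificate, key and DH params
cert server.crt
key  server.key
dh   dh2048.pem
tls-crypt tc.key               # encrypts and authenticates the control channel
ifconfig 192.168.61.1 192.168.61.2    # the post's 192.168.61.0/24 tunnel network
route 192.168.5.0 255.255.255.0       # the post's remote network behind the client site
cipher AES-256-GCM
keepalive 10 60                # ping every 10 s, restart after 60 s of silence: detects a dead WAN
persist-key
persist-tun
# no comp-lzo: compression left out entirely, as the replies advise

# ---- client.conf : site behind the T-Mobile 5G hotspot, old ISP as failover ----
dev tun
proto udp4
remote vpn.example.net 1194    # placeholder for the server site's public address
nobind                         # the client initiates, so the hotspot side needs no inbound port
tls-client
remote-cert-tls server         # only accept a peer certificate issued for a server role
ca   ca.crt
cert client.crt
key  client.key
tls-crypt tc.key
ifconfig 192.168.61.2 192.168.61.1
# one route per network listed under "Remote Network" in the post
route 192.168.0.0  255.255.255.0
route 192.168.2.0  255.255.255.0
route 192.168.3.0  255.255.255.0
route 192.168.4.0  255.255.255.0
route 192.168.6.0  255.255.255.0
route 192.168.16.0 255.255.240.0
route 192.168.17.0 255.255.255.0
route 192.168.32.0 255.255.240.0
cipher AES-256-GCM
keepalive 10 60
persist-key
persist-tun
```

float is what lets the server keep accepting the client after its source address moves to the other ISP; without it, authenticated traffic from the new address is dropped until the peers re-establish the tunnel.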
