Feature #7881

open

OpenVPN client - add support for multiple server entries

Added by robi robi over 4 years ago. Updated over 2 years ago.

Status: New
Priority: Normal
Assignee: -
Category: OpenVPN
Target version: -
Start date: 09/20/2017
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:

Description

OpenVPN in client mode supports multiple "remote" directives. These can be used for redundancy: if the first server fails, the client tries to connect to the next one.

Currently pfSense allows only one "Server host or address" and "Server port" to be specified in the client configuration page. My suggestion would be to allow adding multiple address-port pairs in the configuration page. Something similar to how addresses and descriptions are added in the aliases page.

Also add a checkbox to randomize the remote entries list (OpenVPN feature).

The need for this in pfSense is also because of the CARP possibility. If one has several site-to-site connections via OpenVPN, and these sites each use several CARP-enabled pfSense firewalls, it could be very handy to allow OpenVPN clients to connect not only to the CARP IP address, but also to try to connect to members directly, in case of CARP failure.

Currently this can be worked around by adding the "remote" entries manually in the "Custom options" box:

remote 1.2.3.4 1194;
remote 2.3.4.5 1194;
remote 3.4.5.6 1194;

From the OpenVPN manual:

--remote host [port]
    Remote host name or IP address. On the client, multiple --remote options may be specified for redundancy, each referring to a different OpenVPN server.

    The OpenVPN client will try to connect to a server at host:port in the order specified by the list of --remote options.

    The client will move on to the next host in the list, in the event of connection failure. Note that at any given time, the OpenVPN client will at most be connected to one server.

--remote-random 
    When multiple --remote address/ports are specified, initially randomize the order of the list as a kind of basic load-balancing measure. 
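
An added example (not part of the original ticket and not pfSense code): one way to build the "Custom options" text for the workaround above from a list of address-port pairs, validating each value so that a host field cannot carry extra directives into the client config. The function names are hypothetical, and the `remote-random;` line assumes the same semicolon-terminated form as the workaround.

```python
import ipaddress
import re

# Only characters that can occur in an IP literal or DNS name (no spaces, ';' or newlines).
_SAFE = re.compile(r"[A-Za-z0-9.:-]+")
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def valid_host(host):
    """Accept an IPv4/IPv6 literal or a DNS hostname; reject everything else."""
    if not isinstance(host, str) or not _SAFE.fullmatch(host):
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    labels = host.split(".")
    # An all-numeric last label is a malformed IPv4 address, not a hostname.
    return (len(host) <= 253 and not labels[-1].isdigit()
            and all(_LABEL.fullmatch(label) for label in labels))


def build_custom_options(pairs, randomize=False):
    """Return 'remote host port;' lines, in the order given (order = failover order)."""
    lines, seen = [], set()
    for host, port in pairs:
        if not valid_host(host):
            raise ValueError(f"invalid host: {host!r}")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            raise ValueError(f"invalid port for {host}: {port!r}")
        key = (host.lower(), port)
        if key in seen:
            continue  # keep the first occurrence only
        seen.add(key)
        lines.append(f"remote {host} {port};")
    if not lines:
        raise ValueError("at least one remote is required")
    if randomize:
        lines.append("remote-random;")  # assumption: same ';' form as the workaround
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample input: the addresses from the workaround above.
    print(build_custom_options([("1.2.3.4", 1194), ("2.3.4.5", 1194), ("3.4.5.6", 1194)]))
```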
Actions #1

Updated by Brendon Baumgartner over 4 years ago

I think the way to implement this is by setting the server to Other towards the top and leaving the field blank. Then using the "Custom options" to specify the VPN servers. There is a limit to what the GUI can offer and these are advanced VPN configurations. Just my 0.02.

Actions #2

Updated by Jim Pingle over 4 years ago

Brendon Baumgartner wrote:

I think the way to implement this is by setting the server to Other towards the top and leaving the field blank. Then using the "Custom options" to specify the VPN servers. There is a limit to what the GUI can offer and these are advanced VPN configurations. Just my 0.02.

That's in the OpenVPN Client Export Package. This ticket is talking about pfSense acting as an OpenVPN client.

It's still probably best to keep this in the advanced options for now though, it's not quite as straightforward as it sounds.

Actions #3

Updated by Jim Pingle over 2 years ago

  • Category set to OpenVPN