
Can we have a VPN failover?

ComputerSteve

Senior Member
Is it possible to have a VPN failover that only activates and then deactivates if a specific client goes down? Meaning I would always like to use VPN Client 1, but if that goes down I'd like it to switch to VPN Client 2/3/4/5; however, I don't want it to stay on client 2/3/4/5 once VPN client 1 goes back up, and I'd like VPN client 2 to switch off... Almost like the dual WAN failover.
 
You should be able to achieve OpenVPN failover provided each client instance is configured similarly w/ the VPN Director. The VPNs are prioritized from high (#1) to low (#5) and failover will occur automatically provided the lowest priority OpenVPN client is the only one w/ an active kill switch.

All that said, there's nothing that actually turns off a given OpenVPN client once it fails. If it recovers, it recovers (even if that requires YOU to hit the Apply or On button again), and it becomes accessible again according to its place in the priority list.

For example, if you have OpenVPN client #1 (with NO kill switch) and the VPN Director routing 192.168.1.0/24 through that VPN, and likewise through OpenVPN client #2 (with a kill switch active), and OpenVPN client #1 fails, that traffic falls through to OpenVPN client #2. If OpenVPN client #1 eventually recovers, routing returns to that instance. If both OpenVPN clients fail, the kill switch takes over and denies all internet access.

Note, you need to make sure you use the VPN Director and NOT specify Yes (all) on the OpenVPN clients, or else you risk routing one or more of them through another OpenVPN client! So you end up running one tunnel inside another, creating a possible situation where a failure of a given OpenVPN client could lead to other OpenVPN clients failing as well.
 
Ok but right now with vpnmon installed what happens is all clients activate at the same time. Do I not need vpnmon?

I can't speak to third-party add-ons. I have no idea how they work, or even what they do. All I can speak to is how the OpenVPN clients are intended to work w/ the installed firmware. If you use any add-ons, it's at your own risk.
 
I understand. So then, for clarification: if I didn't use add-ons, how do I set it up so that in the event the server stopped on client 1 it will switch to client 2, but then once client 1 goes back up it will stop client 2 and switch back to client 1? Cause what I was noticing is that both clients remained active. Meaning once client 1 recovered, both client 1 & 2 stayed connected.
 
If OpenVPN client #1 fails, it automatically falls through to OpenVPN client #2. If OpenVPN client #1 eventually recovers, it will automatically return to OpenVPN client #1. That's just the way it works.

The bigger issue is making sure OpenVPN client #1 actually recovers! Unfortunately, the firmware does very little in that regard. That's why I wrote my own watchdog script for Merlin a few years ago (I haven't used it in a long time, I assume it still works).


IIRC, this was even before @Viktor Jaep wrote his vpnmon utility. I've never looked all that deeply into his solution, but I believe it's attempting to solve a similar problem (and perhaps a lot more). I just can't speak to that particular solution since I didn't author it. It may work great (he's an excellent developer). But if there are any relevant issues, he's the one to consult.
 
Right, but what I'm noticing is that once client 1 recovers then client 2 still stays connected... I want something that once client 1 recovers client 2 disconnects... Almost like the WAN failover.
 
I understand. But it's NOT designed to work that way. Lower priority OpenVPN clients do NOT start up and shut down on-demand like multi-WAN typically does. They have to be running all the time in order to be useful. Granted, if there isn't a failure of OpenVPN client #1, OpenVPN client #2 essentially goes to waste. But again, that's just the way it works. The router just doesn't have the smarts to do it the way you prefer. The router doesn't even KNOW when you're in failover mode, vs. you just happen to have two or more OpenVPN clients active at the same time for other reasons (e.g. each is serving the interest of different clients on the LAN).
 
FWIW, in my own experience, the most common reason the OpenVPN client fails is due to an AUTH_FAIL event (it will show up in the syslog), most commonly caused by the OpenVPN provider himself. It's an asynchronous event, often done to purposely kick you off their servers! It's a pretty nasty way to deal w/ overloaded servers, or move customers to other servers during scheduled down time (e.g., maintenance).

The problem w/ an AUTH_FAIL event is that it *kills* the OpenVPN client process completely! It becomes impossible to recover unless the router is specifically looking for the loss of the process and is smart enough to restart the OpenVPN client. But as I said, it doesn't, and it's why my script and vpnmon exist.

But there's even more to it.

It really helps if you configure your OpenVPN client w/ *multiple* servers (not multiple OpenVPN clients, but multiple servers within the *same* OpenVPN client) so that should a server fail, and become permanently unavailable, there are other servers you can attempt to use w/ that OpenVPN client. In effect, you've created a kind of "failover" capability within any OpenVPN client by NOT relying on a single server, provided you also use a script like mine or vpnmon. Obviously this preserves resources by NOT having to run additional OpenVPN clients concurrently.

I've explained how to do that several times in these forums over the years.

 
Yes the issue I’m having is that I use VPN client 1 as a dedicated IP vpn for specific clients. If it changes to a different server the ip changes. That’s why I want something that would switch to client 2 temporarily only while client 1 is down.
 
It really helps if you configure your OpenVPN client w/ *multiple* servers (not multiple OpenVPN clients, but multiple servers within the *same* OpenVPN client) so that should a server fail, and become permanently unavailable, there are other servers you can attempt to use w/ that OpenVPN client. In effect, you've created a kind of "failover" capability within any OpenVPN client by NOT relying on a single server, provided you also use a script like mine or vpnmon.
And @ComputerSteve, this is how vpnmon works. You basically just use 1 slot, and assign it multiple VPN server IPs that it can randomly connect to. Not a true primary/secondary failover, but more like a random round robin to provide redundancy.
 
Then I suggest using the methodology I described above. Use a single OpenVPN client w/ multiple servers, but do NOT use the remote-random option. That way, a restart will always try your preferred server first. If it's NOT available, you have a fall through to other servers. But there's no way to have the OpenVPN client detect that your preferred server is available again. Not unless you wrote a script to periodically check and force a restart.

Basically, there is no perfect solution since it's just not designed to work in a failover mode like multi-WAN. Would be a nice addition. Maybe vpnmon can do this. But that's the best I can conjure at the moment.
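
The periodic check-and-restart script mentioned in the reply above, as an added example that is not part of the original thread or anyone's posted script: it reads OpenVPN's syslog lines to see which remote a single multi-server client is on, and asks for a restart when the process has died or when it sits on a fallback server while the preferred one answers. The address, syslog tag, log path, `pidof vpnclient1` and `service restart_vpnclient1` are assumptions about an Asuswrt-Merlin setup.

```shell
#!/bin/sh
# Failback watchdog for ONE OpenVPN client with several `remote` lines and
# no remote-random. Added example; tag, paths and addresses are assumptions.
PREFERRED="203.0.113.10"   # constructed address of the preferred (first) remote
TAG="ovpn-client1"         # assumed syslog tag of the client

# Constructed sample syslog: preferred server, AUTH_FAILED, then a fallback server.
sample_log() {
cat <<'EOF'
Jan  1 10:00:01 ovpn-client1[811]: [srv-a] Peer Connection Initiated with [AF_INET]203.0.113.10:1194
Jan  1 12:30:09 ovpn-client1[811]: AUTH: Received control message: AUTH_FAILED
Jan  1 12:30:09 ovpn-client1[811]: SIGTERM[soft,auth-failure] received, process exiting
Jan  1 12:31:40 ovpn-client1[977]: [srv-b] Peer Connection Initiated with [AF_INET]198.51.100.20:1194
EOF
}

# Print the address of the most recent successful connection found on stdin.
current_remote() {
    sed -n "/$TAG/"'s/.*Peer Connection Initiated with \[AF_INET]\([0-9.]*\):[0-9]*.*/\1/p' |
    tail -n 1
}

# decide <alive 0|1> <preferred_reachable 0|1>, log on stdin; prints the action.
decide() {
    cur=$(current_remote)
    if [ "$1" -ne 1 ]; then
        echo "restart"      # process gone (e.g. after AUTH_FAILED): bring it back
    elif [ -n "$cur" ] && [ "$cur" != "$PREFERRED" ] && [ "$2" -eq 1 ]; then
        echo "failback"     # on a fallback server while the preferred one answers
    else
        echo "none"         # on the preferred server, or it is still unreachable
    fi
}

# Live use from cron: `watchdog.sh run`. The commands below are assumptions
# about the router firmware; a ping reply is only a rough reachability signal.
if [ "${1:-}" = "run" ]; then
    alive=0; pidof vpnclient1 >/dev/null 2>&1 && alive=1
    up=0; ping -c 1 -W 2 "$PREFERRED" >/dev/null 2>&1 && up=1
    action=$(decide "$alive" "$up" < /tmp/syslog.log)
    if [ "$action" != "none" ]; then
        logger -t vpn-failback "action=$action"
        service restart_vpnclient1
    fi
fi
```

A forced restart drops the tunnel for a few seconds, so a kill switch on the client matters while the watchdog is cycling it back to the preferred server.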
 
