We are using pfSense as OpenVPN server / clients. We have around 20 site-to-site pfSense clients which connect to the main site using an OpenVPN site-to-site configuration. On the main pfSense (VPN server) we installed multiple WANs and set up a failover site-to-site connection by setting the server to listen on localhost and port forwarding the VPN ports from the multiple WANs to 127.0.0.1. On the clients, in Custom options, we added:
remote serverAlternatieWanIp VpnPort udp
This scenario is working OK for us: when the main link goes down, clients establish a new connection over the alternative WAN.
What we do not know is:
How to push clients to switch back (reconnect) to the main WAN after the main WAN connection comes up again? (Our workaround now is to restart the OpenVPN client, or sometimes to restart the whole pfSense, to push the VPN clients to connect again to the main WAN, or to "kill" the alternative WAN to push the VPN clients to reconnect to main. All of them seem to me a bad way to do that.)
We would also love to see which of the clients is connected to the alternate WAN. Now the workaround is to go to each VPN client pfSense and read the remote host address on the client's VPN status page. We are using Zabbix to monitor our network infrastructure, and we would love to find out which WAN is used for the connection in some API way, so we can at least trigger an error in Zabbix and tell admins to reconnect the client to the main WAN.
I have two ideas:
1. You could have OpenVPN wait until there is no activity (if possible, maybe at night?) and then drop the connection or re-resolve the server's IP (and maybe do something tricky/creative with DNS) automatically. I have not tested any of this, I've just glanced at the documentation. It looks like this could work for you, you'll just need to experiment.
Aside from that, I don't see anything inherently wrong with dropping client connections to get them to reconnect by restarting their instances or taking the backup link down momentarily as long as users can handle a brief disconnect. Were you worried about that? Or just keen on having it happen automatically?
Extracted from the OpenVPN man page: https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html
I suggest reading the manual. There's more stuff there.
See this too - PfSense specific discussion about the matter: https://forum.pfsense.org/index.php?topic=42935.0
2. Another idea is to run a script (to restart OpenVPN?) on interface status change. This also I'm not going to test or anything, but I did find some discussion about it.
https://forum.pfsense.org/index.php?topic=65846.0
Apparently you can store commands in
/etc/devd.conf
Mine contains:
Maybe that will work for you.
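For the monitoring half of the question (seeing which server WAN a client is attached to, so Zabbix can alert on it), one way is to ask the client's OpenVPN management interface for its state and compare the remote address with the primary WAN. This is an added example, not code from the thread or from pfSense; it assumes the client instance has a management socket configured (the path below is a placeholder) and that the "state" reply follows OpenVPN's documented CSV layout. All addresses are constructed.

```shell
#!/bin/sh
# Added example: classify which server WAN an OpenVPN client is connected to,
# from the management interface "state" reply, and emit a numeric value for a
# Zabbix item (trigger on value != 0).
#
# Assumptions (not in the thread): the client config carries
# "management /var/etc/openvpn/client1.sock unix" (placeholder path), and the
# "state" reply looks like:
#   <time>,<state>,<desc>,<tun_ip>,<remote_ip>,<remote_port>,...
# preceded by a ">INFO:" greeting line and followed by "END".

PRIMARY_WAN="203.0.113.10"                  # main site's primary WAN (constructed)
MGMT_SOCK="/var/etc/openvpn/client1.sock"   # placeholder, adjust per instance

# classify_state STATE_REPLY PRIMARY_IP  -> prints primary | alternate | down
classify_state() {
    _reply=$1
    _primary=$2
    # Newest state line is the last non-END line; drop any ">STATE:" prefix.
    _line=$(printf '%s\n' "$_reply" | grep -v '^END$' | tail -n 1 | sed 's/^>STATE://')
    _conn=$(printf '%s' "$_line" | cut -d, -f2)
    _remote=$(printf '%s' "$_line" | cut -d, -f5)
    if [ "$_conn" != "CONNECTED" ] || [ -z "$_remote" ]; then
        echo down
    elif [ "$_remote" = "$_primary" ]; then
        echo primary
    else
        echo alternate
    fi
}

# Zabbix wants a number: 0 = on primary WAN, 1 = failed over, 2 = not connected.
zabbix_value() {
    case "$1" in
        primary)   echo 0 ;;
        alternate) echo 1 ;;
        *)         echo 2 ;;
    esac
}

# Query the live socket (FreeBSD nc supports -U for unix sockets).
query_live() {
    printf 'state\nquit\n' | nc -U "$MGMT_SOCK" 2>/dev/null
}

# Constructed sample reply: this client has failed over to the alternate WAN.
SAMPLE_STATE='>INFO:OpenVPN Management Interface Version 1 -- type help for more info
1700000000,CONNECTED,SUCCESS,10.0.8.2,198.51.100.20,1194,,
END'

if [ "${1:-}" = "--live" ]; then
    zabbix_value "$(classify_state "$(query_live)" "$PRIMARY_WAN")"
else
    zabbix_value "$(classify_state "$SAMPLE_STATE" "$PRIMARY_WAN")"   # prints 1
fi
```

Run with `--live` from a Zabbix agent UserParameter on each client pfSense; without it the script evaluates the embedded sample.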