openvpn client connecting to server with multiple IP addresses

Hi,

I have an openvpn server in our head office which remotes can connect to via multiple ISPs for redundancy. When connecting PCs we just put multiple remote lines in the ovpn file like so…

remote <ip#1> <port#>
remote <ip#2> <port#>
remote <ip#3> <port#>

The idea is that if the first link is down, the openvpn client on the PC can just try again via the second link, then the third link, and back to the 1st link again… I was trying to do this with RouterOS via the console, but only the last IP is saved. Is there any other way to have something like this in RouterOS?

Thanks in advance

You could create three separate ovpn clients with the same routing table and use the distance in the route list for failover.

Will try this, thanks!!

This worked, but I had to create an ovpn server for each remote. Thanks!!!

You’re welcome. Out of curiosity, why did you need to create separate OVPN servers for each client?

Each ovpn-client on MikroTik needs to have a different tunnel network, as they all have to be connected at the same time. MikroTik can then freely switch between available routes based on the distance value.

Unless there’s a way to have MikroTik connect to the 2nd if the 1st goes offline, then the 3rd if the 2nd is offline, and back to the first if the 3rd is also unavailable… scripting maybe?

I think I understood your problem correctly. You can create a netwatch that activates the well-suggested connections by @propio3r1138, based on the comment name. If it doesn’t ping the IP behind the VPN, activate the next connection and turn off the previous one. It would work with 2. I can’t think of 3.

Of course, it’s possible with the scripting. Furthermore, as suggested earlier, the Netwatch option is more suitable for the task.
However, I still wonder why, as the distance should be enough for the failover.
Perhaps you could elaborate more? I didn’t understand the meaning of your previous remark.
" to have a different tunnel network as they all have to be connected at the same time"

At the HQ I have the following internet connections:
isp1
isp2
isp3

I also have the following ovpn servers (on pfSense):
hq-isp1 with tunnel network 10.40.0.0/24
hq-isp2 with tunnel network 10.41.0.0/24
hq-isp3 with tunnel network 10.42.0.0/24

On the hEX I have the following ovpn-clients, all of which are enabled:
tohq-isp1 to connect to hq-isp1
tohq-isp2 to connect to hq-isp2
tohq-isp3 to connect to hq-isp3

I also have the following static routes on the hEX:
src dst gateway tohq-isp1 distance 10
src dst gateway tohq-isp2 distance 20
src dst gateway tohq-isp3 distance 30

While tohq-isp1 is connected, the distance 10 route will be used for traffic from the branch network to the HQ network. If hq-isp1 becomes unreachable, since tohq-isp2 with distance 20 is online, the hEX reroutes traffic from the branch to the HQ via tohq-isp2. If hq-isp1 and hq-isp2 are both unreachable, since tohq-isp3 is online, the hEX reroutes to it. The moment hq-isp1 becomes reachable, tohq-isp1 is connected, so the hEX reroutes the traffic back to tohq-isp1. This works perfectly now.

However, it would’ve been better if I only had 1 ovpn server at the HQ accepting ovpn traffic from any of the 3 ISPs.

Will look into netwatch later.
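The three-tunnel setup described in the post above, written out as RouterOS commands, together with the two-tunnel netwatch variant suggested earlier in the thread. This is an added example, not configuration posted by anyone in the thread; the public IPs, the HQ LAN prefix, the username, password and certificate name are assumed placeholders and must be replaced.

```routeros
# Added example (not from the thread). Branch router side: one ovpn-client
# per HQ OpenVPN server, all enabled at the same time, each on its own
# tunnel network (10.40/10.41/10.42 as in the post above).
# add-default-route=no keeps the client from installing its own dynamic
# route, so the static routes below decide which tunnel is used.
/interface ovpn-client
add name=tohq-isp1 connect-to=198.51.100.1 port=1194 mode=ip \
    user=branch1 password="CHANGE-ME" certificate=branch1.crt_0 \
    auth=sha256 cipher=aes256-cbc add-default-route=no \
    verify-server-certificate=yes comment="hq via isp1 (primary)"
add name=tohq-isp2 connect-to=203.0.113.1 port=1194 mode=ip \
    user=branch1 password="CHANGE-ME" certificate=branch1.crt_0 \
    auth=sha256 cipher=aes256-cbc add-default-route=no \
    verify-server-certificate=yes comment="hq via isp2 (secondary)"
add name=tohq-isp3 connect-to=192.0.2.1 port=1194 mode=ip \
    user=branch1 password="CHANGE-ME" certificate=branch1.crt_0 \
    auth=sha256 cipher=aes256-cbc add-default-route=no \
    verify-server-certificate=yes comment="hq via isp3 (tertiary)"

# Static routes to the HQ LAN (192.168.10.0/24 assumed) through each tunnel.
# The active route is the one with the lowest distance whose gateway
# interface is running. When a tunnel disconnects its interface stops
# running, that route becomes inactive, and the next distance takes over;
# when the tunnel comes back, traffic returns to it without any script.
/ip route
add dst-address=192.168.10.0/24 gateway=tohq-isp1 distance=10 \
    comment="hq via isp1"
add dst-address=192.168.10.0/24 gateway=tohq-isp2 distance=20 \
    comment="hq via isp2"
add dst-address=192.168.10.0/24 gateway=tohq-isp3 distance=30 \
    comment="hq via isp3"

# Optional: the netwatch approach from the thread, for the case where only
# one tunnel should be up at a time. 10.40.0.1 is assumed to be the HQ
# server's address inside the primary tunnel. If it stops answering pings,
# enable the secondary client; when it answers again, disable the secondary.
# As the thread notes, this simple form handles two tunnels, not three.
/tool netwatch
add host=10.40.0.1 interval=30s timeout=5s \
    comment="failover primary -> secondary" \
    down-script="/interface ovpn-client enable tohq-isp2" \
    up-script="/interface ovpn-client disable tohq-isp2"
```

With the static routes in place the netwatch section is not needed for failover; it only matters when the secondary tunnel must stay disabled while the primary works. Verify the result with `/ip route print` (the active route carries the A flag) and `/interface ovpn-client print` (a connected client shows the R flag).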

Hi all, looking for some help.

I have 2 remote OpenVPN servers with the same public IP, but different port numbers:

  • Primary OpenVPN server
  • Secondary OpenVPN server

I want one ovpn-client interface on my MikroTik to be able to use the primary server and fail over to the secondary server, for resilience purposes.

I have configured the .ovpn client configuration file on my server, which is a Debian 12 host. It is then transferred, uploaded, and imported (certificates and keys embedded).
Within the client .ovpn file, I include these lines:

#Primary server is top and Secondary server is bottom
remote port <no. >
remote port <no. >

Note: I received a log message saying that the ‘remote random’ feature is not supported.

My ovpn-client interface uses the bottom server of the pair. I want it to initially connect to the primary, on top.

The connection to the secondary server is running fine. However, I would ideally want to add a distance (priority) to the routes. As the route is dynamic, I am unable to edit its distance. By default, the distance of both routes is 0, so I cannot specify the route’s priority.

As the ovpn-client interface chooses to read the bottom remote server, it creates the route to this. However, the route for the primary server is not added to the routing table, which makes me think MikroTik does not support this feature. Even if I have two separate ovpn-client interfaces, both their routes will be dynamic and have the same distance of 0.

Is there a way around this?

Does MikroTik support the use of multiple ‘remote port <no.>’ e.g. ‘remote 81.215.67.222 port 1456’ lines?