Sun Dec 05, 2021 4:47 pm
One approach is that you really allow only one ovpn tunnel to establish at a time, another approach is that you let both of them establish and use routes with different distance values to prefer one of the tunnels. The latter way may provide a faster failover but may not be possible with a stock OpenVPN server (I'm not sure whether you can assign the same iroute destination prefixes to two distinct clients and if you can, how to prioritize them).
To prevent the secondary client from actually connecting while the primary one is alive, I'd do the following:
/ip firewall mangle
add chain=input src-address=primary-wan protocol=tcp src-port=1194 action=add-dst-to-address-list address-list=ovpn-blocker address-list-timeout=1m tcp-flags=!rst,!syn,!fin
This rule adds/refreshes an item on an address list each time the server sends a regular packet (carrying some payload or at least an ACK); the address list becomes empty 1 minute after the last useful packet arrives, so there has to be some keepalive traffic - if OpenVPN doesn't generate keepalive traffic autonomously, you have to take care of that.
/ip firewall filter
add chain=output src-address-list=ovpn-blocker dst-address=ip.of.HQ.wan2 protocol=tcp dst-port=1194 action=drop
This rule prevents the OVPN packets from the backup client from being actually sent as long as the address list is not empty, preventing the backup client from connecting and even occupying the uplink bandwidth, but once the connection establishes, it will not actively terminate even when the primary one re-establishes. It has to die away due to some timeout, and until it does, the routing at server side may be confused.
Even if you use scripting to disable and enable the backup client depending on the state of the primary client, this period of uncertainty when both clients are active will be there, as the only way to determine whether the primary server works is to establish a connection. Hence it seems better to me to have both clients active simultaneously, and use route priorities to choose which of the tunnels the client and server will use.
The same approach applies to any kind of VPN except bare IPsec.
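As an added example (not part of the post above, and not the poster's configuration), this is what the "both tunnels up, route distance decides" variant from the last paragraph looks like on the branch router in RouterOS CLI. Every value in it is an assumption chosen for illustration: 203.0.113.10 and 198.51.100.20 stand for the HQ server's primary and backup WAN addresses, 10.200.0.0/24 for the HQ LAN, and the interface names and credentials are placeholders.

```routeros
# Added example, not from the original post. All addresses, names and
# credentials below are placeholders for illustration only.

# Two OpenVPN client tunnels, one to each HQ WAN address, both kept enabled.
/interface ovpn-client
add name=ovpn-hq-primary connect-to=203.0.113.10 port=1194 mode=ip \
    user=branch1 password=CHANGEME add-default-route=no disabled=no
add name=ovpn-hq-backup connect-to=198.51.100.20 port=1194 mode=ip \
    user=branch1 password=CHANGEME add-default-route=no disabled=no

# Same destination prefix, two routes with different distance. While the
# primary tunnel interface is running its distance-1 route is active; when
# the interface goes down that route becomes inactive and the distance-2
# route through the backup tunnel is used without any scripting.
/ip route
add dst-address=10.200.0.0/24 gateway=ovpn-hq-primary distance=1 \
    comment="HQ LAN via primary tunnel"
add dst-address=10.200.0.0/24 gateway=ovpn-hq-backup distance=2 \
    comment="HQ LAN via backup tunnel"

# Checks: which of the two routes is currently active, and tunnel state.
/ip route print where dst-address=10.200.0.0/24
/interface ovpn-client monitor ovpn-hq-primary once
/interface ovpn-client monitor ovpn-hq-backup once
```

Failover here relies on the tunnel interface actually going down, which is why the post's remark about keepalive traffic still matters: without it a dead tunnel can stay "running" for a long time and the distance-1 route stays active. The return path is the part this example does not solve: the HQ side must prefer the same tunnel for traffic back to the branch prefix, and whether a stock OpenVPN server lets you prioritize the same iroute on two clients is exactly the open question raised in the first paragraph of the post.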