Using OpenVPN with multiple WANs in NG Firewall
Overview
OpenVPN is able to accept incoming remote VPN connections on any WAN interface configured in the NG Firewall. This article provides some details that may be helpful in such a setup.
If your NG Firewall has a public hostname that is resolvable on the internet and all public IPs resolve to that hostname, you will need to manually edit the client configuration file to add the additional IP addresses.
Creating a client configuration file
When a new client configuration file is created in the OpenVPN app on the NG Firewall, any interfaces which are marked with the flag is WAN = true will automatically be included in the config file. Each will be added sequentially, so the interface with the lowest eth value will be listed first, then the next-lowest, and so on. For example, if you have two WAN interfaces with device IDs eth0 and eth2, the client config file will list the first WAN (eth0), then the second (eth2).
When a remote client attempts to connect, it will try the WAN IPs in the listed order. If there is no response from the first listed public IP, the client will try again with each subsequent public IP.
You can download client config files in Apps > OpenVPN > Server > Remote Clients.
After adding a new WAN connection or public IP
After adding a new WAN or public IP, you will need to re-download and re-deploy your client configuration files to ensure all IPs are available to your remote clients.
Manually editing the client config file
Client config files are created with the file extension .ovpn, but are plain text files and can be edited with any text editor. You may need to manually edit those configs in certain instances:
- You do not wish for a particular WAN interface to be available to remote clients
- You want to change the order in which remote clients will try to connect to your public IPs
- You use a public hostname for your NG Firewall but wish to add its public IPs
Please be aware that editing the client config file in this fashion is not supported, so the Edge Threat Management Support team has limited ability to assist with such changes.
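The three edits listed above (dropping a WAN, reordering, adding public IPs) all come down to rewriting the `remote` lines of the .ovpn file. The following is an added example, not Edge Threat Management code: the sample config is constructed, its layout is an assumption about what an export looks like, and the function names are hypothetical.

```python
# Constructed sample; the layout of a real NG Firewall export may differ.
# Addresses are from documentation ranges, not real WAN IPs.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote 198.51.100.10 1194
remote 203.0.113.20 1194
resolv-retry infinite
nobind
"""


def _is_remote(line):
    parts = line.split()
    return len(parts) >= 2 and parts[0] == "remote"


def list_remotes(text):
    """Return [(host, [port, proto...])] in the order the client tries them."""
    return [(l.split()[1], l.split()[2:]) for l in text.splitlines() if _is_remote(l)]


def rewrite_remotes(text, wanted):
    """Replace every 'remote' line with the hosts in `wanted`, in that order.

    Hosts already in the file keep their own port/proto arguments; new hosts
    inherit them from the first existing entry. Other directives are untouched.
    """
    existing = list_remotes(text)
    if not existing:
        raise ValueError("no 'remote' line found to use as a template")
    if not wanted or len(set(wanted)) != len(wanted):
        raise ValueError("wanted must be a non-empty list without duplicates")
    known = dict(existing)
    block = [" ".join(["remote", h, *known.get(h, existing[0][1])]) for h in wanted]
    out, placed = [], False
    for line in text.splitlines():
        if _is_remote(line):
            if not placed:          # put the new block where the first remote was
                out.extend(block)
                placed = True
            continue                # drop the original remote lines
        out.append(line)
    return "\n".join(out) + "\n"


def order_is_honored(text):
    """False if 'remote-random' is set, which makes the client shuffle the list."""
    return not any(l.split()[:1] == ["remote-random"] for l in text.splitlines())
```

Run `list_remotes` on the rewritten file before deploying it to confirm that only the intended public IPs remain and that they appear in the order you want clients to try them.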