Automatic Failover + Site-to-site VPN: Is it a pipe dream?

My main site has a 100 mbps fiber connection with 100 mbps Uverse copper backup. Both with static IP addresses. The firewall and LAN is a full Unifi setup with USG configured for failover.

My DR site is a commercial DC with static IP, with a USG and Unifi switch. I have configured a site-to-site VPN between the two USG boxes (using the very easy Unifi setup process) so that data replication and other private network communications can occur.

The main site fiber connection is through a local ISP and is slightly flaky with occasional drops. This triggers failover on the USG. Two issues: 1) My site to site VPN drops during failover, which is not ideal, but I can live with it. 2) the USG does not failback cleanly, and I have to restart the router in order to restore full site-to-site VPN connectivity.

As much as I enjoy the Unifi system, this is becoming frustrating.

If I invest in new routers from Netgate or other brands, is it possible to set them up so that failover and failback will happen cleanly, with “automatically healing” site-to-site VPN? Does anyone here on the boards have a setup that works like this?

pfsense support OpenVPN for site to site and OpenVPN supports failover so it should work.

Personally, I would look to setup two different tunnels and run BGP across them. This will be your fastest failover instead of waiting for a firewall to determine it lost internet access, failover to secondary ISP, then have to re-establish VPN tunnel before it can even start sending traffic.

My only experience with pfsense and openvpn is that when ever I disconnect one end or the other, it reconnects in a few seconds. But that is with a single connection path.

The dual tunnel with bgp sounds like a good idea, your changeover from a failure should be “very fast”.