PfSense ProtonVPN Backup Connection

I have ProtonVPN working well in PfSense along with a killswitch firewall rule that I’ve set up (thanks Tom).

The only issue I’m having is that about once a day the server will go down and I’ll lose connection. I then log in to ProtonVPN and get the IP of another server, swap that in my config and away we go.

Is there a way I can have another VPN client setup as a backup for PfSense to swap to if the server goes down? This is becoming a little annoying.

If OpenVPN on pfsense is what is crashing you could load the “Service Watchdog” package and have it watch the OpenVPN service and auto restart it.

Thanks for the reply Tom! It’s not that - I’ve tried to manually restart the OpenVPN Client service and it doesn’t reconnect. The server also lists the server as ‘down’ or 100% full at the time as well, so I know it’s at their end.

They have quite a few servers to choose from, but it’s just a matter of automating the process if possible.

I have not tried it, but it should work by having more than one OpenVPN connection and then creating another rule tagging the traffic with the same tag name, so it also gets caught by the same floating kill switch rule.

I’ll give that a crack, thanks mate.

If ProtonVPN provides you with, say, more than one simultaneous connection, you can do what I have done.

AirVPN allows five simultaneous connections, so I’ve set up 3 OpenVPN clients to the fastest AirVPN servers close to me. Then I’ve defined a Gateway Group with those three gateways; the trigger level can be set from the choices available. Mine is for “Packet Loss or High Latency” so my traffic always takes the fastest route; there is also an option for “Member Down”.

If you set up VLANs, just create a VPN VLAN for all VPN traffic; if the gateway goes down, the traffic goes nowhere. If you have just moved from a consumer router it might not be obvious why you need VLANs, but buy a switch and you’ll have an easier life.

Thanks mate, that has worked perfectly. Do I have all of the VPN connections as ‘Tier 1’ in the gateway group?

I do have some VLANs set up, but I use firewall rules to route the traffic through the VPN for the machines I want, and have a killswitch set up to catch tagged traffic as suggested by Tom in one of his videos.

I’m not quite sure what you mean by setting up a VLAN for all VPN traffic - is that a better way of doing it?

Yes, I believe the Tier is the priority; I’ve set mine to all the same.

I’m sure I’ve seen the video, but I’m old so forget things almost immediately :)

The strength and weakness of PfSense is that there are a multitude of ways of achieving the same thing.

In my case, I find it easier to create a VLAN for VPN traffic: all devices on that VLAN go out via the VPN and I don’t have to think about it. My ISP VLAN goes out unencrypted for all devices on that VLAN, easy. Then I have aliases and rules to route traffic between devices on the different VLANs.

It’s taken me ages to understand PfSense, I’m continually trying to better understand each step I’ve taken (at least while I’m in lockdown).

With a VPN you must be sure you have no leakage, otherwise you are wasting your money. I think my approach allows me to be certain with my level of understanding.
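The gateway-group behaviour discussed in this thread (several OpenVPN client gateways, a trigger level such as “Packet Loss or High Latency” or “Member Down”, and tiers that are all set the same so the members share the load) can be modelled in a few lines. The following is an added example written for this page, not pfSense’s own code or anything from the thread: it reproduces the documented selection rule (healthy members of the most preferred tier carry traffic; a lower tier is used only when every member of a better tier has failed; an empty result means the group is down, which with the kill switch means traffic goes nowhere). The gateway names and the measurements are constructed sample data, and the loss and latency alarm thresholds are assumed to be the pfSense gateway-monitoring defaults (20% loss, 500 ms), which are adjustable per gateway in the real system.

```python
"""
Model of pfSense gateway-group member selection (added example, not pfSense code).

Each member gateway is one OpenVPN client's gateway; the group's trigger level
decides what counts as a failed member, and tiers decide preference.
"""
from dataclasses import dataclass, replace

# Trigger levels as offered in the pfSense gateway group editor.
MEMBER_DOWN = "Member Down"
PACKET_LOSS = "Packet Loss"
HIGH_LATENCY = "High Latency"
LOSS_OR_LATENCY = "Packet Loss or High Latency"

# Assumed alarm thresholds (pfSense gateway-monitoring defaults; per-gateway adjustable).
LOSS_ALARM_PCT = 20.0
LATENCY_ALARM_MS = 500.0


@dataclass(frozen=True)
class Member:
    name: str          # gateway name (constructed, e.g. "VPN_A_GW")
    tier: int          # 1 = most preferred; equal tiers share the load
    up: bool           # monitor IP reachable according to gateway monitoring
    loss_pct: float    # measured packet loss to the monitor IP
    latency_ms: float  # measured round-trip latency to the monitor IP


def member_failed(m: Member, trigger: str) -> bool:
    """True when the member should be taken out of the group under `trigger`."""
    if not m.up:
        return True  # every trigger level removes a member whose monitor is down
    if trigger == MEMBER_DOWN:
        return False  # loss/latency are ignored; only a down member fails
    loss_bad = m.loss_pct >= LOSS_ALARM_PCT
    latency_bad = m.latency_ms >= LATENCY_ALARM_MS
    if trigger == PACKET_LOSS:
        return loss_bad
    if trigger == HIGH_LATENCY:
        return latency_bad
    if trigger == LOSS_OR_LATENCY:
        return loss_bad or latency_bad
    raise ValueError(f"unknown trigger level: {trigger!r}")


def active_gateways(members, trigger: str) -> list:
    """Names of the members that carry traffic right now.

    All healthy members of the lowest-numbered tier that still has one are
    used together; a higher-numbered tier only takes over when that tier is
    empty. An empty list means the whole group is down, so with a tagged
    kill-switch rule in place no traffic leaves via the ISP.
    """
    healthy = [m for m in members if not member_failed(m, trigger)]
    if not healthy:
        return []
    best_tier = min(m.tier for m in healthy)
    return [m.name for m in healthy if m.tier == best_tier]


# Constructed sample: three VPN client gateways, two on tier 1 and one on tier 2.
SAMPLE = [
    Member("VPN_A_GW", tier=1, up=True, loss_pct=0.0, latency_ms=25.0),
    Member("VPN_B_GW", tier=1, up=True, loss_pct=35.0, latency_ms=40.0),
    Member("VPN_C_GW", tier=2, up=True, loss_pct=0.0, latency_ms=120.0),
]


def all_tier_one(members) -> list:
    """The 'all the same tier' setup from the thread: every member on tier 1."""
    return [replace(m, tier=1) for m in members]


if __name__ == "__main__":
    for trig in (MEMBER_DOWN, PACKET_LOSS, HIGH_LATENCY, LOSS_OR_LATENCY):
        print(f"{trig:30s} -> {active_gateways(SAMPLE, trig)}")
    print("all tier 1, loss/latency     ->", active_gateways(all_tier_one(SAMPLE), LOSS_OR_LATENCY))
```

Running it shows why the trigger level matters: with “Member Down”, VPN_B_GW keeps carrying traffic despite 35% loss, while “Packet Loss or High Latency” drops it and only VPN_A_GW remains; VPN_C_GW on tier 2 is used only once both tier-1 members have failed. Putting every member on tier 1, as the thread suggests, means all healthy gateways are used together rather than in a strict order.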