Dual WAN (Failover) with open VPN - reinstall mwan3?

I'd like to have my openvpn client interface be the default gateway (If the VPN goes down, I am ok with the router routing traffic over the primary or secondary WAN interfaces).

I have successfully setup mwan3 with the two WAN ports (and tested), and then added a open vpn client to the router (i've tested the vpn client setup with my laptop and confirmed that it works).

The VPN client does connect, but its not clear to me what I should do next to achieve the stated goal.

I assume I should add the interface i created for the vpn tun to my mwan3 managed interfaces, but it seems that if mwan3 is installed before a interface is created, it cannot use it (I get the No metric set! message in the interface table in the manager UI, and the vpn is reported as down even when its not).

Do I have to reinstall mwan3 for it to see my vpn interface properly?

No, you should set the metric on the VPN interface, in /etc/config/network.

ah ok. I did do that via the UI, but it doesn't seem to register with mwan3

I had the same problem when i setup my second wan. I had installed mwan3 before creating the wan1 interface. after creating the wan1 interface and ensuring the metric was set via the UI, mwan3 was not able to see the metric.

So, you are saying, just edit the file, and it should be good to go?

Using the UCI, I confirmed that the vpn interface has the lowest metric


With mwan3, there is no requirement that the VPN has the lowest metric, because mwan3 will create a new routing table with the VPN as the only interface available, and apply it to the traffic that is configured to go through the VPN. However, there is a requirement that the metric is unique, and that the actual metric matches the configured one. Also there is a soft requirement (if you want to use mwan3 to define which traffic should bypass the VPN) that the existing default route is not removed by the VPN software. These requirements can translate into some non-trivial OpenVPN options that need to be added.

First of all, please add the pull-filter ignore redirect-gateway option, to prevent the other end from pushing configuration incompatible with mwan3. We'll provide our own replacement.

Second, please be aware that redirect-gateway def1 option is incompatible with mwan3, because mwan3 looks for new default routes, while this option causes two separate routes for bottom and top halves of the IP address space be installed instead. I would actually recommend removing all redirect-gateway options and replacing them with redirect-private, so that the original gateway is kept for mwan3.

Third, with redirect-private, we need to make sure that the default route through the VPN exists, with the correct metric. For that, an explicit route command is needed.

This yields (tested on the desktop with the free VPN from vpngate.net, 50 is the metric, everything else is verbatim):

pull-filter ignore redirect-gateway
route vpn_gateway 50

Hi @patrakov,
Thank you for the guidance. I tested the new settings with my AWS Client VPN endpoint service and it worked as expected.

I am still not able to get mwan3 to recognize the vpn interface metric (after using both the UI and UCI to set and confirm the metric on the vpn interface, and rebooting it)

Do I need to uninstall mwan3 and reinstall?

No, you don't.

Please provide the output of ip route with the VPN connected.

Hi @patrakov
I was able to get mwan3 to read the vpn interface's metric by deleting and recreating the vpn interface. Perhaps there is another way, but that seemed to work.

I reduced the vpn_gateway metric from 50 to 10 in the ovpn config.

Here is the output from ip route

default via dev tun0 metric 10
default via dev lan1 proto static src metric 30 dev tun0 proto kernel scope link src dev br-lan proto kernel scope link src dev lan1 proto static scope link metric 30

Does mwan3 detect the vpn as online now?

Yes, it works now. Apologies for leaving that out of the last comment!

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.