Advanced Configuration FAQ
Q: How do I forward traffic from my VPN gateway to the multiple local subnets that I have?
A: If you have multiple local subnets and a router or layer-3 switch is used to separate the subnets, then you must create persistent routes on the gateway. Select "Edit persistent routes..." from the "Network" menu in the Configuration window, and add a route for each one of the local subnets. The next hop will be the router or switch IP address. You must also turn on the "This is the main policy server for multiple local subnets/VLANs" option on the local policy server.
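As an added illustration of the persistent routes this answer describes (an example script, not OmniVPN's own code; the "Edit persistent routes..." dialog above is the product's supported method), the following assumes a Windows gateway with the NetTCPIP PowerShell module, and the interface alias, router address and subnet list are constructed placeholders.

```powershell
# Added example, not OmniVPN code. Assumes a Windows gateway with the NetTCPIP module.
# Interface alias, router IP and subnet list below are constructed placeholder values.
$LanInterface = "Ethernet"             # assumed: gateway NIC facing the local subnets
$RouterIp     = "192.168.1.254"        # assumed: router / layer-3 switch IP (the next hop)
$LocalSubnets = @("192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24")  # constructed

foreach ($Subnet in $LocalSubnets) {
    # Skip subnets that already have a persistent route so the script can be re-run safely.
    $existing = Get-NetRoute -DestinationPrefix $Subnet -PolicyStore PersistentStore `
                             -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($existing) {
        Write-Host "Route to $Subnet already present (next hop $($existing.NextHop))"
        continue
    }
    # New-NetRoute writes to both the active and the persistent store by default,
    # so the route survives a reboot, which is what a "persistent route" requires.
    New-NetRoute -DestinationPrefix $Subnet -InterfaceAlias $LanInterface `
                 -NextHop $RouterIp | Out-Null
    Write-Host "Added persistent route: $Subnet via $RouterIp on $LanInterface"
}

# Verification: each local subnet must point at the router as its next hop. Without
# these routes, traffic for the remote subnets follows the gateway's default route
# instead of being forwarded to the router that separates the subnets.
foreach ($Subnet in $LocalSubnets) {
    $route = Get-NetRoute -DestinationPrefix $Subnet -PolicyStore ActiveStore `
                          -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $route -or $route.NextHop -ne $RouterIp) {
        Write-Warning "Route check failed for $Subnet (next hop: $($route.NextHop))"
    }
}
```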
Q: What is the "Use single IP address for VPN process" option on the Gateway configuration tab?
A: A gateway may have multiple NICs and IP addresses. When trying to communicate with a non-local IP address, the gateway's TCP/IP stack generates packets using its WAN IP address instead of its LAN IP address. Normally, this would require a separate security policy for the WAN address. By forcing OmniVPN to use a single IP address for all VPN processing, the task of defining security policies becomes simpler because you do not have to create separate policies for each of the gateway's interfaces.
Q: How do I configure VPN gateways for load balancing?
A: Simply configure each computer to be a gateway and register it with the local policy server. The gateways will automatically provide load balancing and active failover for all the VPN connections. When a client registers with the local policy server, it receives the list of all available gateways and load balances its network connections through them. When a gateway goes off-line, all clients are automatically instructed to re-route their traffic through the remaining gateways.
Q: Will VPN load balancing work for local clients that do not have OmniVPN installed?
A: No, only the local clients that have OmniVPN installed will benefit from VPN load balancing.
Q: How do I configure a Top Policy Server cluster?
A: Install OmniVPN as Top Policy Server on each of the nodes in the cluster and then use one of them to issue certificates to all the others. Enter the FQDN or IP addresses of all other Top Policy Servers in the Configuration window of each Top Policy Server. This ensures that all your Top Policy Servers will synchronize their policies. Enter the FQDN or IP addresses of all Top Policy Servers in the Configuration window of each lower policy server. If a policy server is not able to contact the first Top Policy Server in its list, it will sequentially go through all items in its list until it succeeds.