Openvpn – How to setup an Openvpn server with two gateways to internet

I doubt that a setup that large has ever been attempted before, so you likely will be pushing limits when trying. I could find an article on a VPN deployment for 400 clients but judging from the text, the author just relied on rough estimates about how many clients could be run per CPU and lacked some understanding about how his setup would perform.

You would mainly need to consider these two points:

1. The bandwidth your data transfers are going to use would need encryption / decryption at the VPN server side, consuming CPU resources

2. OpenVPN client connections consume both, memory and CPU resources on the server even when no data is transferred

Any decent PC hardware available today should easily saturate a Gigabit link with Blowfish or AES-128, even $100 embedded devices are capable of rates near 100 Mbps, so CPU bottlenecks due to bandwidth intensity should not be of any concern.

Given the default rekeying interval of 3600 seconds, a number of 1,000,000 clients would mean that the server would need to be able to complete 278 key exchanges per second on average. While a key exchange is a rather CPU-intensive task, you could offload it to dedicated hardware if needed - cryptographic accelerator cards available easily meet and exceed this number of TLS handshakes. And memory restrictions should not bother too much as well - a 64-bit binary should take care of any virtual memory restrictions you would be likely to hit otherwise.

But the real beauty with OpenVPN is that you can scale it out quite easily - simply set up an arbitrary number of OpenVPN servers and make sure your clients are using them (e.g. through DNS round-robin), configure a dynamic routing protocol of your choice (typically this would be RIP due to its simplicity) and your infrastructure would be capable of supporting an arbitrary number of clients as long as you've got enough hardware.

I would use static routes rather than push routes in a s2s situation. Or depending on how complex the network is use OSPF to exchange routes. But to be honest I've never tried to push routes in a s2s situation. It may work just fine for simple setups.

For setting up s2s with openvpn on pfsense you need to do 2 things once you've configured the openvpn server/client.

1. You need to add s2s tunnel as an interface in Interfaces->Assign on each router.
2. By default the firewall is going to block all traffic on these interfaces so you'll need to add some allow all rules to those interfaces. You can apply rules as necessary once you have things working