After several checks I found this: OpenVPN accepts connections only on one of the WANs. If I set the other WAN as an option in the client export, I get:
Feb 08 17:54:13: TCP/UDP: Incoming packet rejected from <WAN-1-IP>:1196, expected peer address: <WAN-2-IP>:1196 (allow this incoming source address/port by removing --remote or adding --float)
There is a floating rule for OpenVPN, though.
The <WAN-1-IP> is a PPPoE VLAN interface and the <WAN-2-IP> is the main WAN port of pfSense.
Am I right that your OpenVPN server is listening on WAN1 and WAN2 and you are using UDP as the protocol?
Then Failover will not work. Failover and OpenVPN do not work with this kind of configuration. To make it work configure it this way:
The OpenVPN Server is listening on the LAN address, port 1194, UDP
Create a "Port Forward" from WAN1 address, port 1194 to LAN address, port 1194
Create a "Port Forward" from WAN2 address, port 1194 to LAN address, port 1194
Create corresponding firewall rules for these two Port Forwards.
Add this to your OpenVPN client.conf:
remote WAN1_address 1194
remote WAN2_address 1194
remote random means: The client tries to use the one or the other IP. There is no order, it is "random".
If you delete "remote random" then the client first uses WAN1-IP and, if this fails, WAN2-IP. It checks the remote IP addresses from top to bottom.
PS: Delete the floating rule for OpenVPN - just use "normal" rules like I wrote above - that's enough.
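
An added example, not part of the original posts: a Python check that extracts the "Incoming packet rejected" address mismatch from a client log and audits a client.conf for the two `remote` entries described above. The sample log, config and addresses are constructed, the function names are hypothetical, and `remote-random` is the OpenVPN directive the reply refers to as "remote random".

```python
import re

# Constructed sample data; the addresses are documentation-range placeholders.
SAMPLE_LOG = (
    "Feb 08 17:54:13: TCP/UDP: Incoming packet rejected from 203.0.113.10:1196, "
    "expected peer address: 198.51.100.20:1196 (allow this incoming source "
    "address/port by removing --remote or adding --float)\n"
)
SAMPLE_CONF = """\
client
proto udp
remote 203.0.113.10 1194
remote 198.51.100.20 1194
remote-random
"""

REJECT = re.compile(
    r"Incoming packet rejected from (?:\[AF_INET\])?([\d.]+):\d+.*?"
    r"expected peer address: (?:\[AF_INET\])?([\d.]+):\d+"
)

def wrong_source_replies(log_text):
    """Return (actual_source, expected_peer) pairs where they differ."""
    return [m.groups() for m in REJECT.finditer(log_text)
            if m.group(1) != m.group(2)]

def audit_client_conf(conf_text):
    """Summarise the failover-relevant directives of an OpenVPN client config."""
    remotes, random_order, has_float = [], False, False
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts or parts[0].startswith(";"):
            continue
        if parts[0] == "remote" and len(parts) >= 2:
            # Port defaults to 1194 when the directive omits it.
            remotes.append((parts[1], parts[2] if len(parts) > 2 else "1194"))
        elif parts[0] == "remote-random":
            random_order = True
        elif parts[0] == "float":
            has_float = True
    return {
        "remotes": remotes,
        "failover": len(remotes) >= 2,   # both WAN addresses must be listed
        "order": "random" if random_order else "top-down",
        "float": has_float,              # the setup in the reply does not use it
    }

if __name__ == "__main__":
    print(wrong_source_replies(SAMPLE_LOG))
    print(audit_client_conf(SAMPLE_CONF))
```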