
Re: [Openvpn-users] Load balanced vpn


On Tue, Aug 28, 2007 at 07:39:14PM +0200, Markus Feilner wrote:

> would these tools support also port based routing?

of course they don't, but IMHO this doesn't matter for the requirements of
the original posting. But, if you like, you can achieve similar effects
when you are using route-maps.

Remember the map of the original request:

> >                   LAN 1
> >
> >
> >
> >               [Linux box + openvpn]
> >
> >               [Router 1]     [Router 2]
> >
> >             [------ INTERNET -------]
> >
> >               [Router 3]     [Router 4]
> >
> >               [Linux box + openvpn]
> >
> >
> >                  LAN2

IMHO the intention has been that you will have an automatic failover for
the connection of the two Linux boxes running openvpn.

I suggested using a routing protocol as one (of the many!) possible solutions.
The setup might look like this:

a) I don't know how the routers are connected to the Linux boxes, so I
assume they have some kind of ethernet interfaces pointing to
them. These might be eth0 and eth1 (or even alias interfaces like
eth0:1 and eth0:2)

b) ensure that the traffic between linux-box-on-lan1.eth0 and
   linux-box-on-lan2.eth0 uses the path Router1-Router3 and
   linux-box-on-lan1.eth1 to linux-box-on-lan2.eth1 uses the path
   Router2-Router4. Do this with static routes.

c) create the OpenVPN tunnels:
       linux-box-on-lan1.eth0 <--> linux-box-on-lan2.eth0
   and linux-box-on-lan1.eth1 <--> linux-box-on-lan2.eth1

   (as these are site-to-site tunnels it makes it easy
    using "mode p2p")

d) in order to handle failover and recovery put a routing
   protocol on top of the tunnels, e.g. with BGP.
   Configure BGP on linux-box-on-lan1 with the 'addresses of
   the OpenVPN tunnel interfaces' of linux-box-on-lan2 as the
   BGP neighbors. Doing this, both linux-boxes will each get
   two neighbors on the other side of the internet.

e) if one neighbor fails the routing will automatically switch to
   the other tunnel

If you get more familiar with BGP you can configure load balancing
based on addresses/netmasks by giving them more or less priority on one
of the two tunnels. Alternatively you can easily prefer one of the tunnels
(e.g. if traffic on one of them is much cheaper than on the other one).

Best regards,
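
As an added example (not part of the thread), steps b) to d) above rendered for linux-box-on-lan1 as a script that prints the static routes, the two static-key "mode p2p" OpenVPN configs and a bgpd config in FRR/Quagga syntax; the lan2 side is the mirror image. All addresses, ASNs, ports and interface names are constructed placeholders, and the route-map at the end is the "prefer one tunnel" variant from the last paragraph.

```shell
#!/bin/sh
# Renders the configuration for linux-box-on-lan1 (lan2 is the mirror image).
# Every address, ASN and port here is a constructed placeholder, not from the thread.
LAN1_NET="192.168.1.0/24"
ETH0_ADDR="203.0.113.10"; ROUTER1="203.0.113.1"   # eth0 faces Router 1
ETH1_ADDR="198.51.100.10"; ROUTER2="198.51.100.1" # eth1 faces Router 2
PEER_ETH0="192.0.2.10"; PEER_ETH1="192.0.2.130"   # linux-box-on-lan2 behind Router 3 / Router 4
TUN0_LOCAL=10.255.0.1; TUN0_REMOTE=10.255.0.2     # tunnel endpoint addresses, tun0
TUN1_LOCAL=10.255.1.1; TUN1_REMOTE=10.255.1.2     # tunnel endpoint addresses, tun1

# step b): host routes pin each peer address to one uplink, so tun0 can only
# ever use Router1-Router3 and tun1 only Router2-Router4.
static_routes() {
  echo "ip route add $PEER_ETH0/32 via $ROUTER1 dev eth0"
  echo "ip route add $PEER_ETH1/32 via $ROUTER2 dev eth1"
}

# step c): one static-key p2p tunnel. Args: dev local remote tun_local tun_remote port
openvpn_conf() {
  printf 'dev %s\nmode p2p\nproto udp\nlocal %s\nremote %s\nlport %s\nrport %s\n' \
    "$1" "$2" "$3" "$6" "$6"
  printf 'ifconfig %s %s\nsecret /etc/openvpn/%s.key\npersist-tun\npersist-key\n' "$4" "$5" "$1"
  echo "keepalive 10 30"   # restart the tunnel if the peer stays silent
}

# step d): bgpd (FRR/Quagga syntax) peering with both tunnel endpoints of lan2.
# Short timers matter: with the 90s/180s defaults a dead tunnel is only dropped
# after the hold timer expires, so failover would take minutes instead of seconds.
bgpd_conf() {
  cat <<EOF
router bgp 65001
 bgp router-id $TUN0_LOCAL
 neighbor $TUN0_REMOTE remote-as 65002
 neighbor $TUN0_REMOTE timers 5 15
 neighbor $TUN1_REMOTE remote-as 65002
 neighbor $TUN1_REMOTE timers 5 15
 address-family ipv4 unicast
  network $LAN1_NET
  neighbor $TUN0_REMOTE route-map PREFER-TUN0 in
 exit-address-family
!
route-map PREFER-TUN0 permit 10
 set local-preference 200
EOF
}

static_routes
openvpn_conf tun0 "$ETH0_ADDR" "$PEER_ETH0" "$TUN0_LOCAL" "$TUN0_REMOTE" 1194
openvpn_conf tun1 "$ETH1_ADDR" "$PEER_ETH1" "$TUN1_LOCAL" "$TUN1_REMOTE" 1195
bgpd_conf
```

Routes learned over tun0 get local-preference 200 and win while that session is up; when its hold timer expires, the tun1 routes (default preference 100) take over without any manual change.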

