[SOLVED] Routing & Load Balancing

[Driver]

Hello all. Let me just say I love OpenVPN its been a very useful tool.

We have been using OpenVPN for a number of years and it has worked out great. Now we are interested in using the load balancing feature to utilize two Verizon Fios links. I have a OpenVPN server setup on two different servers. One server is on the 1st Fios circuit and the other is on the 2nd Fios circuit. The load balancing works great and is randomly choosing between the two servers which is great.

My problem is being able to hit these tunnels from our internal network. Before we just put a route on our proxy server to direct all traffic destined to "10.130.0.0" to go to the server hosting the tunnel. Now that we are using two different servers we can't just use a route on the proxy server because the proxy server has no way to determine which server the client chose randomly. Does anyone know of a solution to this issue. I would like to be able to hit any of these tunnels from our internal network. Any suggestions or ideas are greatly appreciated. Thanks for any help provided. Happy Holiday's!!

[Driver]

The only idea I can come up with is to use "10.130.0.0" on one server and "10.135.0.0" on the other. This will allow us to use a route statement on our proxy but would cause some confusion in house for some employees. I would much rather prefer to use "10.130.0.0" on both servers but I can't seem to come up with a solution to the routing. Clients don't need any access to our LAN we just need to ssh to these tunnels from our LAN.

[Driver]

No suggestions anyone?

[gladiatr72]

Greetings,

What you're after is available with either OpenBSD or Linux.

Now, the OpenBSD Way is still unknown to me. I only assume this functionality exists there because multiple routing tables were implemented in its kernel at some point over the last couple years. If you're on the OpenBSD road, read the documentation carefully and ask your questions intelligently or Theo will swallow your soul.

If you're running Linux, I would direct you to: http://tinyurl.com/yes3g2

I would be happy to have provided a specific solution, but I haven't actually implemented such a configuration. I came upon this document when working on a failover solution for a network that has two internet links: cable (fast and sometimes unstable) and fiber (slower (rate-limited) but rock solid).

Good luck!

Regards,
Stephen

[Driver]

So essentially I could do away with two seprate servers and go back to a single. Have eth0 connected to ISP 1 and eth1 connected to ISP 2. Then set the routing up so if it comes in on ISP 1 to go out ISP 1 and if it comes in ISP 2 it goes out ISP 2. Does anyone know if this will work with openvpn?

[gladiatr72]

If you get the round-robin business setup correctly on your gateway system, it should just be a matter of pointing your proxy server at the internal interface of the gateway. Even though the tun devices are virtual in nature, they are indistinguishable from real devices in the routing subsystem. Obviously, this isn't the same as a multiplexed circuit. The load balancing will only be in play for traffic outbound from your dual-homed location and on a per-connection basis.

Inbound, you are still dealing with two discrete IP addresses, so inbound traffic will be coming in on only one connection at a time. After you get the iproute2 configuration stable on one end, you could also set up a similar configuration on the remote end to at least fail-over in case one of the connection fails.

Regards,
Stephen

[Driver]

Ok I can't for the life of me get iproute2 and UDP to work correctly. If I switch everything over to TCP boom it works great and utilizes both links. What could be the issue for UDP? Has anyone had any difficulties with iproute2 and UDP packets? I greatly appreciate any input.

[Driver]

Looks like I figured it out. I added multihome to the server config file and now everything seems to be working great. What exactly does the multihome entry do?

Thanks,
Adam