[SOLVED] Use of multiple NIC's

[BoundlessSecurity]

How can one use multiple NIC's with OpenVPN simultaneously ? For example, both wired and wireless connections simultaneously. I have researched this in the past, but there did not seem to be a solution because OpenVPN only used the primary network interface, unless it was not active, in which case OpenVPN rolled over to the next one.

Our machines often have multiple paths to the Internet, and we need to be able to use VPN's with all of those paths simultaneously, not just the one on the primary network interface card.

Thank you.

[Mimiko]

If you don't specify in OpenVPN server's config file any explicit biding, the OpenVPN leastens on every interface.
For the OpenVPN client is the default gateway used so it's up to you to configure which connection is used.

[janjust]

Our machines often have multiple paths to the Internet, and we need to be able to use VPN's with all of those paths simultaneously, not just the one on the primary network interface card.

you probably want the VPN connection to be tunneled over two interfaces at the same time : this is currently not possible, as it would require some form of device bonding (e.g. bond the wireless and wired nics together). It is also quite tricky to do this right (due to way TCP/IP is designed).

[BoundlessSecurity]

Hi janjust,

Thank you for your reply.

Unless I misunderstand Mimiko's comment, I need to use client mode for my "hidden" machines that are behind non-port-mappable firewalls. These "hidden" machines will originate the VPN tunnels that connect to distant OpenVPN servers whose ports are accessible.

I want to have VPN tunnels over multiple network interfaces at the same time, but with different VPN connections that are totally independent of one another. No bonding would be required. Wouldn't this avoid the TCP/IP problem you mentioned ? If so, is there a solution ?

[Mimiko]

I want to have VPN tunnels over multiple network interfaces at the same time

If you are talking about client, then create different config files with different "local" option.

[BoundlessSecurity]

Hi Mimico,

Thank you for your reply.

I looked up the 'local host' option for OpenVPN clients, but I do not see how to specify the network interface, such as eth0 or tun0, that it should use. Could you point me to a description ?

[janjust]

you would use

local <IPaddress>

to have the OpenVPN client use a local address; this can cause conflicts in routing however; on Linux cilents you can overcome this using source routing, not on Windows/MacOS, IIRC.

[BoundlessSecurity]

Hi Janjust,

Thank you for your reply.

I am using Ubuntu Server 10.04 LTS.

Are you saying that if I have multiple NICs in a given machine, that I need to assign each one of them a (unique) static local address, and then specify that static local address with the 'local host' option instead of using an identifier, such as eth0 or tun0, of the interface that I want to use with a particular instance of the OpenVPN client ?

[BoundlessSecurity]

I forgot to mention...

My machines are connected to public networks over which I have no control of the IP addresses assigned to my machine. So if I assign a static local IP address to a particular NIC, it would be a dummy address by which I would hope to identify the NIC. Would the OpenVPN client allow me to use such a dummy IP address to identify the NIC for use with a particular instance of the OpenVPN client, since the actual IP address assigned to that NIC by the public network would be different and would change from time to time ?

[janjust]

Are you saying that if I have multiple NICs in a given machine, that I need to assign each one of them a (unique) static local address, and then specify that static local address with the 'local host' option instead of using an identifier, such as eth0 or tun0, of the interface that I want to use with a particular instance of the OpenVPN client ?

yep. currently it's not possbible to bind OpenVPN to an interface.
However, as you're using Linux I'd go for some iproute2/iptables magic instead: use source routing to ensure that traffic intended for server1 leaves NIC1 and traffic intended for server2 leaves NIC2 : that way you don't need to specify anything in the config files, and have the kernel routing tables take care of it.

[BoundlessSecurity]

To: Janjust

RE: routing magic

Thank you !