Two link in load-balance causing tunnels the stop working

dbht · Post by **dbht** » Wed Jan 19, 2011 3:17 pm

Hi all,

I have a linux box with 2 links configured in load balance.

However, after a sucessfully tunnel start, I can see packages going out not from the desired interface. Those packages are related to the udp tunnel.

I'm not sure if this is an issue either on the openvpn or on the iproute2. Do you guys have this kind of BOX with two links and load balance? - Do you have problems on the openvpn side? Did you have to change or add some openvpn option on the .conf file in order to get it working?

# ip route list
default
nexthop via a.b.c.d dev eth2 weight 1
nexthop via h.i.j.k dev eth1 weight 1

# ip rule list
0: from all lookup 255
3: from all fwmark 0x82 lookup link2
3: from all fwmark 0x81 lookup link1
100: from a.b.c.d lookup link2
100: from h.i.j.k lookup link1
32766: from all lookup main
32767: from all lookup default

The packages are being marked as usual

# iptables -L -n -v -t mangle
Chain PREROUTING (policy ACCEPT 4863K packets, 2545M bytes)
pkts bytes target prot opt in out source destination
41 4378 CONNMARK all -- eth1 * 0.0.0.0/0 0.0.0.0/0 CONNMARK match 0x0 CONNMARK set 0x81
0 0 CONNMARK all -- eth2 * 0.0.0.0/0 0.0.0.0/0 CONNMARK match 0x0 CONNMARK set 0x82
333 54209 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
32 1523 MARK all -- tun+ * 0.0.0.0/0 0.0.0.0/0 MARK set 0x81

Chain OUTPUT (policy ACCEPT 2706K packets, 1359M bytes)
pkts bytes target prot opt in out source destination
5 765 MARK all -- * * 0.0.0.0/0 VPN_CLIENT MARK set 0x81

Regards,

Davi

Post by **maikcat** » Thu Jan 20, 2011 9:00 am

if you want to do the following..

-vpn1---------------------vpn1-
vpn-server- -vpn-client
-vpn2---------------------vpn2-

using 2 wan links in both ends and you want load balance+failover?.

the only way i managed to accomplish this ,is using 2 vpn tunnels (with the
appropriate static routes for the 2 internet connections)
but both using tap interfaces and then bond them using bond interface in linux (ifenslave etc)
(ethernet type bonding..)

or do you want something else..?

cheers,

dbht · Post by **dbht** » Sat Jan 22, 2011 9:38 am

Hi. Thanks for your reply.

I'm afraid I don't want two tunnels. Also, I would like to skeep the static routes.

OpenVPN's tunnels are connection less aware (UDP of course) and marking packets using iptables + iproute2 should work fine, but isn't.

I'm afraid I'm either missing something with the couple (iptables+iproute2) or it will not work due the loadbalance across two or more links.

I'm still trying this setup. I hope I get some lucky on it.

Cheers,

Davi

OpenVPN Support Forum

Two link in load-balance causing tunnels the stop working

Two link in load-balance causing tunnels the stop working

Re: Two link in load-balance causing tunnels the stop workin

Re: Two link in load-balance causing tunnels the stop workin