VPN Bonding

From BE Usergroup Technotes

Latest revision as of 17:42, 16 August 2010

Do you have two BE (or other ISP!) lines and wish to merge them so they appear like just one?

Does your server in <Insert data center name here> have a spare public IP (or two, if you don't want double NAT), and can it run VMware Server?

If so, the server side is sorted.

Secondly, do you have a machine or ALIX box at home that can run another VMware virtual machine to do the VPN bonding?

You then (may) need a "load balancer" (another machine running pfSense or ZeroShell) to split the two VPN streams down the two lines, so that machine needs two NICs. There are two things I could have done to avoid the need for a pfSense box: use an internal IP for the VPN's public IP, or use two IPs for the VPN server. See my notes at the end about subnets and my own requirements.

That's the most challenging part; the rest is configuration, which is easy now that I can tell you what I did ;)

My setup is based on ZeroShell.

Setup of the Server and prerequisites

First off, get two ZeroShells running and passing traffic via something which can direct traffic for specific destination ports down two different lines, for example pfSense. (Or use two IPs at your VPN server end and direct each VPN stream down the correct WAN in the VPN client options screen. Note that UDP mode does not seem to work or split the traffic! If using UDP you must have pfSense or another system splitting the traffic down the two lines.)

Add two VPNs on your server without IPs assigned to them (see the network list screenshot further down). You may want to enter the different WAN IPs for each VPN, although I do not believe this acts as an "allow only this IP" setting; I use it as a note of which IP is for which VPN:



Make sure you BOND them! Go to Setup --> Network, click Create New Bond and select the two VPNs.

At this stage you may want to add an IP address to the BOND, or do as I did: I bridged mine with the server's Ethernet so I could have a public IP at my house via the VPN. You could skip this step and do double NAT, or bridge at the house end so your server becomes an extension of your LAN:


In my case (as the server does not do the NATing and my VPN has a public IP) I do not need NAT enabled on the server:


Setup of the Client (server in your house)

Add the two VPN connections again, but this time as clients:



Then add them to a BOND and give it an IP address (for my use, this was the public IP address I was to assume at my datacentre):


Enable NAT on the interface:


Add DNS forwarder servers under the DNS section on the left:


Enable the Net Balancer option and add the default gateway (in my case the datacentre's gateway IP; alternatively the IP of your server ZeroShell, in which case make sure NAT is enabled on the server too!):


Go into the Net Balancer rules and make sure that you send all traffic down the VPN tunnel, other than anything you want NOT to go down the VPN (see my other rules, which force that traffic via my normal router):


Here is an example of the port forwarding setup I have too:


Splitting the traffic down two BE lines

EDIT: I have since removed pfSense and purchased a second IP for my ZeroShell server at my datacentre, so I now only have one box (my router ZeroShell) at home! However, it appears that for some reason it will only send the traffic down different gateways when the VPN type is set to TCP. When set to UDP it appears to send both streams down one WAN! Keep an eye out for that problem!

PREVIOUSLY: Because I wanted my VPN to have a public IP, and the IP the ZeroShell box would get is within the SAME subnet as the VPN server it needed to connect to, I couldn't tell ZeroShell how to connect without a static route. A static route is fixed to one WAN, so I then lost the whole point: using both my lines! I did not want to use TWO IPs for the VPN server with two static routes, mainly because I have a limited number of IPs I can use at my datacentre.

So I had to use another box, a dual-WAN pfSense box, to split the traffic down both my Be* lines.
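On a plain Linux box the static-route problem described above can be avoided with policy routing, which is what the following added example shows (it is not the page's ZeroShell or pfSense configuration). Each OpenVPN client gets a `mark` option, which sets SO_MARK on its socket, and an `ip rule` sends each mark to a per-line routing table, so the two streams to one server IP leave via different WANs and no route to the server is needed in the main table. Because the mark is on the socket rather than on a port match, it applies to `proto udp` just as it does to TCP. The interface names, gateways, ports and the server IP are assumptions; privileged commands are echoed unless RUN is set to the empty string.

```shell
#!/bin/sh
# Send each VPN stream down its own line with Linux policy routing.
# Added example, not the page's own configuration: every address, interface
# name and port is an assumption. Dry run by default (commands are echoed);
# run with RUN="" as root to apply.
set -eu

RUN="${RUN:-echo}"
SERVER_PUB=203.0.113.10               # assumed: the single VPN server IP both tunnels connect to
WAN1_IF=eth1; WAN1_GW=198.51.100.1    # assumed: line 1 interface and its ISP gateway
WAN2_IF=eth2; WAN2_GW=198.51.100.65   # assumed: line 2 interface and its ISP gateway
VPN1_PORT=1194; VPN2_PORT=1195        # assumed: one TCP port per tunnel on the server

# Which tunnel (1 or 2) a destination port belongs to; 0 for anything else.
tunnel_mark() {
    case "$1" in
        "$VPN1_PORT") echo 1 ;;
        "$VPN2_PORT") echo 2 ;;
        *)            echo 0 ;;
    esac
}

# Give an OpenVPN client config a "mark N" line (replacing any existing one).
# OpenVPN sets SO_MARK on its socket, so the kernel's route lookup for that
# tunnel, including source-address selection, honours the matching ip rule.
# $1 = config file, $2 = the tunnel's server port.
add_mark_option() {
    m=$(tunnel_mark "$2")
    [ "$m" -ne 0 ] || { echo "port $2 is not a tunnel port" >&2; return 1; }
    { grep -v '^mark ' "$1" || :; echo "mark $m"; } > "$1.tmp"
    mv "$1.tmp" "$1"
}

split_cmds() {
    # One routing table per line, each with that line's gateway as default.
    $RUN ip route replace default via "$WAN1_GW" dev "$WAN1_IF" table 101
    $RUN ip route replace default via "$WAN2_GW" dev "$WAN2_IF" table 102
    # Marked packets consult their line's table before the main table, so no
    # static route to the server (which would pin both tunnels to one WAN) is
    # needed, and the bond's own default route never sees tunnel packets.
    $RUN ip rule add fwmark 1 table 101 priority 101
    $RUN ip rule add fwmark 2 table 102 priority 102
    $RUN ip route flush cache
}

# Check: ask the kernel which way a packet to the server would go with each mark.
# Expect line 1's interface for mark 1 and line 2's for mark 2.
verify_cmds() {
    $RUN ip route get "$SERVER_PUB" mark 1
    $RUN ip route get "$SERVER_PUB" mark 2
}

case "${1:-}" in
    apply)  split_cmds; verify_cmds ;;
    mark)   add_mark_option "$2" "$3" ;;   # e.g. mark /etc/openvpn/vpn1.conf 1195
esac
```

Order matters when applying this for real: add the marks to the two client configs and run `sh split.sh apply` before the bond's default route is pointed at the datacentre gateway, otherwise the tunnels try to reach the server through themselves. If the two lines hand out addresses on the same subnet, add `ip rule add from <line address> table <n>` for each line as well, so reply traffic sourced from a line's address also leaves on that line.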

