VPN Bonding

From BE Usergroup Technotes
Revision as of 18:47, 11 May 2009 by Drsox


Does your server in <Insert data center name here> have the ability to have a spare IP (or two if you don't want double-NAT), and can it run VMware Server?

If so, that's the server side happy.

Secondly, do you have a machine in your house that can run another VMware virtual machine to do the VPN bonding?

You then (may) need a "load balancer" (another machine running pfSense or ZeroShell) to split the two VPN streams down each line, so that machine needs two NICs. There are two things I could have done to avoid the need for a pfSense box: used an internal IP for the VPN, or used two IPs for the VPN server. See my notes at the end about subnets and my own requirements.

That's the most challenging part; the rest is configuration, which is easy now I can tell you what I did ;)

My setup is based on ZeroShell.

Setup of the Server and prerequisites

First off, get two ZeroShells running and passing traffic via something which can direct specific destination-port traffic down two different lines, for example pfSense.

Add two VPNs on your server without IPs assigned to them:

Farend3.png

Farend4.png

Make sure you BOND them! So go to the Setup --> Network section, click Create New Bond and select the two VPNs.

At this stage you may want to add an IP address to the BOND, or do as I did: I BRIDGED mine with the server's ethernet so I could have a public IP at my house via the VPN. However, you could skip this step and do double-NAT, or bridge at the "house" end so your server is an extension of your LAN:

Farend1.png

In my case (as the server does not do the NATting and my VPN has a public IP) I do not need NAT on:

Farend2.png

Setup of the Client (server in your house)

Add the two VPN connections again, but this time as clients:

Nearend5.png

Nearend6.png

Then add them to a BOND and add an IP address to it (for my use, this was the public IP address I was to assume at my datacenter):

Nearend1.png

Enable NAT on the interface:

Nearend2.png

Add DNS forwarder servers under the DNS section on the left:

Nearend4.png

Enable the Net Balancer option and add the default gateway (in my case the datacenter's gateway IP, or else the IP of your server ZeroShell [and make sure NAT is enabled on the server too!]):

Nearend7.png

Go into the Net Balancer rules and make sure that you send all traffic down the VPN tunnel, other than anything you want NOT to go down the VPN (see my other rules to force it via my normal router):

Nearend8.png

Here is an example of the port forwarding setup I have too:

Nearend3.png

Splitting the traffic down two Be* lines

Due to the way I wanted my VPN to have a public IP, and the fact that the IP the ZeroShell box would get is within the SAME subnet as the VPN server it needed to connect to, I couldn't tell the ZeroShell how to connect without a static route. A static route is fixed to one WAN, so I would then lose the whole point: using both my lines!

So I have to use another box, a dual-WAN pfSense box, to split the traffic down both my Be* lines:

Splitter1.png
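The same bond-and-split setup on plain Linux, as an added example that is not ZeroShell's or pfSense's own configuration: the bond and bridge from the server section above, plus the per-port WAN steering that this section uses the pfSense box for. Interface names, ports, gateways and the server address are assumptions; set RUN=echo to print the commands instead of executing them (real use needs root).

```shell
#!/bin/sh
# Added example, not from the original page. All names below are assumptions.
set -eu

LAN=eth0                          # server-side ethernet that the bond is bridged with
TUN1=tap0 TUN2=tap1               # the two VPN tunnel interfaces (tap, so they bridge)
WAN1=eth1 WAN2=eth2               # the two Be* lines on the splitter box
GW1=192.0.2.1 GW2=198.51.100.1    # gateway of each line (documentation ranges)
VPN_PORT1=1194 VPN_PORT2=1195     # one UDP port per tunnel so they can be told apart
VPN_SERVER=203.0.113.10           # far-end VPN server (documentation range)

# RUN=echo prints each command instead of running it.
run() { ${RUN:-} "$@"; }

# Bond the two tunnels round-robin so consecutive packets alternate between the
# lines, then bridge the bond with the LAN port (the page's "BRIDGED" step).
make_bond() {
    run ip link add bond0 type bond mode balance-rr
    run ip link set "$TUN1" down            # slaves must be down before enslaving
    run ip link set "$TUN2" down
    run ip link set "$TUN1" master bond0
    run ip link set "$TUN2" master bond0
    run ip link set bond0 up
    run ip link add br0 type bridge
    run ip link set "$LAN" master br0
    run ip link set bond0 master br0
    run ip link set br0 up
}

# Splitter box: a static route would pin both tunnels to one WAN, so instead mark
# each tunnel's UDP port and give each mark its own routing table and default gateway.
split_tunnels() {
    run ip route add default via "$GW1" dev "$WAN1" table 101
    run ip route add default via "$GW2" dev "$WAN2" table 102
    run ip rule add fwmark 0x1 table 101
    run ip rule add fwmark 0x2 table 102
    run iptables -t mangle -A PREROUTING -p udp -d "$VPN_SERVER" --dport "$VPN_PORT1" -j MARK --set-mark 0x1
    run iptables -t mangle -A PREROUTING -p udp -d "$VPN_SERVER" --dport "$VPN_PORT2" -j MARK --set-mark 0x2
    # Masquerade out of each WAN so the replies return on the same line.
    run iptables -t nat -A POSTROUTING -o "$WAN1" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$WAN2" -j MASQUERADE
}
```

Only the second tunnel's port differs between the two mangle rules, so check that both ports really are distinct on the server side or everything lands on one line.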
