VPN Bonding

From BE Usergroup Technotes
Revision as of 19:32, 11 May 2009 by Drsox (Talk | contribs)


Does your server in <Insert data center name here> have a spare IP (or two, if you don't want double NAT), and can it run VMware Server?

If so, that's the server side sorted.

Secondly, do you have a machine or ALIX box in your house that can run another VMware virtual machine to do the VPN bonding?

You then (may) need a "load balancer" (another machine running pfSense or ZeroShell) to split the two VPN streams down each line, so that machine needs two NICs. There are two things I could have done to avoid the need for a pfSense box: used an internal IP for the VPN, or used two IPs for the VPN server. See my notes at the end about subnets and my own requirements.

That's the most challenging part; the rest is configuration, which is easy now that I can tell you what I did ;)

My setup is based on ZeroShell.

Setup of the Server and prerequisites

First off, get two ZeroShells running (one at the data center, one at home) and passing traffic via something which can direct specific destination-port traffic down two different lines, for example pfSense.

Add two VPNs on your server without IPs assigned to them [see the network list screenshot further down], but obviously with the IP of the server you want to connect to:



Make sure you BOND them! So go to the Setup --> Network section, click Create New Bond and select the two VPNs.

At this stage you may want to add an IP address to the BOND, or do as I did: I then BRIDGED mine with the server's Ethernet so I could have a public IP at my house via the VPN. However, you could skip this step and do double NAT, or bridge at the "house" end so your server is an extension of your LAN:


In my case (as the server does not do the NATing and my VPN has a public IP) I do not need NAT enabled on it:


Setup of the Client (server in your house)

Add the two VPN connections again, but this time as clients:



Then add them to a BOND and add an IP address to it (for my use, this was the public IP address I was to assume at my data center):


Enable NAT on the interface:


Add DNS forwarder servers under the DNS section on the left:


Enable the Net Balancer option and add the default gateway (in my case the data center's gateway IP; alternatively the IP of your server ZeroShell, in which case make sure NAT is enabled on the server too!):


Go into the Net Balancer rules and make sure that you send all traffic down the VPN tunnel, other than anything you want NOT to go down the VPN (see my other rules, which force that via my normal router):


Here is an example of the port forwarding setup I have, too:


Splitting the traffic down two Be* lines

Due to the way I wanted my VPN to have a public IP, and the fact that the IP the ZeroShell box would get is within the SAME subnet as the VPN server it needed to connect to, I couldn't tell the ZeroShell how to connect without a static route. A static route is fixed to one WAN, so I would then lose the whole point: using both my lines! I did not want to use TWO IPs for the VPN server with two static routes, mainly because I have a limited number of IPs I can use at my data center.

So I have to use another box, a dual-WAN pfSense box, to split the traffic down both my Be* lines:


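For anyone doing the "load balancer" step on a plain Linux box rather than pfSense, here is the iproute2/iptables equivalent of what that box has to do: pin the OUTER connection of each VPN tunnel to a different Be* line, so that the bond over the two tunnels really does use both lines and no static route (which would tie both tunnels to one WAN) is needed. This is an added example written for this page, not ZeroShell or pfSense configuration and not the author's setup; the interface names, gateway and server addresses, OpenVPN ports, mark values and table numbers are all assumptions for illustration.

```shell
#!/bin/sh
# Added example: policy-based routing that steers each of two VPN tunnels
# (same server IP, different UDP ports) out of a different WAN line.
# Everything in the topology block is assumed/constructed for the example.

# --- assumed topology ---
WAN1_IF=eth1;  WAN1_GW=192.0.2.1        # first Be* line
WAN2_IF=eth2;  WAN2_GW=198.51.100.1     # second Be* line
VPN_SERVER=203.0.113.10                 # the data-center ZeroShell (one public IP)
VPN1_PORT=1194; VPN2_PORT=1195          # the two VPN instances on that server
MARK1=1; MARK2=2; TABLE1=101; TABLE2=102

# In "plan" mode the commands are printed instead of run, so the rule set can
# be reviewed (and tested) without root; pass "apply" as $1 to execute them.
emit() { if [ "$MODE" = apply ]; then "$@"; else printf '%s\n' "$*"; fi; }

pbr_plan() {
  MODE=$1
  # One routing table per line, each holding only a default route via that line.
  emit ip route replace default via "$WAN1_GW" dev "$WAN1_IF" table "$TABLE1"
  emit ip route replace default via "$WAN2_GW" dev "$WAN2_IF" table "$TABLE2"
  # Mark the outer VPN packets by destination port. The port is the only thing
  # that tells the two tunnels apart, because both go to the same server IP.
  emit iptables -t mangle -A OUTPUT -p udp -d "$VPN_SERVER" --dport "$VPN1_PORT" -j MARK --set-mark "$MARK1"
  emit iptables -t mangle -A OUTPUT -p udp -d "$VPN_SERVER" --dport "$VPN2_PORT" -j MARK --set-mark "$MARK2"
  # Marked packets consult their line's table instead of the main table, which
  # is what removes the need for a static route to the VPN server.
  emit ip rule add fwmark "$MARK1" table "$TABLE1" priority 100
  emit ip rule add fwmark "$MARK2" table "$TABLE2" priority 101
  # The source address was picked before the re-route, so rewrite it to the
  # egress line's address; otherwise line 2 would send packets sourced from
  # line 1's IP and the ISP would drop them (or replies would come back wrong).
  emit iptables -t nat -A POSTROUTING -o "$WAN1_IF" -j MASQUERADE
  emit iptables -t nat -A POSTROUTING -o "$WAN2_IF" -j MASQUERADE
  # Replies to the server arrive on a line that is not the main-table route to
  # it; strict reverse-path filtering would drop them, so use loose mode.
  emit sysctl -w "net.ipv4.conf.$WAN1_IF.rp_filter=2"
  emit sysctl -w "net.ipv4.conf.$WAN2_IF.rp_filter=2"
  emit ip route flush cache
}

# Check helper: which routing table does the plan steer a given VPN port into?
# Reads the mark assigned to the port, then the table assigned to that mark.
pbr_table_for_port() {
  mark=$(pbr_plan plan | sed -n "s/.*--dport $1 .*--set-mark \([0-9]*\)$/\1/p")
  pbr_plan plan | sed -n "s/^ip rule add fwmark $mark table \([0-9]*\) .*/\1/p"
}

# Print the plan by default; "apply" runs it (needs root).
pbr_plan "${1:-plan}"
```

Two caveats worth knowing before bonding the two tunnels on top of this: the tunnels must run on distinct ports (or to distinct server addresses) or there is nothing to mark on, and because of the MASQUERADE the data-center ZeroShell will see the two tunnels arriving from two different public source addresses, one per line, so it must accept both.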