Load Balance OpenVPN Site-to-Site

eytanes

I've configured a working site-to-site openvpn tunnel between two pfsense boxes (using the psk method outlined http://blog.stefcho.eu/?p=576).

The "Client" side (SiteA) of the tunnel has two slow WANs while the "Server" side (SiteB) has 1 fast WAN.

I was able to configure the gateway group in SiteA to load-balance the two wans for specific rules using that gateway group.

What I'd like to do is have the OpenVPN client in SiteA use the load-balanced gateway group for it's connection to SiteB.
Also, Will this make the tunnel faster or will it just establish the tunnel on one of the WANs?
Any chance this is possible?

Thanks in advance.
-E

heper

I believe you will need to establish 2 vpn tunnels simutaniously.

then assign each tunnel an interface (do this on both ends). Only enter the bare essentials for bringing up the tunnel (do not enter routes to pass subnets from one side to another).

then install the ospf package on both ends and bind it to the interfaces you use for the openvpn tunnels. in the ospf webgui settings set the subnet's you wish to pass

i've done this when both end's have 2 WAN connections and it works brilliantly

kind regards

jeroen

eytanes

Thanks I'll try that tonight and post the results.
-E

eytanes

I've added the OpenOSPFd package but I am not sure how to configure it to bind the openvpn interfaces together. Under interface settings I can only add my LANs and WANs.
Is there any documentation on this package? I looked around but couldn't find anything.

heper

you need to assign an interface to your openvpn tunnels, in the menu where you can edit your lan/wan interfaces click "assign"

then you can bind the ospf software to the vpn tunnels

eytanes

That makes sense.

I'm confused which values I should put in each field of the Global Settings.
I'm assuming I only need to fill in the "Area" and the "Subnet To Route". For "subnet to route" to i just add each subnet of the opposite site.
Say Site B is 10.0.0.0 /24 and Site A is 10.0.1.0 /24, I'm going to place "10.0.0.0 /24" in the "subnet to route" for Site A, is that correct?
For the area should I just be using "0.0.0.0"?

Under the "Status"  tab all the sections read "ospfctl: connect: /var/run/ospfd.sock: No such file or directory". I'm running 2.0 RC1. I can update to RC3 is necessary.

Thanks again,
E

heper

area=some number you can pick (it has to be the same on both ends). You could pick 6.5.4.3 for example

do not add the subnets of the opposite site, pick the subnets of site A when you are in the webgui of site A, pick the subnet's of site B when in the webgui of site B

the status page should work once all the settings are configured … it is possible you need to restart the openvpn services and/or ospf service when you have made considerable changes in the openvpn settings.

I don't know if it is needed to update to RC3, but it certainly can't hurt

eytanes

Thanks jeroen! It got it set up and it appears to be working.
I'll do some more testing tomorrow and will post the results.
Thanks again for all your help
-E

eytanes

I'm still not getting the load-balancing to work.
The ospf service on site A looks like it finds both routes to B.
In the "OpenOSPFd FIB" section of the "Status' tab I see

Flags  Prio Destination          Nexthop
*O      16 10.0.0.0/24          10.1.1.10
*O      16 10.0.0.0/24          10.1.1.6

But in the pfsense route table all I see is:

10.0.0.0/24 10.1.1.10 UG 0 3453 1500 ovpns5

I was under the impression that the ospf service would use some type of round robin when sending packets over but as far as I can see they all go through one connection and not the other. Am I missing something?

Thanks,
E

heper

in the ospf webgui, are all tunnel-interfaces selected on both ends ?

if yes, then you should see in the ospf status that multiple routes are being added for the same destination.

Look for the costs of all the routes, if you want loadbalancing the cost should be equal for the same route to the other side.

if you dont specify any metric one will be assigned automagically, a low metric causes low cost … a high metric generates a high cost.

costs have to be the same over both tunnels to achieve balancing.
if costs are different then the lower one will be the preferred way ... thus you achieve failover

eytanes

On each side both interfaces are selected. In the status tab under "OpenOSPFd FIB" I see:

Destination          Nexthop          Path Type    Type      Cost    Uptime
10.0.0.1            10.1.1.10        Intra-Area  Router    10      04:23:45
10.0.0.1            10.1.1.6          Intra-Area  Router    10      04:23:45

But again everything is routed through 10.1.1.10.

I just stumbled upon this http://forum.pfsense.org/index.php/topic,24436.msg126273.html post, do you think I can implement that in this case to load balance the two vpn tunnels?
-E

eytanes

I ended up using a combination of your advice and the forum (http://forum.pfsense.org/index.php/topic,24436.msg126273.html).
I setup the two tunnels as you suggested (with the routes added). Then assigned them Interfaces and static IPs.
Grouped them in a gateway group and made firewall rules to use that gatewaygroup. I added the allow all rules on the rules for those interfaces and everything works great.
I can start 2 simultaneous transfers from Site A to B and the WAN traffic graphs show both being utilized.
Thanks again for all the help,
-E

exabyte

Sorry to mingle myself in this thread.

I am trying to set this up for 3 sites, all 3 with 2 wan connections.
I have no trouble to set up the openvpn tunnels, without entering ip subnet details.
However, I am having trouble setting up interfaces for the tunnels. Do I need to enter ip address? Or do I set the interface type to none?

If I set the interface type to none, ospf doesn't seem to start.
If I set up ip addresses, ospf starts, but no traffic is routed through the openvpn tunnels.

Any kind of help will be greatly appreciated!

eytanes

When I used ospf I set the interfaces to static with the correct ip and created a gateway for that interface with the gateway ip being the ip address of the opposite site. I did this on both ends of the tunnel.
-Eytan

exabyte

Eytan,

thanks for the quick reply.

So if my tunnel network is 10.10.41.0/30, my server gets 10.10.41.1 and my client 10.10.41.2.
I assign an interface on the server side with 10.10.41.1 as the ip and 10.10.41.2 as the gateway.
The interface on the client side gets 10.10.41.2 with gateway 10.10.41.1.

I will try this tomorrow.

Thanks for the advice!

apant

I tried all the combinations of the following posts but no success  Huh

http://forum.pfsense.org/index.php/topic,24436.msg126273.html
http://forum.pfsense.org/index.php?action=printpage;topic=39328.0

I have 2 openvpn tunnels. I have gateway group. But the traffic goes to one of them and not balanced  Huh

Is there anyone who managed this to tell me the recipe? I worked on this scenario about 10 hours but I didn't manage to succeed the desired result.

eytanes

Do you have the lan rules in place that specify the group as the gateway?
If so, test that when you disable tunnel A traffic goes through tunnel B, and vice-versa.
The best way to test load balance is to create multiple simultaneous connections across the tunnels.

-E

apant

I tried to transfer files simultaneously from two pc from the one site to the other and the traffic goes through the one openvpn connection. Failover works with about 10 lost packets during the change. But load balance is not working.

eytanes

What is your setup? Are you using ospf or the gateway group?

apant

I tried every combination. OSFP. Gateway group. Gateway group AND OSFP.

One try had the result the one site to work from the one ιinteface and the other site from the other but nor this is what I want.