4. How to distribute connections between two wan-ip interfaces

How to distribute connections between two wan-ip interfaces

  • W

    Dear,
    Please help me with the sizing of my OpenVPN server. I'm using pfsense 2.4.4-RELEASE-p3 (amd64), as shown in the diagram below, two wan-ip connections, the 189.20.108 Internet interface. xx 10 MB full duplex and the second wan-ip interface 187.75.209.2xx is a 100 MB PPOE connection. My demand for remote connections has increased a lot, so it is creating bottlenecks in the dedicated link for remote connections via OpenVPN. Help me with the configuration and distribution of these demands between the two links.

    diagrama client to site openvpn.jpeg

    I'm reading the documentation on Use Multiple Servers, but I don't know if that's the path I should take.
    https://docs.netgate.com/pfsense/en/latest/vpn/scaling.html#scaling-openvpn

    
Use Multiple Servers

OpenVPN is not multi-threaded so any single instance of OpenVPN is limited to using a single CPU. If a router has fast cores and not too many users, that may be OK, but it does not scale well. A workaround for this is to split users onto multiple servers. There are various means to reach this goal, including (but not limited to):

    Multiple servers on different WANs or ports, each with unique tunnel networks but otherwise identical settings (Same CA structure, encryption, etc).

        Administrators could choose to manually configure pools of clients to connect to specific servers, but that does not scale well.

        Clients may connect to any server configured in this manner so long as their settings line up properly.

        Multiple servers can be listed in a single client configuration with additional remote statements.

        Add remote-random to the client configuration so that clients will pick a random server when starting, which avoids overloading whichever server is listed first.

        Servers could be run on multiple WANs to overcome single-circuit throughput limits.

    Multiple servers with completely unique settings (Different CA structure, different clients, etc)

        More secure but more difficult to manage.

        Clients must use different configurations to reach each server, no automated/built-in way to pick between them unless a specific client supports that function.

        Good for isolating separate security levels (e.g. remote workers, remote administrators, vendors).
    0
  • LAYER 8 Rebel Alliance

    https://www.netgate.com/resources/videos/advanced-openvpn-on-pfsense-24.html
    Multi-WAN Tactics starting at ~40:08... but the whole hangout is worth watching. 👍

    -Rico

    0
  • W

    Gentlemen,
    Please, can anyone help with this demand, I need to apply the concept of multi-wan-ip on my OpeVPN server, currently I already have two links, they are published in my DNS.

    Example:
    vpn.company.com.br -> 189.20.108.xx
    vpn2.company.com.br -> 187.75.209.2xx

    Below is an example of conf.OVPN

    dev tun
persist-tun
persist-key
cipher AES-256-CBC
ncp-disable
auth SHA1
tls-client
client
resolv-retry infinite
remote vpn.company.com.br 1194 udp
verify-x509-name "OpenVPN-Server" name
auth-user-pass
remote-cert-tls server
remote vpn2.company.com.br 1194 udp
keepalive 4 15
<ca>

    best regards,
    Wesley Santos

    0

  • https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/ says :

    If –remote is unspecified, OpenVPN will listen for packets from any IP address, but will not act on those packets unless they pass all authentication tests. This requirement for authentication is binding on all potential peers, even those from known and supposedly trusted IP addresses (it is very easy to forge a source IP address on a UDP packet).

    So - it's a question of setting :

    a0316c24-448c-4863-b7f3-0627f5630d49-image.png

    Didn't know that this was possible.
    Don't know much more.

    0
    W
     1 Reply
  • W

    @Gertjan
    it is possible to use listening on all interfaces on the OpenVPN server, as shown in the image below.
    the problem that is occurring is the overload on a single link, all clients connect only on wan1-IP, which responds at the URL "vpn. company.com.br", if wan1-IP is not responding, therefore, all customers always connect to the wan1-IP interface as the primary.

    I am looking for a solution that can balance customer traffic between the wan1-ip and wan2-ip interfaces.

    Captura de tela de 2020-03-31 16-53-33.png

    0

  • Unusual. The typical method is to bind to loopback and create port-forwards on the WAN interfaces.
    I think remote-random is the config option your are looking for.

    0
    W
     1 Reply
  • W

    @dotdash said in How to distribute connections between two wan-ip interfaces:

    I think remote-random is the config option your are looking for.

    Yes, I was told to use the random remote control in the configuration option, but I don't know where to start and I can't even find material to use as a reference.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy