How to distribute connections between two wan-ip interfaces



  • Dear,
    Please help me with the sizing of my OpenVPN server. I'm using pfSense 2.4.4-RELEASE-p3 (amd64). As shown in the diagram below, I have two wan-ip connections: the Internet interface 189.20.108.xx, a 10 MB full-duplex link, and the second wan-ip interface 187.75.209.2xx, a 100 MB PPPoE connection. My demand for remote connections has increased a lot, so it is creating bottlenecks in the dedicated link for remote connections via OpenVPN. Help me with the configuration and distribution of these demands between the two links.

    [diagram: client to site openvpn]

    I'm reading the documentation on Use Multiple Servers, but I don't know if that's the path I should take.
    https://docs.netgate.com/pfsense/en/latest/vpn/scaling.html#scaling-openvpn

    Use Multiple Servers

    OpenVPN is not multi-threaded so any single instance of OpenVPN is limited to using a single CPU. If a router has fast cores and not too many users, that may be OK, but it does not scale well. A workaround for this is to split users onto multiple servers. There are various means to reach this goal, including (but not limited to):

    Multiple servers on different WANs or ports, each with unique tunnel networks but otherwise identical settings (same CA structure, encryption, etc.).
        Administrators could choose to manually configure pools of clients to connect to specific servers, but that does not scale well.
        Clients may connect to any server configured in this manner so long as their settings line up properly.
        Multiple servers can be listed in a single client configuration with additional remote statements.
        Add remote-random to the client configuration so that clients will pick a random server when starting, which avoids overloading whichever server is listed first.
        Servers could be run on multiple WANs to overcome single-circuit throughput limits.

    Multiple servers with completely unique settings (different CA structure, different clients, etc.).
        More secure but more difficult to manage.
        Clients must use different configurations to reach each server; there is no automated/built-in way to pick between them unless a specific client supports that function.
        Good for isolating separate security levels (e.g. remote workers, remote administrators, vendors).


  • https://www.netgate.com/resources/videos/advanced-openvpn-on-pfsense-24.html
    Multi-WAN Tactics starting at ~40:08... but the whole hangout is worth watching. 👍

    -Rico



  • Gentlemen,
    Please, can anyone help with this demand? I need to apply the concept of multi-wan-ip on my OpenVPN server. Currently I already have two links; they are published in my DNS.

    Example:
    vpn.company.com.br -> 189.20.108.xx
    vpn2.company.com.br -> 187.75.209.2xx

    Below is an example of the conf.OVPN file:

    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    ncp-disable
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote vpn.company.com.br 1194 udp
    verify-x509-name "OpenVPN-Server" name
    auth-user-pass
    remote-cert-tls server
    remote vpn2.company.com.br 1194 udp
    keepalive 4 15
    <ca>
    

    best regards,
    Wesley Santos



  • https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/ says:

    If --remote is unspecified, OpenVPN will listen for packets from any IP address, but will not act on those packets unless they pass all authentication tests. This requirement for authentication is binding on all potential peers, even those from known and supposedly trusted IP addresses (it is very easy to forge a source IP address on a UDP packet).


    So it's a question of setting:

    [screenshot of the setting]

    Didn't know that this was possible.
    Don't know much more.



  • @Gertjan
    It is possible to listen on all interfaces on the OpenVPN server, as shown in the image below.
    The problem that is occurring is the overload on a single link: all clients connect only to wan1-IP, which responds at the URL "vpn.company.com.br", unless wan1-IP is not responding; therefore, all customers always connect to the wan1-IP interface as the primary.

    I am looking for a solution that can balance customer traffic between the wan1-ip and wan2-ip interfaces.

    [screenshot, 2020-03-31]



  • Unusual. The typical method is to bind to loopback and create port-forwards on the WAN interfaces.
    I think remote-random is the config option you are looking for.



  • @dotdash said in How to distribute connections between two wan-ip interfaces:

    I think remote-random is the config option your are looking for.

    Yes, I was told to use the remote-random option in the configuration, but I don't know where to start and I can't even find material to use as a reference.
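As an added example (not from the original posts), this is the poster's client profile from earlier in the thread with the two remote lines kept together and remote-random added, which is the client-side change the Netgate docs quoted above describe; the hostnames are the poster's and the inline <ca>/<cert>/<key> blocks are left out.

```conf
# Added example, not the original poster's file: same client profile as
# above, with remote-random so clients spread across both WAN hostnames.
client
dev tun
persist-tun
persist-key
tls-client
remote-cert-tls server
verify-x509-name "OpenVPN-Server" name
auth-user-pass
resolv-retry infinite
cipher AES-256-CBC
ncp-disable
auth SHA1
keepalive 4 15

# Both WAN endpoints, listed together (poster's hostnames)
remote vpn.company.com.br 1194 udp
remote vpn2.company.com.br 1194 udp

# Shuffle the remote list once at client startup, so roughly half of the
# clients begin on each hostname instead of all starting on the first one.
# A remote that does not answer is skipped and the next one is tried, so
# failover between the two links is kept.
remote-random

# <ca>, <cert> and <key> blocks omitted here
```

The pick is uniform, so about half the clients will land on the 10 MB link; with one server listening on all interfaces both hostnames also terminate on the same OpenVPN process, whereas the docs' approach runs a separate server per WAN, each with its own tunnel network.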

