3 VPN load-balanced connections in a dual failover WAN?
-
I'd like to create three load-balanced VPN connections (I'm looking at AirVPN; it permits up to five simultaneous connections).
But this load-balanced group should go through a dual WAN in failover mode (two internet connections). Is it possible?
-
Yes
I posted an almost identical setup to what you are looking for in response to another user here.
Hopefully it should make sense if you are familiar with....
Create/Assign Interfaces and the Gateway Groups page at "System -> Routing -> Gateway Groups". I saw another post yesterday about the secondary WAN not reverting back to the principal WAN when reconnected, and someone offered a script to solve it. I need to find it again in order to link to it. Will update if I find, test and confirm it works to fix the problem.
Hope this is useful.
Behavior
Main WAN connection = DHCP with 3 VPN clients sharing traffic. Any failing VPN is dropped and load shared over the remaining two. (Redundancy between VPNs)
Pull WAN cable => connection fails over to LTE wireless and VPNs re-establish connection. ...Takes a couple of minutes but it works.
Reconnect WAN cable => DHCP connection always comes UP but it doesn't always switch back from LTE to PPPoE.
Configuration:
5 interfaces assigned
- WAN_DHCP - Vendor A : Monitor 1.1.1.1
- VPN1 - At Vendor B - server X, port 80 : Monitor 4.2.2.1
- VPN2 - At Vendor B - server Y, port 443 : Monitor 4.2.2.2
- VPN3 - At Vendor B - server Z, port 1194 : Monitor 4.2.2.3
- WAN_LTE - Vendor C : Monitor 1.0.0.1
All are "UP"
System -> Routing -> Gateway Groups
-
VPN_GROUP => VPN1 (Tier 3) + VPN2 (Tier 3) + VPN3 (Tier 3) Trigger Level = Packet Loss or High Latency
-
WAN_GROUP => WAN_DHCP (Tier 1) + WAN_LTE (Tier 5) Trigger Level = Member Down
Firewall -> Rules --> add pass rules for internet traffic using "VPN_GROUP" gateway
System -> Routing -> select Default Gateway IPv4 = "WAN_GROUP"
System -> Package Manager -> Service Watchdog -> Added all VPN clients + dpinger Gateway Monitoring Daemon + DNS Resolver (..... not sure if this is necessary but thought it useful to ensure Service Watchdog was watching those services that are likely impacted by switching WAN gateways).
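A small model of the gateway-group selection the setup above relies on (added example, not from the thread or from pfSense's own code). It assumes the usual gateway-group semantics (lowest tier with a healthy member wins, same-tier members are load-balanced, the trigger level decides when a member counts as unusable), the 20 % loss / 500 ms latency thresholds are assumed defaults, and the monitor readings are constructed:

```python
"""Model of how a gateway group picks its active members.

Added example: the tier/trigger semantics are assumed, and the monitor
readings below are constructed rather than real dpinger output.
"""
from dataclasses import dataclass


@dataclass
class Monitor:
    name: str
    tier: int
    alive: bool        # dpinger currently reaches the monitor IP
    loss_pct: float    # packet loss over the sampling window
    latency_ms: float  # average round-trip time

# Assumed "high" thresholds (pfSense-style defaults): 20 % loss, 500 ms RTT.
LOSS_HIGH_PCT = 20.0
LATENCY_HIGH_MS = 500.0

# Trigger level -> predicate that marks a member as unusable.
TRIGGERS = {
    "member_down": lambda m: not m.alive,
    "packet_loss": lambda m: not m.alive or m.loss_pct >= LOSS_HIGH_PCT,
    "high_latency": lambda m: not m.alive or m.latency_ms >= LATENCY_HIGH_MS,
    "loss_or_latency": lambda m: (not m.alive or m.loss_pct >= LOSS_HIGH_PCT
                                  or m.latency_ms >= LATENCY_HIGH_MS),
}


def active_members(group, trigger):
    """Names of the gateways traffic is spread across right now.

    Only members not tripped by the trigger are candidates; among them the
    lowest-numbered tier is used, and every member in that tier shares load.
    """
    healthy = [m for m in group if not TRIGGERS[trigger](m)]
    if not healthy:
        return []
    best = min(m.tier for m in healthy)
    return [m.name for m in healthy if m.tier == best]

# Constructed scenario from the post: three VPN clients at tier 3, VPN2 lossy.
VPN_GROUP = [Monitor("VPN1", 3, True, 0.0, 40.0),
             Monitor("VPN2", 3, True, 35.0, 45.0),
             Monitor("VPN3", 3, True, 0.0, 50.0)]
# WAN_GROUP: DHCP at tier 1, LTE at tier 5, with the WAN cable pulled.
WAN_GROUP = [Monitor("WAN_DHCP", 1, False, 100.0, 0.0),
             Monitor("WAN_LTE", 5, True, 0.0, 90.0)]

if __name__ == "__main__":
    print("VPN_GROUP ->", active_members(VPN_GROUP, "loss_or_latency"))
    print("WAN_GROUP ->", active_members(WAN_GROUP, "member_down"))
```

With the trigger set to "Member Down" instead, the lossy VPN2 would stay in rotation, which is why the post uses "Packet Loss or High Latency" for the VPN tier.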
-
@why in the end it is more or less the same setup that I did.
I started from the nguvu guide and adapted it to dual-WAN failover.
Until now (fingers crossed) in all the tests I did the WAN switch always worked (but I had to remove the persist-tun option, otherwise the VPN connections didn't change WAN). Two things: now the VPN gateways' monitored IPs are the gateways themselves, and I have a different tier numbering:
- WAN failover: WAN1 is tier 1 and WAN2 is tier 2
- VPN balancing: all in tier 1