Backup tunnel with overlapping routes
-
My setup includes a WAN from FIOS and a WAN using an LTE modem.
I have a VPN server running on WAN_FIOS. Since I cannot receive any incoming packets on the LTE modem, I have a separate OpenVPN tunnel using the LTE modem as a client connecting to the same server WAN_FIOS connects. Different certificates.
All tunnels are using /30 topology.
The issue I'm having is that when the OpenVPN client interface for the modem is initialized, the routes to the remote server are rejected by FreeBSD, presumably because they already exist for the server tunnel.
How can I set this up so that if my WAN tunnel goes down, the client tunnel will carry traffic? As of now, if WAN goes down, the client routes aren't created, although they are specified in the config.
I'm sure there is a solution for this somewhere.
As always, thanks,
Devan
-
@ddbnj
Best practice might be to run only one client with the proper routes using both WAN connections as a failover group. To do so, you have to add a gateway group and add both upstream gateways to it, the WAN_FIOS as tier 1 and the LTE as tier 2.
Then you can configure the client to use the gateway group for connecting to the server.
-
@viragomann said in Backup tunnel with overlapping routes:
@ddbnj
Best practice might be to run only one client with the proper routes using both WAN connections as a failover group. To do so, you have to add a gateway group and add both upstream gateways to it, the WAN_FIOS as tier 1 and the LTE as tier 2.
Then you can configure the client to use the gateway group for connecting to the server.

I thought the same plan but stopped because I have a firewall rule to block site-to-site snapshot backups over LTE. Too much data. If I go the gateway group route I would lose the LTE-only tunnel interface.
-
You can use policy routes instead of OpenVPN added ones if you want that. So you can use both VPNs for different purposes and additionally set up a fail-over gateway of both for common use.
If you want to do this, you have to remove the remote networks from the OpenVPN settings, so that both connections can be established without interfering.
Then create a gateway group with both VPNs.
Now you can add policy routing rules using either the gateway group or only one VPN gateway.
You will have to check the "skip filter rules if gateway down" option in the advanced settings to avoid skipping a rule and use another gateway.
-
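The policy-routing setup viragomann describes, and in particular what the "skip rules when gateway is down" option changes for a rule pinned to a single VPN gateway, modelled as an added Python example (not pfSense code and not from the thread): gateway names, interface names, addresses and networks are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed stand-ins for the thread's two OpenVPN client gateways; interface
# names and addresses below are assumptions, not values from the post.
@dataclass
class Gateway:
    name: str
    interface: str
    address: str
    up: bool

@dataclass
class GatewayGroup:
    name: str
    members: list  # (gateway, tier) pairs; tier 1 is preferred over tier 2

    def active(self):
        """Failover selection: the lowest-tier member that is up, else None."""
        live = [(tier, gw) for gw, tier in self.members if gw.up]
        return min(live, key=lambda t: t[0])[1] if live else None

def build_rule(src_net, dst_net, target, skip_when_down):
    """Return the pf rule text for one policy-routing rule, or None if omitted.
    Models the documented pfSense behaviour: if the gateway is down the rule is
    normally written WITHOUT route-to, so matching traffic follows the default
    route (fails open); with "Skip rules when gateway is down" set, the whole
    rule is dropped instead (fails closed)."""
    if isinstance(target, GatewayGroup):
        gw = target.active()
    else:
        gw = target if target.up else None
    if gw is None:
        if skip_when_down:
            return None
        return f"pass in quick on $LAN from {src_net} to {dst_net} keep state"
    return (f"pass in quick on $LAN route-to ({gw.interface} {gw.address}) "
            f"from {src_net} to {dst_net} keep state")

def snapshot_rule(fios_up, skip_when_down):
    """The thread's 'snapshot backups only over the FIOS tunnel' rule."""
    fios = Gateway("OVPN_FIOS_GW", "ovpnc1", "10.8.0.1", fios_up)
    return build_rule("192.168.1.0/24", "10.50.0.0/24", fios, skip_when_down)

def failover_rule(fios_up, lte_up):
    """General traffic via a two-tier gateway group (FIOS tier 1, LTE tier 2)."""
    fios = Gateway("OVPN_FIOS_GW", "ovpnc1", "10.8.0.1", fios_up)
    lte = Gateway("OVPN_LTE_GW", "ovpnc2", "10.8.0.5", lte_up)
    group = GatewayGroup("VPN_FAILOVER", [(fios, 1), (lte, 2)])
    return build_rule("192.168.1.0/24", "10.50.0.0/24", group, True)
```

With the option off, the FIOS-only snapshot rule is still emitted when that tunnel is down, just without route-to, so the backup traffic follows the default route instead of staying on the intended tunnel; with it on, the rule is omitted and that traffic falls through to whatever rule comes next.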
@viragomann said in Backup tunnel with overlapping routes:
You can use policy routes instead of OpenVPN added ones if you want that. So you can use both VPNs for different purposes and additionally set up a fail-over gateway of both for common use.
If you want to do this, you have to remove the remote networks from the OpenVPN settings, so that both connections can be established without interfering.
Then create a gateway group with both VPNs.
Now you can add policy routing rules using either the gateway group or only one VPN gateway.
You will have to check the "skip filter rules if gateway down" option in the advanced settings to avoid skipping a rule and use another gateway.

I think I got this working using policy routing.
Thank you!