VPN-Bonding (HMA OpenVPN) for true load-balancing

  • Hello forum,

    i need some assistance to configure my pfSense-Box to do true load-balancing.
    ATM I have:

    • A Mini-ITX DualWAN pfSense Box (pfSense 2.1)
    • Two identical 3G-Sticks (working fine) with 10/6mbit speed and unlimited data plans
    • A HMA! VPN-Connection

    What I want is basically a LAGG that uses two VPN-Tunnels, one over each WAN-Interface (3G-Stick) in Round-Robin-Mode so that my 2 10/6 interfaces provide me (something close to) 20/12 mbit Speed.

    I've already googled for a few days and read tons of threads, e.g. these two:

    But up to now I've not been able to achieve what I want.

    My first, very basic question: Is it possible to do what I want using a HMA! VPN or do i need a full Root-Server at the over end of my tunnels?

    If it is possible, I still need some guidance in configuring my pfSense-box accordingly.
    My WAN-Interfaces are up and working fine, I've configured two identical OpenVPN-Tunnels in TAP-Mode on each WAN-Interface, but atm they are not working simultaneously, the second one always stops the first one and vice versa, resulting in an endless loop of reconnections.

    If my setup is too complex to just answer it here in this forum, I can place a bounty on this task…

    Any advice and help is very much appreciated :)

    This is my first post and this is not my mother-tongue, so please excuse any mistakes I may have made.

  • Since this is obviously not completely trivial to configure, I want to add a few more things:

    • If a HideMyAss-VPN is not sufficient and a full Server is necessary, I can also rent a virtual server to try this out.
    • If there are easier ways to achieve true load-balancing, e.g. MLPPP instead of bonding OpenVPN, I'm also willing to try these other ways…

    I know that there already are products on the market offering true load-balancing, but since they are not really cheap (and I'm really interested in this topic) I prefer developing a similar solution myself (with your assistance ;) ).

    If anyone is willing to give me step-by-step instructions to make my PFsense box do true load-balancing over all available WAN-Lines, I'm willing to pay a small compensation of $50.

  • The way I understand "Load Balancing" is that you have two (or more) (in this case) "WANs"

    Each WAN has a corresponding IP address.

    The "Load" or traffic has to be split between these WANs and a single connections such as a file transfer will never be faster than the speed of the actual WAN its coming in on.  (with 4 load balanced 1mbps/768kbps connections your Open Office download would only come down at 1mbps)

    MLPPP on the other hand uses multiple interface connections. But has one IP address assigned to the WAN interface which includes these interfaces in a PPP.

    In this case a single file transfer is split across the multiple interfaces and is limited by the sum of the multiple internet connections. (Your Open Office download would now transfer at 4mbps)

    If one could create a bonded connection in the same way a DSL provider does (my ISP uses Cisco gear) then you could use pppoe connections over your present internet connections to your datacenter/other location to achieve this.

    Of coarse it would mean you need a pppoe server device at the other end capable of mlppp connections.  pfSense does the client side easy enough.

    Im not sure how an OpenVPN solution fits in and compares with the above.  :)

  • Thanks a lot for you reply, chpalmer.

    I agree with you, the MLPPP-approach is a completely different one and makes the OpenVPN-Bonding obsolete.
    I did a bit of research on MLPPP yesterday, and may have come up with a solution:
    If I rent a vServer with a 100 Mbit-Connection, with FreeBSD and install a MPD5, i should be able to make a MLPPP-Connection from my PFSense-Box, completely without VPN.
    Do you think this would work?

    If this does not work, I'll try a vServer with Ubuntu and an OpenVPN-Server on it, then I should be able to do a VPN-Bonding… At least I hope so ;-)

  • And one more reply from myself.

    As far as I understand MLPPP, the MLPPPoE-approach won't work.
    PPPoE does only work over Ethernet (suprise ;) ), so I can't connect to a PPPoE-Server over the Internet.
    I think it may work to connect via PPPoE over some kind of tunnel, but then I would have to setup a VPN/Tunnel to establish two PPPoE-Connection to use MLPPP.
    And this does not look much simpler than bundling two OpenVPNs.

    I also thought that it may be possible to use MLPPP with PPTP or L2TP-Tunnels, but at least for PPTP I'm now quite sure, that this won't work.
    ( https://doc.pfsense.org/index.php/Can_I_use_pfSense's_WAN_PPTP_feature_to_connect_to_a_remote_PPTP_VPN%3F )

    So, atm I don't think that MLPPP is much use for me here, so now I'm back on the OpenVPN-Bundling idea.
    Within the next few days I'll get my new root-server with Ubuntu 12.04, I'm going to use it as an OpenVPN-server for my tap-VPNs…

    To be honest, I thought this would be a little bit easier ;)

  • Hi SimPru, how did this work out for you in the end? If you got this working would you mind drafting a write up of how you achieved it? I have access to a small data center and I'm trying to achieve the same thing and I would love to know what direction is best to head :) Thanks

  • hi guys, I am interested in this topic (link bonding) as well. Are there any news?

Log in to reply