Multi WAN with Open VPN
-
Hello, can anyone confirm whether or not it is possible to accomplish equal link load balance using OVPN?
We use a Static IP Open VPN solution and use Multi-WAN.
We establish a Gateway group and set VPN client to use said group.
Per documentation, the WAN interfaces in the gateway group cannot be of the same priority, which essentially takes away the opportunity for load balancing the WAN links.
Is there a way to configure Gateway groups with Open VPN and load balance across multiple WANs?
Thanks
-
No way directly with OpenVPN - whatever you do, an OpenVPN client connects to an OpenVPN server across 1 physical link, so even if you do set the gateway group with equal tier gateways, you will get only 1 active at any time.
(i.e. there is nothing like MLPPP that bonds multiple links between a pair of routers into a single logical higher-bandwidth link)
I believe you could set up 2 separate OpenVPN clients - 1 out gateway 1 to OpenVPN server A, another out gateway 2 to OpenVPN server B.
Then make gateways for the inside of each of these OpenVPN links, make a gateway group out of them with equal tier.
Then pass traffic on LAN into that gateway group.
It should be load balanced across the 2 OpenVPN links.
-
Hey guys, thanks for the useful info. With regard to:
"OpenVPN client connects to an OpenVPN server across 1 physical link, so even if you do set the gateway group with equal tier gateways, you will get only 1 active at any time."
Does this mean that everything I run through OpenVPN should now just use the one line no matter what? Or each connection over the VPN uses a single line?
I have "balanced" two of the same connection using tier1 gateway and am using OpenVPN, not on the router itself, and achieving speeds at double the speed like I had hoped when using a download manager that makes multiple connections (4 segments) per download, but if I use wget (which uses a single connection), I only get the speed of a single line.
I had hoped that since OpenVPN uses UDP, it would be able to load balance, but I guess not.
"I believe you could set up 2 separate OpenVPN clients - 1 out gateway 1 to OpenVPN server A, another out gateway 2 to OpenVPN server B.
Then make gateways for the inside of each of these OpenVPN links, make a gateway group out of them with equal tier.
Then pass traffic on LAN into that gateway group.
It should be load balanced across the 2 OpenVPN links."
This melts my brain. I think I would need a diagram.
-
As I understand, in the client system you bring up 2 connections to the external VPN server. These connections likely end up on different physical WANs (if the pfSense they go through is doing general load-balancing). Then using a download manager, the client starts sucking parts of a file, and each segment is going round-robin on those 2 OpenVPN links out of the client. Thus all segments in total can use the available bandwidth of both links.
When you are doing a single segment only, it can only go over 1 link, so only single-link speed as you describe.
"I believe you could set up 2 separate OpenVPN clients - 1 out gateway 1 to OpenVPN server A, another out gateway 2 to OpenVPN server B.
Then make gateways for the inside of each of these OpenVPN links, make a gateway group out of them with equal tier.
Then pass traffic on LAN into that gateway group.
It should be load balanced across the 2 OpenVPN links."
This is the same principle as what you have done on the client, just moving the OpenVPN client origin to be pfSense. There will be 2 OpenVPN clients on pfSense, attached to WAN1 and WAN2 respectively. Traffic is load-balanced (= gateway group with equal tier gateways) into the links.
When you use a download manager, the segments will get spread around the available links, just the same as you have done directly on the client device.
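
The per-connection behaviour discussed in this thread can be modelled in a few lines. This is an added example, not part of any post above. It assumes strict round-robin assignment of each new connection to one of two equal-tier tunnel gateways, and an equal split of a link's bandwidth among the connections pinned to it. The link names and the 50 Mbit/s figures are constructed.

```python
from collections import defaultdict
from itertools import cycle

def per_download_rate(downloads, link_mbps):
    """Return {download_name: Mbit/s} for a gateway group of equal-tier links.

    downloads: {name: number_of_connections}, e.g. wget = 1, a download
               manager with 4 segments = 4.
    link_mbps: {link_name: capacity}; every link is treated as the same tier.
    Assumption: each new connection is pinned to exactly one link for its
    whole lifetime (round-robin), and connections on a link share it equally.
    """
    rr = cycle(link_mbps)
    # One (owner, link) pair per connection; a connection never changes link.
    flows = [(name, next(rr))
             for name, conns in downloads.items()
             for _ in range(conns)]

    on_link = defaultdict(int)
    for _, link in flows:
        on_link[link] += 1

    rate = defaultdict(float)
    for name, link in flows:
        rate[name] += link_mbps[link] / on_link[link]
    return dict(rate)

# Constructed sample: two OpenVPN tunnels, one per WAN, 50 Mbit/s each.
LINKS = {"OVPN_A_via_WAN1": 50.0, "OVPN_B_via_WAN2": 50.0}

if __name__ == "__main__":
    for workload in ({"wget": 1}, {"manager": 4}, {"wget": 1, "manager": 4}):
        print(workload, "->", per_download_rate(workload, LINKS))
```

A single connection never exceeds one link's capacity, while the aggregate across several connections approaches the sum of both links.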