Does tinc do multihomed failover?
I have a setup where multiple branch offices with dual internet connections need to connect to my site via a VPN connection to access a server. My site only has one internet connection.
Failover on IPSec is impossible, and OpenVPN's failover failback functionality seems a little crude.
Is tinc able to failover and failback with dual internet connections?
I deal with a site with two internet connections that talks to a single-connected master site over OpenVPN:
```
+-----------------+
|                 |
|   Remote site   |
|                 |
+-----------------+
      |     |
      |     |
      v     v
    XXXXX  XXXXXX
   XX   XXX     X
  XX  internet  X
   XXXXXX  XXXX
      XXXX
       ^
       |
       |
+-----------------+
|                 |
|   master site   |
|                 |
+-----------------+
```
It works wonderfully.
Master site is linux, remote site is pfsense.
This is how I got it:
At the remote site:

- Create a gateway group with your connections in two different tiers (failover)
- Configure a firewall rule redirecting outgoing OpenVPN tunnel traffic (normally UDP traffic on port 1194) to this gateway group

At master site:

- Check option "Allow connected clients to retain their connections if their IP address changes."
- Sit back and relax.
You'll lose connection for a few seconds while OpenVPN detects the IP change, but after that, traffic will resume.
![Captura de Tela 2015-10-27 às 19.10.53.png](/public/imported_attachments/1/Captura de Tela 2015-10-27 às 19.10.53.png)
This is off-topic, but I've been running the server portion of OpenVPN at the remote offices, listening on the failover gateway, and running the clients at the central site.
I add this to the client config at the central site:
```
# hostname and port of the remote office's failover gateway (placeholders as in the post)
remote rmt.fai.ovr.con port
# ping every 1 second, restart the tunnel after 4 seconds without a reply
keepalive 1 4
```
Seems to work pretty well.
Total time to failover = failover timeout configured on gateway group + failover timeout configured by the keepalive statement on the client
I believe the above OpenVPN timeout is set to 4 seconds
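As an added example (not from either poster and not pfSense's generated configuration), the OpenVPN directives that correspond to the steps in the first answer and the keepalive setting in the second; the tunnel subnet, hostnames, certificate file names and the tls-crypt key are assumed placeholders:

```conf
# --- Central (master) site: Linux OpenVPN server, single WAN ---
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0        # assumed tunnel subnet
ca ca.crt
cert master.crt
key master.key
dh dh.pem
tls-crypt ta.key                     # assumed: HMAC + encryption of control packets, so unauthenticated UDP from any source is dropped
# pfSense: "Allow connected clients to retain their connections if their IP address changes"
float                                # re-associate an authenticated session with its new source IP:port after the branch fails over
keepalive 1 4                        # ping every 1 s; server drops a client after 8 s of silence and pushes ping 1 / ping-restart 4 to clients

# --- Branch office: pfSense OpenVPN client, two WANs ---
# pfSense selects the WAN outside OpenVPN: a gateway group with the two WANs
# in different tiers, plus a firewall rule matching outbound UDP/1194 whose
# gateway is that group. No second "remote" line is needed for this.
client
dev tun
proto udp
remote master.example.invalid 1194   # placeholder hostname of the single-WAN master
nobind                               # do not pin the socket to one WAN address; policy routing picks the exit
resolv-retry infinite
persist-key
persist-tun
ca ca.crt
cert branch.crt
key branch.key
tls-crypt ta.key
remote-cert-tls server               # refuse to connect to anything but a server certificate
# Expected outage on a WAN failure = gateway-group failover timeout + ping-restart (4 s here)
```

`float` only relaxes the server's source-address check; packets must still authenticate under the negotiated session keys, and the tls-crypt key additionally keeps control-channel packets from arbitrary sources out of the handshake.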