Does tinc do multihomed failover?



  • Hello,

    I have a setup where multiple branch offices with dual internet connections need to connect to my site via a VPN connection to access a server.  My site only has one internet connection.

    Failover on IPSec is impossible, and OpenVPN's failover failback functionality seems a little crude.

    Is tinc able to failover and failback with dual internet connections?



  • Hi,

    I deal with a site with two internet connections that talks to a single connected master site over OpenVPN:

    ```
           +-----------------+
           |                 |
           |  Remote site    |
           |                 |
           +-----------------+
                 |      |
                 |      |
                 |      v
                 v   XXXXX
                XXXXXX   XX
             XXX          X
             XX  internet X
              XXXXXX   XXXX
                   XXXX
                    ^
                    |
                    |
           +-----------------+
           |                 |
           |  master site    |
           |                 |
           +-----------------+
    ```

    It works wonderfully.

    Master site is linux, remote site is pfsense.

    This is how I got it:

    At the remote site:

    • Create a gateway group with your connections in two different tiers (failover)

    • Configure a firewall rule redirecting outgoing OpenVPN tunnel traffic (normally UDP traffic on port 1194) to this gateway group

    • Have fun

    At master site:

    • Check option "Allow connected clients to retain their connections if their IP address changes."

    • Sit back and relax.

    You'll lose the connection for a few seconds while OpenVPN detects the IP change, but after that, traffic will resume.

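    The setup described above, written out as OpenVPN configuration. This is an added example, not the poster's configuration: the hostname, port, tunnel subnet and certificate paths are constructed placeholders, and the `keepalive 1 4` value on the client is the one given later in this thread.

    ```conf
    ##### Master site (OpenVPN server, Linux) #####
    # Constructed placeholders: port 1194, tunnel subnet 10.8.0.0/24, PKI files.
    port 1194
    proto udp
    dev tun
    ca   /etc/openvpn/ca.crt
    cert /etc/openvpn/master.crt
    key  /etc/openvpn/master.key
    dh   /etc/openvpn/dh.pem
    server 10.8.0.0 255.255.255.0

    # This is the directive behind the pfSense checkbox "Allow connected clients
    # to retain their connections if their IP address changes". Without it, the
    # server only accepts packets for a session from the address it was
    # negotiated with, so a WAN failover at the remote site looks like a new,
    # unknown peer and the tunnel has to be renegotiated from scratch.
    float

    # Packets are still checked against the session's keys before they are
    # accepted, so float does not let an unauthenticated source take over a
    # session. tls-auth additionally lets the server drop unsigned control
    # packets from spoofed sources before doing any TLS work.
    tls-auth /etc/openvpn/ta.key 0

    # Server side ping 10s, and restart a dead client session after 120s.
    keepalive 10 60
    persist-key
    persist-tun

    ##### Remote site (OpenVPN client, pfSense) #####
    # pfSense generates this from the GUI; shown here only to make the
    # failover path visible. The firewall rule in the post policy-routes
    # the outgoing UDP/1194 traffic through the gateway group, so when WAN1
    # fails the source address of these packets changes to WAN2.
    client
    dev tun
    proto udp
    remote vpn.master.example 1194   # constructed placeholder hostname
    nobind
    resolv-retry infinite
    ca   /etc/openvpn/ca.crt
    cert /etc/openvpn/remote.crt
    key  /etc/openvpn/remote.key
    tls-auth /etc/openvpn/ta.key 1

    # ping every 1s; if nothing is heard for 4s, restart. This bounds how long
    # the client takes to notice a dead path on top of the gateway group's own
    # failover timeout, as the third post points out.
    keepalive 1 4
    persist-key
    persist-tun
    ```

    The total outage seen by users is the gateway group's failover detection time plus the client's keepalive restart timeout, so the two values should be tuned together.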



  • This is off-topic, but I've been running the server portion of OpenVPN at the remote offices, listening on the failover gateway, and running the clients at the central site.

    I add this to the client config at the central site:

    ```
    remote rmt.fai.ovr.con pporrtt;
    keepalive 1 4;
    ```

    Seems to work pretty well.

    Total time to failover = failover timeout configured on gateway group + failover timeout configured by the keepalive statement on the client

    I believe the above OpenVPN timeout is set to 4 seconds.

