    Does tinc do multihomed failover?

      ttblum:

      Hello,

      I have a setup where multiple branch offices with dual internet connections need to connect to my site via a VPN connection to access a server.  My site only has one internet connection.

      Failover on IPSec is impossible, and OpenVPN's failover failback functionality seems a little crude.

      Is tinc able to failover and failback with dual internet connections?

        weltonrodrigo:

        Hi,

        I deal with a site with two internet connections that talks to a single-connection master site over OpenVPN:

        ```
               +-----------------+
               |                 |
               |  Remote site    |
               |                 |
               +-----------------+
                     |      |
                     |      |
                     |      v
                     v   XXXXX
                    XXXXXX   XX
                 XXX          X
                 XX  internet X
                  XXXXXX   XXXX
                       XXXX
                        ^
                        |
                        |
               +-----------------+
               |                 |
               |  master site    |
               |                 |
               +-----------------+
        ```

        It works wonderfully.

        Master site is Linux, remote site is pfSense.

        This is how I got it:

        At the remote site:

        • Create a gateway group with your connections in two different tiers (failover)

        • Configure a firewall rule redirecting outgoing OpenVPN tunnel traffic (normally UDP traffic on port 1194) to this gateway group

        • Have fun

        At master site:

        • Check option "Allow connected clients to retain their connections if their IP address changes."

        • Sit back and relax.

        You'll lose connection for a few seconds while OpenVPN detects the IP change, but after that, traffic will resume.

        ![Captura de Tela 2015-10-27 às 19.10.53.png](/public/imported_attachments/1/Captura de Tela 2015-10-27 às 19.10.53.png)

          ttblum:

          This is off-topic, but I've been running the server portion of OpenVPN at the remote offices, listening on the failover gateway, and running the clients at the central site.

          I add this to the client config at the central site:

          ```
          # hostname of the remote office's failover address and the server port
          # (OpenVPN directives take no trailing ';' -- a ';' starts a comment)
          remote rmt.fai.ovr.con pporrtt
          # ping the server every 1 s; restart the tunnel after 4 s without a reply
          keepalive 1 4
          ```

          Seems to work pretty well.

          Total time to failover = failover timeout configured on gateway group + failover timeout configured by the keepalive statement on the client

          I believe the above OpenVPN timeout is set to 4 seconds

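The two posts above rely on three things: the server tolerating a client whose source address changes (the pfSense checkbox "Allow connected clients to retain their connections if their IP address changes", which corresponds to OpenVPN's `float` directive), the client detecting a dead path via `keepalive`, and the sum of the gateway-group failover time and the keepalive restart timeout being the worst-case outage. The following is an added example, not code from either poster, pfSense or OpenVPN: a small Python audit that parses client and server configs, reports which of those pieces is missing, and computes the worst-case failover time from the operator-supplied gateway-group timeout. The sample configs are constructed, and `vpn.example.invalid`, `10.8.0.0/24` and the placeholder certificate are made-up values.

```python
"""Failover-readiness check for OpenVPN run over a pfSense gateway group.

Added example; not code from the forum thread, pfSense or OpenVPN.  The sample
configs below are constructed and 'vpn.example.invalid' is a placeholder."""


def parse_openvpn_config(text):
    """Parse an OpenVPN config into [(directive, [args]), ...].

    In OpenVPN syntax a line beginning with '#' or ';' is a comment (so a
    trailing ';' is not a statement terminator).  Inline <tag>...</tag>
    sections holding certificates and keys are skipped as opaque."""
    directives = []
    in_inline = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_inline:
            in_inline = not line.startswith("</")
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<"):
            in_inline = True
            continue
        tokens = line.split()
        directives.append((tokens[0], tokens[1:]))
    return directives


def timeouts(directives, role):
    """Return (ping_interval_s, ping_restart_s) as OpenVPN applies them.

    'keepalive n m' expands to 'ping n' + 'ping-restart m' on a client and to
    'ping n' + 'ping-restart 2*m' on a server, so the client always notices a
    dead path before the server drops it.  Later explicit ping/ping-restart
    lines override the expansion."""
    ping = restart = None
    for name, args in directives:
        if name == "keepalive" and len(args) == 2:
            ping = int(args[0])
            restart = int(args[1]) * (2 if role == "server" else 1)
        elif name == "ping" and args:
            ping = int(args[0])
        elif name == "ping-restart" and args:
            restart = int(args[0])
    return ping, restart


def pushed_client_restart(server_directives):
    """A server-side 'keepalive n m' pushes 'ping-restart m' to its clients."""
    for name, args in server_directives:
        if name == "keepalive" and len(args) == 2:
            return int(args[1])
    return None


def audit_failover(client_cfg, server_cfg, gateway_failover_s):
    """Report missing failover pieces and the worst-case outage in seconds.

    gateway_failover_s is the time the pfSense gateway group takes to mark the
    tier-1 WAN down; it is operator-configured, so it is passed in rather than
    derived here."""
    client = parse_openvpn_config(client_cfg)
    server = parse_openvpn_config(server_cfg)
    findings = []
    if not any(name == "float" for name, _ in server):
        findings.append("server: 'float' missing; sessions whose source IP "
                        "changes after WAN failover will be dropped")
    if not any(name == "remote" for name, _ in client):
        findings.append("client: no 'remote' directive")
    _, restart = timeouts(client, "client")
    if restart is None:
        restart = pushed_client_restart(server)  # server may push it
    if restart is None:
        findings.append("client: no keepalive/ping-restart, local or pushed; "
                        "a dead path is never detected")
        total = None
    else:
        total = gateway_failover_s + restart
    return {"findings": findings, "worst_case_failover_s": total}


# Constructed sample: client at the central site, as in the last post above.
CLIENT_CFG = """\
# constructed sample client config (central site)
client
dev tun
proto udp
remote vpn.example.invalid 1194
; ping every 1 s, restart the tunnel after 4 s of silence
keepalive 1 4
"""

# Constructed sample: server at the dual-WAN remote office.
SERVER_CFG = """\
# constructed sample server config (remote office)
dev tun
proto udp
server 10.8.0.0 255.255.255.0
float
keepalive 1 4
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
"""

SERVER_CFG_NO_FLOAT = SERVER_CFG.replace("float\n", "")

if __name__ == "__main__":
    # 5 s stands in for the gateway group's configured failover time.
    print(audit_failover(CLIENT_CFG, SERVER_CFG, 5))
    print(audit_failover(CLIENT_CFG, SERVER_CFG_NO_FLOAT, 5))
```

With a 5 second gateway-group timeout and the thread's `keepalive 1 4` on the client, the audit reports no findings and a 9 second worst case; removing `float` from the server config produces exactly the failure the second post warns about.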