3g vpn bond issues

Home Page Forums Network Management Networking 3g vpn bond issues

This topic contains 6 replies, has 0 voices, and was last updated by  dotcomstu 6 years, 4 months ago.

Viewing 8 posts - 1 through 8 (of 8 total)
  • Author
    Posts
  • #41770

    dotcomstu
    Member

    First off, thank you Fulvio for making ZS!

    I am trying to get aggregate bandwidth by bonding multiple vpn connections over 3g dongles and keep running into the following issues:

    1) vpn traffic does not honor the gateway directive.
    2) net balancer never recovers from a fault
    3) remote vpn server indicates all connections are from a single 3g ppp ip (see point 1)

    Here is the setup we are using:

    3 * 3g dongles (autostart, default route, no nat)
    3 * gateways ppp0 thu ppp2 defined in net balancer with 4x timeout.
    3 * VPNs running on udp ports 4000 thu 4002 to remote VPN server
    BOND00 comprising VPN00 thu VPN02 10.1.1.2
    Remote VPNs Bond 10.1.1.1
    ping from 10.1.1.1 to 10.1.1.2 works OK and vice versa

    Vpns are all connecting to the same remote vpn server ip using UDP on separate ports 4000 to 4002, one for each vpn/3g modem in the range.

    When running tcpdump on the separate ppp devices i see vpn traffic for all VPNs across all ppp devices. where as it should only route one vpn down one ppp device.

    i have also tried adding net balancer rules to the effect of:
    MARK udp opt — in * out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW,RELATED,ESTABLISHED udp dpt:4000 MARK set 0x65 gw ppp0
    MARK udp opt — in * out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW,RELATED,ESTABLISHED udp dpt:4001 MARK set 0x66 gw ppp1
    MARK udp opt — in * out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW,RELATED,ESTABLISHED udp dpt:4002 MARK set 0x67 gw ppp1

    but this does not make the vpns connect via each ppp gateway device

    also in the net balancer when a 3g gateway gets marked with a fault it never seems to be able to recover and get marked back as active again, yet when you manually disable the gateway and and re-enable it it then says its active.

    Our failover monitor settings are:
    -ICMP failover checking: enabled
    -Number of probes before marking DOWN: 2
    -Number of probes before marking UP: 1
    -Reply timeout (seconds): 5
    -Pause before starting a new cycle (seconds): 3
    -Immediately restart PPPoE and 3G Mobile: yes

    with all 3 fail-over ip addresses set + enabled

    All three usb 3g dongles are separated by +1m and always show blue connected (and are all on same 3g network operator)

    Any help or recommendations gratefully received!

    Best Regards

    Stu

    #48370

    jacasoj
    Member

    Hello Stu, were you able to get it running correctly? I am in the same problem as you and I’m almost discarding the possibility that this could be done.

    KR,
    José Antonio

    #48371

    dotcomstu
    Member

    @jacasoj wrote:

    were you able to get it running correctly? I am in the same problem as you and I’m almost discarding the possibility that this could be done.

    Unfortunately not, I has hoping that lucky beta13 might have some of these issues fixed!

    #48372

    ninnic
    Member

    I have the same problem , some news?

    #48373

    srix
    Member

    [Note to admin: for some reason my BBcode options is disabled. could be this bug http://www.phpbb.com/bugs/phpbb3/ticket.php?ticket_id=23495&start=8 . So my posts are not formatted correctly . I have to add # instead of ‘space’ in the ascii art , else ‘space’ gets stripped]

    Hi dotcomstu,

    did u manage to resolve it. If yes please share.

    Problem seems to exist in 1.0 beta 16 also. VPN connections ignore the Gateway association in the settings page.

    Here is my setup. Am trying to aggregate bandwidth over two ppp connections over EVDO ( USB wireless broadband dongle).

    Quote:
    #########–> VPN0 -> ppp0 ->
    bond0 (rr)—>| ############ | —-> VPN server
    #########–> VPN1 -> ppp1 ->

    If am right, above is the suggested solution by Zeroshell. But right now am here.

    Quote:
    –> VPN0 -> ppp0 ->
    ############# | —-> VPN server
    –> VPN1 -> ppp0 ->

    As you can see both the VPN connect to remote VPN server using the same ppp0 device ( If I connect ppp1 before connecting ppp0, both VPN will connect to ppp1). Both ppp gateways are created in Netbalancer page and Netbalancer is active in ‘Load balancing and failover’ mode. FYI, Disabling /Enabling Netbalancer didn’t affect the way VPN connected.

    I have not bothere to create the bond device yet because there is no point in bonding over the same ppp channel.

    On examination of ps -ef ( changed the remote server name for security purpose), I find that there is no parameter specifying the gateway to the openvpn client. Wondering how zeroshell is enforcing the gateway association to VPN.

    Code:
    root@zeroshell root> ps -ef | grep vpn
    root 11995 1 0 10:38 ? 00:00:00 openvpn –dev VPN01 –remote remotevpnserver.com –port 443 –proto tcp-client –tls-client –dh /etc/ssl/dh.pem –ca /etc/ssl/trusted_CAs.pem –cert /var/register/system/net/interfaces/VPN01/TLS/cert.pem –key /var/register/system/net/interfaces/VPN01/TLS/key.pem –tls-remote OpenVPN_Server –dev-type tap –float –keepalive 1 11 –script-security 3 –management 127.0.0.1 34001 –daemon VPN01_L2L –config /DB/watchyzs/ovpn/srix_auto/client.ovpn –down /root/kerbynet.cgi/scripts/vpn_mii

    root 17834 1 0 11:00 ? 00:00:00 openvpn –dev VPN00 –remote remotevpnserver.com –port 443 –proto tcp-client –tls-client –dh /etc/ssl/dh.pem –ca /etc/ssl/trusted_CAs.pem –cert /var/register/system/net/interfaces/VPN00/TLS/cert.pem –key /var/register/system/net/interfaces/VPN00/TLS/key.pem –tls-remote OpenVPN_Server –dev-type tap –float –keepalive 1 11 –script-security 3 –management 127.0.0.1 34000 –daemon VPN00_L2L –config /DB/watchyzs/ovpn/srix_auto/client.ovpn –down /root/kerbynet.cgi/scripts/vpn_mii

    #48374

    I also have the same problem… Was very excited to get this working. Any official response on the matter? Maybe we’re missing something basic.

    #48375

    It addresses this issue in the documentation, says it was upgraded from Static Routes requiring multiple public IP’s for each VPN on the server-side to the new Net-balancer way of doing things…

    “VPN LAN-to-LAN that may be configured in Zeroshell may be obtained using OpenVPN and TAP virtual interfaces. The latter entirely resemble real Ethernet interfaces and, as such, they may be aggregated through Bonding. This feature has been available since the first release of Zeroshell. However, for VPN bonding to be justified, each VPN tunnel belonging to the bond must flow to a separate Internet link. Before Net Balancer was introduced, this was done through static routes which required at least one peer to have two public IP’s. Now, thanks to Net Balancer, the VPN site-to-site configuration form allows you to choose a gateway to set up the ciphered connection. This greatly simplifies configuration by no longer requiring static routes and two public IP addresses.”

    http://www.zeroshell.net/eng/load-balancing-failover/#vpn-bonding

    It must be something small we’re missing….

    I did notice in Windows when I change the gateway’s interface to use before clicking save it resets it back to


    and when I return to change the gateways settings it doesn’t remember the interface I had previiously selected.

    #48376

    btklister
    Participant

    Anyone figure out how to solve this yet?
    Is there any way to redirect VPN traffic to specific gateway?

Viewing 8 posts - 1 through 8 (of 8 total)

You must be logged in to reply to this topic.