October 18, 2008 at 9:00 pm #41238
I have been experimenting with ZS and the use of VPN with bonding.
I have used OpenVPN on vanilla Linux to create UDP VPNs between head and tail routers. I have used ifenslave to bond these successfully. When I configure the server VPN I do not set the IP address of the remote peer and allow the remote (tail) router to open the connection to the head router. Based on password etc. I work on the basis that that authenticates the link. This also means it is NAT friendly and works well with dynamic IP at the remote end. By sending keepalives on the OpenVPN link I can use the connection tracking in the NAT router to keep the link open. This then allows me to route a block of real IPs from the head to the tail behind the NAT router and thus bypass any filtering while also enjoying a portable network.
Can ZS work in the same way? When setting lan-lan VPN can I leave the server end with no IP and depend on the UDP port and PSK to authenticate and identify the link? Can 2 or more such links then be used in a bond?
I am planning to deploy two test ZS systems on Monday but just had the idea this evening and was wondering if anyone has similar experience?

October 19, 2008 at 6:53 am #47028
You should have no problems. Only in the OpenVPN client configuration is the IP of the remote peer required. The VPN bonding works fine and allows you to obtain higher bandwidth and a failover mechanism if you configure more than one WAN link in the Net Balancer module (beta11).
Fulvio

October 19, 2008 at 9:59 am #47029
Thanks for the reply. Bonding and Net Balancer have worked very well in trials. I am keen to set up bonding to multiple remote sites and establish inter-site routing in addition to internet routing. Initial tests are very promising and ZS is excellent in its capabilities.
The need to set up the central or head router without specifying the remote peer IP address was very important, especially for dynamic DNS and especially for NAT router/firewall configuration.
I assume I simply set one VPN end as server and do not specify the remote IP address. At the client end I then specify the IP address of the server. As long as I use a unique UDP port for the VPN and the same port at each end it should be fine? At this stage I am using PSK for simplicity.
BTW Thanks for all the great work you are doing on ZS. Much appreciated.
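The arrangement described in the thread (a head end that never dials out, a tail end behind NAT that opens the link, keepalives to hold the NAT state, and ifenslave bonding two such tunnels) can be written down as a plain OpenVPN static-key configuration pair. The script below is an added example, not code from the forum posts or from Zeroshell; it writes the head and tail configs for one link and shows the bonding step for two of them. Device names (tap0, tap1, bond0), UDP ports (1194, 1195), the head address 198.51.100.1, the bond address 10.99.0.1/30 and the key paths under /etc/openvpn are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the forum thread or from Zeroshell): OpenVPN
# static-key (PSK) configs where the head end has no "remote" directive,
# plus ifenslave bonding of two such tap links.
# All device names, ports, addresses and key paths below are assumptions.
set -eu

# Head (listening) end for one link.
#   $1 = tap device, $2 = UDP port, $3 = PSK file, $4 = output path
# No "remote": the head never dials out, so the tail can sit behind NAT or
# on a dynamic IP. "float" accepts the peer from a changed source address,
# which is what happens when a NAT mapping is rebuilt.
write_head_conf() {
  cat > "$4" <<EOF
dev $1
proto udp
port $2
secret $3
float
keepalive 10 60
persist-tun
persist-key
verb 3
EOF
}

# Tail (dialling) end for one link.
#   $1 = tap device, $2 = head address, $3 = UDP port (same at both ends),
#   $4 = PSK file, $5 = output path
# "keepalive 10 60" sends a ping every 10 s and restarts the link after 60 s
# of silence; the pings also refresh the NAT router's conntrack entry.
write_tail_conf() {
  cat > "$5" <<EOF
dev $1
proto udp
remote $2 $3
port $3
secret $4
keepalive 10 60
persist-tun
persist-key
verb 3
EOF
}

# Return 0 if the config file ($1) contains directive $2 at line start.
conf_has_directive() {
  grep -Eq "^$2( |$)" "$1"
}

# Bond two established tap links into bond0 (needs root and the bonding
# module). balance-rr spreads packets across both tunnels; the bond carries
# the inter-site address, so the tap devices themselves get no IP.
bond_links() {
  modprobe bonding mode=balance-rr miimon=100
  ip link set bond0 up
  ifenslave bond0 "$1" "$2"
  ip addr add 10.99.0.1/30 dev bond0
}

# Generate both links' configs into $1 (head side) and $2 (tail side).
generate_site_configs() {
  write_head_conf tap0 1194 /etc/openvpn/link0.key "$1/head-link0.conf"
  write_head_conf tap1 1195 /etc/openvpn/link1.key "$1/head-link1.conf"
  write_tail_conf tap0 198.51.100.1 1194 /etc/openvpn/link0.key "$2/tail-link0.conf"
  write_tail_conf tap1 198.51.100.1 1195 /etc/openvpn/link1.key "$2/tail-link1.conf"
}
```

Run `generate_site_configs /etc/openvpn /tmp/tail` on a workstation, copy the tail files to the remote router, start both links with `openvpn --config <file>`, then call `bond_links tap0 tap1` on each router. The PSK identifies the link, as the posts assume, but static-key mode gives no replay-resistant peer identity, so a distinct key per link and per site is the minimum.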