Zeroshell Lan to Lan VPN bonding to CentOS server?


This topic contains 6 replies, has 0 voices, and was last updated by  gcams 8 years, 4 months ago.

    #41395

    gcams
    Member

    Hi there,

    I’m currently looking at Zeroshell on an Alix.1D board as a UMTS/3G VPN client solution for a site demanding high availability (no ADSL available), by bonding 2 VPN connections over separate 3G carriers in the UK (Vodafone and 3).

    However my VPN server is a dedicated server running Centos V5. What I’m wondering is, can I still use the bonding feature in Zeroshell at the remote site to aggregate the 2 VPN tap interfaces, even though the server will be running OpenVPN under Centos? Or would I need to be running Zeroshell at both the remote and local site? If it is possible to use the CentOS box as the server, can anyone provide any guidance as to what I would need to do at the CentOS end, in terms of config?

    Any ideas on the above would be greatly appreciated!

    Kind regards,
    Graham

    #47377

    imported_fulvio
    Participant

    It is possible to use a general purpose Linux Distribution such as CentOS to obtain VPN bonding, but in this case it is not so easy to manage the failover and balancing of the connections. Zeroshell is a network appliance specialized to provide network services and hence you can have good results without effort.

    Regards
    Fulvio

    #47378

    gcams
    Member

    Thanks for your speedy reply Fulvio, I was worried that might be the case.

    Unfortunately, I’m using a cloud computing solution for my server (GoGrid) and therefore don’t have the option to install a dedicated Zeroshell box at the server end. Is there any way I can more easily replicate the configuration of the VPN, from a fail-over/load balancing point of view, on the CentOS server? Either that, or can you point me in the right direction as far as what tools Zeroshell uses for the load balancing/bonding/failover, so I can try and replicate it as best I can?

    I take it the interface bonding is done using the bonding module? For load-balancing, I actually only really need the Zeroshell device to load-balance traffic leaving the Zeroshell device over the 3G links, as most of the traffic will be outbound (with only acknowledgments inbound). In other words, it wouldn’t really matter if traffic from the CentOS server back to the Zeroshell box went over one link. However, fail-over is paramount and the biggest reason for my wanting a solution like this.

    Thanks again for any ideas on the above!

    #47379

    gcams
    Member

    I thought I’d post a quick update, now that I’ve given this setup a go.

    I’ve managed to get reasonable load balancing/fail over using Zeroshell to a Centos V5.1 box (running OpenVPN). However I have struck a few challenges.

    On the Centos box, I’ve simply created two layer 2 virtual adapters (tap0/tap1) and have used the bonding module to bond these together in mode 0 (fail over + round robin load balancing).

    On zeroshell, I’ve followed the guidelines for configuring layer 2 bonding in the net balancing section. I have 2 3G USB modems on two different networks (3 and vodafone), and each VPN config is assigned to each respective PPP adapter for the above modems.

    The problem is, this works fine initially, when the VPNs first dial up (i.e. they connect via their respective modems); however, when a simulated failure takes place, the VPN on the failed PPP adapter re-connects via the other adapter (thus ignoring the setting saying to only connect via the set PPP adapter). This causes two problems: one, it causes packet loss whilst the packets are round-robined across the downed VPN, until it re-negotiates across to the remaining working link, and two, when the failed PPP adapter comes back up, the VPN remains connected on the alternate adapter (so there are effectively two VPN tunnels going down the one interface and nothing on the other).

    I’ve managed to work around this by disabling Net Balancer and using static routes to force each VPN to remain on each adapter regardless (which uses the bonding failover to provide resilience). But this requires 2 IPs on the CentOS box (which is acting as the server). I’m not sure if anyone can shed any light on this behavior? Basically the Net Balancer seems to be causing issues with the fail-over/load balancing of the bonded interface.

    In general though, I’m really impressed with how versatile Zeroshell is!! Many thanks Fulvio!!!! 😀
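The server side gcams describes (two OpenVPN tap instances on CentOS, enslaved to a bond in mode 0, each reachable on its own address so the remote site can pin one tunnel per PPP link) can be written down as a file generator. This is an added example, not configuration from the thread or from Zeroshell; the addresses, ports, key paths and output layout are placeholders, and the tap devices are assumed to be pre-created with `openvpn --mktun --dev tapN` before `ifup bond0` enslaves them.

```shell
#!/bin/sh
# Added example: emits CentOS-5-style network-scripts and two OpenVPN server
# configs matching the setup described in the post. Placeholders throughout.
# Usage: generate_bond_config <output-dir>
generate_bond_config() {
    out="$1"
    mkdir -p "$out/network-scripts" "$out/openvpn"

    # bond0 carries the LAN-to-LAN address; mode 0 (balance-rr) is what the post
    # used. miimon can only notice a failure if the tap device drops its carrier,
    # so tunnel-level detection (keepalive below) is the real failover trigger.
    cat > "$out/network-scripts/ifcfg-bond0" <<'EOF'
DEVICE=bond0
IPADDR=10.8.0.1
NETMASK=255.255.255.0
ONBOOT=yes
BOOTPROTO=none
BONDING_OPTS="mode=0 miimon=100"
EOF

    # One slave stanza and one OpenVPN instance per tap device.
    for i in 0 1; do
        cat > "$out/network-scripts/ifcfg-tap$i" <<EOF
DEVICE=tap$i
MASTER=bond0
SLAVE=yes
ONBOOT=yes
BOOTPROTO=none
EOF
        # Each instance binds its own public address (198.51.100.x is a
        # documentation range) so the remote site can route to it through a
        # single PPP link; this is why the post needed two IPs on the server.
        # No 'server' directive: each tunnel is point-to-point TLS on a tap,
        # with no IP on the tap itself (bond0 holds the address).
        cat > "$out/openvpn/server-tap$i.conf" <<EOF
local 198.51.100.1$i
port 1194
proto udp
dev tap$i
tls-server
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
keepalive 10 30
EOF
    done
}
```

Run `generate_bond_config /tmp/bondcfg` and inspect the files before copying anything into `/etc`; the `keepalive 10 30` line decides how long a dead 3G link keeps receiving round-robined frames before the tunnel is torn down.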

    #47380

    jasonh100
    Member

    Hi gcams. I’m interested in setting up a similar configuration. I have two internet connections at my office that I would like to “bond” together to obtain the best qualities of both. I know I could use Net Balancer to utilize both internet connections to some extent, but ideally I would like two VPN tunnels with both connections to a data center so that I could utilize the cumulative upload and download of both connections with a single network connection. Also, services like VoIP trunking would not be fault tolerant with net balancing (afaik) because they rely so heavily on the IP address staying the same.

    The network connections are as follows:

    3Mbps/3Mbps Broadband Ethernet (high reliability, high upload speed (for this area), relatively slow download speed)

    12Mbps/768Kbps Adsl (low reliability but it would be useful to have the 12Mbps download speed)

    My main priorities for my internet connection are reliability (because it is used for voip trunking) and high upload speed because the type of work that I do requires a large amount of data uploading. I currently have several smaller internet connections (1mbps upload & 768kbps upload) that upload 24/7 every day just to keep up with our off-site backup.

    So basically I had this idea about a year ago to use Zeroshell to bond two VPN connections together to a datacenter server… I thought it would be easy but I ended up never trying it because, after pausing to think, I came to the same conclusion that Fulvio mentioned. I don’t have the option of having a Zeroshell box on the other end either. But I do have the option of a variety of Linux based operating systems. I’m most familiar with CentOS.

    Gcams, have you been able to make any improvements with your setup over time?

    Does anyone else have any suggestions?

    Thanks,
    Jason

    #47381

    gcams
    Member

    Hi Jason,

    In short, after many combinations of configurations, I could never get the fail-over to work reliably. I would always end up with packet loss for a period of time until the failed link was marked as “down” and removed from the routing table. With the VPN running over the net-balanced link, it caused the VPN to hang for this period of time (which wasn’t acceptable for my use).

    I’ve now done away with the VPN altogether and have used HTTPS to secure my traffic. Not really a solution per se, but it works fine for me.

    Sorry I couldn’t offer a better solution for your situation. I’d be interested if you find a way around the issues I encountered.

    Cheers,
    Graham

    #47382

    ppalias
    Member

    As far as I know, once you bond 2 vpn links, there is no need for netbalancer in the setup. Have you tried the bond and things didn’t work well? You could show us here what you have done and see what may be wrong.

    #47383

    mgb
    Member

    Hi gcams,

    I’ve recently been looking at how to effectively bond a number of ADSL2+ circuits to get a single high-bandwidth connection for the office, and I reckon I’ve been down the same path as you: discovering Zeroshell, realising that hosting a Zeroshell instance in a datacenter is hard (but not impossible; I think I have found someone who can host the VMware appliance version for me as a virtual server), and finally wondering whether the server end of the setup can be implemented in a general purpose Linux VM.

    Simple question: do you mind sharing what your setup was, how it was configured, and how far you got?

    Thanks,

    Matt
