[Firewall] Multirouting over vpn tunnels

Gustin Johnson gustin at meganerd.ca
Fri Sep 25 00:05:52 CEST 2015

I have used the multiroute plugin but never with interfaces on the same
segment, let alone having the same IP.

What the OP described does not make sense to me, unless he has two physical
connections that he is trying to stitch together with tunnels to a common
endpoint.  This is not what multiroute is designed for.  If this is indeed
what you are trying to do Link Aggregation is what you want to google for
(IIRC the linux module is called bonding, other vendors/OSs may refer to
this as trunking, which gets kind of confusing).

This is possible but there are some serious downsides.  Each physical link
will have different latencies, especially if you are using two different
ISPs (still a problem with 2 links from the same ISP).  What this means is
that you have a logical connection where the packets will arrive out of
order.  This is not usually too terrible with TCP based protocols and
latency insensitive applications, but real time applications particularly
those that use UDP will suffer.  This will include things like Skype, SIP,
the vast majority of online games, and some streaming media.  In short the
only reason to do this is if you *only* care about raw TCP throughput which
is rarely the case.

A lot more detail from the OP would really help.  In particular, answering
these questions would be a great starting place:

1) What are you trying to do?
2) What is the problem you are trying to solve by implementing the answer to
question 1?
3) Why are you trying the particular solution (whatever it may be) over the
alternatives (if any)?

On Thu, Sep 24, 2015 at 3:21 PM, Lonnie Abelbeck <lists at lonnie.abelbeck.com> wrote:

> Hi Erik,
> I'll first qualify my response that I have not used the multiroute plugin,
> but possibly I can add something...
> First, in order to "max out my connection speed" understand where the
> weak-link (so to speak) is.  Usually the OpenVPN tunnel is limited by the
> slowest endpoint's crypto speed, so unless the remote endpoint's crypto
> speed is the weak-link no amount of routing tricks will fix that.
> So let's presume that your OpenVPN remote endpoints are the limiting
> factor, and multi-routing between two different endpoints will improve your
> overall VPN speed.
> So in your example, the MULTIROUTE_EXT_IP1 / MULTIROUTE_EXT_ROUTER1 pair
> must both be on the same subnet, MULTIROUTE_EXT_IP1 is the local tun1
> address and MULTIROUTE_EXT_ROUTER1 is the remote (next-hop) gateway
> address, which depends on the OpenVPN "Topology" setting.  The key point
> here is both IP addresses must be in the realm of the "tun" interface.
> Ditto for the second OpenVPN tunnel.
> Just guessing, if you can't find an example of doing this via Google, it
> probably doesn't work.
> This might be useful reading:
> HOWTO: Multirouting with Linux
> https://lukecyca.com/2004/howto-multirouting-with-linux.html
> Lonnie
> On Sep 24, 2015, at 2:54 PM, Erik Norman Stetter <e.n.stetter at gmail.com>
> wrote:
> > Hello,
> >
> > I'm trying to set up the multiroute plugin for usage with multiple vpn
> > tunnels, to max out my connection speed.
> >
> > I have two tun-adapters, tun1 and tun2, created by openvpn, each having
> > the same external ip of course.
> > So I configure the plugin like this:
> >
> > # Settings for the first interface:
> > # ------------------------------------------------------------------------------
> > MULTIROUTE_EXT_ROUTER1=<IP of the first vpn server>
> > MULTIROUTE_EXT_IP1=<the external ip of my tun adapters>
> >
> > # Settings for the second interface:
> > # ------------------------------------------------------------------------------
> > MULTIROUTE_EXT_ROUTER2=<IP of the second vpn server>
> > MULTIROUTE_EXT_IP2=<the external ip of my tun adapters>
> >
> > When I start the firewall the plugin puts out:  Error: either "to" is
> > duplicate, or "equalize" is a garbage.
> >
> > Which is right because "to" is indeed a duplicate.
> >
> > Why can't I use the plugin the way I intend to? Is there a solution to
> > this, or does any of you know an alternative way of doing this?
> >
> >
> >
> > --
> > Erik Norman Stetter
> >
> > e.n.stetter at gmail.com
> > _______________________________________________
> > Firewall mailing list
> > Firewall at rocky.eld.leidenuniv.nl
> > http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> > Arno's (Linux IPTABLES Firewall) Homepage:
> > http://rocky.eld.leidenuniv.nl
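Lonnie's same-subnet rule and the duplicate-address settings in Erik's post, as an added offline check (example code, not the multiroute plugin's own). Assumed, not taken from the plugin: each EXT_IP is given with its prefix length, a hypothetical MULTIROUTE_EXT_IF variable names the tun device, and the rendered command is the iproute2 equal-cost multipath default route of the kind the linked HOWTO uses.

```python
import ipaddress

# Constructed sample settings shaped like the MULTIROUTE_* variables in the
# thread. Assumptions not taken from the plugin: each EXT_IP carries its
# prefix length so the subnet test can run offline, and a hypothetical
# MULTIROUTE_EXT_IF name identifies the tun device. /30 mirrors OpenVPN's
# default "net30" topology, where the peer address is the next hop.
GOOD_CONFIG = {
    "MULTIROUTE_EXT_IF1": "tun1",
    "MULTIROUTE_EXT_IP1": "10.8.0.6/30",    # local tun1 address
    "MULTIROUTE_EXT_ROUTER1": "10.8.0.5",   # remote next hop inside tun1's /30
    "MULTIROUTE_EXT_IF2": "tun2",
    "MULTIROUTE_EXT_IP2": "10.9.0.6/30",
    "MULTIROUTE_EXT_ROUTER2": "10.9.0.5",
}

# The shape of the original poster's settings: both tunnels given one address.
DUPLICATE_CONFIG = dict(GOOD_CONFIG, MULTIROUTE_EXT_IP2="10.8.0.6/30")


def check_config(cfg, count=2):
    """Validate each EXT_IP/EXT_ROUTER pair; return (ok, message, hops)."""
    locals_ = [ipaddress.ip_interface(cfg[f"MULTIROUTE_EXT_IP{n}"])
               for n in range(1, count + 1)]
    ips = [iface.ip for iface in locals_]
    # Every tunnel needs its own local address; reusing one is the setup
    # that produced the 'either "to" is duplicate' error quoted in the thread.
    dups = sorted({str(ip) for ip in ips if ips.count(ip) > 1})
    if dups:
        return False, f"duplicate EXT_IP {dups[0]} across tunnels", []
    hops = []
    for n, local in enumerate(locals_, start=1):
        router = ipaddress.ip_address(cfg[f"MULTIROUTE_EXT_ROUTER{n}"])
        # Lonnie's rule: the next hop must sit inside the tun's own subnet.
        if router not in local.network:
            return False, f"ROUTER{n} {router} is outside {local.network}", []
        hops.append((cfg[f"MULTIROUTE_EXT_IF{n}"], local.ip, router))
    return True, "ok", hops


def multipath_route(cfg):
    """Render the equal-cost default route the HOWTO-style setup installs."""
    ok, msg, hops = check_config(cfg)
    if not ok:
        raise ValueError(msg)
    cmd = ["ip", "route", "replace", "default", "scope", "global"]
    for dev, _local, router in hops:
        cmd += ["nexthop", "via", str(router), "dev", dev, "weight", "1"]
    return " ".join(cmd)
```

Running it against GOOD_CONFIG yields a single `ip route replace default ... nexthop ... nexthop ...` line; DUPLICATE_CONFIG is rejected before any route is rendered, and a router outside its tun subnet is reported by pair number.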