[Firewall] Multirouting over vpn tunnels

Erik Norman Stetter e.n.stetter at gmail.com
Fri Sep 25 16:01:02 CEST 2015


Thank you for the fast and detailed answers.
Reading more on the topic and trying the options mentioned, led me to the
conclusion that what I'm trying to do really doesn't work out.
I had a misconception of multirouting in the first place. So I'll head
towards another solution utilizing SSH tunnels.


Regards


2015-09-25 0:05 GMT+02:00 Gustin Johnson <gustin at meganerd.ca>:

> I have used the multiroute plugin but never with interfaces on the same
> segment, let alone having the same IP.
>
> What the OP described does not make sense to me, unless he has two
> physical connections that he is trying to stitch together with tunnels to a
> common endpoint.  This is not what multiroute is designed for.  If this is
> indeed what you are trying to do Link Aggregation is what you want to
> google for (IIRC the linux module is called bonding, other vendors/OSs may
> refer to this as trunking, which gets kind of confusing).
>
> This is possible but there are some serious downsides.  Each physical link
> will have different latencies, especially if you are using two different
> ISPs (still a problem with 2 links from the same ISP).  What this means is
> that you have a logical connection where the packets will arrive out of
> order.  This is not usually too terrible with TCP based protocols and
> latency insensitive applications, but real time applications particularly
> those that use UDP will suffer.  This will include things like Skype, SIP,
> the vast majority of online games, and some streaming media.  In short the
> only reason to do this is if you *only* care about raw TCP throughput which
> is rarely the case.
>
> A lot more detail from the OP would really help.  In particular, answering
> these questions would be a great starting place:
>
> 1) What are you trying to do?
> 2) What is the problem you are trying to solve by implementing the answer to
> question 1?
> 3) Why are you trying the particular solution (whatever it may be) over
> the alternatives (if any)?
>
> On Thu, Sep 24, 2015 at 3:21 PM, Lonnie Abelbeck <
> lists at lonnie.abelbeck.com> wrote:
>
>> Hi Erik,
>>
>> I'll first qualify my response that I have not used the multiroute
>> plugin, but possibly I can add something...
>>
>> First, in order to "max out my connection speed" understand where the
>> weak-link (so to speak) is.  Usually the OpenVPN tunnel is limited by the
>> slowest endpoint's crypto speed, so unless the remote endpoint's crypto
>> speed is the weak-link no amount of routing tricks will fix that.
>>
>> So let's presume that your OpenVPN remote endpoints are the limiting
>> factor, and multi-routing between two different endpoints will improve your
>> overall VPN speed.
>>
>> So in your example, the MULTIROUTE_EXT_IP1 / MULTIROUTE_EXT_ROUTER1 pair
>> must both be on the same subnet, MULTIROUTE_EXT_IP1 is the local tun1
>> address and MULTIROUTE_EXT_ROUTER1 is the remote (next-hop) gateway
>> address, which depends on the OpenVPN "Topology" setting.  The key point
>> here is both IP addresses must be in the realm of the "tun" interface.
>> Ditto for the second OpenVPN tunnel.
>>
>> Just guessing, if you can't find an example of doing this via Google, it
>> probably doesn't work.
>>
>> This might be useful reading:
>> HOWTO: Multirouting with Linux
>> https://lukecyca.com/2004/howto-multirouting-with-linux.html
>>
>> Lonnie
>>
>>
>> On Sep 24, 2015, at 2:54 PM, Erik Norman Stetter <e.n.stetter at gmail.com>
>> wrote:
>>
>> > Hello,
>> >
>> > I'm trying to set up the multiroute plugin for usage with multiple vpn
>> tunnels, to max out my connection speed.
>> >
>> > I have two tun-adapters, tun1 and tun2, created by openvpn, each having
>> the same external ip of course.
>> > So I configure the plugin like this:
>> >
>> > # Settings for the first interface:
>> > # ------------------------------------------------------------------------------
>> > MULTIROUTE_EXT_IF1=tun1
>> > MULTIROUTE_EXT_ROUTER1=<IP of the first vpn server>
>> > MULTIROUTE_EXT_IP1=<the external ip of my tun adapters>
>> > MULTIROUTE_EXT_WEIGHT1=1
>> >
>> > # Settings for the second interface:
>> > # ------------------------------------------------------------------------------
>> > MULTIROUTE_EXT_IF2=tun2
>> > MULTIROUTE_EXT_ROUTER2=<IP of the second vpn server>
>> > MULTIROUTE_EXT_IP2=<the external ip of my tun adapters>
>> > MULTIROUTE_EXT_WEIGHT2=1
>> >
>> > When I start the firewall the plugin puts out:  Error: either "to" is
>> duplicate, or "equalize" is a garbage.
>> >
>> > Which is right because "to", is indeed a duplicate.
>> >
>> > Why can't I use the plugin the way I intend to? Is there a solution to
>> this, or does any of you know an alternative way of doing this?
>> >
>> >
>> >
>> > --
>> > Erik Norman Stetter
>> >
>> > e.n.stetter at gmail.com
>> > _______________________________________________
>> > Firewall mailing list
>> > Firewall at rocky.eld.leidenuniv.nl
>> > http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>> > Arno's (Linux IPTABLES Firewall) Homepage:
>> > http://rocky.eld.leidenuniv.nl
>>
>



-- 
Erik Norman Stetter
e.n.stetter at gmail.com
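Added here as an example, not code from the thread or from Arno's firewall's multiroute plugin: a small validator for the MULTIROUTE_EXT_* settings Erik posted, applying Lonnie's rule that each MULTIROUTE_EXT_IPn / MULTIROUTE_EXT_ROUTERn pair must share the tun subnet and flagging a local IP reused across interfaces, which is the situation in Erik's config. The sample addresses, the /30 prefix length (net30 topology) and the rendered nexthop route are assumptions; the plugin's actual commands are not shown in the thread.

```python
import ipaddress
from collections import Counter

# Constructed sample of the thread's MULTIROUTE_EXT_* settings with the
# placeholders filled in. Both tun adapters get the same local IP, as in Erik's post.
SETTINGS = {
    "MULTIROUTE_EXT_IF1": "tun1", "MULTIROUTE_EXT_ROUTER1": "10.8.0.5",
    "MULTIROUTE_EXT_IP1": "10.8.0.6", "MULTIROUTE_EXT_WEIGHT1": "1",
    "MULTIROUTE_EXT_IF2": "tun2", "MULTIROUTE_EXT_ROUTER2": "10.9.0.5",
    "MULTIROUTE_EXT_IP2": "10.8.0.6", "MULTIROUTE_EXT_WEIGHT2": "1",
}

PREFIX = "MULTIROUTE_EXT_"

def parse_interfaces(settings):
    """Group MULTIROUTE_EXT_<FIELD><n> variables into one dict per interface n."""
    ifaces = {}
    for key, value in settings.items():
        if not key.startswith(PREFIX):
            continue
        field = key[len(PREFIX):].rstrip("0123456789")
        idx = int(key[len(PREFIX) + len(field):])
        ifaces.setdefault(idx, {})[field] = value
    return [ifaces[n] for n in sorted(ifaces)]

def check_multiroute(settings, prefixlen=30):
    """Return the problems found (empty list = passes). prefixlen is an assumption:
    the tun subnet size depends on the OpenVPN topology (30 for net30)."""
    problems = []
    ifaces = parse_interfaces(settings)
    for i in ifaces:
        local = ipaddress.ip_address(i["IP"])
        net = ipaddress.ip_network(f"{local}/{prefixlen}", strict=False)
        if ipaddress.ip_address(i["ROUTER"]) not in net:  # next hop must be reachable on the tun
            problems.append(f"{i['IF']}: next hop {i['ROUTER']} is not in {net} with {local}")
        if not i["WEIGHT"].isdigit() or int(i["WEIGHT"]) < 1:
            problems.append(f"{i['IF']}: weight must be a positive integer")
    for field in ("IF", "IP", "ROUTER"):  # every path needs its own interface, IP and gateway
        for val, n in Counter(i[field] for i in ifaces).items():
            if n > 1:
                problems.append(f"{field} {val} is used by {n} interfaces; each path needs its own")
    return problems

def multipath_route(settings):
    """Render the equal-cost multipath default route these settings describe
    (iproute2 nexthop syntax, assumed; the plugin's own commands are not in the thread)."""
    hops = [f"nexthop via {i['ROUTER']} dev {i['IF']} weight {i['WEIGHT']}"
            for i in parse_interfaces(settings)]
    return "ip route replace default scope global " + " ".join(hops)
```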