OpenVPN Load Balancing

From ImageStream Router Documentation


Introduction

In this example, multiple OpenVPN tunnels are load balanced across ADSL links using equal-cost multipath routing and OSPF.

Requirements

This configuration requires ImageStream Linux 4.4.0-96 or later, multiple ADSL links with statically or dynamically assigned IP addresses, and a block of publicly routable IP addresses for the tunnel endpoints.

Head end configuration

This ImageStream router is the aggregator. A block of publicly routable IP addresses is assigned to the Loopback0 interface for use as static tunnel endpoints, one address per tunnel. Because each tunnel listens on its own endpoint address and port, the remote router can route each endpoint address out a specific ADSL link and so guarantee that the tunnel's traffic is transmitted on the proper ADSL connection. Because the remote's ADSL addresses may be dynamically assigned, the head end tunnels use a tunnel destination of 0.0.0.0 and accept the tunnel from whichever address the remote connects from. Encryption and compression are disabled to minimize overhead. Note that with --cipher none the tunnel payload crosses the ADSL links in cleartext: the shared tunnel key still authenticates the peers, but provides no confidentiality, so use this only where the ADSL paths are trusted or the carried traffic is already protected end to end. The head end originates a default route in OSPF. Since the tunnels all have the same cost, OSPF uses ECMP (equal-cost multipath) and installs a per-flow load-balanced default route on the remote. Any routes the remote router announces likewise get an ECMP route on the head end.
interface Loopback0
 ip address 205.159.243.130 255.255.255.255
 ip address 205.159.243.131 255.255.255.255
!
interface Ethernet0
 ip address 205.159.243.1 255.255.255.0
!
interface Tunnel0
 description DSL1 from Remote1
 bandwidth 2512000
 tunnel mode openvpn
 tunnel options --passtos --cipher none
 no tunnel compression
 tunnel source 205.159.243.130 4450
 tunnel destination 0.0.0.0 4450
 tunnel key df0590f214a2eaf9a638f43838132f67
 ip address 192.168.24.1 255.255.255.252
 pointopoint address 192.168.24.2
!
interface Tunnel1
 description DSL2 from Remote2
 bandwidth 2512000
 tunnel mode openvpn
 tunnel options --passtos --cipher none
 no tunnel compression
 tunnel source 205.159.243.131 4451
 tunnel destination 0.0.0.0 4451
 tunnel key df0590f214a2eaf9a638f43838132f67
 ip address 192.168.24.5 255.255.255.252
 pointopoint address 192.168.24.6
!

OSPF Configuration:

router ospf
 network 192.168.24.0/24 area 0.0.0.0
 default-information originate always
!

Remote configuration

This ImageStream router uses a DHCP-assigned Ethernet interface as one ADSL link and a PPPoE interface as the second ADSL link. Each tunnel is bound to its ADSL link with a host route to the public endpoint address allocated for it on the head end. Since the default route is received via OSPF, DHCP and PPPoE must not install a default route. Also, to communicate with other machines in the ADSL provider's DHCP network, the netmask on the DHCP interface is changed to a /32, which forces that traffic onto the default route through the tunnels instead of directly out the Ethernet interface. Blackhole routes with a high metric are added for both endpoint addresses as a fallback: if an ADSL link goes down and its host route is withdrawn, packets for that endpoint are dropped instead of following the OSPF default route into the other tunnel, which would make a tunnel carry its own packets. Finally, the OSPF announcements must be filtered so the DHCP- and PPPoE-assigned addresses are never announced over the tunnels; otherwise the head end learns a route to the remote's public address through the tunnel, sends the tunnel's own packets into it, and the result is a recursive routing loop that takes the tunnel down.
interface Ethernet0
 # Specify a /32 netmask to force all traffic out the tunnels
 ip address dhcp ignore-default netmask 255.255.255.255
!
interface Ethernet1
 ip address 172.16.0.1 255.255.255.0
!
interface ADSL0
 protocol pppoe
 adsl device Ethernet0
 ppp pap sent-username dsl-username password dsl-password
 ip address negotiated
!
interface Tunnel0
 description DSL Tunnel0
 bandwidth 2512000
 tunnel mode openvpn
 tunnel options --passtos --cipher none
 no tunnel compression
 tunnel destination 205.159.243.130 4450
 tunnel source 0.0.0.0 4450
 tunnel key df0590f214a2eaf9a638f43838132f67
 ip address 192.168.24.2 255.255.255.252
 pointopoint address 192.168.24.1
!
interface Tunnel1
 description DSL Tunnel1
 bandwidth 2512000
 tunnel mode openvpn
 tunnel options --passtos --cipher none
 no tunnel compression
 tunnel destination 205.159.243.131 4451
 tunnel source 0.0.0.0 4451
 tunnel key df0590f214a2eaf9a638f43838132f67
 ip address 192.168.24.6 255.255.255.252
 pointopoint address 192.168.24.5
!
# The next 4 routes pin Tunnel0 (endpoint .130) to the ADSL0 connection
# and Tunnel1 (endpoint .131) to the Ethernet0 connection. The blackhole
# routes take over only when a link's interface route is withdrawn.
ip route add blackhole 205.159.243.130 metric 15
ip route add blackhole 205.159.243.131 metric 15
ip route 205.159.243.130 255.255.255.255 ADSL0
ip route 205.159.243.131 255.255.255.255 Ethernet0
!

OSPF configuration:

Be sure you don't redistribute the connected interface routes for your ADSL interfaces: access-list 10 allows only the LAN prefix on Ethernet1 to be redistributed, and denies everything else.
router ospf
 network 192.168.24.0/24 area 0.0.0.0
 redistribute connected
 distribute-list 10 out connected
!
access-list 10 permit 172.16.0.0 0.0.0.255
access-list 10 deny any
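The endpoint pinning, the blackhole fallback and the OSPF filter above all depend on how the kernel picks a route: longest prefix first, then lowest metric. The following Python script is an added worked example, not ImageStream code, that models that selection for both routers' tables as configured on this page and checks that no tunnel endpoint would ever be reached through a tunnel. The interface and endpoint addresses are the page's own; the DHCP address 10.0.0.5 on the remote's Ethernet0 and the OSPF metric value 20 are assumptions for the model.

```python
"""Route-selection model for the tunnel-endpoint pinning on this page.

Added example, not ImageStream code.  Models the Linux FIB rule the
configuration relies on (longest prefix match, then lowest metric) and
classifies how packets to each tunnel endpoint would leave the router.
Assumed values: 10.0.0.5 as the DHCP address on the remote's Ethernet0,
and 20 as the metric of OSPF-learned routes.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # destination, e.g. "205.159.243.130/32"
    dev: str         # outgoing interface, or "blackhole"
    metric: int = 0
    source: str = "static"   # static / connected / ospf, for readability only


TUNNELS = {"Tunnel0", "Tunnel1"}


def lookup(table, dst):
    """Longest-prefix match, ties broken by lowest metric (Linux FIB order)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table
               if addr in ipaddress.ip_network(r.prefix, strict=False)]
    if not matches:
        return None
    return min(matches, key=lambda r: (
        -ipaddress.ip_network(r.prefix, strict=False).prefixlen, r.metric))


def classify(table, endpoint):
    """How would packets addressed to a tunnel endpoint leave this router?"""
    r = lookup(table, endpoint)
    if r is None:
        return "unroutable"
    if r.dev == "blackhole":
        return "dropped"       # safe failure: link down, packets dropped, no leak
    if r.dev in TUNNELS:
        return "recursive"     # a tunnel would carry its own packets: loop
    return "pinned:" + r.dev


def remote_table(adsl0_up=True, eth0_up=True, blackholes=True, dhcp_prefixlen=32):
    """Routing table of the remote router as the page configures it."""
    dhcp_net = str(ipaddress.ip_interface(f"10.0.0.5/{dhcp_prefixlen}").network)
    t = [
        # ECMP default route learned from the head end over both tunnels
        Route("0.0.0.0/0", "Tunnel0", 20, "ospf"),
        Route("0.0.0.0/0", "Tunnel1", 20, "ospf"),
        Route("192.168.24.0/30", "Tunnel0", 0, "connected"),
        Route("192.168.24.4/30", "Tunnel1", 0, "connected"),
        Route("172.16.0.0/24", "Ethernet1", 0, "connected"),
        Route(dhcp_net, "Ethernet0", 0, "connected"),  # /32 per the page
    ]
    if adsl0_up:                       # "ip route 205.159.243.130 ... ADSL0"
        t.append(Route("205.159.243.130/32", "ADSL0"))
    if eth0_up:                        # "ip route 205.159.243.131 ... Ethernet0"
        t.append(Route("205.159.243.131/32", "Ethernet0"))
    if blackholes:                     # "ip route add blackhole ... metric 15"
        t.append(Route("205.159.243.130/32", "blackhole", 15))
        t.append(Route("205.159.243.131/32", "blackhole", 15))
    return t


def headend_table(leaked_remote_ip=None):
    """Routing table of the head end.  leaked_remote_ip models the remote
    redistributing its own ADSL address into OSPF (the filtered-out case)."""
    t = [
        Route("0.0.0.0/0", "Ethernet0"),                        # upstream default
        Route("205.159.243.0/24", "Ethernet0", 0, "connected"),
        Route("192.168.24.0/30", "Tunnel0", 0, "connected"),
        Route("192.168.24.4/30", "Tunnel1", 0, "connected"),
        Route("172.16.0.0/24", "Tunnel0", 20, "ospf"),          # remote LAN, ECMP
        Route("172.16.0.0/24", "Tunnel1", 20, "ospf"),
    ]
    if leaked_remote_ip:
        t.append(Route(leaked_remote_ip + "/32", "Tunnel1", 20, "ospf"))
    return t


def audit(table, endpoints):
    """Map each endpoint to its classification; 'recursive' means a misconfiguration."""
    return {ep: classify(table, ep) for ep in endpoints}


if __name__ == "__main__":
    eps = ["205.159.243.130", "205.159.243.131"]
    print("remote, both links up:      ", audit(remote_table(), eps))
    print("remote, ADSL0 down:         ", audit(remote_table(adsl0_up=False), eps))
    print("remote, no blackholes, down:", audit(remote_table(adsl0_up=False, blackholes=False), eps))
    print("head end, ADSL IP leaked:   ", audit(headend_table("10.0.0.5"), ["10.0.0.5"]))
```

Running the script shows the three properties the text argues for: with both links up each endpoint is pinned to its own ADSL interface; when ADSL0 drops, the metric-15 blackhole wins over the OSPF default and the endpoint is "dropped" rather than "recursive"; without the blackholes, or when the remote leaks its DHCP address into OSPF, the endpoint resolves to a tunnel interface and the model reports the recursion. The dhcp_prefixlen parameter also shows why the page uses a /32 on Ethernet0: with a /24, another host in the provider's DHCP network would be reached directly on Ethernet0 instead of over the tunnels.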