OpenVPN Load Balancing
From ImageStream Router Documentation
- In this example, multiple OpenVPN tunnels are load balanced across ADSL links using equal-cost multipath routing and OSPF.
- This configuration requires ImageStream Linux 4.4.0-96 or later, multiple ADSL links with statically or dynamically assigned IP addresses and a block of publicly routable IP addresses for the tunnel endpoints.
Head end configuration
- This ImageStream router is the aggregator. A block of publicly routable IP addresses will be assigned to the Loopback0 interface for use as static tunnel endpoints. These addresses allow the remote router a way to guarante tunnel traffic will be transmitted on the proper ADSL connection. One IP address is needed per tunnel. We also disable encryption and compression to minimize overhead. The head end will be originating a default route in OSPF. Since the tunnels all have the same cost OSPF will use ECM (equal-cost multipath) and create a per-flow load balanced route on the remote. Any routes that the remote router announces will also have an ECM route added from the head end.
interface Loopback0 ip address 22.214.171.124 255.255.255.255 ip address 126.96.36.199 255.255.255.255 ! interface Ethernet0 ip address 188.8.131.52 255.255.255.0 ! interface Tunnel0 description DSL1 from Remote1 bandwidth 2512000 tunnel mode openvpn tunnel options --passtos --cipher none no tunnel compression tunnel source 184.108.40.206 4450 tunnel destination 0.0.0.0 4450 tunnel key df0590f214a2eaf9a638f43838132f67 ip address 192.168.24.1 255.255.255.252 pointopoint address 192.168.24.2 ! interface Tunnel1 description DSL2 from Remote2 bandwidth 2512000 tunnel mode openvpn tunnel options --passtos --cipher none no tunnel compression tunnel source 220.127.116.11 4451 tunnel destination 0.0.0.0 4451 tunnel key df0590f214a2eaf9a638f43838132f67 ip address 192.168.24.5 255.255.255.252 pointopoint address 192.168.24.6 !
router ospf network 192.168.24.0/24 area 0.0.0.0 default-information originate always !
- This ImageStream router uses an Ethernet DHCP assigned interface as one ADSL link and a PPPoE interface as the second ADSL link. We bind each tunnel to its ADSL link using the public IP addresses we allocated on the head end router. Since we are receiving our default route via ospf we must not install a default route via DHCP or PPPoE. Also if we want to be able to communicate with other machines in the ADSL provider's DHCP network we must change the netmask on the DHCP interface to a /32 which forces the use of the default route. We also add blackhole routes with a high metric to prevent tunnels from using the default route to establish communications to the head end. We also must be careful and filter our OSPF announcements to avoid announcing our DHCP and PPPoE assigned IP addresses over the tunnels which will result in a very bad loop.
interface Ethernet0 # Specify a /32 netmask to force all traffic out the tunnels ip address dhcp ignore-default netmask 255.255.255.255 ! interface Ethernet1 ip address 172.16.0.1 255.255.255.0 ! interface ADSL0 protocol pppoe adsl device Ethernet0 ppp pap sent-username dsl-username password dsl-password ip address negotiated ! interface Tunnel0 description DSL Tunnel0 bandwidth 2512000 tunnel mode openvpn tunnel options --passtos --cipher none no tunnel compression tunnel destination 18.104.22.168 4450 tunnel source 0.0.0.0 4450 tunnel key df0590f214a2eaf9a638f43838132f67 ip address 192.168.24.2 255.255.255.252 pointopoint address 192.168.24.1 ! interface Tunnel1 description DSL Tunnel1 bandwidth 2512000 tunnel mode openvpn tunnel options --passtos --cipher none no tunnel compression tunnel destination 22.214.171.124 4451 tunnel source 0.0.0.0 4451 tunnel key df0590f214a2eaf9a638f43838132f67 ip address 192.168.24.6 255.255.255.252 pointopoint address 192.168.24.5 ! # The next 4 routes ensure Tunnel0 traffic uses the ADSL0 connection # and Tunnel1 uses the Ethernet0 connection ip route add blackhole 126.96.36.199 metric 15 ip route add blackhole 188.8.131.52 metric 15 ip route 184.108.40.206 255.255.255.255 ADSL0 ip route 220.127.116.11 255.255.255.255 Ethernet0 !
- Be sure you don't redistribute the connected interface routes for your ADSL interfaces.
router ospf network 192.168.24.0/24 area 0.0.0.0 redistribute connected distribute-list 10 out connected ! access-list 10 permit 172.16.0.0 0.0.0.255 access-list 10 deny any