Hi All,
I am trying to make Dual-ISP failover / load-balancing work (more reliably) and I had an idea... I'm hoping the collective expertise of this group can help me avoid wasting a ton of unnecessary time... either by poking holes in the idea (if it is not possible with OPNsense) or by pointing me to the relevant documentation sections and any tips you all have had, if you've done something similar...
Does anyone know if OPNsense can use two L2L VPNs, one from each WAN/ISP interface, terminating on an internet endpoint I control (in this case, a VPS server with root access)... and have the two VPN links act as two, equal-priority WAN links, so that the connections can provide failover and also increased bandwidth (connection-based, semi-load-balanced, not simple packet round-robin)?
I figure with two static, public IPv4 addresses on the VPS, I can set a static default route on each WAN interface pointing to one of those two static IPs on the VPS, with no other default route outbound. That way, all traffic would only be able to make it out to the net once at least one VPN session was up.
I figured OpenVPN set up on the VPS twice (once for each of the static, public IPs) would be all that is needed there... but I'm also wondering if there might be an easier way with WireGuard or Tailscale, perhaps... with less cumbersome configuration (such as making the two VPN connections act as a single, logical interface, like an EtherChannel, so the firewall did not need specific rules pointing to one interface or the other; the VPNs would handle the traffic distribution transparently...)
I'm eager to hear anyone's experiences if they have successfully configured something similar to this, and how they approached it, any roadblocks/solutions they found, how well it worked, etc.
Thanks for reading!
-Sean
OPNsense can handle dual VPNs, and it's possible to use two L2L VPNs for failover/load balancing with separate ISPs. Your idea of using static routes and a VPS with two public IPs seems solid. Both OpenVPN and WireGuard are viable options for VPNs, but I'd lean towards WireGuard for simplicity and better performance, especially if you want a more streamlined setup with less overhead.
To set up dual ISP load balancing and failover using L2L VPNs to an external VPS, I suggest that you dedicate a VPN for each connection. That way, you have more control over the individual ISPs, and it can give you better performance and reliability, especially if one connection goes down. You could use BGP to manage the routing between the two ISPs and automatically switch to the backup if the primary ISP fails. It's a bit of work setting it all up, but once it's running, it's super smooth. I'd also recommend monitoring your connections regularly to ensure everything works as expected. A dedicated VPN (https://ishosting.com/en/vpn) helps keep things stable.
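As an added example (not from any poster in this thread, and not OPNsense project code), here is the VPS-side half of the design the original post describes, using the WireGuard option the first reply recommends: one WireGuard interface per public IP, so that OPNsense sees two independent tunnels it can put in a gateway group. All addresses, the LAN prefix, the interface name and the key strings are constructed placeholders. One detail the thread does not mention: WireGuard on Linux listens on the wildcard address, so the two tunnels need different ListenPorts (51820 and 51821 here) even though each peer only ever talks to one of the two VPS addresses; WireGuard replies from whichever local address the handshake arrived on, so no bind-address option is needed.

```shell
#!/bin/sh
# Added example: generate and install two WireGuard tunnel configs on a
# Linux VPS with two public IPs, one tunnel per IP. Everything below is a
# constructed placeholder; replace with real values and real keys
# (`wg genkey | tee priv | wg pubkey`).
set -eu

VPS_IP_A="203.0.113.10"                  # placeholder: reached via OPNsense WAN1
VPS_IP_B="203.0.113.11"                  # placeholder: reached via OPNsense WAN2
PUBLIC_IF="eth0"                          # placeholder: VPS upstream interface
OPN_PUBKEY="<opnsense-wg-public-key>"     # placeholder public key of the OPNsense side
LAN_NET="192.168.10.0/24"                 # placeholder: LAN behind OPNsense

# Render one wg-quick config to stdout.
# Args: tunnel index, UDP listen port, tunnel /30 network (VPS takes .1, OPNsense .2)
gen_wg_conf() {
    idx="$1"; port="$2"; tun_net="$3"
    base="${tun_net%.*}"                  # "10.255.0.0/30" -> "10.255.0"
    cat <<EOF
[Interface]
# wg${idx}: VPS end of the tunnel
Address = ${base}.1/30
ListenPort = ${port}
PrivateKey = <vps-wg${idx}-private-key>
# Masquerade LAN traffic arriving over this tunnel out of the public interface
PostUp = iptables -t nat -A POSTROUTING -s ${LAN_NET} -o ${PUBLIC_IF} -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s ${LAN_NET} -o ${PUBLIC_IF} -j MASQUERADE

[Peer]
# OPNsense end; AllowedIPs must cover both the peer's tunnel address and the
# LAN it forwards, otherwise WireGuard drops the forwarded packets as spoofed.
PublicKey = ${OPN_PUBKEY}
AllowedIPs = ${base}.2/32, ${LAN_NET}
# No Endpoint here: OPNsense initiates toward ${VPS_IP_A}/${VPS_IP_B},
# and WireGuard answers from the address the handshake came in on.
PersistentKeepalive = 25
EOF
}

# Write both configs, enable forwarding and bring the tunnels up.
# Only run on the VPS itself (needs root, wg-quick and iptables).
install_tunnels() {
    mkdir -p /etc/wireguard
    gen_wg_conf 0 51820 10.255.0.0/30 > /etc/wireguard/wg0.conf   # tunnel via VPS_IP_A
    gen_wg_conf 1 51821 10.255.1.0/30 > /etc/wireguard/wg1.conf   # tunnel via VPS_IP_B
    chmod 600 /etc/wireguard/wg0.conf /etc/wireguard/wg1.conf
    sysctl -w net.ipv4.ip_forward=1
    systemctl enable --now wg-quick@wg0 wg-quick@wg1
}

# `sh this_script.sh install` installs; with no argument it only prints
# the two rendered configs so they can be reviewed first.
if [ "${1:-}" = "install" ]; then
    install_tunnels
elif [ "${1:-}" = "" ]; then
    gen_wg_conf 0 51820 10.255.0.0/30
    echo
    gen_wg_conf 1 51821 10.255.1.0/30
fi
```

On the OPNsense side, the matching pieces are: a static host route to VPS_IP_A via the WAN1 gateway and to VPS_IP_B via the WAN2 gateway (a narrower version of the original post's per-WAN default route, which pins each tunnel to its ISP), a gateway defined on each wg interface whose monitor IP is the VPS-side tunnel address (10.255.0.1 and 10.255.1.1 here) so dpinger detects a dead tunnel rather than a dead ISP link, both gateways in one gateway group at the same tier for load balancing (or different tiers for strict failover), and sticky connections enabled under Firewall > Settings > Advanced so a flow stays on one tunnel for its lifetime, which is the connection-based balancing the original post asks for rather than per-packet round-robin.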