OPNsense Forum

English Forums => General Discussion => Topic started by: robvh on September 08, 2017, 07:00:56 pm

Title: simultaneous VPN clients
Post by: robvh on September 08, 2017, 07:00:56 pm
Suppose you needed a connection to hosts in Australia and the US, via VPN.  It would be silly to use only 1 VPN end-point, no?  So I define a VPN client with an end-point in AUS and another in the US, with the same VPN provider.  It turns out that they always push a route-gateway address 10.8.8.1 so openvpn issues

/sbin/route add -net 10.8.8.0 10.8.8.1 255.255.255.0

and the second openvpn client issues: ERROR: FreeBSD route add command failed: external program exited with error status: 1

In https://airvpn.org/topic/9518-faking-static-local-vpn-addess-using-client-nat-and-ifconfig/?p=10449 I found an idea to use the client-dnat command to present a unique address for each of the 2 gateways, so I added in the advanced client properties of my 1st client:

route-gateway 10.8.5.1
ifconfig 10.8.57.2 10.8.5.1
client-nat dnat 10.8.5.1 255.255.255.255 10.8.8.1
client-nat dnat 10.8.5.0 255.255.255.255 10.8.8.0

and the 2nd client uses:

route-gateway 10.8.21.1
ifconfig 10.8.57.2 10.8.21.1
client-nat dnat 10.8.21.1 255.255.255.255 10.8.8.1
client-nat dnat 10.8.21.0 255.255.255.255 10.8.8.0

That means, my GATEWAY definitions refer to the 10.8.5.1 and 10.8.21.1 "virtual" gateway addresses, and I can have both active at the same time.  With geo-filter aliases in the FW rules, my traffic goes through the right tunnel.

Except... gateway monitoring does not work.  apinger tells me that it cannot reach the monitor addresses that I specified (both of which used to work, one at a time, when I did not have the dnat parameters).

1. How is apinger running, so that it does not use the "virtual" gateway addresses?
2. Is there a better way to have multiple openvpn clients (for the same VPN provider, that pushes the same route-gateway) active?

Edit: after I upgraded to 17.10.1, apinger is able to ping the monitor addresses through the "virtual" gateways.
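
Added example, not part of the original post: a Python check that reports which OpenVPN clients would try to add the same tunnel route (the cause of the `route add` failure above) and whether each overridden route-gateway has a `client-nat dnat` line back to the pushed 10.8.8.1. The client names `aus` and `us` are hypothetical, and the /24 mask is an assumption taken from the route command quoted in the post.

```python
import ipaddress
from collections import defaultdict

PUSHED_GW = ipaddress.ip_address("10.8.8.1")  # pushed to every client (from the post)
NETMASK = "255.255.255.0"                     # mask in the failing route command

def options(n):
    """Advanced options in the post's pattern, with 10.8.<n>.x as virtual addresses."""
    return (f"route-gateway 10.8.{n}.1\nifconfig 10.8.57.2 10.8.{n}.1\n"
            f"client-nat dnat 10.8.{n}.1 255.255.255.255 10.8.8.1\n"
            f"client-nat dnat 10.8.{n}.0 255.255.255.255 10.8.8.0\n")

WITH_NAT = {"aus": options(5), "us": options(21)}   # values from the post
WITHOUT_NAT = {"aus": "", "us": ""}                 # constructed: no overrides

def parse(text):
    """Collect route-gateway and client-nat dnat directives from an options box."""
    opts = {"gw": None, "dnat": set()}
    for line in text.splitlines():
        w = line.split()
        if w[:1] == ["route-gateway"] and len(w) == 2:
            opts["gw"] = ipaddress.ip_address(w[1])
        elif w[:2] == ["client-nat", "dnat"] and len(w) == 5:
            # field order: client-nat dnat <network> <netmask> <alias>
            opts["dnat"].add((ipaddress.ip_address(w[2]), ipaddress.ip_address(w[4])))
    return opts

def tunnel_net(opts):
    """Network the client would route via its gateway (local override or pushed)."""
    gw = opts["gw"] or PUSHED_GW
    return ipaddress.ip_network(f"{gw}/{NETMASK}", strict=False)

def route_conflicts(clients):
    """Return {network: [clients]} for networks that more than one client would add."""
    seen = defaultdict(list)
    for name, text in clients.items():
        seen[str(tunnel_net(parse(text)))].append(name)
    return {net: names for net, names in seen.items() if len(names) > 1}

def unmapped_gateways(clients):
    """Clients whose overridden gateway has no dnat entry to the pushed gateway."""
    missing = []
    for name, text in clients.items():
        opts = parse(text)
        if opts["gw"] and (opts["gw"], PUSHED_GW) not in opts["dnat"]:
            missing.append(name)
    return missing

if __name__ == "__main__":
    for label, cfg in (("without client-nat", WITHOUT_NAT), ("with client-nat", WITH_NAT)):
        print(label, route_conflicts(cfg), unmapped_gateways(cfg))
```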