Topics - robvh

General Discussion / simultaneous VPN clients
« on: September 08, 2017, 07:00:56 pm »
Suppose you needed a connection to hosts in Australia and the US, via VPN.  It would be silly to use only 1 VPN end-point, no?  So I define a VPN client with an end-point in AUS and another in the US, with the same VPN provider.  It turns out that they always push a route-gateway address 10.8.8.1 so openvpn issues

/sbin/route add -net 10.8.8.0 10.8.8.1 255.255.255.0

and the second openvpn client issues: ERROR: FreeBSD route add command failed: external program exited with error status: 1

In https://airvpn.org/topic/9518-faking-static-local-vpn-addess-using-client-nat-and-ifconfig/?p=10449 I found an idea to use the client-dnat command to present a unique address for each of the 2 gateways, so I added in the advanced client properties of my 1st client:

route-gateway 10.8.5.1
ifconfig 10.8.57.2 10.8.5.1
client-nat dnat 10.8.5.1 255.255.255.255 10.8.8.1
client-nat dnat 10.8.5.0 255.255.255.255 10.8.8.0

and the 2nd client uses:

route-gateway 10.8.21.1
ifconfig 10.8.57.2 10.8.21.1
client-nat dnat 10.8.21.1 255.255.255.255 10.8.8.1
client-nat dnat 10.8.21.0 255.255.255.255 10.8.8.0

That means, my GATEWAY definitions refer to the 10.8.5.1 and 10.8.21.1 "virtual" gateway addresses, and I can have both active at the same time.  With geo-filter aliases in the FW rules, my traffic goes through the right tunnel.

Except... gateway monitoring does not work. apinger tells me that it cannot reach the monitor addresses that I specified (both of which used to work, one at a time, when I did not have the dnat parameters).

1. How is apinger running, so that it does not use the "virtual" gateway addresses?
2. Is there a better way to have multiple openvpn clients (for the same VPN provider, that pushes the same route-gateway) active?

Edit: after I upgraded to 17.10.1, apinger is able to ping the monitor addresses through the "virtual" gateways.
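As an added illustration, not code from the post, from OPNsense or from OpenVPN: a small Python model of what the client-nat dnat rules quoted above do, namely a stateless, mask-preserving one-to-one rewrite of the destination on packets entering the tunnel (virtual gateway to real gateway) and of the source on replies coming back, plus a helper that flags which clients push the same route-gateway and would therefore collide on the route without such rules. The direction semantics (network = address as the local host sees it, alias = address inside the tunnel) and first-match rule order are assumptions chosen to match the post's usage; the rule lines are the two clients' options from the post.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ClientNat:
    """One `client-nat dnat <network> <netmask> <alias>` rule (stateless 1:1 NAT)."""
    network: int   # range as the local host sees it (the "virtual" gateway side)
    netmask: int
    alias: int     # range as it exists inside the tunnel (the pushed 10.8.8.x side)

def parse_client_nat(line: str) -> ClientNat:
    """Parse one OpenVPN `client-nat dnat` line into integer addresses."""
    keyword, kind, net, mask, alias = line.split()
    if keyword != "client-nat" or kind != "dnat":
        raise ValueError(f"only client-nat dnat rules are modelled: {line!r}")
    net_i, mask_i, alias_i = (int(ipaddress.IPv4Address(s)) for s in (net, mask, alias))
    return ClientNat(net_i, mask_i, alias_i)

def _rewrite(addr: int, match_net: int, mask: int, target_net: int):
    """Mask-preserving rewrite: keep the host bits, swap the network bits. None if no match."""
    if addr & mask != match_net & mask:
        return None
    return (addr & ~mask & 0xFFFFFFFF) | (target_net & mask)

def translate(rules, addr: str, direction: str) -> str:
    """Apply the first matching rule (first-match order is an assumption of this model).
    'out': destination of a packet entering the tunnel, virtual -> real.
    'in' : source of a packet arriving from the tunnel, real -> virtual."""
    a = int(ipaddress.IPv4Address(addr))
    for r in rules:
        src, dst = (r.network, r.alias) if direction == "out" else (r.alias, r.network)
        new = _rewrite(a, src, r.netmask, dst)
        if new is not None:
            return str(ipaddress.IPv4Address(new))
    return addr  # no rule matched: the address passes through unchanged

def gateway_conflicts(pushed_gateways: dict) -> dict:
    """Map each route-gateway pushed by more than one client to the clients sharing it."""
    by_gw = {}
    for client, gw in pushed_gateways.items():
        by_gw.setdefault(gw, []).append(client)
    return {gw: names for gw, names in by_gw.items() if len(names) > 1}

# Constructed from the two clients' advanced options quoted in the post.
AUS_RULES = [parse_client_nat("client-nat dnat 10.8.5.1 255.255.255.255 10.8.8.1"),
             parse_client_nat("client-nat dnat 10.8.5.0 255.255.255.255 10.8.8.0")]
US_RULES = [parse_client_nat("client-nat dnat 10.8.21.1 255.255.255.255 10.8.8.1"),
            parse_client_nat("client-nat dnat 10.8.21.0 255.255.255.255 10.8.8.0")]
```

With the /32 netmasks used here only the exact listed addresses are rewritten; a probe to 10.8.5.1 leaves the host as 10.8.8.1 inside the AUS tunnel and the reply from 10.8.8.1 comes back as 10.8.5.1, while any other 10.8.5.x address passes untouched.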

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved