How can I accomplish VPN across Dual Wan connections?

Started by shore, July 23, 2019, 07:47:46 PM

Hi

How can I accomplish VPN across dual WAN connections?
And what is the optimal way?


Look at the attachment for a bigger/sharper picture.

Idea is to make:

  • Site-to-site VPN.
  • Make a single connection inside the VPN use the full bandwidth of both WAN connections using (Split TCP, Multipath TCP, bonding or technique x?).
  • Make it possible for a Road Warrior to have a VPN connection to both sites and have traffic use the optimal speed/route.

Note

  • The order for "split/bonding" and VPN might not be in optimal/working order in the plan_for_network_desing picture.
  • The wan2 and Road Warrior connections are 4G, so they are behind ISP NAT. So they can "only do" outbound IPv4 connections. A public IPv6 address might be possible.
  • The DSL connections have public IPv4 addresses and take incoming connections.
  • If the default OPNsense cannot do this alone... I am interested to know how I can accomplish this?
  • Maybe add some packages perhaps?


Help anyone?

Is Split TCP or VPN tunnel bonding in layer 2 (in a bandwidth-increasing way) possible in OPNsense?

Also Multipath TCP (MPTCP) and MLVPN look like promising technologies, but I don't have experience with them yet. Does OPNsense support them, or can they be made to work?

Tinc VPN also looks like a promising technology for the Road Warrior problem, but I don't have experience with it yet.

What can be done on OPNsense?
Any help?

July 25, 2019, 04:34:15 PM #2 Last Edit: July 25, 2019, 04:55:59 PM by birdpark
Hello. I am a newb.
Excuse my ignorance, but if this was possible, why didn't the VPN companies already think of this? I could connect to all their servers.
Why don't you set up VPN on both of those networks, and make a script to access the fastest one from your laptop?
Why would you have a part of your connection go through a slower route? Why wouldn't you simply pick the fastest route?
It would make sense only if the ISP was throttling your connection on one of those networks when you use too much data.
In that case, you can set up a limited VPN connection between the two networks, and connect to the one that gives you more data.
Please explain your situation if I don't understand.

Quote from: birdpark on July 25, 2019, 04:34:15 PM
Hello. I am a newb.
Excuse my ignorance, but if this was possible, why didn't the VPN companies already think of this? I could connect to all their servers.
Why don't you set up VPN on both of those networks, and make a script to access the fastest one from your laptop?
Why would you have a part of your connection go through a slower route? Why wouldn't you simply pick the fastest route?
It would make sense only if the ISP was throttling your connection on one of those networks when you use too much data.
In that case, you can set up a limited VPN connection between the two networks, and connect to the one that gives you more data.
Please explain your situation if I don't understand.

This is quite simple really, but I'll try to explain it a bit more...

1 Site-to-site VPN problem:
Example
In Site A
Internet connection using ISP1 DSL 10Mbit/sec
Internet connection using ISP2 4G 10Mbit/sec
In Site B
Internet connection using ISP1 DSL 10Mbit/sec
Internet connection using ISP2 4G 10Mbit/sec

Total combined capacity between the sites is 20Mbit up and 20Mbit down.


  • If you only choose to use one of the WAN connections you can transfer only at 10Mbit/sec between the sites in one direction.
  • If you use both of them separately and run at least two separate file transfers you can transfer up to 20Mbit/sec together in one direction.
  • If your application can only benefit from a single TCP session then you need to do some tricks like bonding the two connections together to get 20Mbit/sec speeds in one direction.
Clearly 20Mbit Single TCP throughput is better than 10Mbit :)

Some ISPs do this already. They sell connections that have multiple DSL lines combined or DSL+4G hybrid lines.
Like mushroomnetworks or Bigleaf.
https://www.mushroomnetworks.com/broadband-bonding-technology/
https://www.bigleaf.net/same-ip-address-failover/#features-menu
(No personal experience on these ISPs, but on others)

There are also solutions that offer this as ready-made products.
PepLink / Speedfusion / PepVPN (No personal experience)
https://www.peplink.com/
https://www.peplink.com/technology/pepvpn/

Or in an open source distro like Zeroshell (personal experience, and it works!)
https://zeroshell.org/
"VPN aggregation is a different story. In this case, balancing of traffic takes place in Layer 2, thus a bandwidth increase is also available for a single TCP/IP connection."
https://forum.netgate.com/topic/14711/dual-wan-bonding/2

And Multipath TCP is a related new solution and is used for example by Apple in the Siri application.
http://blog.multipath-tcp.org/blog/html/2018/12/15/apple_and_multipath_tcp.html
https://www.youtube.com/watch?v=VWN0ctPi5cw
https://www.youtube.com/watch?v=VMdPI9Cfi9k
In MLVPN you can bond your internet links to increase bandwidth (unlimited).
https://github.com/zehome/MLVPN
https://github.com/opnsense/ports/blob/master/net/mlvpn/files/mlvpn.in
Multipath TCP and MLVPN, at least on paper, look better than layer 2 bonding/VPN aggregation, but I don't have experience with them yet.

In OPNsense I would like to accomplish what is already possible on other platforms.

2 Road Warrior optimal VPN problem.
Tinc VPN (no experience on it yet)
http://www.tinc-vpn.org/
"
- Automatic full mesh routing
-- Regardless of how you set up the tinc daemons to connect to each other, VPN traffic is always (if possible) sent directly to the destination, without going through intermediate hops.
- NAT traversal
-- As long as one node in the VPN allows incoming connections on a public IP address (even if it is a dynamic IP address), tinc will be able to do NAT traversal, allowing direct communication between peers.
"
If you don't have these (like in a traditional VPN), then for optimal performance you need to manually adjust the connections to Site A or Site B depending on where you need to connect.
Or, if you only set up a Road Warrior VPN to Site A and what you need to access is in Site B, you can automatically route the traffic through the site-to-site VPN, but this is a lot less optimal than a direct connection.
Tinc VPN promises possible solutions to the problem :)

There is a Tinc VPN plugin for OPNsense and I would really like to hear experiences with it.

July 27, 2019, 08:15:31 PM #4 Last Edit: July 27, 2019, 08:24:46 PM by birdpark
Ah ok, I get it. I thought you only wanted to increase the bandwidth of your laptop by using two networks as a single proxy.
These guys here say that no VPN solution at all can be combined with Multipath TCP.
https://www.viprinet.com/en/technology/viprinet-vs-multipath-tcp
I also found a product for OpenWrt and Debian called OpenMPTCProuter that could work.
Probably MLVPN could be ported to FreeBSD/OPNsense, as I think it can be popular for some.
I thought tinc was only used for setting up a network of devices connected by VPN.
Sorry I am the only one to reply. I only signed up because I needed some help.
I suggest that you also post in this reddit group until things pick up around here. https://www.reddit.com/r/homelab/

GRE Tunnel Bonding Protocol https://tools.ietf.org/html/rfc8157 - "Single flow may use the combined bandwidth of the two connections."
Can this be implemented in OPNsense?

It seems Layer 2 bonding is one solution. "Since load balancing in bonding takes place in Ethernet frames, even a single TCP/IP connection will enjoy an increased band thanks to the presence of multiple links."
https://zeroshell.org/load-balancing-failover/#vpn-bonding
Can this be implemented in OPNsense?
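The bandwidth argument from the site-to-site example earlier in the thread (one flow capped at 10Mbit under per-connection balancing, 20Mbit only with bonding) and the RFC 8157 / Layer 2 bonding question just above share one mechanism, so here is a single worked model of it. This is an added example written for this page; it is not code from the thread, from OPNsense, MLVPN, Zeroshell or the RFC, and the link capacities, latencies and packet size are constructed figures. It shows three things: per-flow balancing (what a multi-WAN gateway group does) cannot give one TCP session more than one link; packet-level striping can; and striping across links of different latency (DSL next to 4G) delivers packets out of order, which is why every bonding protocol carries sequence numbers and a receiver-side reorder buffer, paid for in added delay.

```python
# Added example, not from the thread: a small model of per-flow balancing
# versus packet-level bonding across two WAN links, plus the reordering
# cost of striping over paths with different latency.
# Constructed links: (name, capacity in Mbit/s, one-way latency in ms).
LINKS = [("dsl", 10.0, 20.0), ("4g", 10.0, 60.0)]
PACKET_BITS = 1500 * 8  # one full-size Ethernet frame


def per_flow_balancing(num_flows, links=LINKS):
    """Assign each flow to one link round-robin (a gateway-group model).
    A flow's rate is its link capacity divided by the flows sharing that link.
    Returns (list of per-flow rates, aggregate rate), in Mbit/s."""
    choice = [i % len(links) for i in range(num_flows)]
    sharing = [choice.count(i) for i in range(len(links))]
    rates = [links[i][1] / sharing[i] for i in choice]
    return rates, sum(rates)


def packet_bonding(num_flows, links=LINKS):
    """Stripe every flow over all links: the pool is the sum of the capacities
    and each flow gets an equal share of it. Same return shape as above."""
    pool = sum(cap for _, cap, _ in links)
    return [pool / num_flows] * num_flows, pool


def stripe_arrivals(num_packets, links=LINKS):
    """Send one flow's packets alternately over the links and return
    (seq, arrival_ms) pairs in the order the far end receives them. Each link
    is a FIFO pipe: a packet is serialised when the link is free and lands
    one latency later."""
    free_at = [0.0] * len(links)
    arrivals = []
    for seq in range(num_packets):
        i = seq % len(links)
        _, cap, lat = links[i]
        free_at[i] += PACKET_BITS / (cap * 1e6) * 1000.0  # serialisation ms
        arrivals.append((seq, free_at[i] + lat))
    arrivals.sort(key=lambda p: (p[1], p[0]))
    return arrivals


def count_reordered(arrivals):
    """Number of packets that arrive after a higher sequence number already
    has. Handed straight to TCP these cause duplicate ACKs and can trigger
    spurious retransmissions, which is what bonding protocols hide."""
    highest = -1
    late = 0
    for seq, _ in arrivals:
        if seq < highest:
            late += 1
        highest = max(highest, seq)
    return late


def resequence(arrivals):
    """Receiver-side reorder buffer of the kind bonding protocols use: hold a
    packet until every lower sequence number has arrived. Returns the delivered
    sequence order and the longest time (ms) any packet sat in the buffer."""
    arrival_of = dict(arrivals)
    delivered, worst_hold, ready_at = [], 0.0, 0.0
    for seq in sorted(arrival_of):
        ready_at = max(ready_at, arrival_of[seq])  # all of 0..seq are now in
        worst_hold = max(worst_hold, ready_at - arrival_of[seq])
        delivered.append(seq)
    return delivered, worst_hold


if __name__ == "__main__":
    print("one flow, per-flow balancing:", per_flow_balancing(1)[1], "Mbit/s")
    print("two flows, per-flow balancing:", per_flow_balancing(2)[1], "Mbit/s")
    print("one flow, packet bonding:", packet_bonding(1)[1], "Mbit/s")
    arr = stripe_arrivals(10)
    print("naive striping, 10 packets:", count_reordered(arr), "arrive out of order")
    order, hold = resequence(arr)
    print("after reorder buffer:", order, "worst hold %.1f ms" % hold)
```

With the constructed figures, a single flow gets 10Mbit/s under per-flow balancing and 20Mbit/s under striping, but 4 of 10 striped packets arrive out of order and the reorder buffer has to hold DSL packets for about 39 ms waiting for their 4G neighbours. That hold time grows with the latency gap between the links, which is the practical caveat behind "single flow may use the combined bandwidth": the aggregate behaves like the slower path for latency, and a bonding product's quality is largely its reordering and path-loss handling.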