I have a site with 2 internet connections, they are both set up with default routes and separate routing marks and mangle etc. We have a dedicated outgoing VPN for remote access/troubleshooting etc. The problem is that sometimes they use all the bandwidth on one of the connections and it gets throttled into uselessness and means that the VPN is up and working, but is unusable so I cannot get on the router to swap the default route to be the other connection. What I’d like to do is have the same VPN (to 1 IP address) running over both connections, so 2 VPNs.
How would I set this up short of using another external IP (on the other end) for the secondary VPN connection?
Do I get you right that the VPN connection is initiated by the router whose primary uplink gets jammed?
And can you provide two VPN accounts for that router so that the two VPN sessions to the remote IP could be established in parallel?
And, equally important, what VPN protocol do you use?
Sorry for the delay, I have somehow missed the notification about your response.
When configuring SSTP, the client side cannot be explicitly told to use a specific local address or interface. So my idea in this case would be to configure a second sstp-client interface, with the second user credentials, to connect to a different port than 443 (like 44443), use a firewall rule in the mangle table to assign one routing mark to packets towards server_ip:443 and another routing mark to packets towards server_ip:44443, then set up two routes to server_ip/32, each checking one of those routing marks, and finally another dst-nat rule in the output chain of the NAT table, changing the dst-port from 44443 back to 443.
However, this thread reveals that RouterOS still does not support the last step needed. So unless you can implement that step at the sstp server side or at some box-in-the-middle instead, I’m afraid there is no way currently.
I’ve recently come across something seemingly loosely similar which has made me have another look at this topic. Although it turned out not to be similar at all, I’ve got an idea which might possibly be helpful.
A premise: it is not important which of the two VPN accounts uses which uplink interface, the only requirement is that each of them uses another one. If that’s true, I would prepare the usual prerequisites for policy routing:
Then, I would use a set of mangle rules below to make sure that the first SSTP connection to be established would use one WAN interface, and any subsequent SSTP session to be established while the first one is running would use the other WAN interface:
It is important to set the address-list-timeout a second or two higher than the keepalive interval in the SSTP configuration (which must be the same for both accounts).
It might require an additional safety mechanism - a periodically scheduled script checking that there is only one connection marked with vpn-secondary, and if there are two, meaning that both accounts use the same WAN interface, disable one of the SSTP interfaces (thus terminating one of the connections), clear the my-aux-list, and re-enable the account, something like
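An added example of the periodic safety script described in the post above, written in RouterOS scripting; it is my own sketch, not the poster's. It assumes the second sstp-client interface is named sstp-out2 and that the connection mark vpn-secondary and the address list my-aux-list are the ones produced by the mangle rules the post refers to.

```routeros
# Added example: detect both SSTP sessions landing on the same WAN and
# restart the second one so it gets classified again by the mangle rules.
# Assumed names: sstp-out2 (second sstp-client interface), vpn-secondary
# (connection mark), my-aux-list (helper address list).
# Install as /system script add name=check-vpn-split source=... and run it
# with /system scheduler add name=check-vpn-split interval=1m on-event=check-vpn-split
:local secondary [/ip firewall connection print count-only where connection-mark="vpn-secondary"]
:if ($secondary > 1) do={
    :log warning ("check-vpn-split: " . $secondary . " connections marked vpn-secondary, restarting sstp-out2")
    # Disabling the interface tears down its tunnel and its tracked connection
    /interface sstp-client disable [find name="sstp-out2"]
    # Clear the helper list so the next connect attempt is classified afresh
    /ip firewall address-list remove [find list="my-aux-list"]
    # Give connection tracking a moment to drop the old entry, then reconnect
    :delay 5s
    /interface sstp-client enable [find name="sstp-out2"]
}
```

If the first session is the one you would rather sacrifice, swap the interface name; the check itself is the same either way.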