Hi, I didn’t find any related article on this subject, and decided to open this topic, if one already exist guide me ))
Lest asume I have two routerOS devices and each of them have their own wan. (R1 - 1.1.1.1, R2 - 2.2.2.2 two provider-dependent addresses)
R1 and R2 will have a link for VRRP, and a local net ex: 192.168.88.0/24.
Now there are 50 clients that would need to connect to VPN to have acces to local network.
And the question is how to make this redundant, if fails one of routers or one of providers, what is the best practice.
I have only the idea of two VPN connections on each client PC, and tell them to connect to any, one should work, but wondering for a more elegant solution.
UPD1: I found the idea of an VPS (3.3.3.3) that is connected with VPN to both routers, and configure all clients to that ip address (3.3.3.3).
UDP2: Found the idea of an script that would update router ip to an DDNS service like cloudns.net with an low TTL, so the clients would connect to vpn.company.com (that would have two A type records and two ip address) so the clients will randomly connect to one of routers, and when one of the routers will fail it will stop updating DDNS and that record will have only one ip so the clients will have just to reconnect. (but this probably should be tested .. how fast this will be updated)
Where would that VPS run? If anywhere else than at the client PC, it would itself become the SPOF.
All the VPN protocols are stateful, so even if you create a virtual router from a pair of 'Tiks using VRRP and let the clients connect to the virtual IP, as soon as the currently active 'Tik breaks and the standby one takes over, the existing VPN connections will fail. Even MOBIKE (RFC4555) does not address context synchronisation between different hosts acting as VPN gateways, so that the stanby router could take over established VPN connections without a renegotiation.
I don’t know a VPN client software which would reconnect automatically after a failure, but you can use PowerShell on Windows and shell scripting on Linux/MacOS to overcome this.
Yes that VPS on some data-center will be SPOF. (that was just one idea)
There is no problem if the connection will be lost, this just need to be redundant, that the client could reconnect after disconnection and work further.
The idea of a script that could check connectivity and that connect to online device is probably an workaround.
The only VPN client that I know to have reconnect is OpenVPN, in client config should be added remote vpn1.company.com and after that remote vpn2.company.com and the client will use the second one only if first fails, but OpenVPN do not support multiple cores and OpenVPN with udp will be available only in RouterOS 7… so its not scalable/effective but for some cases probably an workaround.