aleab
Member Candidate
Topic Author
Posts: 110
Joined: Sat Sep 22, 2018 6:13 pm

dual wan vpn site to site

Wed Dec 01, 2021 11:46 pm

Hello,
I have this situation:

HEADQUARTER
MikroTik dual WAN (PCC configured)
ISP1 (on eth1) with public IP (30 Mbps download / 6 Mbps upload)
ISP2 (on eth2) with public IP (30 Mbps download / 6 Mbps upload)

BRANCH OFFICE
only 1 ISP with a dynamic IP (45 Mbps download / 15 Mbps upload)

I would like to connect the branch office to the headquarters (without aggregation), but I would like to set up a failover VPN...

In other words, if I have a single PC (road warrior) I set up an OVPN with a conf file containing the IP/port of both headquarters IPs.
So if ISP1 does not answer, OpenVPN calls ISP2...

Can I set up a similar configuration on the MikroTik OpenVPN client?

I write OpenVPN because I'm familiar with OpenVPN, but I'm open to IPsec / L2TP ....

Thank you
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: dual wan vpn site to site

Sun Dec 05, 2021 4:47 pm

One approach is that you really allow only one OVPN tunnel to establish at a time; another approach is that you let both of them establish and use routes with different distance values to prefer one of the tunnels. The latter way may provide a faster failover but may not be possible with a stock OpenVPN server (I'm not sure whether you can assign the same iroute destination prefixes to two distinct clients and, if you can, how to prioritize them).

To prevent the secondary client from actually connecting while the primary one is alive, I'd do the following:

/ip firewall mangle
add chain=input src-address=primary-wan protocol=tcp src-port=1194 action=add-dst-to-address-list address-list=ovpn-blocker address-list-timeout=1m tcp-flags=!rst,!syn,!fin

This rule adds/refreshes an item on an address list each time the server sends a regular packet (carrying some payload or at least an ACK); the address list becomes empty 1 minute after the last useful packet arrives, so there has to be some keepalive traffic - if OpenVPN doesn't generate keepalive traffic autonomously, you have to take care of that.

/ip firewall filter
add chain=output src-address-list=ovpn-blocker dst-address=ip.of.HQ.wan2 protocol=tcp dst-port=1194 action=drop

This rule prevents the OVPN packets from the backup client from being actually sent as long as the address list is not empty, preventing the backup client from connecting and even occupying the uplink bandwidth, but once the connection establishes, it will not actively terminate even when the primary one re-establishes. It has to die away due to some timeout, and until it does, the routing at server side may be confused.

Even if you use scripting to disable and enable the backup client depending on the state of the primary client, this period of uncertainty when both clients are active will be there, as the only way to determine whether the primary server works is to establish a connection. Hence it seems better to me to have both clients active simultaneously, and use route priorities to choose which of the tunnels the client and server will use.

Same approach applies to any kind of VPN except bare IPsec.
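A complete branch-side configuration for the "only one tunnel at a time" variant described above, added here as an illustration and not taken from sindy's post. The HQ addresses (ip.of.HQ.wan1, ip.of.HQ.wan2), the HQ LAN prefix 192.168.10.0/24 and the OVPN credentials are placeholders.

```routeros
# Added example: branch-side RouterOS config for the "one tunnel at a time"
# approach. Placeholders: ip.of.HQ.wan1 / ip.of.HQ.wan2 (HQ public IPs),
# 192.168.10.0/24 (HQ LAN), user/password (OVPN credentials).

/interface ovpn-client
# Primary tunnel towards ISP1, backup tunnel towards ISP2; both stay enabled.
add name=ovpn-client1 connect-to=ip.of.HQ.wan1 port=1194 mode=ip \
    user=branch password=changeme disabled=no comment="primary (isp1)"
add name=ovpn-client2 connect-to=ip.of.HQ.wan2 port=1194 mode=ip \
    user=branch password=changeme disabled=no comment="backup (isp2)"

/ip firewall mangle
# Every non-SYN/FIN/RST segment from the primary server (live tunnel traffic
# or a keepalive) refreshes a 1-minute entry in the ovpn-blocker list; the
# entry's address is the branch WAN IP the packet was sent to.
add chain=input src-address=ip.of.HQ.wan1 protocol=tcp src-port=1194 \
    tcp-flags=!syn,!fin,!rst action=add-dst-to-address-list \
    address-list=ovpn-blocker address-list-timeout=1m \
    comment="primary ovpn alive"

/ip firewall filter
# While the entry exists, the backup client's outgoing TCP/1194 packets to
# WAN2 are dropped, so it cannot connect; once the primary has been silent
# for 1 minute the entry expires and the backup is free to establish.
add chain=output src-address-list=ovpn-blocker dst-address=ip.of.HQ.wan2 \
    protocol=tcp dst-port=1194 action=drop comment="hold backup ovpn"

/ip route
# One route to the HQ LAN per tunnel. A route whose gateway interface is not
# running is inactive, and the lower distance wins if both tunnels are up.
add dst-address=192.168.10.0/24 gateway=ovpn-client1 distance=1 comment="ovpn-client1"
add dst-address=192.168.10.0/24 gateway=ovpn-client2 distance=2 comment="ovpn-client2"
```

On a stock OpenVPN server the `keepalive` directive (for example `keepalive 10 60`) makes the server send a ping after 10 s of silence, which is enough to keep the list entry refreshed while the primary tunnel is healthy.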
 
aleab
Member Candidate
Topic Author
Posts: 110
Joined: Sat Sep 22, 2018 6:13 pm

Re: dual wan vpn site to site

Mon Dec 06, 2021 10:41 pm

Thank you for the reply.
Now I'm checking your idea and will test...

Meanwhile I'm trying to write a script that checks whether ovpn1 is running and, if not, switches to the secondary profile..

This is the script; I hope it is useful for someone, and of course anyone could check/improve it:
# check-vpn: keep ovpn-client1 as the primary tunnel and fail over to
# ovpn-client2 only while ovpn-client1 is not running (run from the scheduler).
:local Runningovpn1 [/interface get ovpn-client1 running];
:local Statusovpn2 [/interface get ovpn-client2 disabled];

:if ($Statusovpn2) do={
    # Normal state: client2 is disabled, client1 should be carrying the traffic.
    :log info "client2 disabled is $Statusovpn2";
    :if ($Runningovpn1) do={
        :log info "ovpn1-ok";
    } else={
        # Primary tunnel is down: move interface and route to client2.
        :log info "ovpn1-not-running";
        /interface disable ovpn-client1; /ip route disable [/ip route find comment="ovpn-client1"];
        /interface enable ovpn-client2; /ip route enable [/ip route find comment="ovpn-client2"];
    }
} else={
    # Failover state: client2 is active, probe whether client1 has come back.
    :log info "client2 disabled is $Statusovpn2";
    /interface enable ovpn-client1; /ip route enable [/ip route find comment="ovpn-client1"];
    :log info "wait 5 seconds";
    :delay 5s;
    :set Runningovpn1 [/interface get ovpn-client1 running];
    :log info "client1 running is $Runningovpn1";
    :if ($Runningovpn1) do={
        # Primary is back: return to the normal state.
        :log info "disable-ovpn2";
        /interface disable ovpn-client2; /ip route disable [/ip route find comment="ovpn-client2"];
    } else={
        # Primary still down: stay on client2.
        /interface disable ovpn-client1; /ip route disable [/ip route find comment="ovpn-client1"];
        /interface enable ovpn-client2; /ip route enable [/ip route find comment="ovpn-client2"];
        :log info "client2 running is $[/interface get ovpn-client2 running]";
    }
}

# create a script named check-vpn
# scheduler every 5 min - interval = 00:05:00
# :execute [/system script run check-vpn]
I don't need absolute uptime, but if WAN1 is down on the headquarters MikroTik it can connect automatically on WAN2.

thank you
