Provide redundant VPN tunnels using m0n0wall
Posted February 10, 2006

I haven't done this yet, but I'd like to. If you have money to spend on this problem, call me.

Motivation

You have one main office and five remote offices. Each office has an ADSL internet connection. Computers in the remote offices need to connect to a server at the main office. The server needs to connect to print servers at the remote offices. You buy some VPN routers and everything works.

The only problem is that the ADSL connection stops working sometimes. You order cable internet at each office, to use as a backup. You buy some routers from a vendor (perhaps Cisco, SonicWall, Symantec, or Juniper) who promise that their VPN tunnels will automatically switch to the second ISP when the first ISP isn't working.

Unfortunately, the vendor has never been able to make this work. When ADSL fails, the VPN tunnels stop working.

Solution

Each office has three routers.

Router 1 (m0n0wall) uses the ADSL connection to provide internet access and to establish VPN tunnels to the other routers.

Router 2 (m0n0wall) uses the cable internet connection to provide internet access and to establish VPN tunnels to the other routers.

Router 3 (a m0n0wall derivative) continuously tests Router 1 and Router 2 by sending packets through their VPN tunnels to each of the remote subnets. Router 3 maintains its routing table according to which subnets can be reached by Router 1 and which can be reached by Router 2.

Router 3 continuously tests Router 1 and Router 2 for internet connectivity, and adjusts its routing table accordingly.

Devices on the LAN use Router 3 as their default gateway.
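The routing-table maintenance that Router 3 performs, as an added illustration (not m0n0wall code or anything from this page): each probe round records whether every remote subnet, and the internet, answered through Router 1 and through Router 2, and the table is changed only where the preferred working path differs from what is installed. The router addresses, subnets and probe results are constructed, and the route(8) command syntax is assumed to match a FreeBSD-based m0n0wall derivative.

```python
PRIMARY, SECONDARY = "192.168.10.1", "192.168.10.2"   # Router 1 (ADSL), Router 2 (cable); constructed
REMOTE_SUBNETS = ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"]  # constructed remote offices
INTERNET = "0.0.0.0/0"

def choose_gateway(current, via_primary, via_secondary):
    """Pick the gateway for one destination from this round's probe results.
    Prefer Router 1 whenever it works; fall back to Router 2; if neither
    answered, keep the current route so a total outage does not flap routes."""
    if via_primary:
        return PRIMARY
    if via_secondary:
        return SECONDARY
    return current

def desired_routes(current_table, probes):
    """probes: {dest: (reachable_via_router1, reachable_via_router2)}.
    How the probe packets are steered through each router (for example host
    routes for the probe targets) is outside this snippet; only the decision
    logic is shown. Returns {dest: gateway} for every probed destination."""
    return {dest: choose_gateway(current_table.get(dest, PRIMARY), p1, p2)
            for dest, (p1, p2) in probes.items()}

def route_commands(current_table, wanted):
    """Emit route(8) commands only where the installed table must change
    (assumed FreeBSD syntax; no command is produced for unchanged routes)."""
    cmds = []
    for dest, gw in sorted(wanted.items()):
        if current_table.get(dest) == gw:
            continue
        target = "default" if dest == INTERNET else "-net " + dest
        verb = "change" if dest in current_table else "add"
        cmds.append(f"route {verb} {target} {gw}")
    return cmds

# Constructed probe round: Router 1 (ADSL) has lost its tunnel to office 2 and
# its internet path, Router 2 (cable) is fine, and office 3 answers via neither.
SAMPLE_PROBES = {
    "10.1.0.0/24": (True, True),
    "10.2.0.0/24": (False, True),
    "10.3.0.0/24": (False, False),
    INTERNET: (False, True),
}
SAMPLE_TABLE = {d: PRIMARY for d in REMOTE_SUBNETS + [INTERNET]}  # everything via Router 1 so far

def sample_run():
    wanted = desired_routes(SAMPLE_TABLE, SAMPLE_PROBES)
    return wanted, route_commands(SAMPLE_TABLE, wanted)

if __name__ == "__main__":
    for cmd in sample_run()[1]:
        print(cmd)
```

Office 3 keeps its existing route rather than being moved, so a subnet that is down at the far end does not cause needless churn on Router 3.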

A WRAP-based m0n0wall router can be built for under $300 Canadian. The total hardware cost for six offices is under $6000. There are no licensing costs.

Tricky parts

What if ADSL is down at the main office, and cable is down at one of the remote offices? Will remote Router 1 establish a tunnel with main Router 2? If so, when the remote Router 2 comes back up, will the main Router 2 get confused because two authenticated endpoints are fighting for a tunnel for the same subnet?