
Multiple OpenVPN clients: run in parallel, serial or alternative?

stevieosaurus

Occasional Visitor
I searched all over this forum & google but couldn't get one clear, straight answer, so here goes:
If I activate multiple (2 or more) OpenVPN clients in my Merlin router admin interface, do these:

1. Run in parallel - some clients (local IPs) connect through one VPN, others through another VPN, at the same time? Do some requests from the same client (local IP) perhaps access one VPN through the TCP port, and the same machine also accesses another VPN through UDP?

2. Run in serial - all clients connect to the first VPN, and then they connect through the secondary VPN, one behind each other?

3. Alternatively/redundantly - each local client tries to go through the first VPN, and if it fails, tries through the secondary VPN?

Additionally: what if I activate (switch ON) ALL (5) OpenVPN clients at the same time? I understand this might overload the router CPU, but as a thought experiment, how will local IPs be routed through these VPNs?
Thank you very much.
 

eibgrad

Senior Member
With most routers, it only makes sense to use PBR (policy based routing) when using multiple, concurrent OpenVPN clients. If you don't, each OpenVPN client will change the default gateway to itself. And which one ultimately becomes the default gateway ends up being arbitrary, and unpredictable (no one can control which OpenVPN client gets connected and configured before/after the other).

With PBR, no OpenVPN client becomes the default gateway. It remains w/ the ISP. *YOU* decide which clients use which OpenVPN client.
 

eibgrad

Senior Member
I should add, at least in theory, you *could* tunnel one OpenVPN client inside another (for obvious reasons). However, I seriously doubt any of the typical firmware you find on these routers is going to be sophisticated enough to manage that process. Most are pretty dumb, and will let you get into a world of hurt if you assume otherwise. As I said, PBR is usually your best bet. If you need something more sophisticated and controlled, you usually have to manage the OpenVPN clients w/ the CLI (command line interface), assuming that's an option.
 

stevieosaurus

Occasional Visitor
I think I begin to understand. Thank you for the explanation.
Unfortunately right now the only PBR policy routing available won't let me set fail-over VPN connections running in parallel, which is what I wanted. I have to turn off & on OpenVPN clients in the list as one fails.
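
The policy-routing behaviour discussed in this thread, as an added example that is not part of any poster's message and not router firmware code: a small Python model of Linux-style rule and table lookup showing which interface each LAN host leaves on, and what happens to a host when its tunnel drops. The LAN addresses, table names and interface names (`wan0`, `tun11`, `tun12`) are constructed assumptions.

```python
import ipaddress

# Constructed sample values: LAN addresses, table names and interface names
# are assumptions for illustration, not taken from any real router.
def build_state(block_on_failure=False):
    """Routing tables plus rules, modelled on Linux policy routing."""
    tables = {
        "main": [("0.0.0.0/0", "wan0", 0)],   # default gateway stays with the ISP
        "vpn1": [("0.0.0.0/0", "tun11", 0)],
        "vpn2": [("0.0.0.0/0", "tun12", 0)],
    }
    if block_on_failure:
        # Higher-metric fallback that rejects traffic instead of leaking it.
        for name in ("vpn1", "vpn2"):
            tables[name].append(("0.0.0.0/0", "unreachable", 9999))
    # (priority, source prefix, table); the lowest priority number is checked first.
    rules = [
        (100, "192.168.1.10/32", "vpn1"),
        (110, "192.168.1.20/32", "vpn2"),
        (32766, "0.0.0.0/0", "main"),
    ]
    return tables, rules

def tunnel_down(tables, dev):
    """When an interface goes down, the routes that use it disappear."""
    for name in tables:
        tables[name] = [r for r in tables[name] if r[1] != dev]

def egress(tables, rules, src, dst="203.0.113.5"):
    """Return the interface a packet from src leaves on, or 'unreachable'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, prefix, table in sorted(rules):
        if s not in ipaddress.ip_network(prefix):
            continue
        matches = [r for r in tables[table] if d in ipaddress.ip_network(r[0])]
        if matches:
            # Longest prefix wins, then lowest metric.
            best = min(matches, key=lambda r: (-ipaddress.ip_network(r[0]).prefixlen, r[2]))
            return best[1]
        # No route in this table: fall through to the next matching rule.
    return "unreachable"

if __name__ == "__main__":
    tables, rules = build_state()
    for host in ("192.168.1.10", "192.168.1.20", "192.168.1.30"):
        print(host, "->", egress(tables, rules, host))
```

In this model, a host pinned to a failed tunnel falls through to the main table and exits via the ISP unless its table also carries the `unreachable` fallback, in which case it is blocked instead.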
 

stevieosaurus

Occasional Visitor
Stupid question: I still wonder if I run 2 OpenVPN clients: one on UDP and one on TCP, will my local clients switch automatically between them as per TCP/UDP request, or do they need to disconnect & reconnect to a new IP every time in order to switch between these protocol-based VPN configurations?
 

eibgrad

Senior Member
The option to use UDP or TCP w/ the OpenVPN client has NOTHING to do w/ the client's use of UDP vs. TCP packets within its own connections. When choosing UDP vs. TCP w/ the OpenVPN client, you're telling the OpenVPN client the protocol *it* should use between itself and the OpenVPN server for managing the tunnel. Regardless which you choose for the OpenVPN client, your clients tunnel *all* their protocols (UDP, TCP, ICMP, whatever) over the VPN.
 

stevieosaurus

Occasional Visitor
I see. Yes, that makes sense. Thank you for the explanation.
 
