
Multiple OpenVPN clients: run in parallel, serial or alternative?


stevieosaurus

Regular Contributor
I searched all over this forum & Google but couldn't get one clear, straight answer, so here goes:
If I activate multiple (2 or more) OpenVPN clients in my Merlin router admin interface, do these:

1. Run in parallel - some clients (local IPs) connect through one VPN, others through another VPN, at the same time? Do some requests from the same client (local IP) perhaps access one VPN through the TCP port, and the same machine also accesses another VPN through UDP?

2. Run in serial - all clients connect to the first VPN, and then they connect through the secondary VPN, one behind each other?

3. Alternatively/redundantly - each local client tries to go through the first VPN, and if it fails, tries through the secondary VPN?

Additionally: what if I activate (switch ON) ALL (5) OpenVPN clients at the same time? I understand this might overload the router CPU, but as a thought experiment, how will local IPs be routed through these VPNs?
Thank you very much.
 
With most routers, it only makes sense to use PBR (policy based routing) when using multiple, concurrent OpenVPN clients. If you don't, each OpenVPN client will change the default gateway to itself. And which one ultimately becomes the default gateway ends up being arbitrary and unpredictable (no one can control which OpenVPN client gets connected and configured before/after the other).

With PBR, no OpenVPN client becomes the default gateway. It remains w/ the ISP. *YOU* decide which clients use which OpenVPN client.
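
As an added example (not part of the original posts, and not the router firmware's own code), the policy routing described above expressed as generic Linux iproute2 commands. The LAN addresses, tunnel names, table numbers and the `unreachable` fallback route are assumptions, and each OpenVPN client is assumed to be configured not to install a pushed default route (for example with `route-nopull`).

```shell
#!/bin/sh
# Added example: print (do not run) iproute2 commands for source-based PBR.
# Policy format: "<lan-ip> <tunnel-dev> <table-id>". All values are constructed.
POLICY='192.168.1.10 tun11 111
192.168.1.20 tun12 112
192.168.1.21 tun12 112'

# Accept only dotted-quad IPv4 addresses with octets 0-255.
valid_ip() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Emit one routing table per tunnel and one "ip rule" per LAN client.
# Every field is validated because the output is meant to be pasted into a shell.
pbr_commands() {
    seen="" n=0
    while read -r src dev table; do
        [ -n "$src" ] || continue
        valid_ip "$src" || { echo "bad source: $src" >&2; return 1; }
        echo "$dev" | grep -Eq '^tun[0-9]+$' || { echo "bad device: $dev" >&2; return 1; }
        echo "$table" | grep -Eq '^[0-9]+$' || { echo "bad table: $table" >&2; return 1; }
        case " $seen " in
            *" $table "*) ;;   # table already populated for this tunnel
            *)  seen="$seen $table"
                # Default route for this table only; the main table keeps the ISP gateway.
                echo "ip route replace default dev $dev table $table"
                # Fallback so these clients get an error, not the ISP path, if the tunnel drops.
                echo "ip route replace unreachable default metric 1000 table $table"
                ;;
        esac
        n=$((n + 1))
        echo "ip rule add from $src/32 lookup $table priority $((10000 + n))"
    done <<EOF
$1
EOF
}

pbr_commands "$POLICY"
```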
 
I should add, at least in theory, you *could* tunnel one OpenVPN client inside another (for obvious reasons). However, I seriously doubt any of the typical firmware you find on these routers is going to be sophisticated enough to manage that process. Most are pretty dumb, and will let you get into a world of hurt if you assume otherwise. As I said, PBR is usually your best bet. If you need something more sophisticated and controlled, you usually have to manage the OpenVPN clients w/ the CLI (command line interface), assuming that's an option.
 
I think I begin to understand. Thank you for the explanation.
Unfortunately right now the only PBR policy routing available won't let me set fail-over VPN connections running in parallel, which is what I wanted. I have to turn off & on OpenVPN clients in the list as one fails.
 
Stupid question: I still wonder, if I run 2 OpenVPN clients, one on UDP and one on TCP, will my local clients switch automatically between them as per TCP/UDP request, or do they need to disconnect & reconnect to a new IP every time in order to switch between these protocol-based VPN configurations?
 
The option to use UDP or TCP w/ the OpenVPN client has NOTHING to do w/ the client's use of UDP vs. TCP packets within its own connections. When choosing UDP vs. TCP w/ the OpenVPN client, you're telling the OpenVPN client the protocol *it* should use between itself and the OpenVPN server for managing the tunnel. Regardless which you choose for the OpenVPN client, your clients tunnel *all* their protocols (UDP, TCP, ICMP, whatever) over the VPN.
 
I see. Yes, that makes sense. Thank you for the explanation.
 
