multi-gateway openvpn server
Lately, I had to provide access to a private network over the internet using OpenVPN. For redundancy, it had to be reachable through two separate gateways, so that when one of them failed the private network would still be accessible through the other. I'm skipping a lot of the surrounding requirements and givens and just describing the core of the solution.
The main problem is that, when we have to handle traffic for two separate internet gateways, we have to handle two default gateways. When a packet arrives from a remote IP, a single routing table gives us no way of telling which of the two gateways the reply has to be sent back through. To solve this, the Linux VM running OpenVPN was connected to each of the gateways via a separate NIC. I set up two OpenVPN server processes, each listening on one of the NICs. To implement two "default gateways" on a single machine, two additional routing tables, "rt01" and "rt02", are created, each with its own default gateway (10.0.1.1 and 10.0.2.1 respectively):
echo 10 rt01 >> /etc/iproute2/rt_tables
echo 11 rt02 >> /etc/iproute2/rt_tables
ip route add default via 10.0.1.1 table rt01
ip route add default via 10.0.2.1 table rt02
Now we tell the routing policy database that all packets from our first OpenVPN server, bound to 10.0.1.10, should use rt01, while those from the second one, bound to 10.0.2.10, should use rt02:
ip rule add from 10.0.1.10 table rt01
ip rule add from 10.0.2.10 table rt02
This works around the issue that OpenVPN determines the default gateway once at startup and uses it for all of its outgoing communication; with the source-based rules in place, each server's replies leave through the gateway on the NIC they arrived on.
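The same setup as a re-runnable script. This is an added example, not code from the original post: it takes the table numbers, table names, gateway addresses and OpenVPN server addresses from the post, while the RT_TABLES and DRY_RUN variables, the "apply" argument and the function names are this script's own assumptions. It differs from the plain commands above in three practical ways: the rt_tables entry is only appended if it is not already there (and a number or name already used by another table is refused), `ip route replace` is used instead of `ip route add` so a second run does not fail with "File exists", and existing copies of each `ip rule` are removed before it is added again, because `ip rule add` installs duplicates without complaint.

```shell
#!/bin/sh
# Added example, not code from the original post: an idempotent version of the
# two-table policy-routing setup described above. Table numbers/names, gateway
# and OpenVPN server addresses are the post's; the RT_TABLES and DRY_RUN
# variables and the "apply" argument are this script's own assumptions.
set -eu

RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"   # where table names live
DRY_RUN="${DRY_RUN:-0}"                               # 1 = print ip(8) commands only

# run_ip ARGS...: execute an ip(8) command, or print it when DRY_RUN=1
run_ip() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'ip %s\n' "$*"
    else
        ip "$@"
    fi
}

# ensure_rt_table NUM NAME: add "NUM NAME" to rt_tables only once.
# A plain `echo ... >> rt_tables` appends a duplicate line every time the
# setup is re-run; this checks first and also refuses to reuse a number or
# a name that already belongs to a different table.
ensure_rt_table() {
    num="$1"; name="$2"
    if grep -qE "^[[:space:]]*$num[[:space:]]+$name([[:space:]]|$)" "$RT_TABLES" 2>/dev/null; then
        return 0                       # exact entry already present
    fi
    if grep -qE "^[[:space:]]*($num[[:space:]]|[0-9]+[[:space:]]+$name([[:space:]]|$))" "$RT_TABLES" 2>/dev/null; then
        echo "rt_tables: $num or $name already used by a different table" >&2
        return 1
    fi
    printf '%s %s\n' "$num" "$name" >> "$RT_TABLES"
}

# setup_gateway NUM NAME GATEWAY VPN_ADDR: give one gateway its own routing
# table with a default route, and send everything the OpenVPN server bound
# to VPN_ADDR emits through that table.
setup_gateway() {
    num="$1"; name="$2"; gw="$3"; src="$4"
    ensure_rt_table "$num" "$name"
    # `replace` is safe to re-run; `add` fails with "File exists" the 2nd time
    run_ip route replace default via "$gw" table "$name"
    # `ip rule add` happily installs duplicates, so remove old copies first
    if [ "$DRY_RUN" != "1" ]; then
        while ip rule del from "$src" table "$name" 2>/dev/null; do :; done
    fi
    run_ip rule add from "$src" table "$name"
}

# The two gateways from the post: table, name, gateway, OpenVPN server address
main() {
    setup_gateway 10 rt01 10.0.1.1 10.0.1.10
    setup_gateway 11 rt02 10.0.2.1 10.0.2.10
}

# Nothing is touched unless explicitly asked, e.g.:  DRY_RUN=1 sh multigw.sh apply
case "${1:-}" in
    apply) main ;;
esac
```

Run it as root with the `apply` argument; `DRY_RUN=1 sh multigw.sh apply` prints the ip(8) commands without executing them and only touches the rt_tables file. The address in each `from` rule must be the one the corresponding OpenVPN server process actually binds to (its `local` setting), otherwise its replies still fall through to the main table and its single default route.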