Forcing tunnels out specific WAN interfaces

Hello, I’m attempting to force vtun1 out wan1, and vtun2 out wan2. If wan1 disconnects I need to make sure that vtun1 doesn’t fail over to wan2.

With the below configuration vtun1 uses wan1 and vtun2 uses wan2. However, if you disconnect one of the WAN ports the tunnel will fail over and use the other WAN connection out.

eth0 (wan1): 192.168.0.6/24
eth1 (wan2): 192.168.1.244/24
vtun1: 192.168.202.1
vtun2: 192.168.203.1

Config
dualvpn.txt (1.7 KB)

On the Slack channel I got some support to use this IP rules configuration:
sudo ip rule add from 192.168.0.6 lookup 100
sudo ip rule add from 192.168.1.244 lookup 101

Routes
S>* 0.0.0.0/0 [1/0] via 192.168.0.1, eth0, 00:25:46
S 0.0.0.0/0 [2/0] via 192.168.1.254, eth1, 00:29:02
S>* 2.2.2.2/32 [1/0] is directly connected, eth1, 00:42:30
S>* 1.1.1.1/32 [1/0] is directly connected, eth0, 00:25:46
C>* 192.168.0.0/24 is directly connected, eth0, 00:25:46
C>* 192.168.1.0/24 is directly connected, eth1, 00:42:30
C>* 192.168.202.2/32 is directly connected, vtun1, 00:26:54
C>* 192.168.203.2/32 is directly connected, vtun2, 00:28:25

Version 1.2.6-S1
Thanks in advance,

One solution is to blackhole the route to 1.1.1.1 with a distance of 254.

set protocols static interface-route 1.1.1.1/32 next-hop-interface eth0
set protocols static route 1.1.1.1/32 blackhole distance '254'

Thus, the route will not go outside the router if eth0 is “down”.

You could also put your tunnel interfaces in different VRFs. …but if you need dynamic routing you may need to wait for VyOS 1.4 to mature.
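To see why the distance-254 blackhole suggested above pins the tunnel, here is an added example (not from the thread or from VyOS) that models route selection over the static routes shown in the routing table. It assumes 1.1.1.1 and 2.2.2.2 are the remote endpoints of vtun1 and vtun2, and that routes through a down interface are withdrawn while a blackhole route stays installed.

```python
import ipaddress

# Constructed model of the static routes from the thread's routing table:
# (prefix, administrative distance, egress interface or "blackhole")
ROUTES = [
    ("0.0.0.0/0", 1, "eth0"),
    ("0.0.0.0/0", 2, "eth1"),
    ("1.1.1.1/32", 1, "eth0"),   # assumed vtun1 remote endpoint
    ("2.2.2.2/32", 1, "eth1"),   # assumed vtun2 remote endpoint
]
# The floating blackhole route proposed in the reply.
BLACKHOLE_FIX = [("1.1.1.1/32", 254, "blackhole")]


def lookup(dest, routes, down=()):
    """Return the egress for dest: longest prefix first, then lowest distance.

    Routes whose interface is listed in `down` are treated as withdrawn.
    A blackhole route has no interface, so it survives any link failure.
    """
    addr = ipaddress.ip_address(dest)
    candidates = []
    for prefix, distance, egress in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and egress not in down:
            candidates.append((-net.prefixlen, distance, egress))
    if not candidates:
        return None
    return min(candidates)[2]


def leak_report(routes):
    """Map each endpoint to its egress when its intended WAN is down."""
    pinned = {"1.1.1.1": "eth0", "2.2.2.2": "eth1"}
    return {ep: lookup(ep, routes, down={wan}) for ep, wan in pinned.items()}


if __name__ == "__main__":
    print("without fix:", leak_report(ROUTES))
    print("with fix:   ", leak_report(ROUTES + BLACKHOLE_FIX))
```

In this model the fix only covers 1.1.1.1; 2.2.2.2 still falls through to the default route via eth0 when eth1 is down, until it gets the same pair of routes.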