How to use it for load balancing of openvpn?

I have an OpenVPN link with dual WAN ports. Can I balance the load of the two WAN ports to achieve load balancing of OpenVPN? Or do you have to use multiple OpenVPN links to do load balancing? Please give me a typical configuration.

Waiting for your answer.

Read docs: https://docs.vyos.io/en/latest/configuration/loadbalancing/index.html

Thanks, but I want to know how to do OpenVPN + load balancing.
That article is only about load balancing.

OpenVPN is a stateful tunnel which maintains an active connection, so for your use case I believe you would need 2 tunnels. Use NAT to route each tunnel via a different interface, and then apply load balancing across the 2 tunnels.

Alternatively you may find that a stateless tunnel such as WireGuard gives you the ability to have a single tunnel interface across 2 underlying LB connections. I’ve tested that myself and it certainly works from a failover perspective, albeit I’m not sure how accurately it load balances when both connections are up. If each of your LB connections has a different IP though, then the remote peer may require 2 tunnels anyway (if it’s VyOS at the remote end, peer matching is done on IP).

Thanks for giving me help~
Let me have a try!

Hi, you should be able to use “policy based routing” to use OpenVPN on two interfaces. WireGuard will be much faster though, if you have the option.

I use a basic configuration with two instances of OpenVPN interfaces going to the same ExpressVPN server. I can see traffic is load balanced pretty well across the interfaces, not perfectly 50/50, but not bad!! (It won’t load balance a single connection, of course, but multiple connections do get load balanced.)

Here’s the important part of the config. My internal network is on eth1 so that’s where I have the policy attached.

vyos@vyos# show policy route VPN-FOR-YOU-ROUTING 
 interface eth1

 rule 100 {
     description "Use ExpressVPN"
     set {
         table 90
     }
 }

vyos@vyos# show protocols static table 90
 route 0.0.0.0/0 {
     interface vtun1 {
     }
     interface vtun2 {
     }
 }

vtun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 500
    link/none 
    inet 10.xx.yy.zz peer 10.xx.yy.zz/32 scope global vtun1
       valid_lft forever preferred_lft forever

    RX:        bytes   packets  errors  dropped  overrun       mcast
         43533721787  43381061       0        0        0           0
    TX:        bytes   packets  errors  dropped  carrier  collisions
          5306904099  18989724       0     7191        0           0
vtun2: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 500
    link/none 
    inet 10.xx.yy.z2 peer 10.xx.yy.z2 scope global vtun2
       valid_lft forever preferred_lft forever

    RX:        bytes   packets  errors  dropped  overrun       mcast
         35486715517  38278105       0        0        0           0
    TX:        bytes   packets  errors  dropped  carrier  collisions
          6361950994  22441783       0     1258        0           0
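As an added example (not from the thread), here is the complete shape of the two-tunnel approach described above: each OpenVPN client tunnel is pinned to its own WAN by a host route, source NAT is applied per tunnel, and a PBR policy sends LAN traffic to a table whose default route has both tunnels as equal next-hops. It uses VyOS 1.4 syntax (matching the show output above); eth0/eth2 as WANs, eth1 as LAN, the gateway addresses and the provider endpoints 192.0.2.10 and 192.0.2.20 are placeholders.

```vyos
# Placeholders (adjust): eth0 -> WAN A (gw 198.51.100.1), eth2 -> WAN B (gw 203.0.113.1),
# eth1 -> LAN, 192.0.2.10 / 192.0.2.20 -> the provider's two OpenVPN endpoints.

# 1. Pin each remote endpoint to a different WAN gateway. A /32 host route wins
#    over the default route, so tunnel 1 always leaves via WAN A and tunnel 2 via WAN B.
set protocols static route 192.0.2.10/32 next-hop 198.51.100.1
set protocols static route 192.0.2.20/32 next-hop 203.0.113.1

# 2. Two independent OpenVPN client tunnels (one per endpoint).
#    TLS/PKI settings are omitted here; take them from the provider's profile.
set interfaces openvpn vtun1 mode client
set interfaces openvpn vtun1 protocol udp
set interfaces openvpn vtun1 remote-host 192.0.2.10
set interfaces openvpn vtun1 remote-port 1194
set interfaces openvpn vtun2 mode client
set interfaces openvpn vtun2 protocol udp
set interfaces openvpn vtun2 remote-host 192.0.2.20
set interfaces openvpn vtun2 remote-port 1194

# 3. Source NAT per tunnel so LAN traffic carries the tunnel's own address
#    (the provider side only knows the tunnel IP, not your LAN range).
set nat source rule 100 outbound-interface name vtun1
set nat source rule 100 translation address masquerade
set nat source rule 110 outbound-interface name vtun2
set nat source rule 110 translation address masquerade

# 4. Table 90: one default route with both tunnels as equal next-hops.
#    The kernel hashes per flow, so a single flow stays on one tunnel while the
#    aggregate is spread across both (the "not perfectly 50/50" seen above).
#    If a tunnel drops and its vtun interface goes down, that next-hop is removed.
set protocols static table 90 route 0.0.0.0/0 interface vtun1
set protocols static table 90 route 0.0.0.0/0 interface vtun2

# 5. Policy-based routing: traffic entering from the LAN is looked up in table 90.
set policy route VPN-LB rule 100 description "LAN via both VPN tunnels"
set policy route VPN-LB rule 100 set table 90
set policy route VPN-LB interface eth1
```

Verify with `show interfaces openvpn` (both vtun interfaces up) and `show ip route table 90` (one default route with two next-hops); if one WAN fails, the corresponding tunnel drops and only the other next-hop remains.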

I highly recommend setting up VPN load balancing with OSPF and BGP to make them work.


Ooops… I see I replied to a really old post last night that popped up as “related” to what I was reading :slight_smile:

Thanks for the suggestion!! Everything I know about routing I learned from trying to use VyOS over the last couple of years. Which means I’m still a total n00b.

Would BGP work with two peers that were just OpenVPN interfaces? Do I need OSPF to maintain the status of the links, and BGP to actually route? Do you have any suggested tutorials to read? :joy:

I read this one but I didn’t totally understand it all … Especially given that with my OpenVPN connection, I have no control over the remote side.

Does this look like a decent start? I’m really unsure of the right BGP remote side setting.

set protocols ospf interface vtun1 area 1
set protocols ospf interface vtun2 area 1
set protocols ospf parameters router-id 10.10.1.2

set protocols bgp local-as '4200000000'
set protocols bgp neighbor vtun1 remote-as 4200000001
set protocols bgp neighbor vtun2 remote-as 4200000002

I’ll try to set it up in a test environment with a VPS VyOS so I don’t screw up anything with my real VPN provider.

Personally I would go for BGP with private AS (as your example) along with BFD to detect status of physical paths.

Thanks for the suggestion! BFD looks cool. But my OpenVPN connections are to ExpressVPN, so I don’t have a fixed client IP or next-hop router IP. I thought OSPF might work because I could specify the interface.

For example, I am running two instances of VyOS in XCP-NG, both with identical configurations for routing out the VPN connections using PBR.

vyos@vyos# ip route
default nhid 21 via 99.164.xx.y dev eth0 proto static metric 20 
10.66.0.205 dev vtun1 proto kernel scope link src 10.66.0.206 
10.66.0.209 dev vtun2 proto kernel scope link src 10.66.0.210 
default nhid 20 via 192.168.1.254 dev eth0 proto static metric 20 
10.43.2.201 dev vtun1 proto kernel scope link src 10.43.2.202 
10.66.2.5 dev vtun2 proto kernel scope link src 10.66.2.6 

I can’t ping the ExpressVPN router IPs, either. As I recall, I had this problem with pfSense when monitoring the VPN connections. I tried VyOS because I wanted to be cool :sunglasses: but mostly because I found OpenVPN connections in VyOS have been rock-solid, and in pfSense they would hang up every 3-6 weeks. I really enjoyed the “command line” of VyOS so I never looked back.

I’d love to get more flexible routing working for my VPN connections, so I could more easily throw a private Vultr-based VPN, etc. into the mix. But since I have no control… It doesn’t seem like I have any cool options???