Bonded VPNs for Higher Throughput and Failover with Zeroshell Linux
Configuring Remote VPN access
July 20, 2009
In the past few months, we've discovered ZeroShell, a Linux-based open source Live CD that can turn your old PC into a router and LAN server. We've done the initial setup, configured the RADIUS server for 802.1X/PEAP authentication, played around with the AP features, and experimented with the captive portal functions.
Now we're going to look into the VPN features. First we're going to set up VPN access for remote users using OpenVPN's client. Then we're going to configure LAN-to-LAN VPN tunnels to create links between offices via the Internet.
Next we'll step it up a notch and configure duplicate LAN-to-LAN VPN tunnels (through different Internet connections) between the same two offices. By bonding the two VPN tunnels together, you'll have higher throughput on transfers between the networks. Plus you'll have redundancy if you choose two different providers, such as a DSL line and a cable connection. If one Internet connection goes down, the other will still be there to keep the connection between offices.
Configuring users for remote VPN access
By default, the Host-to-LAN (OpenVPN) server and its interface are preconfigured. This gives remote users a way to encrypt their traffic when they are on other networks, such as unsecured Wi-Fi hotspots, and to reach network shares and services on the office LAN through the tunnel. To start the server, click the VPN link from the main ZeroShell menu, select the Enabled checkbox (see Figure 1), and hit the Save button.
Then, to connect to the ZeroShell VPN server, you must install OpenVPN on the users' computers. If they are using Windows, download the Windows installer and install with the default settings. Then download the ZeroShell OpenVPN Client configuration file into the C:\Program Files\OpenVPN\config directory and replace zeroshell.example.com with the IP address (or DNS name) of your ZeroShell machine. If users connect remotely over the Internet, this is the public IP of the ZeroShell WAN interface, and that address must accept the OpenVPN port through any firewall or NAT in front of it.
You also need to put the ZeroShell CA certificate (CA.pem) file into the OpenVPN/config directory. From the VPN tab of the ZeroShell Web GUI, click the Trusted CAs button in the X.509 Configuration section, select the ZeroShell Example CA certificate, click the Export button (see Figure 2), and save it as CA.pem in the C:\Program Files\OpenVPN\config directory. This CA is what the client uses to decide whether the server it is talking to is really your ZeroShell box, so export it over the HTTPS admin interface and hand it to users on a trusted channel rather than, say, e-mailing it over the same untrusted network the VPN is meant to protect.
The OpenVPN client configuration page has instructions for configuring clients on Linux, Mac, and Windows, and the Creating configuration files for server and clients section on the OpenVPN site is also helpful.
Finally, you can connect to the VPN server: open the OpenVPN GUI application, double-click its icon in the system tray, and enter your username and password when prompted. The default admin account will work for a first test, but create a separate account for each VPN user from ZeroShell's Web-based GUI so that nobody dials in with administrator credentials and each user's access can be revoked on its own.
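For reference, here is an OpenVPN client configuration of the kind described above, written out in full. It is an added example, not the file ZeroShell generates, so check it against the ZeroShell-supplied config before using it: the dev, proto and port values below are assumptions and must match what the ZeroShell server is actually configured with, and vpn.example.com is a placeholder for your ZeroShell public address.

```conf
# Added example client config for ZeroShell's Host-to-LAN OpenVPN server.
# Not the file ZeroShell ships. The dev/proto/port lines are assumptions;
# they must match the ZeroShell-supplied configuration.
client
dev tun
proto udp
# Assumption: replace with the public IP or DNS name of your ZeroShell box.
remote vpn.example.com 1194
resolv-retry infinite
nobind

# Server authentication: the CA exported from ZeroShell's Trusted CAs
# dialog, saved in the same directory as this file
# (C:\Program Files\OpenVPN\config on Windows).
ca CA.pem

# Only accept a peer whose certificate is marked as a server certificate,
# so a certificate issued to another VPN user by the same CA cannot be
# used to impersonate the server. This requires the server certificate
# to carry the TLS Web Server Authentication extended key usage; if the
# ZeroShell server certificate lacks it the handshake will fail, and the
# line has to be removed, leaving server identity to rest on the CA alone.
remote-cert-tls server

# User authentication: the ZeroShell username and password, prompted for
# at connect time.
auth-user-pass
# Do not keep the password in memory across reconnects.
auth-nocache

# Keep key material and the tunnel device across restarts and reconnects.
persist-key
persist-tun
verb 3
```

On Windows, save this as zeroshell.ovpn in the OpenVPN config directory next to CA.pem and the GUI will pick it up; on Linux or a Mac, run openvpn --config zeroshell.ovpn from the directory that holds both files.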
Configuring the multiple Internet connections
Next, set up both locations (the ZeroShell machines) with their two separate Internet connections. Then, on each ZeroShell machine, configure load balancing and failover for the two connections: click the Net Balancer link (see Figure 3) and Add each Internet connection's interface. Once Net Balancer is enabled, it begins balancing outgoing WAN/Internet traffic across the two links. Besides increased bandwidth for local users accessing the Internet, this provides failover: if one Internet connection goes down, the other still provides Internet access.