March 24, 2019

Bonded VPNs for Higher Throughput and Failover with Zeroshell Linux - page 2

Configuring Remote VPN access

  • July 20, 2009
  • By Eric Geier

Next, set up both locations (the ZeroShell machines) with their two separate Internet connections. Then, on each ZeroShell machine, configure load balancing and fail-over for the two connections: click the Net Balancer link (see Figure 3) and Add each Internet connection's interface. Once Net Balancer is enabled, it begins balancing outgoing WAN/Internet traffic.

Figure 3

In addition to increased bandwidth for local users accessing the Internet, Net Balancer provides fail-over: if one Internet connection goes down, the other connection still provides Internet access.

Creating the LAN-to-LAN VPN tunnels

First, configure one of the ZeroShell machines as the LAN-to-LAN VPN server; then connect the other ZeroShell machine by configuring it as a VPN client.

Click VPN from ZeroShell's Web-based menu, select the LAN-to-LAN tab, and click the New button. See Figure 4 for an example of the window that should pop up.

Figure 4

For the Remote Host, enter the IP address of the other ZeroShell machine. If connecting remotely over the Internet, this would be the Internet IP of the location where the server sits. Make sure the Role is set to Server. The quickest way to get started is to select the Pre-Shared key method for the Authentication. Then hit the GenKey button and copy and paste the automatically generated encryption key into the PSK field. Later you'll have to input this same key into the other ZeroShell machine.

Now move to the ZeroShell machine that you want to set up as the VPN client. Create a new LAN-to-LAN VPN entry like you did for the server machine. Use the IP of the other machine for the Remote Host and set the Role to Client. Also make sure it's set to Pre-Shared key Authentication, and copy the previously generated key into the PSK field. Once you hit Save, it should automatically connect.

If you have two Internet connections at both locations and want redundancy in the links, configure a second LAN-to-LAN VPN tunnel at each location. Make sure each location has two tunnels to the other location, each using a different Internet connection. To tie a tunnel to a particular Internet connection, assign a Gateway when configuring the tunnel. The port numbers auto-increment; however, make sure the tunnels on each machine match. If you already have one of the tunnels created, select the existing tunnel and click Configure to edit the Gateway value, then create the second tunnel.

Creating redundancy in the LAN-to-LAN VPN tunnels

Now, to get load balancing and fail-over functionality for the LAN-to-LAN links, bond the two VPN tunnels. This is similar to the Net Balancer feature for Internet connections. Click Setup from ZeroShell's main menu, select the Network tab, and click the New BOND button at the top. Then add the two VPN interfaces to the Bond Components list (see Figure 5) and click Save.

Figure 5
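One way to check that the bond still has two working tunnels behind it, as an added example that is not from the article or from Zeroshell itself: a Python script that parses the Linux bonding driver's status report (the /proc/net/bonding/<bond> format that a bond interface exposes) and flags when a tunnel has dropped out, leaving the link without fail-over. The VPN00/VPN01 interface names and the status text below are constructed assumptions.

```python
"""Parse a Linux bonding status report and report whether the bonded
VPN tunnels still provide redundancy (constructed example)."""
import re

# Constructed sample in the /proc/net/bonding/<bond> format. The slave names
# VPN00/VPN01 are an assumption about how the two LAN-to-LAN tunnels appear.
SAMPLE_BOND_STATUS = """\
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: VPN00
MII Status: up
Link Failure Count: 0

Slave Interface: VPN01
MII Status: down
Link Failure Count: 3
"""


def parse_bond_status(text):
    """Return (bond_mii_status, [(slave_name, mii_status, link_failures), ...])."""
    header, *slave_blocks = re.split(r"(?m)^Slave Interface: ", text)
    bond_status = re.search(r"(?m)^MII Status: (\w+)", header)
    slaves = []
    for block in slave_blocks:
        name = block.split("\n", 1)[0].strip()          # text after "Slave Interface: "
        status = re.search(r"(?m)^MII Status: (\w+)", block)
        failures = re.search(r"(?m)^Link Failure Count: (\d+)", block)
        slaves.append((name,
                       status.group(1) if status else "unknown",
                       int(failures.group(1)) if failures else 0))
    return (bond_status.group(1) if bond_status else "unknown"), slaves


def assess_redundancy(text):
    """Summarise which tunnels are up and whether a single link loss is still survivable."""
    bond_status, slaves = parse_bond_status(text)
    up = [name for name, status, _ in slaves if status == "up"]
    down = [name for name, status, _ in slaves if status != "up"]
    return {
        "bond_up": bond_status == "up",
        "tunnels_up": up,
        "tunnels_down": down,
        "redundant": len(up) >= 2,      # fail-over only exists while both tunnels are up
        "failures": {name: count for name, _, count in slaves},
    }


if __name__ == "__main__":
    print(assess_redundancy(SAMPLE_BOND_STATUS))
```

Run against the live file (`open("/proc/net/bonding/bond0").read()` on the Zeroshell box) from cron or a monitoring agent so that a "redundant": False result raises an alert before the second tunnel also fails.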

Now you should be able to connect to the VPN out in the field and securely link your offices. For even better security on the site-to-site links, use SSL by setting up certificates. On each machine, export the host certificate and import it into the other machine (remember, the certificate and key are in the same file); then, when reconfiguring the tunnels, choose the imported certificate and input the remote site's Common Name (such as zeroshell.example.com).

Eric Geier is an author of many computing and networking books, including Home Networking All-in-One Desk Reference For Dummies (Wiley 2008) and 100 Things You Need to Know about Microsoft Windows Vista (Que 2007).
