Combining two internet connections into a fast one with linux scripts

This is episode 2 of the VPN bonding series. In the last episode we doubled our internet speed by using two VPN tunnels and bonding two OpenVPN tap interfaces together. This can be used to increase internet bandwidth if you live in a rural area where no high-speed Internet is available. The Linux bash scripts for this are in my GitHub repository. In this second episode of the Linux VPN bonding series we will take a closer technical look at the scripts and the principles that make this possible.

The Linux bash scripts that we use to achieve VPN bonding are heavily inspired by an article on serverfault.com. During my research for this video series I realized that channel bonding and increasing internet speed is a big concern in the community. Many people are asking questions about this in the various forums. 

However, I could not find many reliable answers that actually solve the problem. Bonding ISO layer 2 devices such as Ethernet devices is nothing new in Linux. In the enterprise it is a quite common way to increase bandwidth, for example to a heavily used file, mail or database server. Sometimes in larger companies the available 1 Gbit/s is just not enough and a 10 Gbit/s infrastructure is not available.

OpenVPN can use different interface types for VPN tunnels. TAP devices are quite similar to Ethernet devices and act on ISO layer 2. All you have to do to switch from tun to tap in OpenVPN is change one line in the connection's config file and specify dev tapX instead of dev tunX. When creating the interface with the mktun option you can specify a device name. If the device name starts with tap or tun then OpenVPN will choose the right device type for you. If you give the device an arbitrary name then you also need to add the dev-type directive.

One catch-22 in the bonding configuration is that you cannot add an interface to a bond while it is already up. Therefore we need to first create the tap device using the mktun option, then bond all devices, and only then can we actually start the VPN tunnel. So step by step: first load the bonding module, then create the bonding interface, then give it an IP address, and then create the tap device for each tunnel and set the bonding interface as its master. Looking at the interface configuration of our system in the Linux shell we now see the bond interface and the tap1, tap2 and so on interfaces. Please note that the tap interfaces have no IP address, and they will not need one, as they are ISO layer 2 devices; IP addresses are layer 3.

That means only the bond interface will actually get an IP address. Once we have created all tap devices and added them to the bond, we can bring the bond device up. If we do this on both sides we can already generate a bonded tunnel. At this point, though, all tunnels on the client side still go over the same physical interface, but remember that what we want is to aggregate multiple interfaces. By default OpenVPN starts in nobind mode, which means that from a client perspective it just uses the default gateway to get out to the internet. If we want to instruct OpenVPN to use different interfaces, we face two challenges.

That one actually cost me a couple of hours to figure out. First we need to make sure that the tap device binds to the right physical device. In my example I want tap1 to bind to  and tap2 to bind to . I have no way of specifying a physical interface anywhere in OpenVPN, but I can define a local IP address with the local option. And as this local IP address is bound to a specific interface, this is nearly as good as specifying the interface directly. But this brings us to the second challenge. Even though the tap interface is linked to an IP address on the  interface, this does not mean that Linux will systematically try to reach the internet through that interface. It would instead go through the default route, or rather use the default gateway.

If we look at the available routes on our system we see that Linux has automatically added two default routes, one for each interface, but has assigned different costs, or metrics, to them. Linux will first try the interface with the lower metric before it goes through the interface with the higher metric. This can be useful for resiliency or failover configurations, let's say using a 3G connection when your DSL is down. But we want to load balance over both interfaces, so how can we achieve this? The solution is policy routing: routing tables and rules.

In fact we can tell the operating system to apply different rules for different interfaces. The client installation script has created the table entries in the rt_tables file but left them commented out, because I did not want any interference with the default routes as long as the bond is not up. The start bond script removes that comment with a sed command. In order to have 2, 3 or 4 similar configurations I use template files. If you look at the templates you will find values that start with the at sign; my script replaces these with the corresponding values for each tunnel, again with a couple of sed commands in the script.

Talking about using sed to replace text on Linux, there are a couple of lines we might want to look at more closely. In order to read out properties of the interfaces I feed the result of the ip command into an array using the readarray command. Let's look at the line where I find out the IP address of a physical interface, let's say . I use ip -br addr, then grep for the interface name to get only the line with the interface I am looking for, then I run sed with an expression that replaces multiple spaces with a single one. That is important for the readarray command, which can then fill the tumpline array variable.

The first element of the array then contains the interface name, the second the state and the third the IPv4 address. Just a quick remark at this point: the Linux bash scripts are made for IPv4 only at the moment. If you only have an IPv6 address then they won't work. I might change this in a future version. Now the IPv4 address comes with its prefix length, that is /8 for a Class A, /16 for a Class B or /24 for a Class C network, which corresponds to the subnet mask 255.255.255.0. Proper subnetting is an art of its own. The line I wanted to draw your attention to is where I remove the slash and the number after it from the IP address. Usually you use slashes in regular expressions as a separator, but with sed on Linux you do not have to.

As I am replacing a slash, I simply use the at sign as the separator. So in fact I am replacing slash-something with nothing. I had to look this one up; I didn't know that I could just use a different character here. So in a nutshell I go through the four template files, fill them with the right values and then call OpenVPN with that config file. I do this at run time because your interface might use DHCP and get a different IP address each time. But let's get back to our IP rules and routes. Look at the ip rules here. We have the standard rules that should be available on any system, namely local, main and default, and you can see that they apply to all interfaces. Now we can add rules for specific destinations or for specific sources.
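The interface parsing and template filling described in the last few paragraphs, as an added example that is not the author's script. It uses a constructed stand-in for the output of ip -br addr and a constructed template whose placeholders are wrapped in at signs (the exact placeholder names in the author's templates are not on the page). Word splitting is done with POSIX set -- rather than bash's readarray so the functions also run under plain sh; the sed expressions are the ones the text discusses.

```shell
#!/usr/bin/env bash
# Added example (not the page's own scripts): read an interface's IPv4
# address out of `ip -br addr` and fill an OpenVPN template whose
# placeholders look like @NAME@. Sample output and template are constructed.

# Constructed stand-in for `ip -br addr` output (real use: pipe the command in)
SAMPLE_IP_BR='lo               UNKNOWN        127.0.0.1/8 ::1/128
eth0             UP             192.168.1.10/24 fe80::1/64
wan1             UP             192.0.2.10/24'

# iface_line IFACE < "ip -br addr output"
# Prints the matching line with runs of spaces squeezed to one space, which
# is what makes the following word splitting reliable.
iface_line() {
  grep -E "^$1[[:space:]]" | sed 's/  */ /g'
}

# iface_ipv4 IFACE < output: first address of IFACE without the /prefix.
# sed accepts any delimiter, so "@" is used and the slash needs no escaping:
# s@/[0-9]*$@@ replaces "/24" (or "/8", "/16", ...) with nothing.
iface_ipv4() {
  line=$(iface_line "$1")
  [ -n "$line" ] || return 1            # interface not present
  set -- $line                           # $1=name $2=state $3=first address
  printf '%s\n' "$3" | sed 's@/[0-9]*$@@'
}

# iface_state IFACE < output: UP, DOWN, UNKNOWN, ...
iface_state() {
  line=$(iface_line "$1")
  [ -n "$line" ] || return 1
  set -- $line
  printf '%s\n' "$2"
}

# Constructed template. Because the placeholders themselves contain "@",
# the sed delimiter for the substitutions below is "|" instead.
TEMPLATE='dev @TAP@
dev-type tap
local @LOCAL_IP@
remote @REMOTE@ 1194
proto udp'

# fill_template TAP LOCAL_IP REMOTE < template
fill_template() {
  sed -e "s|@TAP@|$1|g" -e "s|@LOCAL_IP@|$2|g" -e "s|@REMOTE@|$3|g"
}

# render_tunnel_config TAP PHYSICAL_IFACE REMOTE
# Done at run time, as the text explains, so a DHCP address that changed
# since the last boot is picked up. Fails if the interface has no address.
render_tunnel_config() {
  ip4=$(printf '%s\n' "$SAMPLE_IP_BR" | iface_ipv4 "$2") || return 1
  printf '%s\n' "$TEMPLATE" | fill_template "$1" "$ip4" "$3"
}
```

Calling render_tunnel_config tap1 wan1 vpn.example.net prints the template with 192.0.2.10 filled in as the local address; an interface that is missing from the ip output makes the function return non-zero instead of producing a config with an empty local line.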

What we do here is add a rule for each of the IP addresses that we bind our tap devices to, and tell Linux to look up a specific table for that rule. We can look at the routes in that table just by typing ip route list table followed by the table name. I have named the tables vpn1, vpn2 and so on. We only need one single route per table, and it just tells ip route which gateway to use on this interface, so basically we tell it the next hop. That's it. Let's do this by hand for two interfaces, specify two different routes and then check with traceroute to the same server which route the packets take. As you can see here, the route to Google's nameserver 8.8.8.8 is different depending on the source IP.

Routing with a source IP of the  interface goes over the  interface; specifying a source IP on the eth0 interface goes over my normal LAN connection. Last but not least let's have a look at the stopbond script. All it does is bring the bond interface down, remove it from the system, kill all instances of OpenVPN and then delete each route, rule and tap interface. From the comments on the first video I can see a strong interest in VPN performance and especially in using WireGuard for this. Guys, at the moment I am not very clear on how to achieve the bonding with WireGuard other than, for example, running a GRETAP device over WireGuard, because WireGuard is ISO layer 3.
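The start and stop procedures described above (bonding module, bond interface, tap devices created with mktun and enslaved before OpenVPN starts, one ip rule plus one single-route table per uplink, OpenVPN pinned to each uplink with local, and the teardown in the stopbond script) as one added example script. This is not the author's code: the interface names, addresses and gateways in UPLINKS are constructed placeholders, the config file paths are assumed, and the tables are numbered (101, 102, ...) rather than named so that no rt_tables entry is needed. With DRY_RUN=1 the script only prints the commands it would run, which is also how it can be reviewed before running it as root.

```shell
#!/usr/bin/env bash
# Added example, not the page's own start/stop scripts. Brings up a
# round-robin bond of OpenVPN tap devices with per-uplink policy routing,
# and tears it down again. Needs root and iproute2 for a real run;
# DRY_RUN=1 prints the commands instead of executing them.

BOND=bond0
BOND_ADDR=10.99.0.1/24   # the layer-3 address lives on the bond only
# one uplink per line: "<tap> <physical iface> <local ip> <gateway>"
# (constructed placeholder values)
UPLINKS="tap1 wan1 192.0.2.10 192.0.2.1
tap2 wan2 198.51.100.10 198.51.100.1"

run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

start_bond() {
  run modprobe bonding
  run ip link add name "$BOND" type bond mode balance-rr
  run ip addr add "$BOND_ADDR" dev "$BOND"
  n=0
  printf '%s\n' "$UPLINKS" | while read -r tap phy src gw; do
    n=$((n + 1))
    # Create the tap while it is still down, then enslave it. A name that
    # starts with "tap" lets openvpn infer the device type; an arbitrary
    # name would also need --dev-type tap.
    run openvpn --mktun --dev "$tap"
    run ip link set "$tap" master "$BOND"
    # Policy routing: packets *from* this uplink's address consult table
    # 100+n, whose only route is this uplink's own gateway.
    run ip rule add from "$src" table $((100 + n))
    run ip route add default via "$gw" dev "$phy" table $((100 + n))
  done
  run ip link set "$BOND" up
}

start_tunnels() {
  printf '%s\n' "$UPLINKS" | while read -r tap phy src gw; do
    # --local pins the tunnel's UDP socket to this uplink's address; the
    # ip rule above then sends that source address out via the right
    # gateway. The config path is an assumed location.
    run openvpn --config "/etc/openvpn/$tap.conf" --dev "$tap" --local "$src" --daemon
  done
}

stop_bond() {
  run ip link set "$BOND" down
  run ip link del "$BOND"
  run pkill openvpn
  n=0
  printf '%s\n' "$UPLINKS" | while read -r tap phy src gw; do
    n=$((n + 1))
    run ip route del default via "$gw" dev "$phy" table $((100 + n))
    run ip rule del from "$src" table $((100 + n))
    run openvpn --rmtun --dev "$tap"
  done
}

case "${1:-}" in
  start) start_bond && start_tunnels ;;
  stop)  stop_bond ;;
esac
```

Run it as DRY_RUN=1 ./bond.sh start to see the exact command sequence for the configured uplinks before executing it for real. The same order as in the text is kept deliberately: enslaving the tap before OpenVPN opens it is what avoids the catch-22 with an interface that is already up.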

So in order to increase performance I thought: hey, why not just remove the encryption from the VPN? Now before you tell me that I am mad, let's take a step back and ask why we are using a VPN at all for this. We are not using a VPN for the sake of privacy or for the VPN as such; we use one only because the bonding needs it. In other words, our main concern here is speed, not encryption.

And I am not saying that we remove the authentication part. That remains. We just remove the encryption. Also let's keep in mind that a malicious man in the middle would need to read all data streams in order to read the whole traffic, and in our case they go over many different routes. Let's do some tests. Let's open a VPN connection from this router to another router and watch the CPU utilization as we put some load on it.
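What "remove the encryption but keep the authentication" looks like in an OpenVPN client config, as an added example (not the author's configuration; the remote host, key file names and the local address are placeholders):

```conf
# Added example, not the page's own config. Client side of one tap tunnel
# with payload encryption switched off while packet authentication stays on.
dev tap1
dev-type tap
proto udp
remote vpn.example.net 1194      # placeholder server
local 192.0.2.10                 # pin this tunnel to one uplink's address

ca ca.crt                        # placeholder file names
cert client.crt
key client.key

cipher none                      # no payload encryption: the speed trade-off
auth SHA256                      # HMAC on every data packet stays: tampering
                                 # and injection are still detected
tls-auth ta.key 1                # control channel still needs the shared key
```

With cipher none the data channel is sent as plaintext on the wire, so anyone able to capture one uplink can read the packets carried on that uplink; the auth HMAC and tls-auth keep the integrity and peer authentication that the text says must remain. Depending on the OpenVPN version, the server has to allow the none cipher explicitly as well (an assumption to check against the manual of the version in use).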

First with encryption, then without, and you can clearly see the difference. Perfect. Let me repeat my call to action from the last episode: I do need your feedback. Where should we take this next? Having looked at the various comments and feedback from you and the issues you and I have run into, I would suggest the following: we will not evaluate WireGuard for the time being, but rather make OpenVPN encryption optional.

Second, I will work on a script version for OpenWrt, meaning that you could run this transparently on an OpenWrt router. Third, I will add options for failover and resiliency by doing a couple of things: making the balance strategy an option and running a watchdog that checks the latency and availability of the lines and dynamically removes or adds interfaces to the bond.
