Unbonding VPNs when one of them goes down

Bond with two tunnels

As I wrote here, there is a problem with detecting a link drop when you run a bonded VPN setup, there is no way for the bonding driver to know that one of the tunnels is down.

I thought that I will need to code a monitoring daemon for this, but I could manage with openvpn scripts alone. Here is what I’ve got.

OpenVPN config changes:

#on the "client"
script-security 2
down "./bond.sh down"
ipchange "./bond.sh ipchange"
up-restart
#and on the "server"
script-security 2
ipchange "./bond.sh ipchange"
down "./bond.sh down"
up-restart

What the changes above do, is launching a script when openvpn detects a disconnect or it connects back. This is the script I use to manage my bond:

#!/bin/bash
#interface name
BOND=bond0
#local ip address/mask
BONDIP=10.1.1.2/30
STATE=$1
IFACE=$2
function dettach {
isbondup || return 0
isattached || return 0
echo -n Dettaching $dev ...
ifenslave -d $BOND $dev
[ $? -eq 0 ] && echo ok || echo fail
}
function attach {
if ! isbondup ; then
ifconfig bond0 up
ip addr add $BONDIP dev $BOND
for i in $dev $BOND; do
ip link set dev $i multipath off
done
fi
if ! isattached; then
echo -n Attaching $dev ...
ifenslave $BOND $dev
[ $? -eq 0 ] && echo ok || echo fail
fi
}
function isbondup {
ip link show $BOND | grep -q 'state UP'
return $?
}
function isattached {
grep -q "Slave Interface: $dev" /proc/net/bonding/$BOND
return $?
}
case "$STATE" in
"ipchange")
echo "Called ipchange on $dev" | logger -t bond
attach $IFACE
;;
"down")
dettach $IFACE
;;
*)
echo Cannot do $@ on $dev | logger
;;
esac

M	T	W	T	F	S	S
					1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30

Unbonding VPNs when one of them goes down

Post Navigation