Using Glorytun with 2 ISP
In this article I will not cover client/server optimization or security in depth; I will only give the basic and most necessary instructions for creating a Glorytun tunnel over 2 ISP connections at the same time. I will, however, describe the main points for troubleshooting and for checking that it works.
Client (router) and server (VPS) both run Ubuntu 18.04 LTS x64; you may use other Linux distros.
Client hardware configuration: 3 NICs, 512 MB RAM, 2 GHz CPU, 32 GB USB flash drive for the OS install; an old PC is fine.
- 1st NIC enp2s0 with IP 10.10.10.1, connected to the LAN/router
- 2nd NIC enp6s0 with IP 192.168.1.100 and 3rd NIC enp6s1 with IP 192.168.2.100, each connected by cable to its ISP's router; these may also be modems with Ethernet interfaces
For best results, both of your ISP connections should be as similar as possible in technical characteristics such as ping, bandwidth and upload/download (tx/rx) rates; this is very important!
Server hardware configuration: 1 Gigabit NIC with 1 IPv4 address, 512 MB RAM, 1-2 GHz CPU, 10 GB SSD, on a KVM, Xen or VMware virtualizer
- 1 NIC eth0 with IP 195.245.103.245, connected to the Internet
For best results, both of your ISP connections should have minimal ping to your server; this is very important!
Installation
I assume that you have already installed Ubuntu on the client, bought and prepared the VPS server, and configured SSH access to both; if you work from Windows, Bitvise SSH Client is convenient for SSH. Now we proceed to installing and configuring Glorytun.
We will use the pre-compiled glorytun 0.2.2 binary for both client and server; all commands must be run over SSH with root rights.
Log in to your VPS over SSH as root.
Download the glorytun binary file:
wget https://github.com/angt/glorytun/releases/download/v0.2.2/glorytun-0.2.2-x86_64-linux-musl.bin
Rename it:
mv glorytun-0.2.2-x86_64-linux-musl.bin glorytun
Make it executable:
chmod +x glorytun
Now configure glorytun.
First create the encryption key:
./glorytun keygen > gt.key
Show the content of gt.key with this command and save it for use on the client. This key is the only secret that authenticates the two ends of the tunnel, so generate your own rather than reusing the one shown here, and keep the file readable by root only:
cat gt.key
73C658C12F77FD5B60AD1A03E3FEFFAA74C46674F6503DB1D8FADD775965DB28
Run glorytun bound to the server IP 195.245.103.245 on port 55055 with interface tun0 (optional); I use chacha encryption because my client CPU does not support AES; you may omit the port and the tun interface:
./glorytun bind 195.245.103.245 55055 dev tun0 keyfile gt.key chacha &
After running this command press Enter again, so that Glorytun keeps running as a background process.
Now add an IPv4 address to the tun0 interface:
ifconfig tun0 10.0.1.1 pointopoint 10.0.1.2 up
We also need to route traffic from the glorytun tunnel (tun0) to the Internet (eth0).
Masquerade traffic from the tunnel network to the Internet:
iptables -t nat -I POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
Accept input traffic on the server from the tun0 (glorytun) interface:
iptables -I INPUT -i tun0 -j ACCEPT
Enable forwarding between the tun0 (glorytun) and eth0 (Internet) interfaces:
iptables -I FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o eth0 -j ACCEPT
Now we need to configure Ubuntu on the client to use 2 ISPs; for this we turn to LARTC (Linux Advanced Routing & Traffic Control). There are many articles on this topic on the Internet; I will give one working example of this configuration. Log in to your router over SSH as root: ssh root@router
Routing tables:
Edit /etc/iproute2/rt_tables and add two lines for our 2 ISPs to the system routing tables; you may use the nano editor pre-installed in Ubuntu, with this command:
nano /etc/iproute2/rt_tables
#
# reserved values
#
#255 local
#254 main
#253 default
#0 unspec
101 isp1 #<--------- add this line to rt_tables
102 isp2 #<--------- add this line to rt_tables
After editing, save the file with Ctrl+O and exit with Ctrl+X; it's simple!
Create this script, which builds the routing tables:
nano /root/dual_isp.sh
Note: you may copy & paste this script with Bitvise SSH Client from Windows directly into the nano editor window.
#!/bin/sh
# script path: /root/dual_isp.sh
# script for a dual ISP connection (Linux: Ubuntu, Debian)
# LAN interface
IF0="enp2s0"
# ISP interface 1
IF1="enp6s0"
# ISP interface 2
IF2="enp6s1"
# IPv4 addresses of the ISP interfaces: IP1 for ISP1 (IF1) and IP2 for ISP2 (IF2), offered by DHCP from the ISP routers
IP1="192.168.1.100"
IP2="192.168.2.100"
# gateway of ISP1 (IF1)
P1="192.168.1.1"
# gateway of ISP2 (IF2)
P2="192.168.2.1"
# LAN network
P0_NET="10.10.10.0/24"
# WAN1 network of ISP1 (IF1)
P1_NET="192.168.1.0/24"
# WAN2 network of ISP2 (IF2)
P2_NET="192.168.2.0/24"
# table names from /etc/iproute2/rt_tables
TBL1="isp1"
TBL2="isp2"
# I also recommend enabling IPv4 forwarding permanently in /etc/sysctl.conf
echo "1" > /proc/sys/net/ipv4/ip_forward
# per-ISP tables: the ISP's own network plus a default route via that ISP's gateway
# (errors such as "File exists" on a re-run are silenced)
ip route add $P1_NET dev $IF1 src $IP1 table $TBL1 > /dev/null 2>&1
ip route add default via $P1 table $TBL1 > /dev/null 2>&1
ip route add $P2_NET dev $IF2 src $IP2 table $TBL2 > /dev/null 2>&1
ip route add default via $P2 table $TBL2 > /dev/null 2>&1
# main table: both ISP networks
ip route add $P1_NET dev $IF1 src $IP1 > /dev/null 2>&1
ip route add $P2_NET dev $IF2 src $IP2 > /dev/null 2>&1
# main-table default gateway via ISP1 only, and that is normal
ip route add default via $P1 > /dev/null 2>&1
# policy rules: traffic sourced from an ISP address uses that ISP's table
ip rule add from $IP1 table $TBL1 > /dev/null 2>&1
ip rule add from $IP2 table $TBL2 > /dev/null 2>&1
# each ISP table also needs the LAN, the other ISP's network and loopback
ip route add $P0_NET dev $IF0 table $TBL1 > /dev/null 2>&1
ip route add $P2_NET dev $IF2 table $TBL1 > /dev/null 2>&1
ip route add 127.0.0.0/8 dev lo table $TBL1 > /dev/null 2>&1
ip route add $P0_NET dev $IF0 table $TBL2 > /dev/null 2>&1
ip route add $P1_NET dev $IF1 table $TBL2 > /dev/null 2>&1
ip route add 127.0.0.0/8 dev lo table $TBL2 > /dev/null 2>&1
# masquerade local (LAN) traffic to both ISPs, iptables rules
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s $P0_NET -o $IF1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s $P0_NET -o $IF2 -j MASQUERADE
After editing, save the file with Ctrl+O and exit with Ctrl+X.
Then make our script executable:
chmod +x dual_isp.sh
And run it with this command:
./dual_isp.sh
At this stage we have finished preparing Ubuntu on the client and proceed to install and configure Glorytun.
Download the glorytun binary file:
wget https://github.com/angt/glorytun/releases/download/v0.2.2/glorytun-0.2.2-x86_64-linux-musl.bin
Rename it:
mv glorytun-0.2.2-x86_64-linux-musl.bin glorytun
Make it executable:
chmod +x glorytun
Now configure glorytun.
First create the encryption key, identical to the one on the server, with this command (or use nano and paste the contents of gt.key saved from the server):
echo "73C658C12F77FD5B60AD1A03E3FEFFAA74C46674F6503DB1D8FADD775965DB28" > gt.key
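The key copied from the server is the only thing that makes the client and server trust each other, and a paste that drops or mangles a character produces a key file that looks fine but never matches. The following is an added example (not code from the Glorytun project or from this page) of installing the key with root-only permissions and checking its format: glorytun keygen emits 32 bytes as 64 hex digits, as seen in the server output above, and the check rejects anything else. The file path and the helper names are assumptions.

```shell
#!/bin/sh
# Added example: install and sanity-check the shared Glorytun key file.

# install_key HEX FILE: write the key so only root can read it; returns 1 on a bad key
install_key() {
    key=$1
    file=$2
    # reject anything that is not hex
    case $key in
        *[!0-9A-Fa-f]*) echo "install_key: non-hex characters in key" >&2; return 1 ;;
    esac
    # keygen output is 64 hex digits (32 bytes); a truncated paste is shorter
    if [ "${#key}" -ne 64 ]; then
        echo "install_key: expected 64 hex digits, got ${#key}" >&2
        return 1
    fi
    # create the file already restricted (umask) instead of chmod'ing afterwards
    old_umask=$(umask)
    umask 077
    printf '%s\n' "$key" > "$file" || { umask "$old_umask"; return 1; }
    umask "$old_umask"
    chmod 600 "$file"
    return 0
}

# check_key FILE: verify that the file exists, is mode 600/400 and holds a 64-hex-digit key
check_key() {
    file=$1
    [ -f "$file" ] || { echo "check_key: $file missing" >&2; return 1; }
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case $mode in
        600|400) ;;
        *) echo "check_key: $file mode is $mode, expected 600" >&2; return 1 ;;
    esac
    key=$(head -n 1 "$file" | tr -d '\r\n')
    if ! printf '%s' "$key" | grep -Eq '^[0-9A-Fa-f]{64}$'; then
        echo "check_key: $file does not contain a 64-hex-digit key" >&2
        return 1
    fi
    return 0
}

# Direct use on the client: ./gt_key.sh HEXKEY /root/gt.key
if [ "$#" -eq 2 ]; then
    install_key "$1" "$2" && check_key "$2"
fi
```

Run check_key on the server's gt.key as well; if both ends pass the check but the tunnel still does not come up, compare the two files byte for byte rather than by eye.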
Run glorytun connecting to the server IP 195.245.103.245 on port 55055 with interface tun0 (optional); I use chacha encryption because my client CPU does not support AES; you may omit the port and the tun interface:
./glorytun bind 0.0.0.0 to 195.245.103.245 55055 dev tun0 keyfile gt.key chacha &
After running this command press Enter again, so that Glorytun keeps running as a background process.
Add an IP address to the client tun0 interface and bring up the point-to-point tunnel with the server IP 10.0.1.1 as peer:
ifconfig tun0 10.0.1.2 pointopoint 10.0.1.1 up
Add the first path over NIC enp6s0, where the rates are tx (upload) and rx (download); in this example I use equal values, but you should use a speedtest for accurate values:
./glorytun path up 192.168.1.100 rate tx 50mbit rx 50mbit
Check the first path output:
./glorytun path
path UP status: OK
Add the second path over NIC enp6s1; it automatically gets status DEGRADED at first, which is OK: after you ping the server IP 10.0.1.1 and re-check, the second path's status changes from DEGRADED to OK, see below:
./glorytun path up 192.168.2.100 rate tx 50mbit rx 50mbit
Check the second path output:
./glorytun path
The first path is UP with status OK:
path UP status: OK
but the second path is UP with status DEGRADED:
path UP status: DEGRADED
Try pinging the server IP 10.0.1.1 from the client through the glorytun tunnel:
ping 10.0.1.1 -c4
After the ping finishes, re-check the glorytun path output:
./glorytun path
The first path is UP with status OK:
path UP status: OK
and the second path is now UP with status OK:
path UP status: OK
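Once both paths are OK, a path that later falls back to DEGRADED is only visible if someone runs ./glorytun path by hand. The following is an added example (not code from the Glorytun project or from this page) of a small health check over that output, suitable for cron or a monitoring agent: it counts the path lines, requires every one to be UP with status: OK, and prints the offending lines otherwise. It relies only on the line shape shown on this page ("path UP status: OK"); the sample outputs inside the script are constructed, and the /root/glorytun path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: health check over the output of "./glorytun path".

# path_total INPUT: number of "path ..." lines in the output
path_total() {
    printf '%s\n' "$1" | awk '$1 == "path" { n++ } END { print n + 0 }'
}

# path_healthy INPUT: number of path lines that are UP and carry "status: OK"
path_healthy() {
    printf '%s\n' "$1" | awk '
        $1 == "path" && $2 == "UP" {
            for (i = 3; i <= NF; i++)
                if ($i == "status:" && $(i + 1) == "OK") { n++; break }
        }
        END { print n + 0 }'
}

# check_paths INPUT: 0 if every path is UP/OK, 1 if any path is not, 3 if no path lines
check_paths() {
    input=$1
    total=$(path_total "$input")
    [ "$total" -gt 0 ] || { echo "check_paths: no paths configured" >&2; return 3; }
    healthy=$(path_healthy "$input")
    if [ "$healthy" -ne "$total" ]; then
        echo "check_paths: $((total - healthy)) of $total paths not UP/OK:" >&2
        # echo the unhealthy lines so the alert says which path needs attention
        printf '%s\n' "$input" | awk '$1 == "path" && !($2 == "UP" && / status: OK( |$)/)' >&2
        return 1
    fi
    return 0
}

# Constructed sample outputs mirroring this page: both paths OK, and the second still DEGRADED
SAMPLE_OK="path UP status: OK
path UP status: OK"
SAMPLE_DEGRADED="path UP status: OK
path UP status: DEGRADED"

# Live use from cron on the client (assumes the binary lives in /root as on this page):
#   */5 * * * * /root/gt_check.sh || logger -t glorytun "path check failed"
if [ "$#" -eq 0 ] && [ -x /root/glorytun ]; then
    check_paths "$(/root/glorytun path)"
fi
```

The return codes are distinct on purpose: 3 (no paths at all) usually means glorytun itself is not running or was restarted without the path up commands, which is a different problem from one ISP link having degraded.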
Now glorytun on the client is fully configured and both paths are up, but wget and other HTTP/HTTPS traffic still does not work properly, so we need to run some routing commands on the client so that it uses only the glorytun tunnel.
Create this script to route traffic only through the glorytun tunnel:
nano /root/gt_route.sh
Note: you may copy & paste this script with Bitvise SSH Client from Windows directly into the nano editor window.
#!/bin/sh
# script path: /root/gt_route.sh
# run as root (no sudo needed)
#
# remove the current default route (via ISP1, set by dual_isp.sh)
ip route del default
# add a default route through the glorytun tunnel only
ip route add default via 10.0.1.1 dev tun0
# masquerade local network traffic leaving through the tunnel
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
# allow loopback, ICMP and replies to established connections
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# forward all local traffic (from the bridge or LAN interface enp2s0) into the glorytun tunnel
iptables -A FORWARD -i enp2s0 -o tun0 -j ACCEPT
After editing, save the file with Ctrl+O and exit with Ctrl+X.
Then make our script executable:
chmod +x gt_route.sh
And run it with this command:
./gt_route.sh