Beryl vpn-kill switch: connect to different VPN if disconnected/blocked?

I set up a few VPN servers in my Beryl router from different providers.
Is it possible to have the internet kill switch activated and, if for some reason one VPN server goes down or gets blocked by a firewall, have the Beryl connect to a different VPN?

VPN failover is not implemented now. I know some users have this requirement. But not very easy.

Do you know if this is on the roadmap at all? It would be super super useful if there is downtime on a VPN provider (which does happen from time to time), even if it can only manage the failover on certain providers since that is easier for you to set up?
Thanks so much in advance

One thing we are doing is allowing one OpenVPN client and one WireGuard client to run at the same time.

But multiple vpn connection or failover are still not on the roadmap.

No need for hot failover - a check by e.g. cron that (if failing) did the same actions as clicking [Disconnect], selecting next provider, clicking [Connect] was IMO already a huge progress.

That's a big shame, but thanks very much for the transparency! I guess the GoodCloud config dashboard doesn't really help if the VPN is down so we definitely need the highest VPN reliability possible!

Going down for a few minutes or so would definitely not be bad, good idea!
So need to write a cron job on the router to do this, which is not too hard on the detection side, though not sure about controlling the VPN and changing provider - will try and do some research unless you have something to hand?

no, not yet and dunno if/when I find time and energy to dig in.
What makes it even harder is that GL-inet used Chinese in at least /etc/init.d/gl_route_policy :flushed:. Just 1 example of many:

hehe, was easier than I thought… Sth for Wireguard (hope you’re doing the scripting around yourself and share it thereafter?):
Name your main VPN “primary” and your backup VPN “backup”, then use this script:

# Swap which profile main_server points at (primary <-> backup) via a temporary name
/etc/init.d/wireguard stop
grep -q "option main_server 'primary'" /etc/config/wireguard && sed -i "s/option main_server 'primary'/option main_server 'temp'/g" /etc/config/wireguard
grep -q "option main_server 'backup'" /etc/config/wireguard && sed -i "s/option main_server 'backup'/option main_server 'primary'/g" /etc/config/wireguard
grep -q "option main_server 'temp'" /etc/config/wireguard && sed -i "s/option main_server 'temp'/option main_server 'backup'/g" /etc/config/wireguard
/etc/init.d/wireguard start

Works good on my MT1300


Thought it was cleaner/safer to only do sed if the condition is true, but on second thought sed already has/does the conditional execution, so this script is shorter and easier to work with:

/etc/init.d/wireguard stop
sed -i "s/option main_server 'primary'/option main_server 'temp'/g" /etc/config/wireguard
sed -i "s/option main_server 'backup'/option main_server 'primary'/g" /etc/config/wireguard
sed -i "s/option main_server 'temp'/option main_server 'backup'/g" /etc/config/wireguard
/etc/init.d/wireguard start

U sure?
When using goodcloud S2S whilst having a WG tunnel running you already do exactly that.
See /etc/config/wireguard (configures wg0) vs. /etc/config/gl_s2s (configures wg1)
It was a rather tiny step from this to several simultaneously running WG tunnels.

Yes it is true that S2S and wireguard client are creating two wireguard tunnels.

The main concern is the routing policy.

You can create many VPN tunnels, but each VPN profile (including WireGuard and OpenVPN) wants to change the routing table. This may cause undesirable behaviours.

Usually metrics take care of those routing (policy) issues, similar to what you already use in your S2S script:

$IP4 route add ${addr%%/*}/${addr##*/} dev wg1 metric ${metric} > /dev/null 2>&1

This is how it works technically.

The problem is how a user understands it if there are multiple VPN connections.

Regarding this thread (failover) one presented the user the choices “VPN-server” and “Backup VPN-server”.
As said they wouldn’t even need to run in parallel using different metrics if a lil watchdog watched and acted as soon as the main VPN went down.
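
The cron check and the primary/backup swap discussed in the posts above, combined into one watchdog as an added example; it is not part of the original posts or of GL.iNet firmware. It assumes the client tunnel is wg0, treats 180 seconds without a handshake as down, does the swap in a single sed pass instead of three in-place edits, and uses a hypothetical script path in the cron line.

```shell
#!/bin/sh
# Added example: cron watchdog around the primary/backup swap from the thread.
# Assumptions (not from the thread): wg0 is the client tunnel, 180 s without a
# handshake counts as "down", and the script path in the cron line is made up:
#   */5 * * * * /root/wg-failover.sh run
CONF="${CONF:-/etc/config/wireguard}"
IFACE="${IFACE:-wg0}"
MAX_AGE="${MAX_AGE:-180}"

# handshake_stale LAST NOW MAX: succeeds when the tunnel should count as down.
# LAST is the epoch from `wg show`; empty or 0 means no handshake yet.
handshake_stale() {
    hs_last="${1:-0}"
    [ "$hs_last" -eq 0 ] && return 0
    [ $(( $2 - hs_last )) -gt "$3" ]
}

# current_main FILE: print the profile name that main_server points at.
current_main() {
    sed -n "s/.*option main_server '\([^']*\)'.*/\1/p" "$1"
}

# swap_main_server FILE: exchange 'primary' and 'backup' in one sed pass.
# `t` skips the second substitution on a line the first one already changed,
# so no temporary name is needed, and the result is written to a new file and
# renamed so an interrupted run cannot leave a half-edited config.
swap_main_server() {
    sed "s/option main_server 'primary'/option main_server 'backup'/
t
s/option main_server 'backup'/option main_server 'primary'/" "$1" > "$1.new" \
        && mv "$1.new" "$1"
}

watchdog() {
    last=$(wg show "$IFACE" latest-handshakes 2>/dev/null | awk '{print $2; exit}')
    handshake_stale "$last" "$(date +%s)" "$MAX_AGE" || return 0
    /etc/init.d/wireguard stop
    swap_main_server "$CONF" || logger -t wg-failover "swap failed, config unchanged"
    /etc/init.d/wireguard start
    logger -t wg-failover "main_server is now '$(current_main "$CONF")'"
}

if [ "${1:-}" = "run" ]; then watchdog; fi
```

If both providers are down the script alternates between them on every run, so the cron interval should be longer than the time a freshly started tunnel needs for its first handshake.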

Really? Tried it. And I am getting this message: WARNING: Conflicts! All other VPN services must be stopped first.

“Allowing one openvpn and one wireguard to run at the same time” is available in firmware 4.0.

Firmware 4.0 is available for AX1800 and AXT1800.