Issue
I have the following setup: 2 VMs in the same subnet (192.168.178.0/24) in my home network
- VM_Gateway with Debian on 192.168.178.100
- VPN_Gateway with Debian on 192.168.178.102 with running VPN
Network Gateway is on 192.168.178.1
Please advise on the architecture and solution for the following task: the traffic from all home devices enters VM_Gateway. This VM checks whether the VPN_Gateway can be resolved (is up and running). If it is, all traffic is redirected to VPN_Gateway; if not, traffic is redirected to the Network Gateway on 192.168.178.1.
Thanks
Solution
Static Routing
One way to do it would be to use static routing, and a VIP.
Configure something like Keepalived, or Pacemaker/Corosync, on both your VPN Gateway and Network Gateway. Configure a virtual IP, something like 192.168.178.254, shared by both devices. If the VPN machine is up, the VIP would be assigned to the VPN node; otherwise it would fail over to the Network Gateway.
Then change your VM_Gateway's default gateway to point to your VIP.
Keepalived may be easier than Pacemaker/Corosync, especially for implementing priorities (who gets the IP if both nodes are up), or even for ensuring that your VPN link is up before VPN_Gateway takes over.
Dynamic Routing
Maybe overkill, though it could make sense depending on your context: using something like OSPF?
VM_Gateway, VPN_Gateway and Network Gateway would all run OSPF (on Debian you would have Quagga; OpenBSD has its own ospfd daemon; ...).
VPN_Gateway and Network Gateway would only advertise a default route (Quagga doesn't change the routing configuration on those hosts), pointing to your VPN server on the one hand and to your actual default gateway on the other.
By defining proper link metrics, you should be able to prioritize the VPN over the regular gateway.
The VM_Gateway would then be able to switch from one to the other.
Answered By - SYN
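The Keepalived variant of the static-routing answer above, written out as an added example (it is not part of SYN's answer). It assumes things the post does not state: the LAN interface is eth0, the VPN tunnel interface on VPN_Gateway is tun0 with its far end at 10.8.0.1, and VRRP router id 51. The VIP 192.168.178.254 and the two node roles come from the answer. The check script is what makes the VIP follow the VPN link rather than just the host: while it fails, the VPN node's priority drops below the fallback node's and the VIP moves.

```conf
# /etc/keepalived/keepalived.conf on VPN_Gateway (192.168.178.102)
# Assumptions (not from the original post): LAN on eth0, VPN tunnel on tun0
# with far end 10.8.0.1, VRRP router id 51.

global_defs {
    router_id vpn_gateway
    enable_script_security   # refuse scripts in paths writable by non-root users
    script_user root         # ping -I <iface> needs privileges on older kernels
}

# Health check for the VPN link itself, not just the host: passes only when
# the route to the tunnel's far end goes over tun0 (that route vanishes when
# the tunnel drops) and the far end answers a ping sent out of tun0.
vrrp_script chk_vpn {
    script "/bin/sh -c 'ip route get 10.8.0.1 | grep -q tun0 && ping -c 1 -W 2 -I tun0 10.8.0.1'"
    interval 5     # seconds between checks
    timeout 4      # kill a check that hangs longer than this
    fall 2         # two consecutive failures -> script considered DOWN
    rise 2         # two consecutive successes -> script considered UP
    weight -100    # subtract 100 from priority while the script is DOWN
}

vrrp_instance VI_GW {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 150   # 150 while chk_vpn passes (beats the fallback's 100), 50 while it fails (loses)
    advert_int 1
    # VRRP adverts are cleartext on the LAN. Unicast to the known peer instead
    # of multicast so an arbitrary host on the subnet cannot join the election.
    unicast_src_ip 192.168.178.102
    unicast_peer {
        192.168.178.1          # the fallback node; the answer places it on the Network Gateway
    }
    virtual_ipaddress {
        192.168.178.254/24 dev eth0
    }
    track_script {
        chk_vpn
    }
}

# /etc/keepalived/keepalived.conf on the fallback node (192.168.178.1 in the answer)
# Same router id and VIP, lower priority, no VPN check. It only holds the VIP
# while the VPN node's effective priority is below 100.
global_defs {
    router_id fallback_gateway
}

vrrp_instance VI_GW {
    state BACKUP
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    unicast_src_ip 192.168.178.1
    unicast_peer {
        192.168.178.102
    }
    virtual_ipaddress {
        192.168.178.254/24 dev eth0
    }
}
```

With this in place VM_Gateway needs only `ip route replace default via 192.168.178.254` and no logic of its own. Two checks worth doing before trusting it: pull the VPN down on VPN_Gateway and confirm with `ip addr show eth0` that 192.168.178.254 disappears there and appears on the fallback node within roughly fall × interval plus a few advertisement intervals, and confirm VPN_Gateway actually forwards and NATs for the LAN (net.ipv4.ip_forward and a MASQUERADE rule on tun0), since the VIP moving is of no use if the node holding it drops the traffic.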
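The dynamic-routing variant, as an added example that is not part of SYN's answer. It assumes all three hosts share eth0 on 192.168.178.0/24 in OSPF area 0, that zebra runs alongside ospfd (Quagga, or its successor FRR, which accepts the same lines), and uses the router ids shown. Both candidate gateways originate a default route; the external metric is what makes VM_Gateway prefer the VPN node while it is reachable.

```conf
! Quagga ospfd configuration, split per host (FRR: same lines in /etc/frr/frr.conf).
! Assumptions (not from the original post): LAN eth0, area 0.0.0.0, zebra running.

! --- VPN_Gateway (192.168.178.102): preferred default, low external metric ---
router ospf
 ospf router-id 192.168.178.102
 network 192.168.178.0/24 area 0.0.0.0
 ! Without "always" the default is only advertised while this host itself has a
 ! default route in its table. That tracks the tunnel only if the VPN client
 ! installs that default route (an assumption about the VPN setup); otherwise
 ! OSPF adjacency loss only tells VM_Gateway the host is down, not the tunnel.
 default-information originate metric 10 metric-type 1

! --- Network Gateway (192.168.178.1): fallback default, high external metric ---
router ospf
 ospf router-id 192.168.178.1
 network 192.168.178.0/24 area 0.0.0.0
 default-information originate always metric 100 metric-type 1

! --- VM_Gateway (192.168.178.100): originates nothing, just learns both ---
router ospf
 ospf router-id 192.168.178.100
 network 192.168.178.0/24 area 0.0.0.0
```

On VM_Gateway, `show ip ospf route` in vtysh should list two external default routes and `ip route` should show the kernel default via 192.168.178.102 while it advertises; when VPN_Gateway stops advertising (adjacency lost after the dead interval, 40 s by default, or the conditional origination withdrawn), the default flips to 192.168.178.1. Metric type 1 adds the internal path cost to the external metric, which is identical for both here since they sit on the same link, so the 10 versus 100 difference is what decides.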