11-10-2008, 10:35 AM  #1
Member. Registered: Sep 2003. Posts: 83.

Backup Internet
Hello,
I currently have an MPLS setup between my location and a remote location. In a perfect world this connection would never cease to exist; unfortunately the world is not perfect, and occasionally the MPLS will go down. The solution to this is to have an OpenVPN gateway setup that utilizes the internet connection between the two sites, which seems to work well. The problem is, anytime we have to switch between the MPLS and the OpenVPN setup, we have to change the routes on a whole bunch of machines. So, I was thinking wouldn't it be nice if we could automate this process; that is why I'm writing here today. I was inquiring if anyone has actually attempted to do this, or if they would have any insight on how to do this.

I can break it down that we could use two end points on each side that negotiated which route to take (as in the internal machines have no idea what route they're taking, either 10.10.10.1, or 192.168.x.1), and it would be the 10.10.10.1 and the 192.168.x.1 machines that would negotiate whether to take the MPLS route or the Internet route. I thought about writing a ping script, which would work from one side, but what about the other side? Does anyone know of a good tool that does this automatically, or at least a better solution other than a simple "ping" script that I came up with? It just seems to me that a simple ping script won't work well in this situation, because ultimately it should never stay on OpenVPN if the MPLS has actually returned. Feedback greatly appreciated, thanks.
Last edited by zer0python; 11-10-2008 at 10:39 AM.
Reason: woops, didn't mean to click "post"

11-10-2008, 01:10 PM  #2
Moderator. Registered: Jun 2001. Location: UK. Distribution: Gentoo, RHEL, Fedora, Centos. Posts: 42,707.

What's wrong with a simple ping? ICMP packets rule the world... I would say ping is about the best way to do this. Your MPLS connection will hopefully have a CPE address at each site which should *only* be reachable via the MPLS link. As such, if you statically route those specific IPs across the WAN link and then run a cron to ping the opposite site every minute: if it's there, ensure there's a route that way for the data networks as well; if not, wop it out and in that case let it use a permanent route of a higher metric to fall back to.

11-11-2008, 08:15 AM  #3
Member (Original Poster). Registered: Sep 2003. Posts: 83.

Nothing is wrong with a ping script; my only worriment is if I set up an OpenVPN bridge, could I end up pinging the CPE address through the OpenVPN bridge? If that was the case when on OpenVPN, it would never switch back to the MPLS. The configuration we have is this:
home office is: 10.10.0.0/16 network (MPLS router is 10.10.10.25)
sites are: 192.168.x.0/24 networks (the x denotes different sites.)
All the sites route through 192.168.x.1 to get to the 10.10.0.0/16 network.
So what I was thinking was just to do ping -I 192.168.x.y 10.10.10.25, if unreachable -> start openvpn, otherwise, ensure openvpn isn't running.
The problem is, how do I inform the router in our central office to route through the OpenVPN network instead of 10.10.10.25? I can do a similar thing on the central office side (for each site), but that doesn't seem optimal, as there are multiple sites (6 and counting).
Mm, the more I think about this question, maybe I should've posted in Linux - Programming/Scripting or something, but it is very network related, so not really sure...

11-11-2008, 08:22 AM  #4
Moderator. Registered: Jun 2001. Location: UK. Distribution: Gentoo, RHEL, Fedora, Centos. Posts: 42,707.

I would try to find an IP that is only reachable via MPLS. The WAN side IP addresses of the CPE are normally in the telco's address space, not yours, so they are typically unique. I would personally leave OpenVPN permanently connected for maximum availability. What if you need to use it and it doesn't come up? I'd again force *some* nominal traffic over that link too to ensure that it's functional should you need it. This does potentially depend on your architecture though, and you've not really described what that is, but hopefully these two routes diverge at a point where you can have them both active bar routing as much as possible.
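
Added example, not code from the thread: a cron-driven check for a site gateway that follows the approach in replies #2 and #4 (probe an address that is only reachable over MPLS, keep the VPN route permanently installed at a higher metric). The /32 host route that pins the probe to the MPLS next hop, the consecutive-failure threshold, and every address, path and variable name are assumptions of this example.

```shell
#!/bin/sh
# Added example. Every address below is a placeholder to replace with your own.
PROBE_IP="${PROBE_IP:-198.51.100.1}"   # far-end CPE WAN address, reachable only via MPLS
MPLS_GW="${MPLS_GW:-192.168.1.254}"    # local MPLS router (next hop)
SRC_IP="${SRC_IP:-192.168.1.1}"        # this gateway's LAN address, used with ping -I
REMOTE_NET="${REMOTE_NET:-10.10.0.0/16}"
STATE="${STATE:-/var/run/mpls-failover.count}"
THRESHOLD="${THRESHOLD:-3}"            # consecutive failed runs before failing over
IP_CMD="${IP_CMD:-ip}"                 # overridable so the logic can be tested unprivileged
PING_CMD="${PING_CMD:-ping}"
# Set once at boot, outside this script: the permanent fallback via the VPN,
#   ip route add 10.10.0.0/16 via <vpn-gateway> metric 100

probe() {
    # Pin the probe target to the MPLS next hop so a reply can never arrive via the VPN.
    $IP_CMD route replace "$PROBE_IP/32" via "$MPLS_GW" &&
        $PING_CMD -c 3 -W 2 -I "$SRC_IP" "$PROBE_IP" >/dev/null 2>&1
}

# next_count OLD RESULT: consecutive-failure counter, reset by any success.
next_count() {
    if [ "$2" = ok ]; then echo 0; else echo $(( $1 + 1 )); fi
}

# decide COUNT: prints mpls (link up), vpn (down long enough) or hold (wait).
decide() {
    if [ "$1" -eq 0 ]; then echo mpls
    elif [ "$1" -ge "$THRESHOLD" ]; then echo vpn
    else echo hold; fi
}

run_once() {
    old=$(cat "$STATE" 2>/dev/null || true)
    if probe; then result=ok; else result=fail; fi
    count=$(next_count "${old:-0}" "$result")
    echo "$count" > "$STATE"
    action=$(decide "$count")
    case "$action" in
        # Low-metric route wins while MPLS is up; removing it exposes the metric-100 VPN route.
        mpls) $IP_CMD route replace "$REMOTE_NET" via "$MPLS_GW" metric 10 ;;
        vpn)  $IP_CMD route del "$REMOTE_NET" via "$MPLS_GW" metric 10 2>/dev/null || true ;;
    esac
    echo "$action"
}

# Cron entry (hypothetical path): * * * * * /usr/local/sbin/mpls-failover.sh --run
if [ "${1:-}" = "--run" ]; then run_once; fi
```

A single successful probe restores the MPLS route immediately, so traffic does not stay on the VPN once the link is back; only failover is delayed by the threshold.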

11-11-2008, 10:01 AM  #5
Member (Original Poster). Registered: Sep 2003. Posts: 83.

That sounds like a good idea. My only question is: do the internal IP addresses of the MPLS routers change at all, or will they always be static? I can get them using a traceroute to a site, but I would hate to have to do that every time, I want to ping for connectivity. I'm rather much a newb when it comes to stuff like MPLS, most of my network experience is mostly just LAN stuff...

11-11-2008, 10:38 AM  #6
Moderator. Registered: Jun 2001. Location: UK. Distribution: Gentoo, RHEL, Fedora, Centos. Posts: 42,707.

A WAN provider would generally never change them. They'd typically put a portion of private address space aside to use for the internal nodes of each MPLS label they implement for each customer, so they'd never change normally. Best to ask them though.