Do VPNs (commercial: PIA, Windscribe, etc) work with ECMP configuration?

Hello all! New member here but long time viewer of LTT on YouTube. I was wondering, and cannot wrap my head around a doubt. I have surfed through multiple forums but cannot find a credible enough answer, so I decided to try here as well. 

Basically, my setup includes but is not limited to: 1 MikroTik router, multiple VLANs, one Unraid server (with the usuals for movies, TV series and torrent handler. Will not go into detail, but if you know, you know). And finally two ISPs. I have failover configured and it works properly. What I want to know is this: 

 

1. Will the VPN tunnel to Windscribe, in this particular case, leak packets (of the torrents) out of the tunnel if I configure ECMP on the router to bind both ISP speeds? 

2. Do commercial VPNs connect from one origin IP (let's say, ISP1) to their VPN servers in whatever city and country it might be? 
3. Should I just route torrent traffic through one ISP and forget about torrenting through ECMP and do a kill switch configuration on the router on failover? This would be considering that ECMP will be configured but torrenting will just go through one ISP with marked packets. 

 

Please, I'm requesting everybody's knowledge come into play in this one post. If additional information is needed to clear doubts, say no more and I'll provide what I have and what I do know. 
 

Thanks all 😃


You won’t be able to use ECMP to split a single tunnel over multiple ISPs because the public IP is different on each ISP. Half your packets would have one source IP and half your packets the other. The tunnel wouldn’t even get through the connection process.

 

To use both ISPs, you would need at least two VPN connections, do some configuration (route marking) to pin one to each ISP, and then configure your torrent and other software to make connections using both, if they have such options.

 

Products/services which allow you to “combine” multiple ISPs work by making one tunnel per ISP, all connected to a single server in a single datacenter. The two ends have to run the same software that splits and recombines connections over the tunnels, so that you get the combined bandwidth to/from the datacenter with a single source IP at the datacenter.


Thank you for replying, brwainer. Would you recommend to just run the tunnel through one ISP with marked packets and kill switch on failover, but with ECMP running on the router then? I'm aware torrent packets won't go through ECMP, hence the marked packets previously through just one ISP while everything else goes through the ECMP config.


7 hours ago, ghostlight said:

Thank you for replying, brwainer. Would you recommend to just run the tunnel through one ISP with marked packets and kill switch on failover, but with ECMP running on the router then? I'm aware torrent packets won't go through ECMP, hence the marked packets previously through just one ISP while everything else goes through the ECMP config.

As long as you have different public IPs with each ISP (as long as you don’t have a public subnet of /24 or larger that you can use through both ISPs at the same time via BGP) then ECMP has the negative effect that any time the routing table changes, which will happen at least every 10 minutes, there is a chance connections will swap ISPs and thus die. The better method for this is PCC: https://help.mikrotik.com/docs/display/ROS/Firewall+Marking#FirewallMarking-Example3(PCC) because the assignment of connections to one ISP or the other is based on hash, not on chance.

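The difference between PCC and ECMP described in the reply above, as an added example that is not part of the original thread. It is a simplified Python model: all addresses are constructed, SHA-256 stands in for the RouterOS hash, and redrawing the ECMP next hop on every routing-table change is an assumption made to illustrate "based on hash, not on chance".

```python
import hashlib
import ipaddress
import random

# Constructed sample values (documentation address ranges), not from the thread.
UPLINKS = {"ISP1": "198.51.100.10", "ISP2": "203.0.113.20"}  # uplink -> public IP
NAMES = sorted(UPLINKS)

def pcc_uplink(src, dst):
    """PCC model: hash the address pair, take it modulo the uplink count.
    SHA-256 is a stand-in here; RouterOS uses its own hash."""
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    bucket = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(NAMES)
    return NAMES[bucket]

def ecmp_uplink(rng):
    """Simplified ECMP model: the next hop is drawn again on every
    routing-table change, independent of earlier choices."""
    return rng.choice(NAMES)

def source_ips_seen(src, dst, table_changes, seed=1):
    """Public source IPs the remote end sees for one long-lived flow
    across `table_changes` routing-table changes, per method."""
    rng = random.Random(seed)  # fixed seed keeps the run repeatable
    pcc = {UPLINKS[pcc_uplink(src, dst)] for _ in range(table_changes)}
    ecmp = {UPLINKS[ecmp_uplink(rng)] for _ in range(table_changes)}
    return pcc, ecmp

def pcc_spread(src, dsts):
    """How many distinct flows PCC assigns to each uplink."""
    counts = dict.fromkeys(NAMES, 0)
    for dst in dsts:
        counts[pcc_uplink(src, dst)] += 1
    return counts

if __name__ == "__main__":
    host, vpn = "192.168.88.10", "192.0.2.50"  # constructed LAN host and VPN server
    pcc, ecmp = source_ips_seen(host, vpn, table_changes=64)
    print("PCC  source IPs for the tunnel:", sorted(pcc))   # one IP: tunnel survives
    print("ECMP source IPs for the tunnel:", sorted(ecmp))  # two IPs: tunnel dies
    peers = [f"192.0.2.{i}" for i in range(1, 201)]
    print("PCC spread over 200 peers:", pcc_spread(host, peers))
```

The tunnel flow keeps a single public source IP under the hash-based assignment, while separate flows to different peers still land on both uplinks.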
