Using Multiple VPN Connections Simultaneously
Viscosity allows multiple VPN connections to be connected simultaneously. To take advantage of this simply instruct a connection to connect without disconnecting any existing active connections. This allows for scenarios where you may need to connect to two remote networks at once, such as two office locations, or for when you need one VPN connection to connect through another.
However, to use multiple VPN connections at the same time effectively it's necessary to have an understanding of how your computer directs traffic for each VPN connection to ensure that the VPN connections do not clash. This article is designed to cover the basics, however if in doubt please get in touch with your VPN Provider to check whether any configuration changes are necessary to your VPN connections.
IP Routing and VPN Connections
Your typical computer has multiple network interfaces. These are usually a combination of physical network interfaces (such as your computer's Wi-Fi network interface and Ethernet network interface) and virtual network interfaces (such as an interface for each active VPN connection).
To decide which network interface to use when sending a packet of network data, your computer uses its "routing table". The routing table is like an address book for IP addresses, where each entry can be a single IP address (e.g. 10.0.0.1/32 or 10.0.0.1/255.255.255.255) or a range of addresses (e.g. 10.0.0.0/24 or 10.0.0.0/255.255.255.0). An entry in the routing table is known as a "route". Your routing table also has a "default" route, which is the route used when there are no other matches.
When you connect to a VPN connection, it adds certain routes to your computer's routing table to direct traffic into the VPN connection. For your typical workplace connection this may consist of a couple of routes to direct the IP range/s your workplace uses into the VPN connection. On the other hand a typical VPN Service Provider connection may instead specify a new default route, so all network traffic goes through the VPN connection by default.
The operating system will also automatically create a route for the IP range the VPN connection uses (even if no such route is explicitly set by the VPN connection).
Clashes Between Routes
If two routes with identical IP ranges are added to the routing table, you have a routing clash. For example, if you have a route directing 10.8.0.0/24 traffic to Network Interface 1's gateway, but also another directing 10.8.0.0/24 traffic to Network Interface 2's gateway, there is an obvious problem. They both can't be used, and so the operating system will only use one and ignore any others.
In fact, from an OpenVPN connection perspective, the exact behaviour will vary depending on the operating system. On Windows the route with the lowest metric, usually the most recently added, will be the one used, while on macOS the first added route will be the one used. When you disconnect either connection, the route/s will be removed, and the remaining connection may be left in a non-functional state.
This also applies to default routes: if two connections both try to create a default route, only one can be used. When disconnecting one of the connections (causing the default route to be removed) the remaining VPN connection will not be used for all traffic (as the route has been removed).
Those familiar with IP routing may notice that the above behaviour differs somewhat from normal network interfaces. For example, if you connect a computer via both an Ethernet cable and Wi-Fi to the same network, and then disconnect the one it's using, your computer will gracefully fall back to the other network connection. This is through a mechanism known as "interface scoped" routing. OpenVPN does not support interface scoped routes at this time (as not every operating system supports it), but it may in the future.
Common Simultaneous Scenarios
In this section we look at a number of common scenarios for simultaneous connection use, and any recommendations to make the connections work as expected.
"All-Traffic" connections refer to VPN connections that have a default route associated with them so all traffic is directed through them by default, while "Split-Traffic" connections are VPN connections that only have a select number of routes and don't route all traffic through the VPN connection.
Connecting Two Split-Traffic Connections
This situation commonly occurs when connecting to workplaces with more than one office, and you need to have a VPN connection to two or more offices at the same time.
If you have two connections without clashing IP addresses or routes, then they'll work perfectly connected at the same time. For example, if the first VPN connection has an IP address range of 10.1.0.x, while also pushing out a route for 10.2.0.x, and the second connection has an IP address range of 10.3.0.x while also pushing a route of 10.4.0.x, then there are no routing clashes.
If both connections are attempting to use the same IP range (a common one for OpenVPN connections is 10.8.0.x), or push out the same routes, then one of them will need to be changed. This usually involves changing the IP range that the OpenVPN server is using (as well as any conflicting pushed routes). If the IP range can't be changed, then NAT can be used on the server to remap IP ranges.
Connecting a Split-Traffic Connection and a All-Traffic Connection
This situation typically occurs when you are connected to a VPN Service Provider, but also want to connect to a work or home network.
If you want all traffic to go through the All-Traffic VPN connection, and have the Split-Traffic connection connect through the All-Traffic connection, then the All-Traffic connection should be connected first. Once it is established you can connect the Split-Traffic connection.
If however you don't want the Split-Traffic connection to connect through the All-Traffic VPN connection, then you'll need to add an exception to your routes. This can be done by editing the Split-Traffic connection in Viscosity, and then adding a route directing traffic for the Split-Traffic VPN server's IP address to go through the normal network. This can be done by following the steps in the Routing Traffic For Websites & Applications article.
Connecting Two All-Traffic Connections
This situation is common when wanting to connect one VPN Service Provider connection through another VPN Service Provider connection. This is often referred to as connection chaining.
To avoid potential DNS issues and ease of reconnecting one (or both) of the connections, we recommend turning one of the connections into a Split-Traffic connection. This should be the VPN connection you want to have the second VPN connection connect through. This can be accomplished by disabling all traffic going through the VPN connection, and then following the steps in the "Connecting a Split-Traffic Connection and a All-Traffic Connection" section above.