Multipath TCP Site-to-Site VPN (2x Bandwidth + Instant Failover)

Ever wondered how to combine the bandwidth of multiple internet connections for a single TCP stream? Traditional bonding (such as LACP) and Layer 3 ECMP routing fall short because they pin each individual flow to a single interface. Enter Multipath TCP (MPTCP), a technology built into the mainline Linux kernel since 2020 that dynamically splits and aggregates a single TCP connection across multiple physical links.

In this video, we build a fully encrypted, high-performance site-to-site VPN tunnel from the ground up using sing-box (Shadowsocks 2022 + BLAKE3) over MPTCP. We explore why standard static routes fail to balance single streams, dive into the mechanics of Layer 4 ECMP port hashing, configure MPTCP subflows, and implement a production-ready setup, even when both nodes are dual-homed behind a 1:1 NAT.

🚀 GitHub Repository (Code & Configurations):
👉 https://github.com/filip-lebiecki/mptcp

📌 What You Will Learn
- The architectural limits of LACP and Layer 3 ECMP for single-stream optimization.
- How to use Linux routing primitives (ip nexthop and nexthop groups).
- How to configure MPTCP limits, signal endpoints, and subflow paths via ip mptcp.
- Forcing MPTCP capability on standard apps using mptcpize.
- Deploying a transparent Layer 4 site-to-site tunnel using sing-box over a TUN interface.
- Overcoming 1:1 NAT environments using public IP path-pinning.
⏱️ Video Timestamps
00:00 - Intro: Breaking the 1-Gbps Barrier with a Single TCP Stream
02:06 - Architecture Diagram & Topology Overview
03:09 - The Limits of Static Routes & Why LACP Fails at Layer 3
06:23 - Deep Dive into Linux Nexthops
09:28 - Nexthop Groups
11:23 - ECMP Routing, FIB Hashing, and Layer 4 Port Entropy Limitations
14:23 - Introduction to MPTCP: Subflows & Data Sequence Numbers (DSN)
15:29 - Minimal MPTCP Demo (ip mptcp endpoints, limits & mptcpize)
20:20 - Transparent Tunneling Architecture with sing-box (gVisor Netstack)
22:13 - Configuring the sing-box Site-to-Site VPN Tunnel
26:05 - Testing TCP & UDP Throughput (with Auto-Failover Demo)
26:59 - Real-World Deployment: Dual-Homed Servers Behind a 1:1 NAT
31:49 - Outro: Firewalls, Middleboxes, and Troubleshooting (MSS Clamping)

#Linux #Networking #MPTCP #SysAdmin #DevOps #VPN #SingBox #Shadowsocks #ECMP #HomeLab