Solved

Openvpn Failover

Posted on 2011-02-27
Last Modified: 2012-05-11
Hello,

I have OpenVPN Access Server installed on server 1 at a datacenter.

I am wanting to set up a second one as a backup, but want to do this at a different location (in fact, a different country).

OpenVPN Access Server failover works well via the LAN model (UCARP-based failover) when it's in the same subnet (using a virtual IP), but these servers will be in different subnets. Basically I want it to work the way it does now in copying the config and users to the secondary node, but I want both nodes to be active all the time - users will only connect to the second server if the first one is down, due to the DNS setup, not UCARP-based failover.

Can this be done in the Access Server? Or if not, what about the free version?
Question by:AUCKLANDIT
8 Comments
 
LVL 20

Accepted Solution

by:
Daniel McAllister earned 450 total points
ID: 34999462
Hello AUCKLANDIT,

Let's look at your question from a protocol perspective:
To make an OpenVPN connection to a server, you will connect to an IP address usually referenced by a DNS name.
So in that first step, using DNS to "failover" to the backup server will work fine -- but it cannot be an "automatic" failover, as DNS doesn't work that way.
Let's say server1.domain.com is at 1.1.1.1 and server2.domain.com is at 2.2.2.2. You want users to primarily connect to server1, so you create a DNS CNAME (or A record) called openvpn.domain.com that points to server1 (or 1.1.1.1).

If you create a second CNAME (or A record) in DNS pointing to server2, the nature of DNS will cause the two servers to be "load balanced".

Therefore, your failover will need to either use a different method, have some kind of automated DNS change, or be manual in nature.

====

The second part of the OpenVPN protocol will be much easier to accomplish -- the authentication. By synchronizing (or backing up) your "primary" openvpn site to the backup, you can virtually guarantee that the server's credentials will match, as well as the keys that the clients will use to connect.  -- But don't overlook this point. For your backup openvpn server to act properly, it MUST use the same public/private key pair, and must similarly use the same public/private key pairs for the client systems (or users, if you're using something like a usb-drive to house the openvpn executable and keys).

I hope this helps...

Dan
IT4SOHO
 
LVL 68

Expert Comment

by:Qlemo
ID: 34999591
You know already that OpenVPN's "remote" switch allows for multiple addresses and different distribution methods (round-robin/random, or on fail only)?
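The client-side alternative Qlemo is pointing at, as an added example (not code from the thread, from OpenVPN Access Server or from the OpenVPN documentation): a client config that lists both servers and falls over to the second only when the first does not answer. The hostnames, port and file names are assumptions. The `remote` directive is part of the core OpenVPN client configuration, so it is not specific to the Access Server or the open source edition.

```conf
client
dev tun
proto udp

# Remotes are tried in the order listed: the client only moves on to
# server2 when server1 does not answer (fail-over, not load balancing).
# Do NOT add "remote-random" here: that shuffles the list on each start
# and turns this into the round-robin behaviour the thread wants to avoid.
remote server1.example.com 1194
remote server2.example.com 1194

# Give up on a non-responding server after 10 seconds and try the next
# remote instead of retrying the same one indefinitely.  Newer OpenVPN
# releases also accept the alias "connect-timeout" for this option.
server-poll-timeout 10
resolv-retry infinite
nobind
persist-key
persist-tun

# Whichever server the client lands on is validated against the same CA and
# must accept the same client certificate, which is why the thread insists
# that the standby carries the same keys and user data as the primary.
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
```

Because the fail-over decision is made by each client at connect time, this does not depend on DNS TTLs and needs no change on the server side; already-connected clients still drop when the primary goes away and reconnect through the list.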
 
LVL 1

Author Comment

by:AUCKLANDIT
ID: 35000386
Thanks Dan - I tried this last night and it works. I will post the backup .sh soon.

Qlemo - no? Is this the OpenVPN Access Server you are talking about, or the open source one?
 
LVL 1

Author Comment

by:AUCKLANDIT
ID: 35000555

#!/bin/bash
# Push this node's Access Server configuration (users, certificates and the
# server key pair under /usr/local/openvpn_as/etc) to the standby node.
# The licenses directory is excluded: each server needs its own licence.
set -e
SERVER2="SERVER2"                 # hostname (or ssh alias) of the standby node
ARCHIVE=/root/openvpn.tar.gz

rm -f "$ARCHIVE"
/etc/init.d/openvpnas stop        # stop so the config database is copied consistently
tar --exclude "/usr/local/openvpn_as/etc/licenses" -czf "$ARCHIVE" /usr/local/openvpn_as/etc
/etc/init.d/openvpnas start
scp "$ARCHIVE" "root@$SERVER2:$ARCHIVE"

# tar stored the paths relative to /, so extract from / on the standby, then restart it.
ssh "root@$SERVER2" "/etc/init.d/openvpnas stop; tar -xzpf $ARCHIVE -C /; /etc/init.d/openvpnas start"

 
LVL 20

Expert Comment

by:Daniel McAllister
ID: 35001725
AUCKLANDIT,

Not sure what your code snippets are trying to accomplish, except the transfer of license data... but instead of the tar & ssh, might I suggest rsync over ssh?

Dan
IT4SOHO
 
LVL 1

Author Comment

by:AUCKLANDIT
ID: 35001741
That is what I used to transfer the data, except the licence data, which you cannot copy as you need your own licences on each server. Yes, rsync is better.
 
LVL 19

Assisted Solution

by:Redimido
Redimido earned 50 total points
ID: 35004101
I have done what you want to do using dnsmadeeasy.

In fact I believe you can use any DNS provider allowing you to use an update mechanism like dns-sec or something similar.

You can update the "A" record if using a DDNS server like dnsmadeeasy, or a CNAME, like in the code I show.

Then the only thing you need to do is a keepalive on the secondary. If the secondary is unable to communicate with the primary, launch the update ("updatedns server2") and that's it.

Have done it with the free version.

You can use a more mature tool for the failover; ping has worked for me.

; zone excerpt: both servers have fixed A records, clients use the alias
server1   A      1.1.1.1
server2   A      2.2.2.2
; $TTL applies to the records that follow it: keep the alias short-lived
; so resolvers pick up the change to server2 within minutes
$TTL 5m
vpn       CNAME  server1
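The automated DNS change Dan mentions and the keepalive Redimido describes, as an added example that is not code from the thread or from dnsmadeeasy: a check script run on the standby that probes the primary and, after several consecutive failures, repoints the short-TTL CNAME using RFC 2136 dynamic update (nsupdate, shipped with BIND) instead of a provider-specific updater. Every hostname, the zone, the nameserver and the TSIG key path are assumptions for illustration.

```shell
#!/bin/bash
# Added example (not code from the thread): standby-side keepalive that repoints
# a short-TTL CNAME via RFC 2136 dynamic DNS update (nsupdate, from BIND) once
# the primary has failed several consecutive probes.  All names, the zone, the
# nameserver and the TSIG key path are assumptions for illustration.
set -u

PRIMARY_HOST="server1.example.com"   # assumed: the node being watched
STANDBY="server2.example.com"        # assumed: this node, the fail-over target
RECORD="vpn.example.com"             # assumed: the alias clients connect to
ZONE="example.com"                   # assumed: zone holding the alias
NS_SERVER="ns1.example.com"          # assumed: authoritative server accepting updates
TSIG_KEY="/etc/openvpn/ddns.key"     # assumed: TSIG key file authorising the update
TTL=300                              # short TTL so resolvers notice the change quickly
FAILS_REQUIRED=3                     # consecutive failed probes before failing over

# Emit the nsupdate transaction that points RECORD at $1.  Pure text, so it can
# be reviewed (or tested) without touching DNS.  The delete removes any existing
# CNAME at the name first, since a name may carry only one CNAME.
nsupdate_script() {
  printf 'server %s\nzone %s\nupdate delete %s CNAME\nupdate add %s %d CNAME %s.\nsend\n' \
    "$NS_SERVER" "$ZONE" "$RECORD" "$RECORD" "$TTL" "$1"
}

# Fail-over decision: $1 = probes required, remaining args = probe results
# ("up"/"down").  Succeeds only when every probe came back "down", so one lost
# packet or a brief blip does not move production DNS.
should_failover() {
  local n="$1"; shift
  local downs=0 r
  for r in "$@"; do
    if [ "$r" = down ]; then downs=$((downs + 1)); fi
  done
  [ "$downs" -ge "$n" ]
}

# One ICMP probe of the primary with a 2 second reply timeout (Linux iputils flags).
probe_primary() {
  if ping -c 1 -W 2 "$PRIMARY_HOST" >/dev/null 2>&1; then echo up; else echo down; fi
}

# Live check only when invoked as "failover-check.sh run" (e.g. from cron), so
# sourcing the file for review or testing does nothing.
if [ "${1:-}" = run ]; then
  results=""
  i=0
  while [ "$i" -lt "$FAILS_REQUIRED" ]; do
    results="$results $(probe_primary)"
    i=$((i + 1))
    sleep 5
  done
  # shellcheck disable=SC2086  # word splitting of $results is intended
  if should_failover "$FAILS_REQUIRED" $results; then
    nsupdate_script "$STANDBY" | nsupdate -k "$TSIG_KEY"
  fi
fi
```

Two caveats a practitioner should keep in mind. The standby decides alone, so if its own uplink degrades it will hijack the alias while the primary is healthy; probing the OpenVPN port rather than ICMP only, or requiring a second vantage point to agree, reduces that risk. And the TSIG key on the nameserver should be granted update rights for the vpn name only (BIND's update-policy can scope a key to one name and record type), so a compromised standby cannot rewrite the rest of the zone. As Dan notes, this automates fail-over only; moving the alias back to server1 is a separate, deliberate step.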