Solved

OpenVPN Failover

Posted on 2011-02-27
Last Modified: 2012-05-11
Hello,

I have OpenVPN Access Server installed on server 1 at a datacenter.

I am wanting to set up a second one as a backup, but want to do this at a different location (in fact, a different country).

OpenVPN Access Server failover works well via the LAN model (UCARP-based failover) when it's in the same subnet (using a virtual IP), but these servers will be in different subnets. Basically, I want it to work the way it does now, where it copies the config and users to the secondary node, but I want both nodes to be active all the time. Users will only connect to the second server if the first one is down, via a DNS setup, not UCARP-based failover.

Can this be done in the Access Server? Or if not, what about the free version?
Question by:AUCKLANDIT
8 Comments
 
LVL 20

Accepted Solution

by:
Daniel McAllister earned 450 total points
ID: 34999462
Hello AUCKLANDIT,

Let's look at your question from a protocol perspective:
To make an OpenVPN connection to a server, you will connect to an IP address usually referenced by a DNS name.
So in that first step, using DNS to "failover" to the backup server will work fine, but it cannot be an "automatic" failover, as DNS doesn't work that way.
Let's say server1.domain.com is at 1.1.1.1 and server2.domain.com is at 2.2.2.2. You want users to primarily connect to server1, so you create a DNS CNAME (or A record) called openvpn.domain.com that points to server1 (or 1.1.1.1).

If you create a second CNAME (or A record) in DNS pointing to server2, the nature of DNS will cause the two servers to be "load balanced".

Therefore, your failover will need to either use a different method, have some kind of automated DNS change, or be manual in nature.

====

The second part of the OpenVPN protocol will be much easier to accomplish: the authentication. By synchronizing (or backing up) your "primary" OpenVPN site to the backup, you can virtually guarantee that the server's credentials will match, as well as the keys that the clients will use to connect. But don't overlook this point: for your backup OpenVPN server to act properly, it MUST use the same public/private key pair, and must similarly use the same public/private key pairs for the client systems (or users, if you're using something like a USB drive to house the OpenVPN executable and keys).

I hope this helps...

Dan
IT4SOHO
 
LVL 68

Expert Comment

by:Qlemo
ID: 34999591
You already know that OpenVPN's "remote" switch allows for multiple addresses and different distribution methods (round-robin/random, or on fail only)?
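Added here as an illustration of the client-side approach Qlemo refers to; it is not from the thread. It is an open-source OpenVPN client configuration (whether an Access Server-generated profile can carry the same directives is not settled in this thread). The hostnames and port are the ones from Dan's example and are assumed:

```text
# client.ovpn -- added example, assumed hostnames server1.domain.com / server2.domain.com
client
dev tun
proto udp

# Remotes are tried in the order listed: server1 first, server2 only when
# server1 cannot be reached. Leaving remote-random commented out keeps that
# order; enabling it spreads clients over both servers, which is the
# load-balancing behaviour Dan warns about.
remote server1.domain.com 1194
remote server2.domain.com 1194
;remote-random

# Keep retrying name resolution instead of exiting when DNS is briefly unavailable
resolv-retry infinite
# Wait at most 20 seconds for a remote to answer before moving to the next one
server-poll-timeout 20
# Keep key material and the tun device across reconnects
persist-key
persist-tun

# Both servers must present a server certificate signed by this CA; that is why
# Dan's point about keeping the server key pair identical on both nodes matters.
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
```

Without `remote-random` the client only moves to server2 after a connection attempt to server1 fails or times out, so no DNS change is involved at all; the trade-off is that the failover decision is made per client, and a client already connected to server1 does not notice anything until its own link drops.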
 
LVL 1

Author Comment

by:AUCKLANDIT
ID: 35000386
Thanks Dan - I tried this last night and it works. I will post the backup .sh soon.

Qlemo - no? Is this the OpenVPN Access Server you are talking about, or the open source one?
 
LVL 1

Author Comment

by:AUCKLANDIT
ID: 35000541

#!/bin/bash
# Copy the Access Server configuration (users, profiles, certificates) from this
# node to the standby (SERVER2). The licenses directory is excluded because each
# node needs its own licence.
ARCHIVE=/root/openvpn.tar.gz

rm -f "$ARCHIVE"
# Stop the service so the config files are not changing while they are archived
/etc/init.d/openvpnas stop
tar -pczf "$ARCHIVE" --exclude "/usr/local/openvpn_as/etc/licenses" /usr/local/openvpn_as/etc
/etc/init.d/openvpnas start

scp "$ARCHIVE" SERVER2:/root/openvpn.tar.gz

# On the standby: stop, unpack over /usr/local/openvpn_as/etc (tar strips the leading /), restart
ssh root@SERVER2 '/etc/init.d/openvpnas stop ; cd / ; tar xzf /root/openvpn.tar.gz ; /etc/init.d/openvpnas start'

 
LVL 1

Author Comment

by:AUCKLANDIT
ID: 35000555

#!/bin/bash
# Copy the Access Server configuration (users, profiles, certificates) from this
# node to the standby (SERVER2). The licenses directory is excluded because each
# node needs its own licence.
ARCHIVE=/root/openvpn.tar.gz

rm -f "$ARCHIVE"
# Stop the service so the config files are not changing while they are archived
/etc/init.d/openvpnas stop
tar -pczf "$ARCHIVE" --exclude "/usr/local/openvpn_as/etc/licenses" /usr/local/openvpn_as/etc
/etc/init.d/openvpnas start

scp "$ARCHIVE" SERVER2:/root/openvpn.tar.gz

# On the standby: stop, unpack over /usr/local/openvpn_as/etc (tar strips the leading /), restart
ssh root@SERVER2 '/etc/init.d/openvpnas stop ; cd / ; tar xzf /root/openvpn.tar.gz ; /etc/init.d/openvpnas start'

 
LVL 20

Expert Comment

by:Daniel McAllister
ID: 35001725
AUCKLANDIT,

Not sure what your code snippets are trying to accomplish, except the transfer of license data... but instead of the tar & ssh, might I suggest rsync over ssh?

Dan
IT4SOHO
 
LVL 1

Author Comment

by:AUCKLANDIT
ID: 35001741
That is what I used to transfer the data, except the licence data, which you cannot copy as you need your own licences on each server. Yes, rsync is better.
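An added example (not code from the thread) of the rsync-over-ssh variant Dan suggests, replacing the tar + scp steps of the posted script. It assumes the same layout as the thread: Access Server under /usr/local/openvpn_as on both nodes, and a standby reachable as root@SERVER2 over ssh.

```shell
#!/bin/sh
# Added example: mirror /usr/local/openvpn_as/etc to the standby with rsync.
# Assumptions (not from the thread): SERVER2 is the standby's ssh host and both
# nodes install Access Server under /usr/local/openvpn_as.

OPENVPN_ETC=/usr/local/openvpn_as/etc
STANDBY=root@SERVER2

# sync_etc SRC/ DEST/   (trailing slashes: copy the directory's contents)
#   -a                  keep ownership, modes and mtimes of the config files
#   --delete            remove users/profiles on the standby that were removed
#                       on the primary, so the two config trees stay identical
#   --exclude licenses/ each node keeps its own licence files; --delete leaves
#                       excluded paths on the receiving side alone
# rsync uses ssh as its remote shell by default when DEST is user@host:path.
sync_etc() {
    rsync -a --delete --exclude 'licenses/' "$1" "$2"
}

# Full procedure: quiesce both services as the posted script does, copy, restart.
# Services are restarted even if the copy failed; the rsync status is returned.
replicate_to_standby() {
    /etc/init.d/openvpnas stop
    ssh "$STANDBY" /etc/init.d/openvpnas stop
    sync_etc "$OPENVPN_ETC/" "$STANDBY:$OPENVPN_ETC/"
    rc=$?
    ssh "$STANDBY" /etc/init.d/openvpnas start
    /etc/init.d/openvpnas start
    return $rc
}

# Run as: ./sync-standby.sh run   (no argument does nothing, so it can be sourced)
case "${1:-}" in run) replicate_to_standby ;; esac
```

Run it from cron on the primary; add `-n` to the rsync line for a dry run that lists what `--delete` would remove on the standby before trusting it.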
 
LVL 19

Assisted Solution

by:Gabriel Orozco
Gabriel Orozco earned 50 total points
ID: 35004101
I have done what you want to do using dnsmadeeasy.

In fact, I believe you can use any DNS allowing you to use an update mechanism like dns-sec or something similar.

You can update the "A" record if using a DDNS server like dnsmadeeasy, or a CNAME, like in the code I show.

Then the only thing you need to do is a keepalive on the secondary. If the secondary is unable to communicate with the primary, launch the update
"updatedns server2" and that's it.

Have done it with the free version.

You can use a more mature tool for the failover. Ping has worked for me.

; server1 and server2 keep the zone's default TTL; the $TTL directive gives the
; vpn alias a 5-minute TTL so clients pick up a repointed CNAME within minutes
server1   A      1.1.1.1
server2   A      2.2.2.2
$TTL 5m
vpn       CNAME  server1

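The keepalive Gabriel describes, written out as an added example (not Gabriel's code). It assumes the zone above, a primary reachable as server1.domain.com, and a hypothetical `updatedns NAME` wrapper around the DNS provider's update API that repoints the vpn CNAME at NAME; it is meant to run on server2 from cron every minute.

```shell
#!/bin/sh
# Added example of a failover keepalive for the standby (server2), run from cron.
# Assumptions, not from the thread: the primary answers ping as server1.domain.com,
# and 'updatedns NAME' is a hypothetical wrapper around the DNS provider's update
# API that points vpn.domain.com at NAME (server1 or server2).

PRIMARY="${PRIMARY:-server1.domain.com}"
STATE="${STATE:-/var/run/vpn-failover.state}"  # "<consecutive_failures> <current_target>"
THRESHOLD="${THRESHOLD:-3}"                     # failed probes needed before repointing

# probe_primary: exit 0 if the primary answers ICMP echo (Linux iputils ping flags).
# This is what Gabriel used; it shows the host is reachable, not that the OpenVPN
# daemon is actually serving.
probe_primary() {
    ping -c 2 -W 3 "$PRIMARY" >/dev/null 2>&1
}

# decide_target FAILS PROBE_RC THRESHOLD  ->  prints "NEWFAILS TARGET"
# Demanding THRESHOLD consecutive failures keeps one lost ping from flipping the
# CNAME; a successful probe resets the count and points the alias back to server1.
decide_target() {
    fails="$1"; rc="$2"; threshold="$3"
    if [ "$rc" -eq 0 ]; then fails=0; else fails=$((fails + 1)); fi
    if [ "$fails" -ge "$threshold" ]; then
        echo "$fails server2"
    else
        echo "$fails server1"
    fi
}

run_check() {
    if [ -f "$STATE" ]; then read -r fails current < "$STATE"; else fails=0; current=server1; fi
    probe_primary; rc=$?
    set -- $(decide_target "$fails" "$rc" "$THRESHOLD")
    newfails="$1"; target="$2"
    if [ "$target" != "$current" ]; then
        if updatedns "$target"; then
            logger -t vpn-failover "vpn CNAME repointed to $target"
        else
            target="$current"   # update failed: keep the old target so the next run retries
        fi
    fi
    echo "$newfails $target" > "$STATE"
}

# Run as: vpn-failover.sh check   (no argument does nothing, so it can be sourced)
case "${1:-}" in check) run_check ;; esac
```

With a one-minute cron interval and THRESHOLD=3, an outage is acted on after about three minutes, and the 5m TTL on the vpn CNAME bounds how much longer clients keep resolving server1, so new connections land on server2 within roughly three to eight minutes. Sessions already established on server2 are not disturbed when the CNAME moves back to server1.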
