• Status: Solved
• Priority: Medium
• Security: Public
• Views: 1622

Openvpn Failover

Hello,

I have OpenVPN Access Server installed on server 1 at a datacenter.

I want to set up a second one as a backup, but at a different location (in fact, a different country).

OpenVPN Access Server failover works well via the LAN model (UCARP-based failover) when it is in the same subnet (using a virtual IP), but these servers will be in different subnets. Basically I want it to work the way it does now with copying the config and users to the secondary node, but I want both nodes to be active all the time; users will only connect to the second server if the first one is down, via a DNS setup rather than UCARP-based failover.

Can this be done in the Access Server? Or if not, what about the free version?
0
Asked: AUCKLANDIT
2 Solutions
 
Daniel McAllisterPresident, IT4SOHO, LLCCommented:
Hello AUCKLANDIT,

Let's look at your question from a protocol perspective:
To make an OpenVPN connection to a server, you will connect to an IP address, usually referenced by a DNS name.
So in that first step, using DNS to "failover" to the backup server will work fine -- but it cannot be an "automatic" failover, as DNS doesn't work that way.
Let's say server1.domain.com is at 1.1.1.1 and server2.domain.com is at 2.2.2.2. You want users to primarily connect to server1, so you create a DNS CNAME (or A record) called openvpn.domain.com that points to server1 (or 1.1.1.1).

If you create a second CNAME (or A record) in DNS pointing to server2, the nature of DNS will cause the two servers to be "load balanced".

Therefore, your failover will need to either use a different method, have some kind of automated DNS change, or be manual in nature.

====

The second part of the OpenVPN protocol will be much easier to accomplish -- the authentication. By synchronizing (or backing up) your "primary" OpenVPN site to the backup, you can virtually guarantee that the server's credentials will match, as well as the keys that the clients will use to connect. -- But don't overlook this point. For your backup OpenVPN server to act properly, it MUST use the same public/private key pair, and must similarly use the same public/private key pairs for the client systems (or users, if you're using something like a USB drive to house the OpenVPN executable and keys).

I hope this helps...

Dan
IT4SOHO
0
 
QlemoC++ DeveloperCommented:
You already know that OpenVPN's "remote" switch allows for multiple addresses and different distribution methods (round-robin/random, or on fail only)?
0
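The "remote" directive Qlemo refers to, shown for a community-edition (open source) OpenVPN client profile. This is an added example, not code from the thread: a small generator that emits a profile listing both servers, so the default in-order behaviour (server2 is only tried when server1 does not answer) can be compared with "remote-random" (the client shuffles the list, which spreads users over both nodes). The hostnames, port, certificate file names and timeouts are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): emit an OpenVPN community-edition
# client profile whose "remote" list names both servers. With several remote
# lines the client tries them in the order listed, so server2 is only used
# when server1 does not answer; "remote-random" shuffles the list instead,
# which spreads users over both servers. Hostnames, port and file names are
# assumptions for the example.

# write_profile MODE HOST... -> profile text on stdout; MODE is failover|random
write_profile() {
  mode=$1
  shift
  printf 'client\ndev tun\nnobind\n'
  for host in "$@"; do
    printf 'remote %s 1194 udp\n' "$host"
  done
  if [ "$mode" = random ]; then
    # Randomise the starting point in the list: load balancing, not failover.
    printf 'remote-random\n'
  fi
  # Keep resolving forever (the VPN may be the only way out), wait at most
  # 30 s for a reply from one remote before moving on to the next, and try
  # each remote at most 10 times before the client gives up entirely.
  printf 'resolv-retry infinite\n'
  printf 'server-poll-timeout 30\n'
  printf 'connect-retry-max 10\n'
  # The standby must present a server certificate the CA below trusts;
  # replicating the primary's server cert and key, as described in the
  # thread, means both nodes offer the same certificate.
  printf 'remote-cert-tls server\n'
  printf 'ca ca.crt\ncert client.crt\nkey client.key\n'
  printf 'persist-key\npersist-tun\nverb 3\n'
}

# count_remotes PROFILE -> how many "remote" lines the profile contains
count_remotes() {
  printf '%s\n' "$1" | grep -c '^remote '
}

# nth_line PROFILE N -> line N of the profile (used to check the remote order)
nth_line() {
  printf '%s\n' "$1" | sed -n "${2}p"
}

# sh gen.sh failover server1.domain.com server2.domain.com > client.ovpn
if [ "$#" -gt 0 ]; then write_profile "$@"; fi
```

Whichever mode is used, the standby can only accept these clients if it presents a server certificate their "ca" trusts, which is the key-pair point Dan makes above. Unlike the DNS approach, the failover decision here is taken by each client at connect time, so no record has to be changed when server1 goes down.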
 
AUCKLANDITAuthor Commented:
Thanks Dan, I tried this last night and it works. I will post the backup .sh soon.

Qlemo, no? Is this the OpenVPN Access Server you are talking about, or the open source one?
0
 
AUCKLANDITAuthor Commented:

#!/bin/bash
# Copy the Access Server configuration from this (primary) node to SERVER2.
# The licences directory is left out: each node needs its own licence.
ARCHIVE=/root/openvpn.tar.gz

rm -f "$ARCHIVE"
# Stop the service so the config databases are not written to while archived.
/etc/init.d/openvpnas stop
# tar strips the leading "/", so the archive unpacks relative to / on the other side.
tar -pczf "$ARCHIVE" --exclude "/usr/local/openvpn_as/etc/licenses" /usr/local/openvpn_as/etc
/etc/init.d/openvpnas start

scp "$ARCHIVE" SERVER2:/root/openvpn.tar.gz

# Unpack on the standby with its service stopped, then bring it back up.
ssh root@SERVER2 '/etc/init.d/openvpnas stop ; cd / && tar xzf /root/openvpn.tar.gz ; /etc/init.d/openvpnas start'

0
 
Daniel McAllisterPresident, IT4SOHO, LLCCommented:
AUCKLANDIT,

Not sure what your code snippets are trying to accomplish, except the transfer of license data... but instead of the tar & ssh, might I suggest rsync over ssh?

Dan
IT4SOHO
0
 
AUCKLANDITAuthor Commented:
That is what I used to transfer the data, except the licence data, which you cannot copy as you need your own licences on each server. Yes, rsync is better.
0
 
Gabriel OrozcoSolution ArchitectCommented:
I have done what you want to do using dnsmadeeasy.

In fact, I believe you can use any DNS allowing you to use an update mechanism like dns-sec or something similar.

You can update the "A" record if using a DDNS server like dnsmadeeasy, or a CNAME, like in the code I show.

Then the only thing you need to do is a keepalive on the secondary: if the secondary is unable to communicate with the primary, launch the update ("updatedns server2") and that's it.

I have done it with the free version.

You can use a more mature tool for the failover; ping has worked for me.




server1   A      1.1.1.1
server2   A      2.2.2.2
$TTL 5m
vpn       CNAME  server1


0
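Dan's point that the DNS change has to be automated, and Gabriel's keepalive on the secondary, put together as an added example (not code from the thread): a watchdog run on server2 that probes server1 and, after several consecutive failures, moves the vpn CNAME from the zone fragment above to server2. In place of the dnsmadeeasy "updatedns" call it sends an RFC 2136 dynamic update with BIND's nsupdate, signed with a TSIG key; the zone, hostnames, key file, name server and probed port are assumptions.

```shell
#!/bin/sh
# Watchdog for the standby node (server2): after THRESHOLD consecutive failed
# probes of the primary, repoint the vpn CNAME at server2 with an RFC 2136
# dynamic update (BIND's nsupdate, signed with a TSIG key). Zone, hostnames,
# key file and the probed port are assumptions for this example.
ZONE=domain.com
RECORD=vpn.domain.com
PRIMARY=server1.domain.com
STANDBY=server2.domain.com
NAMESERVER=ns1.domain.com
TSIG_KEY=/etc/vpn-failover.key   # made with tsig-keygen; the zone must allow updates with it
THRESHOLD=3                      # lost probes in a row before failing over
TTL=300                          # the same 5 minutes as the zone fragment above

# probe HOST PORT -> succeeds when a TCP connection is accepted within 5 s.
# This proves a daemon is listening, not that the tunnel works end to end.
probe() {
  nc -z -w 5 "$1" "$2" >/dev/null 2>&1
}

# next_state FAILS RC -> new count of consecutive failures.
# One successful probe resets the count, so a single lost packet never flips DNS.
next_state() {
  if [ "$2" -eq 0 ]; then echo 0; else echo $(($1 + 1)); fi
}

# should_failover FAILS CURRENT -> succeeds when the record has to be moved
# (threshold reached and the CNAME does not already point at the standby).
should_failover() {
  [ "$1" -ge "$THRESHOLD" ] && [ "$2" != "$STANDBY" ]
}

# nsupdate_script TARGET -> the update batch: drop the old CNAME, add the new one.
nsupdate_script() {
  printf 'zone %s\nupdate delete %s CNAME\nupdate add %s %s CNAME %s.\nsend\n' \
    "$ZONE" "$RECORD" "$RECORD" "$TTL" "$1"
}

send_update() {
  nsupdate_script "$1" | nsupdate -k "$TSIG_KEY"
}

# current_target -> where the CNAME points now, without the trailing dot.
current_target() {
  dig +short CNAME "$RECORD" | sed 's/\.$//'
}

run_watchdog() {
  fails=0
  while :; do
    # If this node cannot even reach the name server, the fault is probably
    # on our side; do not move the record while we are the isolated party.
    if probe "$NAMESERVER" 53; then
      probe "$PRIMARY" 443
      rc=$?
      fails=$(next_state "$fails" "$rc")
      if should_failover "$fails" "$(current_target)"; then
        send_update "$STANDBY"
      fi
    fi
    sleep 30
  done
}

# "sh failover.sh watchdog" runs the loop; sourcing the file only defines the functions.
if [ "${1:-}" = watchdog ]; then run_watchdog; fi
```

The record is only ever moved to server2; moving it back once server1 is verified healthy is left as a manual step, so the two nodes cannot pass the name back and forth over a flapping link. The 5 minute TTL bounds how long cached answers keep sending new connections to the dead node, and the change only affects clients that (re)connect, which is what the question asks for.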
