Solved

Openvpn Failover

Posted on 2011-02-27
8
1,534 Views
Last Modified: 2012-05-11
Hello,

I have OpenVPN Access Server installed on server 1 at a datacenter.

I am wanting to set up a second one as backup but want to do this at a different location (in fact country).

OpenVPN Access Server failover works well via the LAN model (UCARP-based failover) when it's in the same subnet (using a virtual IP), but these servers will be in different subnets. Basically I want it to work the way it does with how it copies the config and users to the secondary node, but I want both nodes to be active all the time. Users will only connect to the second server if the first one is down, due to DNS setup, not UCARP-based failover.

Can this be done in the Access Server? Or if not, what about the free version?
0
Question by:AUCKLANDIT
8 Comments
 
LVL 20

Accepted Solution

by:
Daniel McAllister earned 450 total points
ID: 34999462
Hello AUCKLANDIT,

Let's look at your question from a protocol perspective:
To make an OpenVPN connection to a server, you will connect to an IP address usually referenced by a DNS name.
So in that first step, using DNS to "failover" to the backup server will work fine -- but it cannot be an "automatic" failover, as DNS doesn't work that way.
Let's say server1.domain.com is at 1.1.1.1 and server2.domain.com is at 2.2.2.2. You want users to primarily connect to server1, so you create a DNS CNAME (or A record) called openvpn.domain.com that points to server1 (or 1.1.1.1).

If you create a second CNAME (or A record) in DNS pointing to server2, the nature of DNS will cause the two servers to be "load balanced".

Therefore, your failover will need to either use a different method, have some kind of automated DNS change, or be manual in nature.

====

The second part of the OpenVPN protocol will be much easier to accomplish -- the authentication. By synchronizing (or backing up) your "primary" openvpn site to the backup, you can virtually guarantee that the server's credentials will match, as well as the keys that the clients will use to connect.  -- But don't overlook this point. For your backup openvpn server to act properly, it MUST use the same public/private key pair, and must similarly use the same public/private key pairs for the client systems (or users, if you're using something like a usb-drive to house the openvpn executable and keys).

I hope this helps...

Dan
IT4SOHO
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 34999591
You know already that OpenVPN's "remote" switch allows for multiple addresses and different distribution methods (round-robin/random, or on fail only)?
0
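The client-side alternative Qlemo refers to, written out as an added example (not configuration from the thread or from either OpenVPN product): a community-edition client config with several `remote` lines, using the thread's placeholder hostnames and the default port 1194 as assumptions.

```conf
# OpenVPN (community edition) client config with built-in failover.
# Hostnames and port are assumed placeholders; adjust to your own servers.
client
dev tun
proto udp
# Several "remote" lines are tried in the listed order, moving to the next one
# only after the current one fails (the "on fail only" behaviour Qlemo mentions)
remote server1.domain.com 1194
remote server2.domain.com 1194
# Uncomment to pick a remote at random instead (round-robin style load spreading)
;remote-random
# Give up on an unresponsive server after 10 seconds instead of waiting for the
# full connect-retry cycle before trying the next remote
server-poll-timeout 10
# Keep resolving and retrying forever rather than exiting when every remote is down
resolv-retry infinite
# Verify the server certificate is a server cert signed by our CA, so a stray host
# cannot impersonate either node
remote-cert-tls server
# The CA, cert and key must be trusted identically by both servers (Dan's point above)
ca ca.crt
cert client.crt
key client.key
```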
 
LVL 1

Author Comment

by:AUCKLANDIT
ID: 35000386
Thanks Dan - I tried this last night and it works.. I will post the backup sh soon..

Qlemo - no? Is this the OpenVPN Access Server you are talking about - or the open source one?
0
 
LVL 1

Author Comment

by:AUCKLANDIT
ID: 35000541

#!/bin/bash
# Copy this (primary) node's OpenVPN Access Server configuration to the secondary.
# Run as root on the primary; the tarball is staged in /root on both sides.
cd /root
rm -f openvpn.tar.gz
# Stop the service so the config database is not being written while it is archived
/etc/init.d/openvpnas stop
# Licenses are per-server and must not be copied to the secondary
tar -pczf openvpn.tar.gz /usr/local/openvpn_as/etc --exclude "/usr/local/openvpn_as/etc/licenses"
/etc/init.d/openvpnas start
scp /root/openvpn.tar.gz SERVER2:/root/openvpn.tar.gz

# On the secondary: stop the service, unpack the archive over /usr/local/openvpn_as/etc
# (paths inside the tarball are relative to /), then start it again
ssh root@192.168.1.80 '/etc/init.d/openvpnas stop ; mv /root/openvpn.tar.gz / ; cd / ; tar xvfz openvpn.tar.gz ; /etc/init.d/openvpnas start'

0
 
LVL 1

Author Comment

by:AUCKLANDIT
ID: 35000555

#!/bin/bash
# Same sync script with the secondary referred to as SERVER2 throughout.
# Run as root on the primary; the tarball is staged in /root on both sides.
cd /root
rm -f openvpn.tar.gz
# Stop the service so the config database is not being written while it is archived
/etc/init.d/openvpnas stop
# Licenses are per-server and must not be copied to the secondary
tar -pczf openvpn.tar.gz /usr/local/openvpn_as/etc --exclude "/usr/local/openvpn_as/etc/licenses"
/etc/init.d/openvpnas start
scp /root/openvpn.tar.gz SERVER2:/root/openvpn.tar.gz

# On the secondary: stop the service, unpack the archive over /usr/local/openvpn_as/etc
# (paths inside the tarball are relative to /), then start it again
ssh root@SERVER2 '/etc/init.d/openvpnas stop ; mv /root/openvpn.tar.gz / ; cd / ; tar xvfz openvpn.tar.gz ; /etc/init.d/openvpnas start'

0
 
LVL 20

Expert Comment

by:Daniel McAllister
ID: 35001725
AUCKLANDIT,

Not sure what your code snippets are trying to accomplish, except the transfer of license data... but instead of the tar & ssh, might I suggest rsync over ssh?

Dan
IT4SOHO
0
 
LVL 1

Author Comment

by:AUCKLANDIT
ID: 35001741
That is what I used to transfer the data, except licence data, which you cannot copy as you need your own licences on each server. Yes, rsync is better.
0
 
LVL 19

Assisted Solution

by:Gabriel Orozco
Gabriel Orozco earned 50 total points
ID: 35004101
I have done what you want to do using dnsmadeeasy.

In fact I believe you can use any DNS allowing you to use an update mechanism like dns-sec or something similar.

You can update the "A" record if using a DDNS server like dnsmadeeasy, or a CNAME, like in the code I show.

Then the only thing you need to do is a keepalive on the secondary. If the secondary is unable to communicate with the primary, launch the update
"updatedns server2" and that's it.

Have done it with the free version.

You can use a more mature tool for the failover. ping has worked for me.

server1   A      1.1.1.1
server2   A      2.2.2.2
$TTL 5m
vpn       CNAME  server1

0
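A watchdog for the secondary node in the style Gabriel describes (ping the primary, repoint the vpn CNAME after repeated failures, point it back when the primary returns), written as an added example that is not part of the thread. It assumes `updatedns` is the hypothetical wrapper around the DNS provider's update API that his comment names, and reuses the thread's placeholders 1.1.1.1, server1 and server2.

```shell
#!/bin/sh
# Failover watchdog for the secondary OpenVPN node (example, not from the thread).
# Assumes: ping(1) is available and "updatedns <name>" (hypothetical) repoints the
# vpn CNAME in the zone shown above. Run every minute from cron as: vpn-failover.sh check
PRIMARY_HOST="${PRIMARY_HOST:-1.1.1.1}"           # primary OpenVPN AS, thread's placeholder
FAIL_THRESHOLD="${FAIL_THRESHOLD:-3}"            # consecutive failed probes before failing over
STATE_FILE="${STATE_FILE:-/var/run/vpn-failover.state}"

# probe_primary: exit 0 if the primary answers a single ping within 2 s, 1 otherwise.
probe_primary() {
    ping -c 1 -W 2 "$PRIMARY_HOST" >/dev/null 2>&1
}

# next_state: the decision logic, kept free of network calls so it can be tested.
# Args: consecutive-failure count so far, probe result (0=ok, 1=fail), threshold.
# Prints "<new_count> <action>", action being none, failover or failback.
next_state() {
    count=$1; probe=$2; threshold=$3
    if [ "$probe" -eq 0 ]; then
        # Primary reachable: fail back only if we had previously failed over
        if [ "$count" -ge "$threshold" ]; then echo "0 failback"; else echo "0 none"; fi
    else
        count=$((count + 1))
        # Fail over exactly once, on the probe that reaches the threshold
        if [ "$count" -eq "$threshold" ]; then echo "$count failover"; else echo "$count none"; fi
    fi
}

# run_once: load state, probe, decide, persist state, and act on the decision.
run_once() {
    count=0
    [ -f "$STATE_FILE" ] && count=$(cat "$STATE_FILE")
    if probe_primary; then probe=0; else probe=1; fi
    result=$(next_state "$count" "$probe" "$FAIL_THRESHOLD")
    echo "${result%% *}" > "$STATE_FILE"
    case "${result#* }" in
        failover) logger -t vpn-failover "primary $PRIMARY_HOST down, vpn -> server2"
                  updatedns server2 ;;
        failback) logger -t vpn-failover "primary $PRIMARY_HOST back, vpn -> server1"
                  updatedns server1 ;;
    esac
}

# Only touch the network and DNS when explicitly invoked with "check"
if [ "${1:-}" = "check" ]; then
    run_once
fi
```

Because the zone's TTL is 5 minutes, clients may keep using the old target for up to that long after an update; keep the threshold high enough that a brief packet-loss blip does not flip the record and then flip it straight back.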
