Solved

Openvpn Failover

Posted on 2011-02-27
Medium Priority
1,575 Views
Last Modified: 2012-05-11
Hello,

I have openvpn access server installed on server 1 at a datacenter.

I am wanting to set up a second one as backup but want to do this at a different location (in fact country).

Openvpn access server failover works well via the LAN model (UCARP-based failover) when it's in the same subnet (using a virtual IP) but these servers will be in different subnets - basically I want it to work how it does with the way it copies the config and users to the secondary node but I want both nodes to be active all the time - users will only connect to the second server if the first one is down due to DNS setup - not UCARP-based failover.

Can this be done in the access server? Or if not, what about the free version?
Question by:AUCKLANDIT

8 Comments
 
LVL 20

Accepted Solution

by:
Daniel McAllister earned 1800 total points
ID: 34999462
Hello AUCKLANDIT,

Let's look at your question from a protocol perspective:
To make an OpenVPN connection to a server, you will connect to an IP address usually referenced by a DNS name.
So in that first step, using DNS to "failover" to the backup server will work fine -- but it cannot be an "automatic" failover, as DNS doesn't work that way.
Let's say server1.domain.com is at 1.1.1.1 and server2.domain.com is at 2.2.2.2. You want users to primarily connect to server1, so you create a DNS CNAME (or A record) called openvpn.domain.com that points to server1 (or 1.1.1.1).

If you create a second CNAME (or A record) in DNS pointing to server2, the nature of DNS will cause the two servers to be "load balanced".

Therefore, your failover will need to either use a different method, have some kind of automated DNS change, or be manual in nature.

====

The second part of the OpenVPN protocol will be much easier to accomplish -- the authentication. By synchronizing (or backing up) your "primary" openvpn site to the backup, you can virtually guarantee that the server's credentials will match, as well as the keys that the clients will use to connect.  -- But don't overlook this point. For your backup openvpn server to act properly, it MUST use the same public/private key pair, and must similarly use the same public/private key pairs for the client systems (or users, if you're using something like a usb-drive to house the openvpn executable and keys).

I hope this helps...

Dan
IT4SOHO
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 34999591
You already know that OpenVPN's "remote" switch allows for multiple addresses and different distribution methods (round-robin/random, or on fail only)?
0
 
LVL 1

Author Comment

by:AUCKLANDIT
ID: 35000386
Thanks Dan - I tried this last night and it works.. I will post the backup sh soon..

Qlemo - no? Is this the Openvpn Access Server you are talking about - or the open source one?
0
 
LVL 1

Author Comment

by:AUCKLANDIT
ID: 35000541

#!/bin/bash
# Snapshot the Access Server config tree (minus the per-node licenses) on the
# primary, copy it to the standby and unpack it there. Both services are
# stopped while their config directory is read or written.
set -e
cd /root

rm -f openvpn.tar.gz
/etc/init.d/openvpnas stop
tar -pczf openvpn.tar.gz /usr/local/openvpn_as/etc --exclude "/usr/local/openvpn_as/etc/licenses"
/etc/init.d/openvpnas start
scp /root/openvpn.tar.gz SERVER2:/root/openvpn.tar.gz

# Leading "/" was stripped at archive time, so unpacking from / restores the original path.
ssh root@192.168.1.80 '/etc/init.d/openvpnas stop ; mv /root/openvpn.tar.gz / ; cd / ; tar xpzf openvpn.tar.gz ; /etc/init.d/openvpnas start'

0
 
LVL 1

Author Comment

by:AUCKLANDIT
ID: 35000555

#!/bin/bash
# Same as above, with the standby addressed by its hostname in both the scp and ssh steps.
set -e
cd /root

rm -f openvpn.tar.gz
/etc/init.d/openvpnas stop
tar -pczf openvpn.tar.gz /usr/local/openvpn_as/etc --exclude "/usr/local/openvpn_as/etc/licenses"
/etc/init.d/openvpnas start
scp /root/openvpn.tar.gz SERVER2:/root/openvpn.tar.gz

# Leading "/" was stripped at archive time, so unpacking from / restores the original path.
ssh root@SERVER2 '/etc/init.d/openvpnas stop ; mv /root/openvpn.tar.gz / ; cd / ; tar xpzf openvpn.tar.gz ; /etc/init.d/openvpnas start'

0
 
LVL 20

Expert Comment

by:Daniel McAllister
ID: 35001725
AUCKLANDIT,

Not sure what your code snippets are trying to accomplish, except the transfer of license data... but instead of the tar & ssh, might I suggest rsync over ssh?

Dan
IT4SOHO
0
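Added example, not code from the thread: the rsync-over-ssh variant Dan suggests, leaving the standby's own licenses/ untouched as AUCKLANDIT notes, followed by a digest comparison of both config trees so the "same key pairs on both nodes" requirement from the accepted answer can be checked after every sync. The path /usr/local/openvpn_as/etc, the hostname SERVER2 and the openvpnas init script come from the author's script; running the digest on the standby by piping this script through ssh is an assumption of mine.

```shell
#!/bin/sh
# Added example (not from the thread): mirror the Access Server config tree to
# the standby over rsync/ssh, leave each node's own licenses/ alone, then
# compare a content digest of both trees so any drift is visible.
set -eu

SRC_DIR="/usr/local/openvpn_as/etc"     # path used in the author's script
STANDBY="${STANDBY:-SERVER2}"           # standby hostname from the thread

# Digest of every file under $1 except licenses/, sorted by path so the
# result is stable. Equal digests on both nodes mean the server and client
# key material stored in this tree is identical, which Dan's answer requires.
tree_digest() {
    if command -v sha256sum >/dev/null 2>&1; then sum=sha256sum; else sum="shasum -a 256"; fi
    ( cd "$1" && find . -type f ! -path './licenses/*' -exec $sum {} + \
        | sort -k2 | $sum | cut -d' ' -f1 )
}

# Push the tree to the standby. Its service is stopped during the copy (as in
# the author's tar script) so its config databases are not written
# mid-transfer. --delete leaves the excluded licenses/ directory untouched.
sync_to_standby() {
    ssh "root@$STANDBY" '/etc/init.d/openvpnas stop'
    rsync -a --delete --exclude='licenses/' "$SRC_DIR/" "root@$STANDBY:$SRC_DIR/"
    ssh "root@$STANDBY" '/etc/init.d/openvpnas start'
}

# Run tree_digest on the standby by feeding this very script to a remote sh,
# then compare with the local digest. Exit status 0 only when they match.
verify_standby() {
    local_sum=$(tree_digest "$SRC_DIR")
    remote_sum=$(ssh "root@$STANDBY" "sh -s digest $SRC_DIR" < "$0")
    [ "$local_sum" = "$remote_sum" ]
}

case "${1:-}" in
    digest) tree_digest "$2" ;;                 # used remotely by verify_standby
    sync)   sync_to_standby && verify_standby && echo "standby in sync" ;;
esac
```

Run as `sync.sh sync` from the primary; a non-zero exit after the copy means the two trees differ and the standby would present different keys to clients.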
 
LVL 1

Author Comment

by:AUCKLANDIT
ID: 35001741
That is what I used to transfer the data, except licence data, which you cannot copy as you need your own licences on each server. Yes, rsync is better.
0
 
LVL 19

Assisted Solution

by:Gabriel Orozco
Gabriel Orozco earned 200 total points
ID: 35004101
I have done what you want to do using dnsmadeeasy.

In fact I believe you can use any dns allowing you to use an update mechanism like dns-sec or something similar.

You can update the "A" record if using a DDNS server like dnsmadeeasy, or a CNAME, like in the code I show.

Then the only thing you need to do is a keepalive on the secondary. If the secondary is unable to communicate with the primary, launch the update
"updatedns server2" and that's it.

Have done it with the free version.

You can use a more mature tool for the failover. ping has worked for me.

server1   A      1.1.1.1
server2   A      2.2.2.2
$TTL 5m
vpn       CNAME  server1

0
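Added example, not code from the thread: the keepalive Gabriel describes, written for the secondary node. It goes a little beyond his sketch: a switch happens only after several consecutive failed probes (so one lost ping does not flip the CNAME), and the record is pointed back at server1 once the primary has answered several times in a row. The address 1.1.1.1 is Dan's example for server1, "updatedns <server>" is the hook name from Gabriel's post, and the ICMP-plus-TCP-port probe and the port value are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): keepalive for the secondary node.
# After THRESHOLD consecutive failed probes of the primary it repoints the
# "vpn" CNAME at server2 through the DNS update hook; after THRESHOLD
# consecutive good probes it points the record back. The probe, the hook
# name and the port are assumptions, not values from the posts.
set -eu

PRIMARY="${PRIMARY:-1.1.1.1}"            # server1 address from Dan's example
PORT="${PORT:-443}"                      # assumed: Access Server's TCP listener
THRESHOLD=3                              # consecutive probes needed to switch
INTERVAL=60                              # seconds between probes (clients still follow within the 5m TTL)
UPDATE_HOOK="${UPDATE_HOOK:-updatedns}"  # Gabriel's "updatedns <server>" hook

# A reply to ping alone can hide a dead daemon, so also require the TCP port.
probe_primary() {
    ping -c 1 -W 2 "$PRIMARY" >/dev/null 2>&1 &&
        nc -z -w 2 "$PRIMARY" "$PORT" >/dev/null 2>&1
}

# next_state TARGET COUNT RESULT -> "TARGET COUNT ACTION"
# TARGET is where the CNAME points now (server1|server2); COUNT is how many
# consecutive probes have argued against it; RESULT is ok|fail for this probe.
# ACTION is "none" or the server the record must now be switched to.
next_state() {
    target=$1; count=$2; result=$3
    if   [ "$target" = server1 ] && [ "$result" = fail ]; then count=$((count + 1))
    elif [ "$target" = server2 ] && [ "$result" = ok ];   then count=$((count + 1))
    else count=0; fi                           # one agreeing probe resets the run
    if [ "$count" -lt "$THRESHOLD" ]; then echo "$target $count none"; return; fi
    if [ "$target" = server1 ]; then echo "server2 0 server2"; else echo "server1 0 server1"; fi
}

# Poll forever, calling the hook only when next_state reports a switch.
watch() {
    target=server1; count=0
    while :; do
        if probe_primary; then r=ok; else r=fail; fi
        set -- $(next_state "$target" "$count" "$r")
        target=$1; count=$2
        [ "$3" = none ] || "$UPDATE_HOOK" "$3"
        sleep "$INTERVAL"
    done
}

if [ "${1:-}" = run ]; then watch; fi
```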
