Dual OpenVPN sites

Hi Experts,

I am in charge of implementing an infrastructure solution for a system of web services and web applications in the health sector. Currently, I have the following system:

On the main site, I have my application servers and database servers, which are accessible to clients through a remote access server (which is OpenVPN Access Server). Every client is issued a set of configuration files and certificates, which he uses to connect to the production network, and then work in the web applications or use a web service.

Now I need to implement a backup location, a rented server with ESXi 5.0 installed on it. I will have all the backup application and database servers virtualized as a backup system, so if anything in my primary location fails, the clients would be redirected to my backup location. One of those servers will be OpenVPN Access Server, which will have to accept incoming connections from clients if the primary VPN server fails. Maybe it is worth saying that these two sites will be connected over a site-to-site VPN tunnel.

I would like to know if anyone had a similar problem, and how it would be possible to set it up in a way that all the clients would connect to the primary location, and ONLY connect to the backup site if the primary is offline. Also, I need a reliable mechanism for clients to reconnect to the primary site as soon as it comes back online.

I know that I could add another "remote xxx.xxx.xxx.xxx" directive to the clients, so they will look for the second VPN server, but I am not sure whether they will be dispersed between the two VPN servers, since I need them to be connected to the primary location 99.99% of the time.


Thank you
slakic asked:

d4durveshCommented:
Check this, it may help you:

http://forum.pfsense.org/index.php?topic=32429.0
0
slakicAuthor Commented:
This is an interesting post, but I'm afraid it doesn't help in my case, since I'm trying to set up OpenVPN failover between two geographically different sites, which means that not only are the IP addresses on the VPN servers different, but the servers themselves are physically apart.
0
d4durveshCommented:
Hmmm, then I think you should try the link below for detailed guidance about OpenVPN, and don't forget to convey your regards and let me know whether this has solved your problem or not :-)

http://openvpn.net/index.php/open-source/documentation/howto.html

Also try the following links:

https://forums.openvpn.net/topic8907.html
https://www.tunnelr.com/faq/index.php/article/printer/openssh-openvpn-dual-accounts
0
slakicAuthor Commented:
Well, this doesn't help me much; I've been reading parts of the OpenVPN documentation so many times.

What I wanted to know is if someone had a similar setup, and what solution worked the best.
Since I have OpenVPN Access Server, which keeps all of its configuration in SQLite database files, one of the options to keep both VPN servers in sync would be to rsync those db files between the servers, but my main problem is automating the process of rerouting client connections to the primary location when it's back online. Maybe someone had a similar problem which required some Perl or bash scripting.
0
d4durveshCommented:
Sorry, I never had such an issue, so I am not able to find the exact solution to your query, but I think you should then refer to this:

http://forum.pfsense.org/index.php?topic=32429.0;wap2

Or if this does not help either, then I would recommend you ask your query directly to OpenVPN customer support; for this, use the following link:
http://openvpn.net/index.php/support-center.html
0
ArneLoviusCommented:
How about using an FQDN instead of an IP address, and then just changing the IP address in a DR situation?

0
slakicAuthor Commented:
I was thinking about DNS failover, but the problem is I need clients to switch to the other VPN server immediately, but with DNS failover they'll have to deal with the local DNS cache, as well as their ISP's cache.
0
ArneLoviusCommented:
Well, you can have the server set via preference, but you'll need to find a way of preventing access to the secondary unless the primary is down.

http://www.imped.net/oss/misc/openvpn-2.0-howto-edit.html#loadbalance
0
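The preference-ordered client profile ArneLovius is pointing at, written out as an added example (it is not from the thread, from OpenVPN, or from the asker's Access Server profiles). The two hostnames, ports and timeouts are placeholders; it also shows the one directive that would cause the dispersion the question worries about.

```conf
# Added example: OpenVPN 2.x client profile fragment for a
# preferred-primary / fallback-secondary layout. Hostnames, port and
# timer values are placeholders, not values from the thread.
client
dev tun
proto udp
nobind
persist-key
persist-tun

# Refuse to connect to a peer whose certificate lacks the server
# extended key usage, so a stolen client cert cannot pose as a site.
remote-cert-tls server

# Entries are tried in the order listed; the client only moves on to
# the next entry after the previous one fails to answer. Putting the
# primary first is what makes it the preferred site.
remote vpn-primary.example.org 1194
remote vpn-backup.example.org 1194

# The weak setting: 'remote-random' shuffles the list before each
# connection attempt and would spread clients over both sites.
# Leave it commented out (or absent) for a primary/backup design.
# remote-random

# Give up on an unanswered entry after this many seconds and try
# the next one, so failover is bounded by the timer rather than by
# DNS caching. Keep cycling the list (5 s between passes) until a
# server answers, even if the hostnames cannot be resolved at first.
server-poll-timeout 10
connect-retry 5
resolv-retry infinite

# Tell the server on a clean exit so its session state is freed
# immediately rather than after the keepalive timeout (UDP only).
explicit-exit-notify 1
```

Note that a client which has landed on the secondary keeps that session until it drops; it will not walk back to the primary on its own, which is the failback gap ArneLovius mentions. One way to close it, not discussed in the thread, is for the secondary to stop accepting or to end its client sessions once the primary is reachable again, so the next connection attempt prefers the primary.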
slakicAuthor Commented:
Thanks for the post, this was generally what I had in mind.
0