slakic asked:

Dual OpenVPN sites

Hi Experts,

I am in charge of implementing an infrastructure solution for a system of web services and web applications in the health sector. Currently, I have the following system:

On the main site, I have my application servers and database servers, which are accessible to clients through a remote access server (which is OpenVPN Access Server). Every client is issued a set of configuration files and certificates, which he uses to connect to the production network, and further on work on web applications, or get a web service.

Now I need to implement a backup location, a rented server with ESXi 5.0 installed on it. I will have all the backup application and database servers virtualized as a backup system, so if anything in my primary location fails, the clients would be redirected to my backup location. One of those servers will be OpenVPN Access Server, which will have to accept incoming connections from clients if the primary VPN server fails. Maybe it is worth saying that these two sites will be connected over a site-to-site VPN tunnel.

I would like to know if anyone had a similar problem, and how it would be possible to set it up in a way that all the clients would connect to a primary location, and ONLY connect to the backup site if the primary is offline. Also, I need a reliable mechanism for clients to reconnect to the primary site as soon as it comes back online.

I know that I could add another "remote xxx.xxx.xxx.xxx" directive to clients, so they will look for the second VPN server, but I am not sure whether they will be dispersed between the two VPN servers, since I need them to be connected to the primary location 99.99% of the time.

Thank you
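
The question about a second `remote` directive, as an added example that is not part of the original thread: an OpenVPN client tries its `remote` entries in the order listed unless `remote-random` is set, so an issued profile can be checked for that ordering before it goes out. The hostnames, the sample profile and the function names are constructed for illustration.

```python
# Added example: audit an OpenVPN client profile for ordered primary/backup failover.
# Hostnames and the sample profile are constructed placeholders, not from the thread.

SAMPLE_PROFILE = """\
client
dev tun
proto udp
# Primary first, backup second: remotes are tried in the order listed.
remote vpn-primary.example.org 1194
remote vpn-backup.example.org 1194
server-poll-timeout 10   # give up on an unresponsive server after 10 s
resolv-retry infinite
"""

def parse_directives(text):
    """Return each config line as a list of tokens, ignoring comments and blanks."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        directives.append(line.split())
    return directives

def audit_failover(text, primary):
    """Return a list of findings; an empty list means the ordering is as intended."""
    directives = parse_directives(text)
    names = {d[0] for d in directives}
    remotes = [d[1] for d in directives if d[0] == "remote" and len(d) > 1]
    findings = []
    if len(remotes) < 2:
        findings.append("no backup remote: client has nowhere to fail over to")
    if not remotes or remotes[0] != primary:
        findings.append("primary is not the first remote")
    if "remote-random" in names:
        findings.append("remote-random shuffles the list: clients spread across both servers")
    if not names & {"server-poll-timeout", "connect-timeout"}:
        findings.append("no connect timeout set: failover waits for the built-in default")
    return findings

if __name__ == "__main__":
    for finding in audit_failover(SAMPLE_PROFILE, "vpn-primary.example.org") or ["ok"]:
        print(finding)
```

An ordered list covers failover only: a client already connected to the backup stays there until that session ends, so the return to the primary still needs a separate mechanism.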
d4durvesh:

Check this, this may help you:

http://forum.pfsense.org/index.php?topic=32429.0
slakic (ASKER):

This is an interesting post, but I'm afraid it doesn't help in my case, since I'm trying to set up OpenVPN failover between two geographically different sites, which means that not only are the IP addresses on the VPN servers different, but the servers themselves are physically apart.

Hmmm, then I think you should try the link below for detailed guidance about OpenVPN. And don't forget to convey your regards and let me know whether this has solved your problem or not :-)

http://openvpn.net/index.php/open-source/documentation/howto.html 

Also try the following links:

https://forums.openvpn.net/topic8907.html
https://www.tunnelr.com/faq/index.php/article/printer/openssh-openvpn-dual-accounts
slakic (ASKER):

Well, this doesn't help me much, I've been reading parts of the OpenVPN documentation so many times.

What I wanted to know is if someone had a similar setup, and what solution worked best.
Since I have OpenVPN Access Server, which keeps all of its configuration in SQLite database files, one of the options to keep both VPN servers in sync would be to have rsync between the servers for those db files, but my main problem is automating the process of rerouting client connections to the primary location when it's back online. Maybe if someone had a similar problem which required some Perl or Bash scripting.

Sorry, I never had such an issue, so I am not able to find the exact solution to your query, but I think you should then refer to this:

http://forum.pfsense.org/index.php?topic=32429.0;wap2

Or, if this does not help either, then I would recommend you ask your query directly to OpenVPN consumer support; for this, use the following link:
http://openvpn.net/index.php/support-center.html

ArneLovius:

How about using an FQDN instead of an IP address, and then just changing the IP address in a DR situation?

slakic (ASKER):

I was thinking about DNS failover, but the problem is I need clients to switch to the other VPN server immediately, but with DNS failover they'll have to deal with the local DNS cache, as well as their ISP's cache.

ASKER CERTIFIED SOLUTION
ArneLovius:

This solution is only available to members.

slakic (ASKER):

Thanks for the post, this was generally what I had in mind.