[Pacemaker] OpenVPN in HA, sharing client connections

Arnold Krille arnold at arnoldarts.de
Tue Jul 10 16:40:12 EDT 2012


This is what we did (spoiler: no pacemaker)

We connect the openvpn hosts via tinc (could also be openvpn, but tinc is
more flexible when both servers initiate the connection) and put these
tunnels into a bridge (with stp).
Then all these nodes run openvpn with server certificates from the same
ca, and all have the client definitions in a ccd. You can't use the
dhcp-like mode of openvpn, so we decided to push the ip from the ccd.
You could also maybe forward the request to one (or two) real
dhcp servers. These openvpn tunnels also end in the bridges of the
tinc network.
The config is kept in sync with csync2.

That way the vpn keeps working even if only one of the currently three
servers is running. And there is no server-side downtime when one server
fails, only the time until the clients reconnect to a different server.

And it works with different servers in different datacenters and only
needs normal internet connections, no dedicated links.


Yes, I consider non-interactive protocols that fail on connection-reset
to be broken. Interactive protocols (like ssh+screen, rdesktop, x2go)
all survive a reset because the user can re-instantiate the connection
and work on as before.


Arnold

On 10.07.2012 13:01, Arturo Borrero Gonzalez wrote:
> Hi there!
> 
> The OpenVPN server has a 'management interface' that allows the admin to
> delete, add, modify and authorize client connections.
> 
> As far as I know, there isn't any pre-established method for
> sharing connections between openvpn servers, so in cases like
> failover and/or active-active configurations the behavior is pretty
> rudimentary (just using an LSB resource to start and stop the daemon).
> 
> I'm looking for something or someone that previously showed interest
> in this topic.
> If not, I will investigate the creation of a new RA or maybe a tiny
> daemon for deploying in master/slave modes.
> I think using netcat I'm able to get all openvpn data and also use
> netcat to inject the data into another openvpn server.
> 
> What approach should I have? Any recommendations?
> 
> Best regards.
> 
> 

-- 
This email was created electronically and is valid without a handwritten
signature.


