Linux – OpenVPN failover

failover linux openvpn vpn

In my company we have two offices in two totally different locations. A is the main office, and B is the secondary. There is a VPN server at the A office, and every computer accesses the A network via this OpenVPN server. Last year we had some error with the VPN server and the people couldn't work in the B office because of that. My question: is there a failover method for OpenVPN? We want to set up another VPN server, but how do we solve the failover part if something happens?

Best Answer

One of my clients depends heavily on OpenVPN over a multi-site setup, and we take two approaches:

  1. The main OpenVPN service is provided by two machines, in an HA-failover pair using heartbeat/CRM. If one goes down, the other takes over the shared IP addresses, and service continues. Existing sessions will be dropped, but the clients usually reauthenticate automatically, and we have found this is fairly painless for users in practice.

  2. The second site also has a working OpenVPN endpoint, and all users have a second config for backup. If the internet connection to the main site goes down, they can point their OpenVPN clients at the second config, and some semblance of normal life can continue.

If you do this, and you use username/password authentication of the user as well as certificate-based authentication of the endpoint, we've found that it's quite important to federate the authentication environment (e.g., authenticate via LDAP). Otherwise users forget their access tokens on the infrequently-used endpoints, or fail to update them everywhere, and any failover triggers a deluge of "my password doesn't work" calls.

The federated service should be provided with a similar degree of resiliency as the OpenVPN servers themselves, otherwise all you've done is upstream your SPOF.
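As an added illustration (not part of the answer above, and not the answerer's configuration), the two client configs from approach 2 can be merged into one OpenVPN client profile that tries the second site automatically; this goes a step beyond the manual switch the answer describes. The hostnames, port and file names are placeholders, and the profile assumes both endpoints are signed by the same CA and accept the same federated credentials.

```conf
# Added example: single client profile with ordered failover.
# Hostnames, port and file names below are placeholders.
client
dev tun
proto udp

# Endpoints are tried in the order listed. The first is the shared
# (HA pair) address at the main site, the second is the backup site.
remote vpn-a.example.com 1194
remote vpn-b.example.com 1194

# Give up on an unresponsive endpoint after 10 seconds and move on
# to the next remote instead of waiting for the default timeout.
server-poll-timeout 10

# Wait 5 seconds between connection attempts.
connect-retry 5

# Keep retrying DNS resolution, so a temporary resolver outage does
# not make the client exit.
resolv-retry infinite

# Detect a dead tunnel: send a ping every 10 seconds and restart the
# connection (walking the remote list again) after 60 seconds of
# silence from the server.
ping 10
ping-restart 60

nobind
persist-key
persist-tun

# Certificate-based authentication of the endpoint. Both servers must
# present certificates issued by this CA (assumption of this example).
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server

# Username/password authentication of the user. Both endpoints should
# check it against the same federated backend (e.g. LDAP), so the same
# credentials work whichever remote answers.
auth-user-pass
```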