OpenVPN multiple servers on the same subnet, high availability

high-availability, networking, openvpn, vpn

Hey everyone. Let me start by saying that my Linux experience isn't super awesome but I can usually find my way around things easily.

Over at work we have an OpenVPN setup that's been due for some improvement for a while now. The main server (tap mode) runs in our office, behind a rather slow DSL connection. The main problem is that, since I'm usually out of the office, every time I want to access something on the virtual network I have to go through that server to get anywhere else.

We have two servers up on 100 Mbit connections that we use for development and production purposes, about 3 more servers in the office (one of them behind a different T1 line for VOIP) and about two dozen clients who use the network on a daily basis from various locations.

We've had situations where network routing (outside of our control) would not allow people to reach our main OpenVPN server whilst the other locations were connectable. Also any time someone outside the office wants to fetch something from any of the servers (say, a 500 MB code repository), a whopping 20 KB/s download speed is just unacceptable these days (did I mention slow DSL? ok). We had to implement traffic shaping on this server since maxing out this connection was fairly trivial.

I had the thought of running two (or more) OpenVPN servers in the network. These would have to have the same subnet though, as our application relies on the virtual network's IP addresses for some of its core functionality. The clients would also preferably retain the same IP addresses, but that's not vital.

For simplicity, let's call the current server office and the second server I'm setting up cloud. Call the server on the T1 phone.

This proved to be rather complex because as soon as I connect to cloud, I cannot see office. Any routes to a server that would go through office also do not work while I'm connected to cloud (no ping, nothing) and vice versa. There are no iptables rules that would be blocking the traffic either.

Recently I came across this article on Linux Journal, but the solution they provide seems to cover only the use of two servers and is somewhat outdated (I can't even find much documentation; their wiki is offline). They also state that adding more servers would be a complex task.

Ideally I would like to keep the existing server office running the virtual network and also run the OpenVPN daemon on the cloud and phone servers (100 Mbit and very reliable connection, respectively) so that we're on safe ground in case of a hardware failure, DSL failure, etc.

So, in essence, I'm looking for a highly available OpenVPN solution (fix, patch, hack, tweak, whatever you want to call it) that will accept connections on multiple hosts (2 or more) whilst keeping the same IP address subnet regardless of the server to which you connect.

Thanks for reading and sorry for the long post, I hope it gets the point across 😛

EDIT:

Another important part I forgot to mention is that the 3 servers need to have consistent IP addresses on the virtual network because our application logic relies directly on these. The clients are irrelevant; they can have any address, but the servers need to communicate between themselves. If you know of a different solution (some sort of DNS for the entries within 10.8.0.*, perhaps), please include it. Thanks again.

EDIT 2:

Added a network map; it's not great but should get the point across. Note that for any server to communicate with any other server, it must always go through the Office server. This is intended, although I would like to change that functionality to Cloud.

Network Map

Best Answer

I have played with networking and OpenVPN quite a lot (10+ years as a sysadmin at an ISP), so how about this simple solution.

Create an entry in DNS that has n IP addresses for one host (round-robin).

In the OpenVPN client config, put that host name as the remote so that round robin is achieved.

On the VPN server have two network cards: one is connected to a public IP (round-robin address 1), the other one is connected to the private class. Second server: a different public address (round-robin address 2), same private class.

Create a tap0 interface that is bridged to the private interface, and have a single DHCP server manage addressing for your clients.

This way I think you can achieve as much redundancy as you want.
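The layout this answer describes, written out as an added example (not part of the original answer): a client config that connects through a round-robin DNS name, and a server config that is identical on every server and puts the tap interface on a bridge with the private LAN so one DHCP server hands out all addresses. The host names (vpn.example.com, office.example.com, cloud.example.com), the bridge name br0 and the certificate file names are assumptions; it also assumes, as the answer does, that both servers share the same private L2 segment and that tap0 has already been added to br0 together with the private NIC.

```conf
# --- client.conf (identical for every client) ---
client
dev tap
proto udp
# Option A (the answer's approach): one DNS name with an A record per server;
# the resolver rotates the answer, so clients spread across office and cloud
remote vpn.example.com 1194
# Option B (no DNS change needed): list each server explicitly and let
# remote-random shuffle the order; uncomment these and drop Option A
#remote office.example.com 1194
#remote cloud.example.com 1194
#remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
# only accept a peer whose certificate carries the server role, so a leaked
# client certificate cannot pose as one of the VPN servers
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
verb 3

# --- server.conf (same file on office and cloud; only the public IP differs) ---
port 1194
proto udp
# tap0 is assumed to already be a member of bridge br0 with the private-LAN NIC,
# so a client lands on the same L2 segment whichever server it reaches
dev tap0
# no arguments = DHCP-proxy mode: clients get their lease from the single DHCP
# server on the bridged LAN, and the servers keep their fixed private addresses
server-bridge
client-to-client
keepalive 10 120
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
persist-key
persist-tun
verb 3
```

DHCP-proxy mode relies on a DHCP client bound to the TAP adapter (Windows does this by itself; a Linux client has to run one on its tap device), so if some clients cannot do that, give server-bridge an explicit gateway, netmask and pool range instead.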
