
I have two OpenBSD NAT/firewall boxes with CARP for failover / high availability purposes. What would be the best possible practice to ensure that OpenVPN, which I plan on running on these boxes, fails over gracefully as well?

imaginative

2 Answers


OpenVPN doesn't support any kind of state sharing between two different daemon instances, so no, you can't have seamless failover.

But, you can always configure your clients to handle a server failure gracefully. If this kind of redundancy meets your needs, you can achieve it by combining two features that OpenVPN does actually have:

1) automatically re-trying after getting disconnected from the server, AND 2) connecting to a randomly-chosen server on each attempt, from a pre-defined list.

The basic idea is that you can run two (or three, or more) OpenVPN servers, and add all of their IP addresses or hostnames to your VPN client configurations. Also, the client should re-try quickly in order to minimize the downtime experienced by the user. When one server fails, the client rotates to the next address in its connect-to list, and the connection gets re-established in pretty short order.

The documentation is available at:

In particular, you'll probably want to look at these configuration options:

  • remote
  • connect-retry
  • connect-retry-max
  • remote-random
  • ifconfig-pool-persist

You should be able to add these options, client-side, on top of any combination of other client/server options you might already be using. Just remember to keep 'connect-retry' low, and 'connect-retry-max' high (possibly even infinite), and it should work pretty well.

Ryan B. Lynch
  • For UDP connections, use `keepalive` on the server, rather than `connect*` – xofer Oct 18 '12 at 23:49
  • Be sure to use the manual for your version: http://openvpn.net/index.php/open-source/documentation/manuals.html – xofer Oct 18 '12 at 23:50
  • How do clients connected to different servers communicate with each other if the servers are not connected in some way? – vaab Sep 18 '14 at 07:21
  • @vaab I think both servers run the exact same configuration, therefore from the client's point of view it doesn't matter which one they connect to, to join the network. – Luke Jun 06 '15 at 06:18
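As an added example (constructed here, not from the answer above or from the OpenVPN project), this is a client configuration fragment that combines the options the answer lists; the server hostnames, port, retry intervals and file names are placeholders:

```conf
# Constructed client-side example: two OpenVPN servers, client-driven failover.
client
dev tun
proto udp
nobind

# Every server the client may use; hostnames and port are placeholders.
remote vpn1.example.com 1194
remote vpn2.example.com 1194

# Keep retrying DNS if a name does not resolve during an outage.
resolv-retry infinite

# Pick a random entry from the remote list on each attempt,
# so clients spread across servers instead of piling onto the first one.
remote-random

# Retry quickly after a failure (seconds between attempts).
# connect-retry-max is left at its default, which is unlimited.
connect-retry 2

# Notice a dead UDP peer: ping every 10 s, treat 60 s of silence as
# a failed link and reconnect. The server's 'keepalive' directive
# pushes equivalent ping/ping-restart values, so these are a local fallback.
ping 10
ping-restart 60

# Keep the tunnel device and keys across restarts so a reconnect is cheaper.
persist-tun
persist-key

ca ca.crt
cert client.crt
key client.key
```

For this to work, every listed server must accept the same client certificates (same CA and matching server-side options). `ifconfig-pool-persist` is a server directive and each server keeps its own pool file, so a client that fails over to the other server may receive a different tunnel address; anything that depends on a fixed per-client address needs a matching `ifconfig-pool-persist` file or explicit client-config-dir entries on both servers.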

Without losing the current session?

Anyways you could always use ifstated(8) to sense a CARP demotion and start the OpenVPN server.
Actually I don't know if there would be any issues with the MASTER and SLAVE running the OpenVPN server at the same time.

Colin
  • I don't see any reason why that would be a problem. +1. I don't think it's possible to do without losing the current session... – Antoine Benkemoun Feb 09 '10 at 20:43
  • What would be the point of waiting until the master fails to start OpenVPN on the slave? Neither OpenVPN instance cares whether the other is running. Really, it sounds like you're suggesting that he handle the failover on the server side, using IP takeover or something similar. That's not how OpenVPN is designed to operate--the client is supposed to handle the failover, not the server. Trying to implement a server-side failover solution strikes me as adding complexity while adding zero additional value. Am I missing something? – Ryan B. Lynch Feb 18 '10 at 21:28
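As an added illustration of the ifstated(8) approach in this answer (constructed here, not the answer's own configuration), an `/etc/ifstated.conf` that starts OpenVPN when `carp0` becomes MASTER and stops it on demotion; the interface name, daemon path and config path are placeholders:

```conf
# Constructed example /etc/ifstated.conf: run OpenVPN only on the CARP master.
# carp0, the openvpn path and /etc/openvpn/server.conf are placeholders.

init-state auto

# A carp interface reports link "up" while it is MASTER.
carp_master = "carp0.link.up"

state auto {
	if $carp_master
		set-state master
	if ! $carp_master
		set-state backup
}

state master {
	init {
		run "/usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf"
	}
	if ! $carp_master
		set-state backup
}

state backup {
	init {
		run "pkill -f /etc/openvpn/server.conf"
	}
	if $carp_master
		set-state master
}
```

ifstated is enabled by setting `ifstated_flags=""` in `/etc/rc.conf.local`; the `run` commands are passed to the shell, so they should be kept simple and fully qualified. As the comment thread notes, this only controls which box runs the daemon; clients still need their own retry settings to reconnect after the switch.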