
I have a setup with an openvpn server and many clients connected to it. All those clients have fixed ip addresses, derived from their certificate name.

Behind the openvpn server, I have a management server, that needs to connect to the clients (to monitor/perform some remote commands).

                 |-C1
                 |-C2
A -- VPN server -|
                 |-C3
                 |-C4

Server A can connect to C1-4 through the VPN, using fixed ips.

What I want to do is expand the setup to multiple VPN servers (to handle server outages, and spread the load), while still having a simple way for A to find any specific remote client.

                     |-C1
                     |-C2
   |-- VPN server 1 -|
A -|
   |-- VPN server 2 -|
                     |-C3
                     |-C4

I know how to configure the clients to pick one of the openvpn servers at random, what I don't know is how to manage ip allocation.

Should I keep a single subnet for the servers? In that case, how does A know behind which server an ip is? Should I have one subnet per openvpn server? In that case, how does A know which IP address to contact?

I've looked a bit into dynamic routing systems, but I would have to manage one route per client ip, which seems very wrong... Another option would be to keep a DNS (or DNS-like) service updated with the mapping {client-name => current ip address}, but that seems complicated, and I'm not sure all our software stack can adapt to it.

How are these kinds of failover setups usually handled?

Matt Benzene

1 Answer

a DNS (or DNS-like) service updated with the mapping {client-name => current ip address}

Handling this on the OpenVPN server(s) is relatively easy with a --client-connect script on the OpenVPN servers. The client-connect script is passed the IP address of the new connection. You can then use that to call nsupdate to adjust your DNS records.

Here is an old script I have that logged the external address of the connecting client, which isn't what you want, but I am sure you can find the right variables if you review the Environmental Variables section of the man page.

#!/bin/sh

# expects variables like these from openvpn
#common_name=server1.example.org
#trusted_ip=192.168.47.1
# (trusted_ip is the client's public address as seen by the server;
#  the address assigned inside the tunnel is in ifconfig_pool_remote_ip)

dnssrv="192.168.0.1"
zone="vpn.example.org"
ttl="7200"

# DNS record name: move the host from the certificate's domain into the VPN zone
record=$(echo "${common_name}" | sed -e 's/example.org/vpn.example.org/')

echo "client-connect.sh ${common_name} ${trusted_ip} ${record}" | logger

# build the nsupdate transaction and feed it to nsupdate on stdin
(
 echo "server ${dnssrv}"
 echo "zone ${zone}"

 echo "update delete ${record} A"
 echo "update add ${record} ${ttl} A ${trusted_ip}"
 echo "send"
) | /usr/bin/nsupdate
Zoredache