
I have two OpenVPN servers, and two machines connecting to them.

Server 1 openvpn address: 10.158.1.1
Server 2 openvpn address: 10.158.2.1

Machine 1 has address 10.158.1.11 on server 1, 10.158.2.11 on server2.
Machine 2 has address 10.158.1.12 on server 1, 10.158.2.12 on server2.

A simple text-based diagram looks like:

10.158.1.11 (machine1) <-------(10.158.1.1 server1)-------> 10.158.1.12 (machine2)
10.158.2.11 (machine1) <-------(10.158.2.1 server2)-------> 10.158.2.12 (machine2)

At this point everything is fine, I can ping 1.11 from 1.12, 2.11 from 2.12 and so on.

So the machines can reach each other over two VPN interfaces via the OpenVPN server (client-to-client enabled in the OpenVPN server).

What I would like to achieve is to have a bonded interface, so that the machines talk to each other over just one IP.

Example: 10.159.0.1 for machine 1, and 10.159.0.2 for machine 2.

Tried to put tap10 and tap20 (the OpenVPN interfaces, respectively) in bonding mode active-backup, but if I use MII, obviously it does not sense whether a VPN interface is down, as OpenVPN does not put the TAP interface down if the link goes down.
Also tried to use ARP monitoring, but then bonding thinks all interfaces are down, as ARP does not work when the interfaces are enslaved. Tried to use GRE tunnels (to be more specific, GRETAP, not regular GRE, which is only L3) over the OpenVPN TAPs, but they failed just like normal TAP interfaces.

PS: Machine 2 and Server 1 are running Debian 9; Server 2 and Machine 1 are running Debian 8.
On the Debian 8 systems I am using backported OpenVPN 2.4, so the OpenVPN versions match.

Any ideas what to do?
Thank you for your input!

WorK

1 Answer


I would begin to answer this by stating that your strategy won't work. You're not going to get bonding over these interfaces. When you get into routing, you've abandoned the notions of bonding and are now in the realm of advanced routing technologies like BGP or load balancing VPN servers themselves. However, without knowing your requirements I can't make a very solid recommendation.

BGP is very likely to be a potential answer here for possible external networking requirements, as it can route multiple commonly located ISPs together for "internet" link redundancy. You can even use it to dynamically route across geographic regions and provide geo-diverse availability. You might not need that, but if you have two sites under your control for the same purpose you might consider something like that.

If you want to create locally colocated server clusters for OpenVPN, either instead of or in addition to advanced routing, you will need to employ a stateful (application) load balancer for active/active clustering, or utilize Linux HA with Pacemaker to manage resources in a failover cluster.

Both of these suggestions are generally too complicated to expand on to completion via this medium, and are generally meant to act as pointers for you to possibly reconstruct your strategy.

And finally, I hate making product recommendations; they don't age well. However, at the time of this writing, pfSense is a fantastic out-of-the-box product that will help you to cluster OpenVPN into an HA pair and manage BGP traffic. If you're lost on the details and want a working concept or product, this may help you. That firewall appliance takes only a few minutes to get fully functional, even in a virtual machine.

Spooler
  • My goal is far simpler than that. I would like to have an IP address that always points to the other machine, regardless of which underlying VPN interface is working or not. So if VPN1 goes down, machine2 is still reached without the software having to handle two connections (two VPN IPs). – WorK Aug 13 '17 at 10:39
  • Have you considered the use of a single VPN on a client that dynamically connects to more than one VPN server? I imagine you would only get failover with that, but I've also never taken such an approach. It seems to me a solid one at first thought, and might meet your spec well. – Spooler Aug 13 '17 at 10:44
  • Nevermind, I see that it's trivial to cluster. Take a look at this document: https://docs.openvpn.net/how-to-tutorialsguides/administration/active-active-high-availability-setup-for-openvpn-access-server/ – Spooler Aug 13 '17 at 10:45
  • I had a thought about that way, and to be honest, I can configure my software to use both IP addresses to communicate with each other, but it adds complexity, and I thought it would be a better idea to manage this whole thing at the OS/IP level, so the server software doesn't have to bother with what's going on. Just talk to each other. – WorK Aug 13 '17 at 10:48
  • In a very specific scenario that might function well, but you also might have to consider how that's going to scale. Keeping as much configuration centrally and as little on client machines generally keeps maintenance costs of your solution down. At least when things fail in that model, you have more consistently one throat to choke in order to solve your problems. In general, what you suggest isn't the model that has been developed for, so you're not going to find many resources on it beyond one-off experiments. I'm not saying it's impossible to do it that way, though. – Spooler Aug 13 '17 at 10:57
  • Actually the "machine" refers to a backend server in this scenario; the server acts like a proxy this time. So two internet-facing VPSs around the world with two physical servers in other countries (machine1, machine2). "Clients" connect to server1 and server2. – WorK Aug 13 '17 at 11:10
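A route-based way to get what the asker describes in the comments (one stable IP that always reaches the other machine over whichever VPN path is alive), added here as an example that is not code from the question, the answer, or the OpenVPN project. It reuses the addresses and tap names from the question, assumes each machine holds its 10.159.0.x address on a dummy interface, and the FAILOVER_RUN variable and function names are hypothetical.

```shell
#!/bin/sh
# Route-based failover for one stable peer address over two OpenVPN paths.
# Hypothetical setup (not from the post): this host is machine1 and holds
# 10.159.0.1 on a dummy interface; 10.159.0.2 must always reach machine2,
# which is 10.158.1.12 on tap10 and 10.158.2.12 on tap20. machine2 runs the
# mirror image and holds 10.159.0.2 on a dummy interface of its own.
LOCAL_STABLE="10.159.0.1"
PEER_STABLE="10.159.0.2"
PATHS="10.158.1.12:tap10 10.158.2.12:tap20"   # preferred path first
# True when the peer answers one ping sent out of the given tap interface.
path_up() { ping -c 1 -W 1 -I "$2" "$1" >/dev/null 2>&1; }
# Pure decision step: given "addr:iface:up|down" results, print the first
# usable "addr iface" pair; fail if every path is down.
choose_path() {
    for entry in $1; do
        addr=${entry%%:*}; rest=${entry#*:}
        iface=${rest%%:*}; state=${rest#*:}
        if [ "$state" = "up" ]; then
            printf '%s %s\n' "$addr" "$iface"
            return 0
        fi
    done
    return 1
}
# Probe every configured path and emit the list consumed by choose_path.
probe_paths() {
    out=""
    for p in $PATHS; do
        addr=${p%%:*}; iface=${p#*:}
        if path_up "$addr" "$iface"; then st=up; else st=down; fi
        out="$out $addr:$iface:$st"
    done
    printf '%s\n' "${out# }"
}
# Point the /32 host route for the stable address at the chosen next hop and
# source it from our own stable address; "replace" is idempotent.
apply_route() { ip route replace "$PEER_STABLE/32" via "$1" dev "$2" src "$LOCAL_STABLE"; }
# Re-check every 5 s; keep the last good route if all paths are down.
monitor_loop() {
    while :; do
        if sel=$(choose_path "$(probe_paths)"); then
            set -- $sel
            apply_route "$1" "$2"
        fi
        sleep 5
    done
}
# Start the loop only when asked: FAILOVER_RUN=1 sh failover.sh (as root).
if [ "${FAILOVER_RUN:-0}" = "1" ]; then monitor_loop; fi
```

Because each end probes independently, the two hosts can briefly disagree on the path during a switch, so loose reverse-path filtering (net.ipv4.conf.tapX.rp_filter=2) on the tap interfaces avoids replies being dropped in that window.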