OPNsense Forum

English Forums => High availability => Topic started by: meschmesch on September 22, 2023, 12:34:18 PM

Title: HA and OpenVPN
Post by: meschmesch on September 22, 2023, 12:34:18 PM
Hi,
I have trouble understanding the concept of HA and OpenVPN. I currently use HA for all interfaces besides OpenVPN, working great. My "normal" implementation for a certain interface is creating a Virtual IP address like 192.168.22.100 for CARP and assigning a static IP on the individual machines for the interfaces, like 192.168.2.2 for the first machine and 192.168.22.3 for the second machine.

However, for OpenVPN I have to define the IP upon creating the VPN server. But upon creating it, the only option given to me is to set the IP like "192.168.22.0/24", and the explanation is "This directive will set up an OpenVPN server which will allocate addresses to clients out of the given network/netmask. The server itself will take the .1 address of the given network for use as the server-side endpoint of the local TUN/TAP interface".

So, I cannot use the same VPN subnet on the first and second machines since they are automatically assigned the same server IP 192.168.22.1. I understand that I would have to set the server IP like 192.168.2.2 for the first machine and 192.168.22.3 for the second machine. That would follow my general logic?

So, how can HA be implemented here? Please note that I'm not interested in seamless VPN operation in case HA switches the firewalls. It just serves to simplify the setup of common firewall rules and VPN servers on the machines.

Thank you!
Title: Re: HA and OpenVPN
Post by: Patrick M. Hausen on September 22, 2023, 12:48:11 PM
Use identical configuration of both OpenVPN servers - a client will always ever be connected to one and the tunnel networks are strictly "virtual". You will not experience any address conflict, because they are not connected to each other but local to each node.

Then use the CARP address of the cluster as the OpenVPN endpoint for your clients.
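The arrangement described in the reply above, as an added example that is not from the thread or from OPNsense itself: the same server directives on both nodes, and a client profile that only knows the cluster's CARP address. Port 1196 is taken from the bind error later in the thread and the tunnel network from the first post; 203.0.113.10 and the certificate file names are placeholders.

```conf
# ---- server.conf: identical on node A and node B (added example) ----
dev tun
proto udp
port 1196
# Tunnel network from the thread. Each node hands out client addresses from
# this range and takes .1 for itself. The two server instances are never
# connected to each other, so both using 192.168.22.1 is not a conflict.
server 192.168.22.0 255.255.255.0
# Deliberately no "local <address>" line: without it OpenVPN binds to all
# addresses, so whichever node currently holds the CARP VIP answers on it
# without any node-specific setting in the shared configuration.
# multihome makes a UDP server reply from the address the client contacted
# (the VIP) instead of the node's own address.
multihome
# Placeholder certificate material; both nodes must carry the same files.
ca ca.crt
cert server.crt
key server.key
dh dh.pem
persist-key
persist-tun
keepalive 10 60

# ---- client.ovpn: handed to users (added example) ----
client
dev tun
proto udp
# Connect to the CARP (shared) WAN address, never to a node's own address.
# 203.0.113.10 is a constructed placeholder for the cluster's WAN VIP.
remote 203.0.113.10 1196
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
```

After a CARP failover the client simply reconnects to the same address and lands on the other node; the session is not carried over, which matches the requirement stated in the first post.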

Title: Re: HA and OpenVPN
Post by: meschmesch on September 22, 2023, 01:01:23 PM
Thank you. What do you mean by
Quote: Then use the CARP address of the cluster as the OpenVPN endpoint for your clients.

The clients connect from the internet to the Firewall which has the respective Openvpn port open?
Title: Re: HA and OpenVPN
Post by: Patrick M. Hausen on September 22, 2023, 01:21:05 PM
Yes, but they should use a HA (CARP) address to connect to the active node.
Title: Re: HA and OpenVPN
Post by: meschmesch on September 22, 2023, 02:06:07 PM
Yes, sure. But this is already ensured since all other interfaces are also exposed to the WAN.
Title: Re: HA and OpenVPN
Post by: meschmesch on September 22, 2023, 02:32:24 PM
Hmmm, under Virtual IP - Status the OpenVPN CARP is reported as "Disabled". Not sure what the problem is? I tried everything that came to my mind. Whenever I choose a VPN interface for CARP, the result is that the status is "DISABLED" and the virtual IP is NOT assigned to the respective VPN interface.

(I create a respective VPN interface per server, to which I try to assign the CARP address.) What am I doing wrong?

Update: I also tried to use the field "Bind address" and input the virtual CARP IP of WAN. The result is
TCP/UDP: Socket bind failed on local address [AF_INET6]fe80::1:1:1196: Can't assign requested address (errno=49) :(