OPNsense Forum

English Forums => High availability => Topic started by: archibaldo on January 23, 2024, 09:25:52 pm

Title: Multiple instances of OPNsense behind a load balancer for OpenVPN (on AWS)
Post by: archibaldo on January 23, 2024, 09:25:52 pm
Hi, everyone!

As the title says, I wonder if it is possible to have 3 (or more) OPNsense instances (all active), with OpenVPN configured and synced between instances, behind a load balancer in order to have many, many devices connected via VPN to these instances. I researched in many forums, including this one, Google, and of course the OPNsense documentation, but only found configuration for HA, with one node active and the other for backup. In my case I need a cluster with all instances active.

Is it possible?

Regards,
Archibaldo.
Title: Re: Multiple instances of OPNsense behind a load balancer for OpenVPN (on AWS)
Post by: archibaldo on January 26, 2024, 10:15:53 pm
Hi, does anyone know if this is possible?
Title: Re: Multiple instances of OPNsense behind a load balancer for OpenVPN (on AWS)
Post by: Patrick M. Hausen on January 26, 2024, 11:23:33 pm
OPNsense HA is built on top of three parts:

Sync of pf state works over multicast, so possibly it can synchronise a complete N node cluster. But for a VPN concentrator you could theoretically do without any complex firewall rules at all. Once users are authenticated to the frontend service, no additional packet filtering takes place in many common scenarios. Does that match your requirements?

Synchronisation of configuration is the main problem to tackle here. Unfortunately the OPNsense cluster mechanism supports only one secondary firewall system to which the active primary node syncs all settings.

So you would need an off-cluster mechanism like scripting via API to push configuration changes to all the nodes.

Once the nodes are in sync - configuration wise - the load balancer on the outside "just" needs to schedule the connections to all nodes with session persistence, probably based on client IP address. So a session never changes the backend OPNsense server.

The last part is how systems on the inside communicate with the VPN sessions. You cannot use CARP because that would single out one system out of the entire cluster to do all the work. Depending on your application you could NAT all incoming VPN connections to the IP address of the particular OPNsense system in some transfer/infrastructure network.

It is certainly doable, but IMHO part of a larger consulting project with lots of testing and step-by-step development involved. I am confident I could create a setup like this - depending on your needs - but would definitely ask you to go through my sales department and hire me as part of my company. This is too big for some flick-of-the-wrist forum help.

Kind regards, HTH,
Patrick
Title: Re: Multiple instances of OPNsense behind a load balancer for OpenVPN (on AWS)
Post by: iMx on January 30, 2024, 09:12:52 am
I know the point of the request is opnsense, but...

If it were me, I'd do it with Linux nodes and then use RADIUS for central authentication. Even with round robin DNS, I found it was 'good enough', i.e. equal enough that I didn't require a load balancer.

Obviously RR DNS doesn't account for node failures, but with all IPs explicitly specified in the configuration (instead of using DNS), remote-random set and/or resolv-retry set to infinite (if using RR DNS/hostnames), OpenVPN itself will then try other server IPs.
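To make the client-side failover that iMx describes concrete, here is an added example OpenVPN client profile; it is not from this thread or from the OPNsense project, and the node addresses, port, file names and the RADIUS-backed `auth-user-pass` login are assumptions.

```conf
# OpenVPN client profile for an all-active, multi-node concentrator.
# Node addresses are constructed placeholders (TEST-NET-3), not real hosts.
client
dev tun
proto udp
nobind
persist-key
persist-tun

# Every node listed explicitly, so the client does not depend on DNS:
# if the first remote does not answer, OpenVPN tries the next one.
remote 203.0.113.11 1194
remote 203.0.113.12 1194
remote 203.0.113.13 1194

# Start from a random entry so clients spread across all nodes instead of
# every client trying the first line first.
remote-random

# Alternative for a round-robin DNS name (assumed name): use this instead of
# the explicit remotes above, and keep resolving forever rather than giving
# up when the name cannot be resolved at startup.
# remote vpn.example.invalid 1194
resolv-retry infinite

# Wait 5 s before retrying a failed node, backing off to at most 60 s.
connect-retry 5 60

# Central user authentication (RADIUS behind the servers, as iMx suggests).
auth-user-pass

# All nodes must present a server certificate from the same CA, otherwise a
# failover to another node fails TLS verification. remote-cert-tls stops a
# client certificate from the same CA being accepted as a server.
ca ca.crt
remote-cert-tls server
verb 3
```

With `remote-random` the nodes should be interchangeable, which is exactly why the configuration (and certificate) sync discussed earlier in the thread matters.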
Title: Re: Multiple instances of OPNsense behind a load balancer for OpenVPN (on AWS)
Post by: archibaldo on February 07, 2024, 10:42:00 pm
Quote from: iMx on January 30, 2024, 09:12:52 am
I know the point of the request is opnsense, but...

If it were me, I'd do it with Linux nodes and then use RADIUS for central authentication. Even with round robin DNS, I found it was 'good enough', i.e. equal enough that I didn't require a load balancer.

Obviously RR DNS doesn't account for node failures, but with all IPs explicitly specified in the configuration (instead of using DNS), remote-random set and/or resolv-retry set to infinite (if using RR DNS/hostnames), OpenVPN itself will then try other server IPs.

Hi, iMx! Thanks for your response. I'll have a look to see if it fits my needs.

Quote from: Patrick M. Hausen on January 26, 2024, 11:23:33 pm
Synchronisation of configuration is the main problem to tackle here. Unfortunately the OPNsense cluster mechanism supports only one secondary firewall system to which the active primary node syncs all settings.

Hi, Patrick! Thanks for your response. I think it is possible to sync more nodes in the following way:

node A with B
node B with C
node C with D ... and so on.

I will try with that.

Regards,
Archibaldo