HA and OpenVPN

Started by meschmesch, September 22, 2023, 12:34:18 PM

Hi,
I have trouble understanding the concept of HA and OpenVPN. I currently use HA for all interfaces besides OpenVPN, working great. My "normal" implementation for a certain interface is creating a virtual IP address like 192.168.22.100 for CARP and assigning on the individual machines for the interfaces a static IP like 192.168.2.2 for the first machine and 192.168.22.3 for the second machine.

However, for OpenVPN I have to define the IP upon creating the VPN server. But upon creation, the only option given to me is to set the IP like "192.168.22.0/24", and the explanation is "This directive will set up an OpenVPN server which will allocate addresses to clients out of the given network/netmask. The server itself will take the .1 address of the given network for use as the server-side endpoint of the local TUN/TAP interface".

So, I cannot use the same VPN subnet on the first and second machines since they are automatically assigned the same server IP 192.168.22.1. I understand that I would have to set the server IP like 192.168.2.2 for the first machine and 192.168.22.3 for the second machine. That would follow my general logic?

So, how can HA be implemented here? Please note that I'm not interested in seamless VPN operation in case HA switches the firewalls. It just serves to simplify the setup of common firewall rules and VPN servers on the machines.

Thank you!

Use identical configuration of both OpenVPN servers - a client will only ever be connected to one, and the tunnel networks are strictly "virtual". You will not experience any address conflict, because they are not connected to each other but local to each node.

Then use the CARP address of the cluster as the OpenVPN endpoint for your clients.

Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thank you. What do you mean by
Quote: Then use the CARP address of the cluster as the OpenVPN endpoint for your clients.

The clients connect from the internet to the Firewall which has the respective Openvpn port open?

Yes, but they should use a HA (CARP) address to connect to the active node.

yes, sure. But this is already ensured due to all other Interfaces also exposed to the WAN.

September 22, 2023, 02:32:24 PM #5 Last Edit: September 23, 2023, 10:46:17 AM by meschmesch
Hmmm, under Virtual IP - Status the OpenVPN CARP is reported as "Disabled". Not sure what the problem is? I tried everything that came to my mind. Whenever I choose a VPN interface for CARP, the result is that the status is "DISABLED" and the virtual IP is NOT assigned to the respective VPN interface.

(I create a respective VPN interface per server, to which I try to assign the CARP address). What am I doing wrong?

Update: I also tried to use the field "Bind address" and input the virtual CARP IP of WAN. The result is:
TCP/UDP: Socket bind failed on local address [AF_INET6]fe80::1:1:1196: Can't assign requested address (errno=49) :(
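An added example, not code from the thread or from OPNsense/OpenVPN, covering both the advice above (bind the server to the CARP address) and the bind error just quoted. It parses an OpenVPN "Socket bind failed" log line into family, address, port and errno, names the errno with a small FreeBSD table (OPNsense runs on FreeBSD, where 49 is EADDRNOTAVAIL; the number means something else on Linux), and then checks whether a candidate bind address is actually assignable on the host running the script by attempting a real bind(2). The sample log line is a constructed copy of the one in the post; 192.0.2.1 is a documentation address assumed not to be configured on the host.

```python
import errno
import ipaddress
import re
import socket

# Constructed copy of the log line quoted in the thread (FreeBSD / OPNsense).
SAMPLE_LOG = ("TCP/UDP: Socket bind failed on local address [AF_INET6]fe80::1:1:1196: "
              "Can't assign requested address (errno=49)")

# FreeBSD errno values relevant to a failed bind(2). OPNsense runs on FreeBSD,
# whose numbering differs from Linux (49 is EUCLEAN there), so the local errno
# module must not be used to name a number copied out of an OPNsense log.
FREEBSD_ERRNO = {13: "EACCES", 48: "EADDRINUSE", 49: "EADDRNOTAVAIL"}

# Greedy \S+ for the address so IPv6 literals keep all their colons; the
# trailing ":(\d+):" then pins down the port.
BIND_FAIL_RE = re.compile(
    r"Socket bind failed on local address \[(AF_INET6?)\](\S+):(\d+): (.+?) \(errno=(\d+)\)")


def parse_bind_failure(line):
    """Return the parts of an OpenVPN bind failure line, or None if it is not one."""
    m = BIND_FAIL_RE.search(line)
    if not m:
        return None
    family, addr, port, msg, num = m.groups()
    num = int(num)
    return {
        "family": family,
        "address": addr,
        "port": int(port),
        "message": msg,
        "errno": num,
        "errname": FREEBSD_ERRNO.get(num, "unknown"),
    }


def can_bind(address, port=0, proto="udp"):
    """Try a real bind(2) on this host; return (True, None) or (False, errno name).

    EADDRNOTAVAIL means the address is not configured on this machine, which is
    exactly what OpenVPN's "Can't assign requested address" reports. Port 0
    asks the kernel for an ephemeral port so the check never collides with a
    running service.
    """
    fam = socket.AF_INET6 if ipaddress.ip_address(address).version == 6 else socket.AF_INET
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    s = socket.socket(fam, kind)
    try:
        s.bind((address, port))
        return True, None
    except OSError as e:
        # errno.errorcode maps the *running* host's numbers, which is correct here
        # because the bind happened on this host.
        return False, errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


if __name__ == "__main__":
    info = parse_bind_failure(SAMPLE_LOG)
    print(f"log says: {info['family']} {info['address']} port {info['port']} "
          f"-> errno {info['errno']} ({info['errname']})")
    # Candidate bind addresses; a real check would use the cluster's CARP VIP.
    for candidate in ("127.0.0.1", "192.0.2.1"):
        ok, err = can_bind(candidate, 0, "udp")
        print(f"{candidate}: {'bindable' if ok else 'NOT bindable (' + err + ')'}")
```

Run it on the node whose OpenVPN instance refuses to start: if the CARP VIP you entered as "Bind address" comes back as NOT bindable with EADDRNOTAVAIL, the address simply is not present on that host's interfaces, and the fix is on the virtual IP / interface side rather than in the OpenVPN configuration.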