Managing the HA passive node over a VPN session that terminates on the cluster

Started by Zugschlus, Today at 12:14:44 PM

Hi,
given an OPNsense HA installation in a datacenter that only protects servers. The administrators use OpenVPN to connect to the site, and the VPN terminates on the OPNsense cluster as well¹. This works for the active node, but the passive node cannot be accessed, since the passive node has OpenVPN running as well, with the routes to the OpenVPN clients pointing into the (inactive) tunnel. Thus, there is no reverse route and communication cannot happen.

Is there a gold standard to solve this? How bad do you find the idea of NATting the Home Office addresses of the admins to the active node's internal address when accessing the passive node? Or is it just recommended to always use the management network?

Greetings
Marc

¹ there is out of band access and a dedicated management network that can be accessed through a different channel, but that's clumsy to access.
Marc 'Zugschlus' Haber - St. Ilgen, Germany
Freelance IT Insultant, Debian Developer, Railroad Addict

Quote from: Zugschlus on Today at 12:14:44 PM
How bad do you find the idea of NATting the Home Office addresses of the admins to the active node's internal address when accessing the passive node?

This is the recommended way to work around this issue.

Quote from: viragomann on Today at 01:37:54 PM
Quote from: Zugschlus on Today at 12:14:44 PM
How bad do you find the idea of NATting the Home Office addresses of the admins to the active node's internal address when accessing the passive node?

This is the recommended way to work around this issue.

I'd rather not do that on the production internal network link. Did anybody ever try doing that on the PFSYNC link? Can anyone please share their experience with this issue? I guess it's a rather common setup, and the solution is likely to have well hidden pitfalls, and I'd like to use a wheel that was already invented.

Greetings
Marc

NAT the OpenVPN client network to the internal CARP address of the pair. That will work no matter which node is the active one.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

You need to add the rule on the interface through which the traffic goes out.

If you want to access the LAN IP of the secondary, the packets will go out on the LAN interface. If you access the SYNC interface, the packets go out on SYNC.
It's wise to always use the same IP to access the firewall, so you only need the rule on a single interface.

And of course you should limit the rule to the admin source and to the secondary as destination.
Best to use an alias which includes both the IP of the primary and the IP of the secondary, so you can sync the rules to the secondary and they will also work in case it has the master role.
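As an added illustration of the outbound NAT rule described in the last two replies (this is not configuration posted by anyone in the thread), here is what the resulting pf rule looks like on the node that currently holds the CARP master role. All addresses and the interface name are placeholders: 10.8.0.0/24 is assumed to be the OpenVPN client network, 192.0.2.1 the LAN CARP VIP, 192.0.2.2 and 192.0.2.3 the LAN addresses of the primary and secondary, and vtnet1 the LAN interface. On OPNsense you would not edit pf.conf by hand (it is regenerated from the GUI); the equivalent is an outbound NAT rule under Firewall: NAT: Outbound in hybrid or manual mode, with the LAN interface, the admin VPN network as source, an alias holding both node addresses as destination, and the LAN CARP VIP as translation target, synced to the secondary via HA sync.

```pf
# Added example, not from the thread. Placeholder values (assumptions):
#   vtnet1                  LAN interface of the firewall pair
#   10.8.0.0/24             OpenVPN client network used by the admins
#   192.0.2.1               LAN CARP VIP shared by the pair
#   192.0.2.2 / 192.0.2.3   LAN IP of the primary / secondary node
lan_if    = "vtnet1"
admin_vpn = "10.8.0.0/24"
lan_vip   = "192.0.2.1"

# Both node addresses in one table (the "alias" from the reply above), so the
# identical rule is correct on whichever node currently holds the master role.
table <fw_nodes> { 192.0.2.2, 192.0.2.3 }

# Outbound NAT on the LAN interface, only for admin VPN clients talking to a
# node's LAN IP. The backup node then sees the VIP as the source; the VIP lives
# on the master, so the reply never has to use the backup's idle OpenVPN route.
nat on $lan_if from $admin_vpn to <fw_nodes> -> $lan_vip

# All other VPN-to-LAN traffic matches no NAT rule and keeps its real source.
```

To check the rule is active on the master, `pfctl -sn` lists the loaded NAT rules and `pfctl -ss` shows the translated state after an admin session to the secondary's LAN IP. One consequence to keep in mind for auditing: logins on the secondary will show the VIP as the client source, so correlate them with the OpenVPN session log on the master, which still records the user and the tunnel address.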