Redundant OpenVPN configuration

I have two OpenBSD NAT/firewall boxes with CARP for failover / high availability purposes. What would be the best possible practice to ensure that OpenVPN, which I plan on running on these boxes, fails over gracefully as well?


OpenVPN doesn't support any kind of state sharing between two different daemon instances, so no, you can't have seamless failover.

But, you can always configure your clients to handle a server failure gracefully. If this kind of redundancy meets your needs, you can achieve it by combining two features that OpenVPN does actually have:

1) automatically re-trying after getting disconnected from the server, AND 2) connecting to a randomly-chosen server on each attempt, from a pre-defined list.

The basic idea is that you can run two (or three, or more) OpenVPN servers, and add all of their IP addresses or hostnames to your VPN client configurations. Also, the client should re-try quickly in order to minimize the downtime experienced by the user. When one server fails, the client rotates to the next address in its connect-to list, and the connection gets re-established in pretty short order.

The documentation is available at:

  • http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html

In particular, you'll probably want to look at these configuration options:

  • remote
  • connect-retry
  • connect-retry-max
  • remote-random
  • ifconfig-pool-persist

You should be able to add these options, client-side, on top of any combination of other client/server options you might already be using. Just remember to keep 'connect-retry' low, and 'connect-retry-max' high (possibly even infinite), and it should work pretty well.
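A client-side fragment using the options listed above, added here as an illustration and not part of the original answer. The hostnames, port and timing values are constructed placeholders, and the `ping` lines assume the server does not already push keepalive settings.

```conf
# Failover-related lines for an existing OpenVPN client config.
# Constructed example: hostnames, port and timings are placeholders.

# One "remote" line per server. When a connection attempt fails or the
# tunnel restarts, the client moves on to the next entry in the list.
remote vpn1.example.org 1194
remote vpn2.example.org 1194

# Shuffle the remote list at startup so clients spread across servers.
remote-random

# Keep retrying DNS resolution instead of exiting if a name lookup fails.
resolv-retry infinite

# Seconds to wait between connection attempts (default 5). Keep it low.
# The 2.1 manual linked above documents this for TCP clients.
connect-retry 2

# connect-retry-max defaults to unlimited, so it is left unset here.
# Set a number only if the client should eventually give up.
;connect-retry-max 100

# Over UDP there is no connection to drop, so a dead server is noticed
# by missing pings: send one every 5 s, restart after 15 s of silence.
# The restart is what triggers the move to the next "remote".
ping 5
ping-restart 15

# Keep key material and the tun device across restarts so a client
# that has dropped privileges can still reconnect.
persist-key
persist-tun

# ifconfig-pool-persist is a server-mode option (it records the
# address pool assignments), so it belongs in the server config
# rather than in this client fragment.
```

Because the servers share no state, each reconnect is a fresh TLS handshake against whichever server answers, so every server in the list needs certificates and keys that the clients will accept.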


Without losing the current session?

Anyway, you could always use ifstated(8) to sense a CARP demotion and start the OpenVPN server.
Actually, I don't know if there would be any issues with the MASTER and SLAVE running the OpenVPN server at the same time.