OpenVPN multiple servers on the same subnet, high availability

Solution 1:

I have played with networking and OpenVPN quite a lot (10+ years as a sysadmin at an ISP), so how about this simple solution:

Create an entry in DNS that will have n IP addresses for one host (round-robin).

In the OpenVPN client, set remote to the name of that host so round robin is achieved.

On the VPN server, have two network cards: one connected to the public IP (round-robin address 1), the other connected to the private class. The second server has a different public address (round-robin address 2) and the same private class.

Create a tap0 interface that will bridge addresses to the private interface, and have a single DHCP server that will manage addressing for your clients.

This way I think you can achieve as much redundancy as you want.

Solution 2:

If it's acceptable for clients to get different addresses depending on the server to which they're connected, this is pretty easy to set up. You haven't directly addressed the number of clients you have connected nor the size of your address space (nor whether your VPN is on a dedicated network or whether it shares the same address space as the rest of your office), so I'm making a bunch of assumptions that may very well not be correct. Feel free to reply with corrections.

I'm going to assume:

  • You want to set up three OpenVPN servers, all on the 192.168.1.0/24 network.
  • The OpenVPN servers are the only servers using this address space.
  • Your "internal" network is 10.10.10.0/24.
  • You want at least 20 clients to be able to connect simultaneously to any single server.

You split your VPN network into multiple /27 networks, each associated with a single server. This gives you:

  • Server 1
    • Network: 192.168.1.0/27
    • Server IP: 192.168.1.1
  • Server 2
    • Network: 192.168.1.32/27
    • Server IP: 192.168.1.33
  • Server 3
    • Network: 192.168.1.64/27
    • Server IP: 192.168.1.65

An OpenVPN configuration for the first of these servers would include the following:

server 192.168.1.0 255.255.255.224
push "route 192.168.1.0 255.255.255.0"
push "route 10.10.10.0 255.255.255.0"

For the second, it would include:

server 192.168.1.32 255.255.255.224

...and so forth.

Your network infrastructure will need to have routes to all three servers. That would be something along the lines of:

route add 192.168.1.0/27 gw 192.168.1.1
route add 192.168.1.32/27 gw 192.168.1.33
route add 192.168.1.64/27 gw 192.168.1.65

From the point of view of your applications, any connected client is on the same /24 network. You get three OpenVPN servers (with room for adding more since you're only using addresses up to 192.168.1.95 with this arrangement), or with room for more clients per server.

This is a brief overview of how you would set things up. If something here doesn't make sense or if you want me to go into more detail in a particular area let me know.

NB: written after too much glögg, so may need some syntax and/or fact checking.
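An added example (not part of either answer) that derives the Solution 2 layout from its stated assumptions and checks it: the pool size for a minimum client count, one pool per server, and no overlap with the internal network. The function name `plan`, the `topology subnet` line and the four-address reserve are assumptions of this example; under `topology net30` each client consumes a /30 block, so the same pool holds far fewer clients.

```python
import ipaddress

def plan(vpn_net, internal_net, servers, min_clients):
    """Split vpn_net into equal per-server pools and build config lines."""
    vpn = ipaddress.ip_network(vpn_net)
    internal = ipaddress.ip_network(internal_net)
    if vpn.overlaps(internal):
        raise ValueError("VPN range overlaps the internal network")
    # Assumption: 'topology subnet' (one address per client). Conservative
    # sizing: reserve network, broadcast, the server's address and one spare.
    need = min_clients + 4
    prefix = vpn.max_prefixlen - (need - 1).bit_length()
    if prefix < vpn.prefixlen:
        raise ValueError("VPN range too small for one server's clients")
    pools = list(vpn.subnets(new_prefix=prefix))
    if servers > len(pools):
        raise ValueError(f"only {len(pools)} /{prefix} pools fit in {vpn}")
    result = []
    for pool in pools[:servers]:
        server_ip = pool.network_address + 1  # OpenVPN takes the first host
        result.append({
            "pool": pool,
            "server_ip": server_ip,
            "capacity": pool.num_addresses - 4,
            "openvpn": [
                "topology subnet",
                f"server {pool.network_address} {pool.netmask}",
                f'push "route {vpn.network_address} {vpn.netmask}"',
                f'push "route {internal.network_address} {internal.netmask}"',
            ],
            # Same form as the route lines in the answer above.
            "route": f"route add {pool} gw {server_ip}",
        })
    return result

if __name__ == "__main__":
    for n, s in enumerate(plan("192.168.1.0/24", "10.10.10.0/24", 3, 20), 1):
        print(f"# Server {n}: {s['pool']} (about {s['capacity']} clients)")
        print("\n".join(s["openvpn"]))
        print(s["route"], end="\n\n")
```

Raising `min_clients` above 28 moves the plan to /26 pools, which leaves room for only four servers in the /24.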