We are using the paid version of OpenVPN on AWS. Now we want to set up HA, but we could not find any proper solution for OpenVPN HA on AWS. We tried the OpenVPN documentation, but it doesn't meet the requirement for HA on AWS. Can anyone share/suggest the best solution for OpenVPN HA on AWS?


Solution 1:

Start two OpenVPN Access Server instances and assign an Elastic IP to each of them. Configure them for LDAP authentication, so that you don't need to create all accounts twice and keep them synced across the two instances.

Open the admin interface on ip:443/admin and click LDAP -> Set LDAP:

https://openvpn.net/index.php/access-server/docs/admin-guides/190-how-to-authenticate-users-with-active-directory.html

You can deploy your own LDAP service or you can use:

https://aws.amazon.com/directoryservice

Now you have to decide how you want clients to connect to these instances.

The easiest way is to add to the client config both OpenVPN Access Servers:

remote-random
remote hostname-of-instance1
remote hostname-of-instance2

Alternatively you could create a round robin record in AWS Route53 with both IP addresses and have Route53 monitor the reachability of the nodes and remove the unreachable instance when needed:

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover.html

In this case you only need:

remote round-robin-record

in your OpenVPN clients config file.

Alternatively you could deploy an AWS ELB, choose the number of instances that you want in execution at any time and let the ELB spawn and retire instances as required, whenever they die or become unreachable.

In this case your OpenVPN clients would be connecting to the IP address/hostname of the ELB itself.

EDIT: When one of the OpenVPN servers goes down, your clients will get disconnected, and most likely you want them to automatically reconnect to the surviving OpenVPN server. You can achieve this by adding:

keepalive 10 120

to the OpenVPN config file. More info on: https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html

With this setting, clients and servers will ping each other every 10 seconds. If no traffic is seen by one party for longer than 120 seconds, the tunnel is shut down and restarted.

EDIT2:

If you don't want OpenVPN to prompt the user to re-enter his login/password every time he reconnects, ask him to add this to his OpenVPN client config file:

auth-user-pass auth.txt

Then create a file called auth.txt in the same directory as the config file, with just two lines:

mylogin
mypassword

Make sure the file is adequately protected.
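As an added example (not part of the answer above, and not OpenVPN's own tooling), here is a small Python linter that checks a client config for the directives the answer relies on: at least two remote lines, remote-random, a sane keepalive pair, and an auth-user-pass credential file that is not readable by group or others. The sample config and the hostnames vpn1/vpn2.example.internal are constructed for the example; the permission check assumes a POSIX filesystem.

```python
"""Lint an OpenVPN client config for the HA-related directives.

Added example, not code from the original answer or from OpenVPN.
It parses the client-side directives mentioned in the answer
(remote, remote-random, keepalive, auth-user-pass) and reports gaps,
and checks that the credential file is owner-only readable (POSIX assumed).
"""
import os
import stat
import tempfile

# Constructed sample client config using the directives from the answer.
# Hostnames are placeholders, not real servers.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote-random
remote vpn1.example.internal 1194
remote vpn2.example.internal 1194
keepalive 10 120
auth-user-pass auth.txt
"""


def parse_config(text):
    """Return a list of (directive, [args]); skips blank lines and # / ; comment lines."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives


def check_ha(directives):
    """Return a list of findings about failover-related directives (empty = OK)."""
    remotes = [args for name, args in directives if name == "remote"]
    has_random = any(name == "remote-random" for name, _ in directives)
    keepalive = next((args for name, args in directives if name == "keepalive"), None)
    findings = []
    if len(remotes) < 2:
        findings.append("fewer than two 'remote' entries: no server to fail over to")
    elif not has_random:
        findings.append("'remote-random' missing: load will not be spread across the servers")
    if keepalive is None:
        findings.append("'keepalive' missing: dead tunnels will not be restarted automatically")
    else:
        try:
            ping, timeout = int(keepalive[0]), int(keepalive[1])
        except (ValueError, IndexError):
            findings.append("'keepalive' needs two integer arguments, e.g. 'keepalive 10 120'")
        else:
            if timeout <= ping:
                findings.append("keepalive timeout must be larger than the ping interval")
    return findings


def check_auth_file(directives, config_dir):
    """Check that the file named by 'auth-user-pass' exists and is not group/other readable."""
    for name, args in directives:
        if name == "auth-user-pass" and args:
            path = os.path.join(config_dir, args[0])
            if not os.path.exists(path):
                return ["credential file %s not found next to the config" % args[0]]
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                return ["credential file %s is readable by group/others (mode %s); chmod 600 it"
                        % (args[0], oct(mode))]
            return []
    return []


def lint(config_text, auth_mode=0o600, auth_contents="mylogin\nmypassword\n"):
    """Write the config's credential file into a scratch dir with the given mode
    and return all findings for the config. Credentials here are placeholders."""
    directives = parse_config(config_text)
    with tempfile.TemporaryDirectory() as scratch:
        auth_name = next((a[0] for n, a in directives if n == "auth-user-pass" and a), None)
        if auth_name:
            path = os.path.join(scratch, auth_name)
            with open(path, "w") as fh:
                fh.write(auth_contents)
            os.chmod(path, auth_mode)
        return check_ha(directives) + check_auth_file(directives, scratch)


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["config looks HA-ready"]:
        print(finding)
```

Running the script against a real config only needs parse_config plus check_ha and check_auth_file pointed at the config's own directory; lint exists so the permission check can be exercised without touching a live credential file.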