From Secure Computing Wiki

OpenVPN has no built-in support for high availability (HA). In an HA system there is a primary and a failover (secondary) system; when the primary fails, the secondary takes over with no outage apparent to end users or to traffic passing through the devices. This is common for pass-through devices such as firewalls; endpoint devices, such as web servers, can be made redundant in the same way.

What OpenVPN does support is multiple --remote lines (or <connection> blocks) in a client config, so the client automatically tries the next server entry when it loses its connection. This is failover, not seamless HA: the client only notices the loss when its --ping-restart (or --keepalive) timeout expires, and while it re-negotiates the TLS session and keys with the new server no traffic can pass across the VPN.

HA Routers

A single OpenVPN server with transit through a pair of HA routers.

Corporate networks commonly have a pair, or more, of redundant edge routers responsible for maintaining the business's connections to the outside world. The two main types of High Availability (HA) are Active-Passive and Active-Active.

In Active-Passive mode one router, or system, handles all connections; only when the primary fails does the secondary take over. Some firewalls and routers also synchronize their connection-tracking (state) tables to the standby member. The benefit is that existing firewall states do not need to be re-established after a failover, so there is no perceivable lag during the event.

Active-Active mode allows both routers or systems to handle traffic. Connection state is still synchronized, and if either system fails the other takes over its twin's load. Often these systems attempt to spread the load evenly among the members of the HA group.

With this setup it is simplest to put the OpenVPN server(s) behind the HA edge routers. Router failover events then do not disrupt connections to the VPN server, provided the address and port clients use to reach it survive the failover (a shared virtual address on the router pair, or a static port-forward configured identically on both members). If the tunnel runs over TCP, the routers also need synchronized connection state, or the standby's stateful firewall will drop the established TCP session.

Multiple OpenVPN Servers

Multiple OpenVPN servers with multiple --remote lines in client config.

Small offices and most homes have only a single connection to the Internet, and a redundant edge is uncommon. Even with a single pipe to the Internet, it is simple to add fault tolerance against failure of the VPN server itself (often low-cost or hand-me-down hardware) by adding additional servers. Extra --remote lines in the OpenVPN client config let the client cycle through the possible servers; <connection> blocks add per-server options (protocol, port, proxy settings) and allow the setup to become very robust.
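The client side of the arrangement described above (and of the multiple --remote behaviour introduced at the top of the page), as a constructed example added here rather than configuration taken from the original page or the OpenVPN project: a client that tries two servers over UDP and then falls back to TCP 443 on the first. The hostnames vpn1.example.com and vpn2.example.com, the ports, the file names and the "vpn" certificate-name prefix are assumptions.

```conf
# Constructed example client config (added here; not from the original page).
# Hostnames, ports, file names and the certificate-name prefix are assumptions.
client
dev tun
nobind
persist-key
persist-tun

# Try every <connection> block in turn. remote-random shuffles the order so
# that all clients do not pile onto the first server after a mass reconnect.
remote-random

# Keep retrying DNS indefinitely instead of giving up while the link flaps.
resolv-retry infinite

# Give each candidate server 10 s to answer before moving on to the next one,
# and wait 5 s between full passes over the list.
server-poll-timeout 10
connect-retry 5

# Dead-peer detection: ping every 10 s, restart (and move to the next remote)
# after 60 s of silence. Failover can never be faster than this timeout.
keepalive 10 60

<connection>
remote vpn1.example.com 1194 udp
</connection>

<connection>
remote vpn2.example.com 1194 udp
</connection>

# Last resort: TCP 443 on the primary, for networks that block UDP.
<connection>
remote vpn1.example.com 443 tcp-client
</connection>

# Every server must be authenticated, not just the first one. All servers
# share one CA and one tls-crypt key; remote-cert-tls requires the server
# EKU, and the name check stops the client from accepting any other
# CA-signed certificate (for example a stolen client certificate) as a
# "server" after failover. name-prefix matches CN=vpn1, CN=vpn2, ...
ca ca.crt
cert client.crt
key client.key
tls-crypt ta.key
remote-cert-tls server
verify-x509-name "vpn" name-prefix
```

The ordering of the blocks is the failover order (subject to remote-random). Every server listed must present a certificate that passes both remote-cert-tls and verify-x509-name and must use the same ta.key, otherwise the client will simply fail the handshake with that server and move on, which looks like an outage rather than a failover.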

HA Routers with Multiple OpenVPN Servers

A combination of HA routers with multiple remote OpenVPN servers.

Finally, large networks may have multiple HA edge routers, or another arrangement such as BGP routing, that provide multiple WAN links as well as hardware fault tolerance. To further bolster survivability under outage conditions it makes sense to place additional OpenVPN servers behind these robust WAN connections and hardware. Here, simply add the additional --remote lines or <connection> blocks to the client configs, or publish all server addresses under one name and use DNS round-robin. Make sure each VPN server uses a separate IP range for its clients (a distinct --server subnet): the internal network routes each range back to exactly one server, so overlapping ranges would leave return traffic for clients on the other server with nowhere to go, and would blur the boundaries between your hardened network segments.
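The server side of the "separate IP ranges" rule above, as a constructed example added here (not configuration from the original page or the OpenVPN project): two server configs that share one CA, one tls-crypt key and the same pushed corporate routes, and differ only in the tunnel subnet they hand out. The subnets 10.8.1.0/24 and 10.8.2.0/24, the LAN range 192.168.10.0/24, the file names and the paths are assumptions.

```conf
# Constructed example (added here; not from the original page).
# Two servers, one CA, one ta.key, distinct client subnets. All addresses,
# file names and paths are assumptions.

###### vpn1  (assumed path /etc/openvpn/server/vpn1.conf) ######
port 1194
proto udp
dev tun
topology subnet
# vpn1 hands out addresses from ITS OWN pool ...
server 10.8.1.0 255.255.255.0
# ... but pushes the same corporate route as vpn2, so clients see the same
# internal network whichever server they land on.
push "route 192.168.10.0 255.255.255.0"
keepalive 10 60
ca ca.crt
# CN=vpn1 with the server EKU, so clients' remote-cert-tls and
# verify-x509-name "vpn" name-prefix checks pass.
cert vpn1.crt
key vpn1.key
dh dh.pem
# Same ta.key on every server; a differing key makes failover to this
# server fail the handshake instead of connecting.
tls-crypt ta.key
persist-key
persist-tun

###### vpn2  (assumed path /etc/openvpn/server/vpn2.conf) ######
port 1194
proto udp
dev tun
topology subnet
# Distinct from vpn1's 10.8.1.0/24: the internal router sends 10.8.1.0/24
# to vpn1 and 10.8.2.0/24 to vpn2, so return traffic reaches the server
# that actually holds the client's session.
server 10.8.2.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
keepalive 10 60
ca ca.crt
cert vpn2.crt
key vpn2.key
dh dh.pem
tls-crypt ta.key
persist-key
persist-tun
```

With these two configs the internal router (or the LAN default gateway) needs one static route per server: 10.8.1.0/24 via vpn1's LAN address and 10.8.2.0/24 via vpn2's. If both servers used the same subnet, that route could point at only one of them and clients connected to the other server would receive no return traffic. For DNS round-robin, publish both public addresses under a single name; OpenVPN 2.4 and later clients try each address a name resolves to in turn before moving on to the next remote, so a single `remote vpn.example.com 1194 udp` line covers both servers, but the certificate checks in the client config still have to pass against whichever server answers.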