From Secure Computing Wiki
Revision as of 23:25, 9 October 2014 by Ecrist (talk | contribs)

OpenVPN does not have built-in support for high availability (HA). In a typical HA system there is a primary and a failover (secondary) system; when the primary fails, the secondary takes over with no apparent outage for the end users or for the traffic passing through the devices. This is common with firewalls in pass-through scenarios; web servers are an example of endpoint devices that are made highly available.

OpenVPN does support multiple --remote lines within a client config, which lets the client automatically try the next server entry when the current connection is lost. While the client is re-negotiating with the new server, no traffic can pass across the VPN.

HA Routers

A single OpenVPN server with transit through a pair of HA routers.

Commonly on corporate networks there will be a pair, or more, of redundant edge routers. These routers are responsible for maintaining the business' connections to the outside world. The two main types of High Availability (HA) are Active-Passive and Active-Active.

In Active-Passive mode, one router, or system, will handle all connections. Only when the primary fails will the secondary take over and begin handling connections. Some firewalls and routers exchange link and connection states, known as connection tracking. The benefit of this is states in a firewall don't need to be reestablished, and there's no perceivable lag during a failover event.

Active-Active mode HA allows both routers or systems to handle traffic. There is still connection tracking, and if either system fails, the other begins handling its twin's load. Often, these systems will attempt to spread the load evenly amongst the members of the HA group.

Multiple OpenVPN Servers

Multiple OpenVPN servers with multiple --remote lines in client config.
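The client-side failover described in the introduction and pictured above, as an added example that is not from this wiki page: a client config listing three OpenVPN servers with --remote. The hostnames, ports, file names and the name prefix in verify-x509-name are assumptions for illustration; the directives themselves are standard OpenVPN options (connect-timeout requires OpenVPN 2.4 or later).

```conf
# Added example client config (not from the wiki page). Hostnames, ports
# and certificate file names are assumptions for illustration.
client
dev tun
nobind

# Failover candidates. The client tries the entries in order and wraps
# around; on connection loss it moves to the next one. remote-random
# shuffles the order at startup so clients spread across the servers
# instead of all landing on the first entry.
remote vpn1.example.com 1194 udp
remote vpn2.example.com 1194 udp
remote vpn3.example.com 443 tcp
remote-random

# Keep resolving and reconnecting indefinitely rather than exiting.
resolv-retry infinite
# Wait 5 seconds between connection attempts.
connect-retry 5
# Give each server 15 seconds to respond before trying the next entry.
connect-timeout 15

# Keep the key material and the tun device across reconnects so the
# switch to another server does not require re-reading keys or
# recreating the interface.
persist-key
persist-tun

# Same CA for every server in the list, so any entry that fails over is
# still authenticated. remote-cert-tls rejects a peer that presents a
# client certificate in the server role, and verify-x509-name (here a
# commonName prefix, assumed to match vpn1/vpn2/vpn3) makes sure a
# failover target is one of the intended servers and not just any
# certificate signed by the CA.
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
verify-x509-name vpn name-prefix
```

Every server in the list must present a certificate the client will accept under the same verify-x509-name rule, since that directive is global rather than per --remote; a server whose name does not match is skipped just as if it were down. Expect the gap described above during each failover: the client has to complete a full TLS negotiation with the new server before traffic flows again.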

HA Routers with Multiple OpenVPN Servers

A combination of HA routers with multiple remote OpenVPN servers.