Thanks for your reply, I wondered about keepalive but wasn't sure what happened 
in point-to-point so that needs to be fixed.  I realize I am facing a challenge 
and your point about deadlock added confirmation.  Four connections introduce 
its own complexity as you mentioned in "play with the routing metrics" and that 
concerns me as well.
I've done further thinking about this and right now am leaning toward Site 1 
being servers and Site 2 being clients given our situation.  Currently we're 
using keepalived for fail over (not to be confused with OpenVPN's keepalive - 
see http://keepalived.org/) at Site 1; scripts "move" OpenVPN (shut it down on 
one system, bring it up on the other) between systems if a failover occurs.  
Fortunately configuration is simple and static so synchronizing that for both 
systems isn't an issue.  If we did the same at Site 2 (the backup system shuts 
down OpenVPN) then only one system would be a client and only one system would 
be a server.  Admittedly the transition would be complex but that lasts only a 
few seconds which is acceptable.
It does mean converting from point-to-point to client-server.  Other than 
adding "client" to one configuration, what else is needed?  Is conversion of 
cryptography (ca cert, client cert/key, possibly crl and other files) 
necessary?  If a comparison of the two configurations is available please point 
me to it, the one hit I found didn't address my issue.
And, again, given the challenge, I'm open to any and all input I can receive on 
this approach.


-----Original Message-----
From: Jan Just Keijser <[email protected]>
To: Leroy Tennison <[email protected]>; openvpn-users 
<[email protected]>
Sent: Mon, Nov 12, 2018 4:43 am
Subject: Re: [Openvpn-users] "Point to point" vpn fail over configuration

Hi,

On 09/11/18 23:05, Leroy Tennison wrote:

> I need to set up a "point to point" VPN between two sites, I use the term 
> "point to point" loosely since the endpoint systems on each end aren't really a 
> system but a fail over pair of systems.  We had a true point-to-point 
> connection but then set up a fail over pair of servers at "Site 1".  When we 
> failed over we couldn't get "Site 2" to reconnect.  Our first obvious mistake 
> was we didn't have an additional 'remote...' statement in the Site 2 
> configuration.  We added that (one "remote..." for each Site 1 Internet 
> address) and restarted openvpn.  It reconnected.  However, we then "failed 
> back" at Site 1 and Site 2 did not reconnect, our experience is that Site 2 
> only reconnected if we restarted the Site 2 openvpn.  It occurred to me later 
> that possibly point-to-point configurations couldn't have more than one 
> "remote..." statement but I don't know if that is true.

your site 2 config is missing a
    keepalive 10 60
statement (or 10 120), while site 1 does have it. In client/server mode, the 
server pushes these keepalive settings to its client automatically, but in 
point-to-point mode nothing is pushed or pulled.

> The next phase of this project is to set up fail over systems at Site 1 so 
> things are only going to get more complicated.  I've listed the "sanitized" 
> (changed IP addresses) configurations for Site 1 and Site 2 below for 
> reference.  I'm open to almost any suggestion.  Thanks for the help.
 
If you set up failover using multiple remote statements on both ends then 
there is the chance of a deadlock:

site 2.a is trying to connect to site 1.a but site 1.a is down; in the meantime 
site 1.b is trying to connect to site 2.b which is also down. Site 2 then 
fails over to site 1.b but site 1 fails over to site 2.a, etc.

Depending on the cost of your (internet) connections I'd use failover 
differently: if you have 2 servers at site 1 (1a + 1b) and 2 servers at site 2 
(2a + 2b) I'd set up 4 continuous connections:

site 1a to site 2a
site 1b to site 2a

site 1a to site 2b
site 1b to site 2b

so that would be 4 separate openvpn configurations; I'd then set up routing and 
play with the routing metrics to ensure that the right routes are used/chosen 
(e.g. increase the routing metrics from top to bottom)

HTH,

JJK
 
 
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users
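Added example, not code from this thread or from the OpenVPN project: a small linter that parses two OpenVPN endpoint configs and flags the point JJK makes about keepalive in point-to-point mode (nothing is pushed, so each end needs its own `keepalive`), plus the checks most relevant to Leroy's question about moving to client/server (a static `secret` key cannot be combined with client/server mode, which needs TLS; the server's `keepalive` is what gets pushed to the client). The sample configs, the 203.0.113.x addresses (documentation range) and the file names are constructed for illustration.

```python
"""Lint a pair of OpenVPN endpoint configs for the failover pitfalls raised in
this thread.  Added example, not code from the thread or the OpenVPN project;
the sample configs at the bottom are constructed for illustration."""
import shlex

# Short finding codes; MESSAGES explains each one.
MESSAGES = {
    "no-keepalive": "point-to-point mode: nothing is pushed between peers, so "
                    "each end needs its own 'keepalive' (or 'ping' + "
                    "'ping-restart'); without it a dead peer is never noticed "
                    "and no reconnect to the next 'remote' is triggered",
    "tls-role": "point-to-point TLS needs exactly one 'tls-server' end and "
                "one 'tls-client' end",
    "static-key-in-cs": "'secret' (static key) cannot be combined with "
                        "client/server mode; TLS (ca/cert/key) is required",
    "server-no-keepalive": "server has no 'keepalive', so the client is not "
                           "pushed any dead-peer detection either",
    "client-no-remote": "client mode without any 'remote' line",
    "mode-mismatch": "ends are neither p2p/p2p nor server/client",
}

def parse_openvpn(text):
    """Parse config text into (directive, args) tuples.  Full-line '#'/';'
    comments, blank lines and inline <ca>...</ca> style blocks are skipped."""
    directives, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                      # inside <tag> ... </tag>
            in_block = not line.startswith("</")
            continue
        if not line or line[0] in "#;":
            continue
        if line[0] == "<":
            in_block = True
            continue
        parts = shlex.split(line)         # honours double-quoted arguments
        directives.append((parts[0], parts[1:]))
    return directives

def names_of(directives):
    return {d for d, _ in directives}

def endpoint_mode(directives):
    """'server', 'client', or 'p2p' (neither, as in the thread's setup)."""
    n = names_of(directives)
    if "server" in n or ("mode", ["server"]) in directives:
        return "server"
    if "client" in n or ("pull" in n and "tls-client" in n):
        return "client"
    return "p2p"

def has_dead_peer_detection(directives):
    n = names_of(directives)
    return "keepalive" in n or ("ping" in n and bool(n & {"ping-restart", "ping-exit"}))

def lint_pair(cfg_a, cfg_b, label_a="site1", label_b="site2"):
    """Return [(label, code), ...] for two configs meant to talk to each
    other; an empty list means nothing was flagged."""
    ends = {label_a: parse_openvpn(cfg_a), label_b: parse_openvpn(cfg_b)}
    modes = {label: endpoint_mode(d) for label, d in ends.items()}
    findings = []
    if set(modes.values()) == {"p2p"}:
        for label, d in ends.items():
            if not has_dead_peer_detection(d):
                findings.append((label, "no-keepalive"))
        roles = [names_of(d) & {"tls-server", "tls-client"} for d in ends.values()]
        if any(roles) and sorted(map(tuple, roles)) != [("tls-client",), ("tls-server",)]:
            findings.append(("pair", "tls-role"))
    elif sorted(modes.values()) == ["client", "server"]:
        for label, d in ends.items():
            n = names_of(d)
            if "secret" in n:
                findings.append((label, "static-key-in-cs"))
            if modes[label] == "server" and not has_dead_peer_detection(d):
                findings.append((label, "server-no-keepalive"))
            if modes[label] == "client" and "remote" not in n:
                findings.append((label, "client-no-remote"))
    else:
        findings.append(("pair", "mode-mismatch"))
    return findings

def explain(findings):
    return [f"{label}: {MESSAGES[code]}" for label, code in findings]

# Constructed sample configs (file names and addresses are placeholders).
SITE1_P2P = """
dev tun
proto udp
port 1194
ifconfig 10.8.0.1 10.8.0.2
tls-server
ca ca.crt
cert site1.crt
key site1.key
dh dh.pem
keepalive 10 60
persist-key
persist-tun
"""
SITE2_P2P_BROKEN = """
dev tun
proto udp
# one remote per Site 1 Internet address
remote 203.0.113.10 1194
remote 203.0.113.11 1194
ifconfig 10.8.0.2 10.8.0.1
tls-client
ca ca.crt
cert site2.crt
key site2.key
persist-key
persist-tun
"""
SITE2_P2P_FIXED = SITE2_P2P_BROKEN + "keepalive 10 60\n"
SERVER_CS = "dev tun\nproto udp\nport 1194\nserver 10.8.0.0 255.255.255.0\n" \
            "ca ca.crt\ncert site1.crt\nkey site1.key\ndh dh.pem\nkeepalive 10 120\n"
CLIENT_CS_STATIC = "client\ndev tun\nproto udp\nremote 203.0.113.10 1194\n" \
                   "remote 203.0.113.11 1194\nsecret static.key\n"

if __name__ == "__main__":
    for a, b in [(SITE1_P2P, SITE2_P2P_BROKEN), (SITE1_P2P, SITE2_P2P_FIXED),
                 (SERVER_CS, CLIENT_CS_STATIC)]:
        print(explain(lint_pair(a, b)) or ["nothing flagged"])
```

Point it at the real (sanitized) files to check that both ends of a point-to-point pair carry dead-peer detection before relying on multiple `remote` lines for failover; the client/server branch is there for a first pass over a converted pair. Parsing is deliberately minimal (full-line comments and inline certificate blocks only), so treat anything it flags as something to read in the real file rather than as the last word.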
