On Fri, Jun 19, 2020, 01:35 Calvin Zachman <calvin.zach...@ibm.com> wrote:
> Hi openvpn-users,
>
> Is it possible for multiple VPN clients on the same LAN to expose the same
> remote subnets to other connected clients? I would like to run 2 VPN
> client instances on the same LAN exposing the same subnets (same iroutes)
> for some level of redundancy/high-availability. I am aware that one can run
> multiple VPN servers for redundancy and list them as separate `<remote>`s
> in the client config. I am interested in similar redundancy for VPN clients.
>
> I am running OpenVPN inside Kubernetes. The VPN server runs in a multitenant
> environment alongside Kubernetes Control-Plane/Master components on Subnet
> A while the VPN client(s) run on Subnet B (10.X.X.X/26). I would like to
> provide redundant access to Subnet B in the event that my VPN client
> instance fails. I am using the `--client-to-client` configuration option to
> allow the clients running in the Kubernetes Master to route traffic to the
> `worker` client running on Subnet B. The client-config-directory defines
> the following iroutes for the `worker` client:
>
> 10.95.14.64/26 - Worker/VM Subnet
> 172.30.0.0/16 - K8s Pod CIDR
> 172.21.0.0/16 - K8s Service CIDR
>
> I tried starting up 2 VPN clients on 10.95.14.64/26 hoping to achieve an
> "active"/"passive" setup, but after observing how OpenVPN Server updates
> its internal routing table I am not so sure we can achieve redundancy
> with multiple VPN client replicas exposing the same subnets
> (Pod/Service/Worker CIDRs) connected to the VPN server. The clients can
> both be connected, but the server only maintains routes for one of them,
> meaning if the "active" goes down then there are no internal routes so that
> we can quickly begin using the "backup" connected replica. I tried giving
> each replica its own CN when connecting, hoping it could keep duplicate
> routes if clients did not have duplicate CNs.
>
> IN CLUSTER:
>
> $ kubectl get pods -n kube-system -o wide | grep vpn
> vpn-client-1   1/1   Running   0   61s   172.30.43.2     10.95.14.80   <none>   <none>
> vpn-client-2   1/1   Running   0   62s   172.30.105.65   10.95.14.77   <none>   <none>
>
> FROM OPENVPN SERVER:
>
> /etc/openvpn/ccd # ps -a
> PID   USER     TIME   COMMAND
>   1   root     0:05   {openvpn_start.s} /bin/bash /etc/openvpn/openvpn_start.sh
>  72   nobody   1:27   openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd
>
> /etc/openvpn/ccd # ls
> worker1  worker2
>
> /etc/openvpn/ccd # cat worker1
> iroute 172.30.0.0 255.255.0.0
> iroute 172.21.0.0 255.255.0.0
> iroute 10.95.14.64 255.255.255.192
>
> /etc/openvpn/ccd # cat worker2
> iroute 172.30.0.0 255.255.0.0
> iroute 172.21.0.0 255.255.0.0
> iroute 10.95.14.64 255.255.255.192
>
> The VPN server's client list shows two clients have connected to the VPN
> server:
>
> OpenVPN CLIENT LIST
> Updated,Tue Jun 16 14:19:27 2020
> Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
> worker1,172.18.137.0:11887,8154,8479,Tue Jun 16 13:59:35 2020
> worker2,172.18.137.0:32826,803828,415606,Tue Jun 16 13:59:36 2020
>
> however the OpenVPN server's routing table only contains routes for
> 172.30.0.0/16, 172.21.0.0/16, and 10.95.14.64/26 for the most recently
> connected client:
>
> ROUTING TABLE
> Virtual Address,Common Name,Real Address,Last Ref
> 10.95.14.64/26,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
> 172.30.0.0/16,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
> 172.21.0.0/16,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
>
> 172.21.202.193C,worker2,172.18.137.0:32826,Tue Jun 16 14:19:25 2020
> 172.30.54.2C,worker2,172.18.137.0:32826,Tue Jun 16 14:18:58 2020
> 192.168.255.22,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
>
> 192.168.255.18,worker1,172.18.137.0:11887,Tue Jun 16 13:59:35 2020
>
> It seems to me OpenVPN just doesn't support multiple clients with the same
> iroutes.
> The only other thing I can think of presently would be to have
> some kind of communication akin to keepalived/heartbeats between the client
> replicas so that the second replica can initiate a connection to the VPN
> server only when the first replica stops responding. Is there any other
> supported way to achieve an HA client setup like this via configuration?
>

You can definitely set up a simple pacemaker cluster with openvpn as a running resource. The setup will include identical client nodes in active/passive mode and will provide the needed redundancy without any other trick from the server side. If you like a network approach I would investigate options with dynamic routing through OSPF.

> Thanks,
> Calvin
>
> '--client-to-client' enables the Master VPN client to address workload running
> on Subnet B via the VPN. Would love to be able to run a second VPN client
> replica on Subnet B
>
> |_master_vpn_client_|                        |_vpn_server_|
> -------/------------------------------------/------
>                      Subnet A
>
> |_worker vpn client 1_|                  |_worker_vpn_client_2_|
> ------/-----------------------------------/---------------------
>                  Subnet B - 10.95.14.64/26
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
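The behaviour Calvin observed (two replicas connected, but the server installing the shared iroutes for only the most recently connected CN) is easy to verify from the server's status output, and the same check is what an active/passive setup, whether pacemaker-driven or heartbeat-driven, would want to run to confirm which replica is actually serving the subnets. The following is an added example, not code from this thread or from the OpenVPN project: a small parser for the status-version-1 layout pasted above, fed with a status dump and ccd file constructed from the posted output (the GLOBAL STATS/END trailer is the one a real status file carries). It reports the owner of each configured iroute and which connected clients hold none of them.

```python
"""Parse OpenVPN status-version-1 output and report which connected client
currently holds each configured iroute. Added example, not from the thread;
the sample status and ccd text are constructed from what Calvin posted."""
import ipaddress

# Constructed sample: the CLIENT LIST and ROUTING TABLE as posted above.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Tue Jun 16 14:19:27 2020
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
worker1,172.18.137.0:11887,8154,8479,Tue Jun 16 13:59:35 2020
worker2,172.18.137.0:32826,803828,415606,Tue Jun 16 13:59:36 2020
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.95.14.64/26,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
172.30.0.0/16,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
172.21.0.0/16,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
172.21.202.193C,worker2,172.18.137.0:32826,Tue Jun 16 14:19:25 2020
172.30.54.2C,worker2,172.18.137.0:32826,Tue Jun 16 14:18:58 2020
192.168.255.22,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
192.168.255.18,worker1,172.18.137.0:11887,Tue Jun 16 13:59:35 2020
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

# Constructed sample: the ccd file that worker1 and worker2 both carry.
SAMPLE_CCD = """\
iroute 172.30.0.0 255.255.0.0
iroute 172.21.0.0 255.255.0.0
iroute 10.95.14.64 255.255.255.192
"""

# Section header line -> section name (None ends the sections we care about).
SECTION_HEADERS = {"OpenVPN CLIENT LIST": "clients", "ROUTING TABLE": "routes",
                   "GLOBAL STATS": None, "END": None}


def parse_status(text):
    """Return (clients, routes) from a status dump.

    clients maps common name -> real address for every connected client.
    routes is a list of (network, common_name, learned); learned is True for
    entries printed with a trailing 'C', the host addresses the server cached
    from traffic rather than configured iroutes or the client's own VPN IP."""
    clients, routes, section = {}, [], None
    for line in text.splitlines():
        if line in SECTION_HEADERS:
            section = SECTION_HEADERS[line]
            continue
        fields = line.split(",")
        if section == "clients" and len(fields) == 5 and fields[0] != "Common Name":
            clients[fields[0]] = fields[1]
        elif section == "routes" and len(fields) == 4 and fields[0] != "Virtual Address":
            addr, cn = fields[0], fields[1]
            learned = addr.endswith("C")
            if learned:
                addr = addr[:-1]
            routes.append((ipaddress.ip_network(addr, strict=False), cn, learned))
    return clients, routes


def parse_iroutes(ccd_text):
    """Turn 'iroute <network> [<netmask>]' ccd lines into canonical CIDR strings."""
    nets = []
    for line in ccd_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "iroute":
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            nets.append(str(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False)))
    return nets


def iroute_owners(routes, iroutes):
    """Map each expected iroute (CIDR string) to the common name that holds it
    in the server's routing table, or None when no connected client does."""
    owners = {net: None for net in iroutes}
    for net, cn, learned in routes:
        if not learned and str(net) in owners:
            owners[str(net)] = cn
    return owners


def standby_clients(clients, routes, iroutes):
    """Connected clients that hold none of the iroutes: with duplicate iroutes
    the server keeps the subnets for the most recently connected CN only, so
    these replicas are up but receive no traffic for those subnets."""
    active = {cn for cn in iroute_owners(routes, iroutes).values() if cn}
    return sorted(set(clients) - active)


if __name__ == "__main__":
    clients, routes = parse_status(SAMPLE_STATUS)
    iroutes = parse_iroutes(SAMPLE_CCD)
    for net, cn in iroute_owners(routes, iroutes).items():
        print(f"{net:18} -> {cn or 'NO ROUTE'}")
    print("standby replicas:", ", ".join(standby_clients(clients, routes, iroutes)) or "none")
```

On the posted data this reports all three subnets owned by worker2 and worker1 as a connected standby, which is exactly the state where losing worker2 leaves the subnets unserved until the server learns them again. In a real deployment the text would come from the server's `--status` file or the management interface rather than the embedded sample, and an iroute whose owner is None is the condition to alert on.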