You may be able to do it, my concern would be "route confusion". We have that situation with OpenVPN and a different VPN offering the same subnet to a Windows client (two entries to the same subnet via different paths in Windows' routing table) and it's not working. I have also tried having two clients to the same OpenVPN server providing the same routes and have found that "the last will be first" - the OpenVPN status log showed the latter connections replacing the former connection's routes. In that case the second system was a backup without full access to its local subnets with the result being predictably undesirable.
-----Original Message-----
From: Alex K <rightkickt...@gmail.com>
To: Calvin Zachman <calvin.zach...@ibm.com>
Cc: openvpn users list (openvpn-users@lists.sourceforge.net) <openvpn-users@lists.sourceforge.net>
Sent: Fri, Jun 26, 2020 3:52 pm
Subject: Re: [Openvpn-users] Multiple VPN clients exposing the same remote subnet

On Fri, Jun 19, 2020, 01:35 Calvin Zachman <calvin.zach...@ibm.com> wrote:

Hi openvpn-users,

Is it possible for multiple VPN clients on the same LAN to expose the same remote subnets to other connected clients? I would like to run 2 VPN client instances on the same LAN exposing the same subnets (same iroutes) for some level of redundancy/high-availability. I am aware that one can run multiple VPN servers for redundancy and list them as separate `<remote>`s in the client config. I am interested in similar redundancy for VPN clients.

I am running OpenVPN inside Kubernetes. The VPN server runs in a multitenant environment alongside Kubernetes Control-Plane/Master components on Subnet A while the VPN client(s) run on Subnet B (10.X.X.X/26). I would like to provide redundant access to Subnet B in the event that my VPN client instance fails. I am using the `--client-to-client` configuration option to allow the clients running in the Kubernetes Master to route traffic to the `worker` client running on Subnet B.

The client-config-directory defines the following iroutes for the `worker` client:

10.95.14.64/26 - Worker/VM Subnet
172.30.0.0/16 - K8s Pod CIDR
172.21.0.0/16 - K8s Service CIDR

I tried starting up 2 VPN clients on 10.95.14.64/26 hoping to achieve an "active"/"passive" setup, but after observing how OpenVPN Server updates its internal routing table I am not so sure we can achieve redundancy with multiple VPN client replicas exposing the same subnets (Pod/Service/Worker CIDRs) connected to the VPN server.

The clients can both be connected, but the server only maintains routes for one of them, meaning if the "active" goes down then there are no internal routes so that we can quickly begin using the "backup" connected replica. I tried giving each replica its own CN when connecting, hoping it could keep duplicate routes if clients did not have duplicate CNs.

IN CLUSTER:

$ kubectl get pods -n kube-system -o wide | grep vpn
vpn-client-1   1/1   Running   0   61s   172.30.43.2     10.95.14.80   <none>   <none>
vpn-client-2   1/1   Running   0   62s   172.30.105.65   10.95.14.77   <none>   <none>

FROM OPENVPN SERVER:

/etc/openvpn/ccd # ps -a
PID   USER     TIME   COMMAND
1     root     0:05   {openvpn_start.s} /bin/bash /etc/openvpn/openvpn_start.sh
72    nobody   1:27   openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd
/etc/openvpn/ccd # ls
worker1  worker2
/etc/openvpn/ccd # cat worker1
iroute 172.30.0.0 255.255.0.0
iroute 172.21.0.0 255.255.0.0
iroute 10.95.14.64 255.255.255.192
/etc/openvpn/ccd # cat worker2
iroute 172.30.0.0 255.255.0.0
iroute 172.21.0.0 255.255.0.0
iroute 10.95.14.64 255.255.255.192

The VPN server's client list shows two clients have connected to the VPN server:

OpenVPN CLIENT LIST
Updated,Tue Jun 16 14:19:27 2020
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
worker1,172.18.137.0:11887,8154,8479,Tue Jun 16 13:59:35 2020
worker2,172.18.137.0:32826,803828,415606,Tue Jun 16 13:59:36 2020

however the OpenVPN server's routing table only contains routes for 172.30.0.0/16, 172.21.0.0/16, and 10.95.14.64/26 for the most recently connected client:

ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.95.14.64/26,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
172.30.0.0/16,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
172.21.0.0/16,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
172.21.202.193C,worker2,172.18.137.0:32826,Tue Jun 16 14:19:25 2020
172.30.54.2C,worker2,172.18.137.0:32826,Tue Jun 16 14:18:58 2020
192.168.255.22,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
192.168.255.18,worker1,172.18.137.0:11887,Tue Jun 16 13:59:35 2020

It seems to me OpenVPN just doesn't support multiple clients with the same iroutes. The only other thing I can think of presently would be to have some kind of communication akin to keepalived/heartbeats between the client replicas so that the second replica can initiate a connection to the VPN server only when the first replica stops responding. Is there any other supported way to achieve an HA client setup like this via configuration?

You can definitely set up a simple pacemaker cluster with openvpn as a running resource. The setup will include identical client nodes in active/passive mode and will provide the needed redundancy without any other trick from the server side. If you like a network approach I would investigate options with dynamic routing through ospf.

Thanks,
Calvin

`--client-to-client` enables the Master VPN client to address workload running on Subnet B via the VPN. Would love to be able to run a second VPN client replica on Subnet B.

|_master_vpn_client_|   |_vpn_server_|
-------/------------------------------------/------ Subnet A

|_worker vpn client 1_|   |_worker_vpn_client_2_|
------/-----------------------------------/--------------------- Subnet B - 10.95.14.64/26

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
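As an added example (not code from the thread or from OpenVPN itself), a small Python check that reads the ccd iroute files and an OpenVPN status-version-1 file and reports every subnet that two or more connected clients claim, naming the CN whose route the server currently holds and the CNs it is shadowing, so the "last will be first" replacement described above is visible before a failover is relied on. The ccd contents and the status text are constructed samples built from the values quoted in the thread; the function names are my own.

```python
import ipaddress
import re
# Constructed sample mirroring the two ccd files quoted in the thread (identical iroutes).
CCD_FILES = {cn: "iroute 172.30.0.0 255.255.0.0\niroute 172.21.0.0 255.255.0.0\n"
                 "iroute 10.95.14.64 255.255.255.192\n" for cn in ("worker1", "worker2")}

# Constructed sample in the status-version-1 layout the thread shows (the --status file).
STATUS_V1 = """OpenVPN CLIENT LIST
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
worker1,172.18.137.0:11887,8154,8479,Tue Jun 16 13:59:35 2020
worker2,172.18.137.0:32826,803828,415606,Tue Jun 16 13:59:36 2020
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.95.14.64/26,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
172.30.0.0/16,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
172.21.0.0/16,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
192.168.255.18,worker1,172.18.137.0:11887,Tue Jun 16 13:59:35 2020
"""

def parse_ccd_iroutes(files):  # {"net/prefix": {CNs whose ccd claims it}}
    claims = {}
    for cn, text in files.items():
        for m in re.finditer(r"^\s*iroute\s+(\S+)\s+(\S+)", text, re.M):
            # iroute takes a dotted netmask; normalise to CIDR, as the status file prints it
            net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            claims.setdefault(str(net), set()).add(cn)
    return claims

def parse_status_v1(text):  # -> (connected CNs, {virtual address: CN holding it})
    connected, routes, section = set(), {}, ""
    for line in text.splitlines():
        if line.startswith(("OpenVPN CLIENT LIST", "ROUTING TABLE")):
            section = line
        elif section.startswith("OpenVPN") and line.count(",") == 4 and not line.startswith("Common"):
            connected.add(line.split(",")[0])
        elif section == "ROUTING TABLE" and line.count(",") == 3 and not line.startswith("Virtual"):
            addr, cn = line.split(",")[:2]
            routes[addr] = cn
    return connected, routes

def find_shadowed_iroutes(files, status):  # subnets claimed by 2+ connected CNs: holder vs shadowed
    claims, (connected, routes) = parse_ccd_iroutes(files), parse_status_v1(status)
    report = {}
    for net, cns in claims.items():
        live = sorted(cn for cn in cns if cn in connected)
        if len(live) > 1:  # only then can the server's route replacement bite
            holder = routes.get(net)
            report[net] = {"holder": holder, "shadowed": [cn for cn in live if cn != holder]}
    return report
```

Run against a live server by reading the ccd directory and the file named by `--status` instead of the constructed samples; an empty report means no connected client is being shadowed.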