This is what we did (spoiler: no pacemaker)

We connect the openvpn hosts via tinc (could also be openvpn, but tinc is more flexible when servers both initiate the connection) and put these tunnels into a bridge (with stp). Then all these nodes have openvpn with server certificates from the same ca and all have the client definitions in a ccd. You can't use the dhcp-like mode of openvpn, so we decided to push the ip from the ccd. You could also maybe forward the request to one (or two) real dhcp servers. These openvpn tunnels also end in the bridges of the tinc network. The config is kept in sync with csync2.

That way vpn is working even if only one of the currently three servers is running. And there is no server-side downtime when one server fails, only the time until the clients reconnect to a different server. And it works with different servers in different datacenters and only needs normal internet connections, no dedicated links.

Yes, I consider non-interactive protocols that fail on connection reset to be broken. Interactive protocols (like ssh+screen, rdesktop, x2go) all survive a reset because the user can re-instantiate the connection and work on as before.

Arnold

On 10.07.2012 13:01, Arturo Borrero Gonzalez wrote:
> Hi there!
>
> OpenVPN server has a 'management interface' that allows the admin to
> delete, add, modify, authorize client connections.
>
> As far as I know, there is no pre-established method for
> sharing connections between openvpn servers, so in issues like
> failover and/or active-active configurations the behaviour is pretty
> rudimentary (just using an LSB resource to start and stop the daemon).
>
> I'm looking for something or someone that previously showed interest
> in this topic.
> If not, I will investigate the creation of a new RA or maybe a tiny
> daemon for deploying in master/slave modes.
> I think using netcat I'm able to get all openvpn data and also using
> netcat to inject the data in another openvpn server.
>
> What approach should I have? Any recommendations?
>
> Best regards.
>

-- 
This email was created electronically and is valid without a handwritten signature.
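The setup Arnold describes (a tinc mesh in switch mode feeding one STP bridge per node, an OpenVPN tap server on every node with certificates from one shared CA, fixed client addresses pushed from ccd, csync2 carrying the shared state) is only sketched in the mail; his actual files are not on the page. The script below is an added example, not the poster's or either project's code, that writes the pieces of that design for one node so the moving parts can be seen together. It goes a little beyond the mail in three places a practitioner would want: the client side of the failover (every node listed, `remote-random`, next node on timeout), `crl-verify` on every node with the CRL included in what csync2 syncs (otherwise a client revoked on one node still connects to the other two), and `remote-cert-tls` on both sides, which is what stops any client certificate from the shared CA being used to impersonate a server. Node names, the 10.8.0.0/24 subnet, `br0`, the tinc net name `vpnmesh` and every path are assumptions; the CN check in `write_ccd_entry` is there because the CN becomes a file name in the ccd directory.

```shell
#!/bin/sh
# Added example, not the poster's files: writes the per-node config pieces for
# the layout described in the mail (tinc switch-mode mesh on an STP bridge, an
# OpenVPN tap server per node signed by the shared CA, static client addresses
# from ccd, csync2 keeping ccd and the CRL identical on every node). Node
# names, the 10.8.0.0/24 subnet, br0, vpnmesh and all paths are assumptions.
set -eu
BRIDGE=br0; NETNAME=vpnmesh; NETMASK=255.255.255.0

# OpenVPN server: no address pool, so two servers cannot hand out colliding
# addresses; ccd-exclusive refuses any client without a ccd file; crl-verify
# on every node refuses a revoked client everywhere once csync2 copied the CRL;
# remote-cert-tls matters because clients and servers share one CA.
write_openvpn_server() {  # write_openvpn_server NODE OUTDIR
  node=$1; out=$2
  mkdir -p "$out/openvpn/ccd"
  cat >"$out/openvpn/server.conf" <<EOF
mode server
tls-server
dev tap0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/$node.crt
key /etc/openvpn/$node.key
dh /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0
crl-verify /etc/openvpn/crl.pem
remote-cert-tls client
client-config-dir /etc/openvpn/ccd
ccd-exclusive
script-security 2
up /etc/openvpn/tap-up.sh
user nobody
group nogroup
EOF
  # --up runs as root before the privilege drop; $1 is the tap device name
  printf '#!/bin/sh\nip link set "$1" up\nip link set "$1" master %s\n' \
    "$BRIDGE" >"$out/openvpn/tap-up.sh"
  chmod 755 "$out/openvpn/tap-up.sh"
}

# One ccd file per client CN with its fixed address, so the client keeps the
# same IP whichever server it lands on. The CN becomes a file name: reject
# anything that could escape the ccd directory.
write_ccd_entry() {       # write_ccd_entry OUTDIR CN IP
  out=$1; cn=$2; ip=$3
  case $cn in ''|.*|*[!A-Za-z0-9_.-]*) echo "refusing CN '$cn'" >&2; return 1;; esac
  mkdir -p "$out/openvpn/ccd"
  printf 'ifconfig-push %s %s\n' "$ip" "$NETMASK" >"$out/openvpn/ccd/$cn"
}

# tinc: switch mode makes the mesh one Ethernet segment; tinc-up creates the
# bridge with STP (iproute2 >= 4.x) and adds the tinc interface to it.
write_tinc() {            # write_tinc NODE OUTDIR PEER...
  node=$1; out=$2; shift 2
  mkdir -p "$out/tinc/$NETNAME"
  { printf 'Name = %s\nMode = switch\n' "$node"
    for p; do printf 'ConnectTo = %s\n' "$p"; done; } >"$out/tinc/$NETNAME/tinc.conf"
  cat >"$out/tinc/$NETNAME/tinc-up" <<EOF
#!/bin/sh
ip link add $BRIDGE type bridge stp_state 1 2>/dev/null || true
ip link set $BRIDGE up
ip link set "\$INTERFACE" up
ip link set "\$INTERFACE" master $BRIDGE
EOF
  chmod 755 "$out/tinc/$NETNAME/tinc-up"
}

# csync2 group: ccd, the CRL and the tinc host files must match on all nodes.
# The CA private key stays off the VPN nodes and is never synced.
write_csync2() {          # write_csync2 OUTDIR HOST...
  out=$1; shift
  { echo "group vpn {"
    for h; do echo "  host $h;"; done
    printf '  key /etc/csync2.key;\n  include /etc/openvpn/ccd;\n'
    printf '  include /etc/openvpn/crl.pem;\n  include /etc/tinc/%s/hosts;\n' "$NETNAME"
    echo "  auto younger;"; echo "}"; } >"$out/csync2.cfg"
}

# Client side of the failover: all nodes listed, one picked at random, the next
# tried on timeout. remote-cert-tls server stops another client certificate
# (same CA) from posing as a server.
write_client_config() {   # write_client_config OUTDIR CN SERVER...
  out=$1; cn=$2; shift 2
  { printf 'client\ndev tap\nproto udp\nnobind\n'
    for s; do echo "remote $s 1194"; done
    printf 'remote-random\nresolv-retry infinite\nremote-cert-tls server\n'
    printf 'tls-auth /etc/openvpn/ta.key 1\nca /etc/openvpn/ca.crt\n'
    printf 'cert /etc/openvpn/%s.crt\nkey /etc/openvpn/%s.key\n' "$cn" "$cn"
  } >"$out/$cn.ovpn"
}

# Usage: write_node_config vpn1 /tmp/vpn1 vpn2 vpn3; write_ccd_entry /tmp/vpn1 alice 10.8.0.11
write_node_config() {     # write_node_config NODE OUTDIR PEER...
  node=$1; out=$2; shift 2
  write_openvpn_server "$node" "$out"
  write_tinc "$node" "$out" "$@"
  write_csync2 "$out" "$node" "$@"
}
```

The tinc `hosts/` files (each peer's `Address` and public key) and the OpenVPN keys are produced by the respective tools' own key generation and are not written here. The one thing this layout does not give you is a shared session table: a client's address is stable because it is fixed in ccd, not because the servers know about each other, so anything that must be identical on all nodes has to travel through csync2, and the CRL is the item most easily forgotten.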
_______________________________________________
Pacemaker mailing list: Pacemaker@oss.clusterlabs.org
http://oss.clusterlabs.org/mailman/listinfo/pacemaker

Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://bugs.clusterlabs.org