Re: [Openvpn-users] vpn routing question


  • Subject: Re: [Openvpn-users] vpn routing question
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Wed, 5 Oct 2005 00:17:05 -0600 (MDT)

On Mon, 3 Oct 2005, Jason Keltz wrote:

> Erich Titl wrote:
> > Jason Keltz wrote:
> > 
> >>Hi everyone,
>  >>...
> >>Since various clients are connected to both VPNs at the same time, how
> >>can the file server route back to the proper VPN?
> > 
> > 
> > Why is a single client connected to both OpenVPN servers?
> > Else just add routes to both OpenVPN subnets.
> 
> Hi Erich..
> 
> I'm sorry that I wasn't clear.
> 
> There are two VPN servers for load balancing/redundancy issues.
> Each client on startup chooses a VPN server to connect to.
> However, a client will only connect to one or the other.
> In the event of a failure, a client will connect to the other VPN server.
> 
> In terms of adding routes back to the VPN subnets, that is what I want 
> to do, but that is where there is a tricky problem...
> 
> When an individual client connects to either VPN server, it will get the 
> exact same IP.  This is done so that software (like NFS) will be able to 
> basically handle a client moving from one VPN to the other if a VPN 
> server goes down...
> 
> Each VPN server knows how to route packets to its own clients, but since 
> there are two servers with the same address space, it doesn't seem 
> possible with one route statement to route packets to both VPNs.
> 
> I could solve this problem with source NAT.  This way, the packets will 
> come from the VPN servers, and not from the clients.  The NFS server 
> could easily talk back to the individual VPN servers.  While this would 
> "solve" the problem, it creates another one.  With Source NAT, all 
> entries logged for say, NFS, end up showing as entries coming from the 
> VPN servers.  This is not desirable as it makes debugging very 
> difficult...  I wonder if there is a better way to do what I want to do.

I think it would be a worthwhile feature to have a native clustering 
capability in OpenVPN.

While the basic load balancing and failover capability provided by putting 
multiple "remote" directives on the client is almost a clustering 
solution, it falls a bit short when you want (for example) a client to 
keep the same IP address even when connecting to a different server, or 
when clients are serving as a VPN gateway for a local, private LAN.

To make this work, we need a dynamic routing capability so that when a 
user with a given VPN IP address ('IP') connects from server 'A' 
to server 'B', the server-side routers will be aware that return packets 
to IP must now be routed through server 'B' rather than server 'A'.

One way to make this work would be to use a dynamic routing protocol such 
as RIP2 or OSPF.  When the user connects to server 'B', a RIP2 message 
would be multicast, telling all the local routers of the new gateway for 
'IP'.

This would require adding some code to OpenVPN to advertise its internal 
routing table to local, neighboring routers using RIP2 or OSPF.

James


____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
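As an added illustration (not part of the thread and not OpenVPN code), the following Python model replays the distance-vector update rule behind the RIP2 idea James sketches: a LAN router hears route advertisements from two VPN servers for the same client address and must end up forwarding return traffic through the server the client is currently attached to. The router names, the constructed client address 10.8.0.5 and the three update sequences are assumptions made for the example; the metric handling follows the RIPv2 receiver rules (metric 16 means unreachable, updates from the current next hop are always believed, ties from another neighbour are ignored).

```python
"""RIP-style route learning for the failover case described in the thread:
two OpenVPN servers hand the same VPN address to a client, and the LAN
router behind them must send return packets through whichever server the
client is attached to right now.  Added illustration, not OpenVPN code;
router names, the 10.8.0.5 client address and the event sequences are
constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RIP_INFINITY = 16  # RIPv2 metric that means "unreachable" (RFC 2453)


@dataclass
class Route:
    next_hop: str
    metric: int


class Router:
    """Minimal distance-vector receiver with a single routing table."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.table: Dict[str, Route] = {}

    def receive(self, prefix: str, metric: int, from_router: str) -> str:
        """Apply one RIP-style advertisement and report what happened."""
        # The receiver adds the cost of the link the update arrived on (1 hop),
        # capped at infinity so a withdrawal stays a withdrawal.
        metric = min(metric + 1, RIP_INFINITY)
        current = self.table.get(prefix)

        if current is None:
            if metric >= RIP_INFINITY:
                return "ignored"  # nothing to withdraw
            self.table[prefix] = Route(from_router, metric)
            return "installed"

        if current.next_hop == from_router:
            # Updates from the current next hop are always believed, even when
            # worse: this is how a withdrawal (metric 16) takes effect.
            if metric >= RIP_INFINITY:
                del self.table[prefix]
                return "withdrawn"
            current.metric = metric
            return "refreshed"

        if metric < current.metric:
            self.table[prefix] = Route(from_router, metric)
            return "replaced"
        # Equal or worse metric via a different neighbour: keep what we have.
        # An equal-cost advertisement from the other server therefore does NOT
        # move the route; the old server has to withdraw it first.
        return "ignored"

    def next_hop_for(self, host: str) -> Optional[str]:
        """Longest-prefix match over the table; None when unreachable."""
        addr = ipaddress.ip_address(host)
        best: Optional[Tuple[int, str]] = None
        for prefix, route in self.table.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, route.next_hop)
        return best[1] if best else None


CLIENT = "10.8.0.5/32"  # constructed: the address both servers assign this client

# Each scenario is the sequence of (metric, advertising server) the LAN router
# hears.  A server advertises its directly attached client with metric 1.
SCENARIOS: Dict[str, List[Tuple[int, str]]] = {
    # Server A withdraws when the client drops, then B announces it.
    "withdraw_then_announce": [(1, "vpn-a"), (RIP_INFINITY, "vpn-a"), (1, "vpn-b")],
    # B announces before A's withdrawal arrives: the tie is ignored, the
    # withdrawal empties the table, and the client is unreachable until B's
    # next periodic update (every 30 s in RIPv2).
    "announce_then_withdraw": [(1, "vpn-a"), (1, "vpn-b"),
                               (RIP_INFINITY, "vpn-a"), (1, "vpn-b")],
    # A never withdraws (for instance it crashed): return traffic keeps going
    # to A until its entry times out (180 s without a refresh in RIPv2).
    "no_withdrawal": [(1, "vpn-a"), (1, "vpn-b")],
}


def run(scenario: str) -> Tuple[List[str], Optional[str]]:
    """Replay one scenario; return the per-update outcomes and final next hop."""
    lan = Router("lan-router")
    events = [lan.receive(CLIENT, metric, src) for metric, src in SCENARIOS[scenario]]
    return events, lan.next_hop_for("10.8.0.5")


if __name__ == "__main__":
    for name in SCENARIOS:
        events, hop = run(name)
        print(f"{name}: {' -> '.join(events)}; return traffic via {hop}")
```

The second and third scenarios are the part worth noticing: advertising the client from the new server is not enough on its own, because an equal-cost route from a different neighbour never displaces the installed one. The server that lost the client has to withdraw the host route promptly, and there is a window between that withdrawal and the new server's next periodic update in which the LAN router has no route at all, so any real implementation would want the new server to send a triggered update rather than wait for its timer.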