
Re: [Openvpn-users] OpenVPN Server redundency


  • Subject: Re: [Openvpn-users] OpenVPN Server redundency
  • From: "Jan Mulders" <lastchancehotel@xxxxxxxxx>
  • Date: Thu, 31 May 2007 00:25:15 +0100

I haven't tried to (mainly because for my application it is unnecessary), but it is indeed an interesting problem.

We'd need some way of sharing the SSL/TLS sessions between the two hosts - if I remember correctly Apache manages to do this for distributed SSL serving of pages over HTTPS (it keeps track of the userid/encryption key in a distributed database). As far as my limited internal knowledge of OpenVPN goes, there is no facility to access the encryption keys in OpenVPN - someone would have to break open and modify the SSL/TLS handling modules/functionality and bolt a bunch of scripts or something onto it, that makes OpenVPN look for a cached user session before making a new one.

This sounds like it will either a) be a complete one-off hack, or b) a complete ball-ache to get working perfectly in 100% of cases (i.e. shipping it with the production code) - I suppose it comes down to 'how much do you need it', and indeed 'why do you need it?'. If your application's transactions aren't atomic (either complete, or don't complete - no half-way-finished transactions), then perhaps you should be looking towards your own code for a resolution.

It'd be nice to have, though!

Jan



On 30/05/07, Felix Kronlage <fkr@xxxxxxxxxxxxxxxxxxx> wrote:
On Mon, May 28, 2007 at 10:09:57AM -0400, Matt Shields wrote:

> I have 2 servers setup and use rsync to mirror the config.  Only one
> is active and I'm using Linux Virtual Server (heartbeat) to manage
> which one is active.  So if server 1 dies, server 2 takes over the
> virtual IP and starts up openvpn server.

we've been doing the same thing, just with OpenBSD and CARP'ed PF.
Works perfectly. The setup has one minor annoyance:

unlike with IPSec and sasyncd, there is (to my knowledge) currently
no way to keep 2 (or more) OpenVPN Servers in sync regarding the currently
active clients. Means: if the master dies, the client has to reconnect
to the (former slave) new master.

has anyone tried to tackle this?

felix

_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
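The active/passive arrangement Matt and Felix describe (identical config on both nodes, a floating virtual IP, OpenVPN started only on the current master, clients reconnecting after a takeover) written out as an added example; this is not from the thread or from the OpenVPN project. The VIP 192.0.2.10, the tunnel subnet, file paths and key names are assumptions; the directives themselves are standard OpenVPN 2.x options.

```conf
# --- server.conf: identical on both nodes ---
# Sync this file AND the key material it references (server.key, ta.key,
# ipp.txt) with rsync over ssh, keeping mode 0600; the mirror channel now
# carries the server's private key.
port 1194
proto udp
dev tun
# Bind only the shared virtual IP (assumed address). The VIP exists only on the
# current master, so OpenVPN must be started by the failover hook after the
# takeover, not at boot.
local 192.0.2.10
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key      # same key pair on both nodes: clients see one identity
dh   /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0    # same static key on both nodes, or the new master drops
                                  # every client's packets before the TLS handshake starts
server 10.8.0.0 255.255.255.0
# Mirror this file as well: a client that reconnects to the new master then
# gets the same tunnel address it had on the old one.
ifconfig-pool-persist /etc/openvpn/ipp.txt
# "keepalive 10 60" expands to ping 10 / ping-restart 120 on the server and
# pushes ping 10 / ping-restart 60 to clients, so a client notices a dead
# master within about 60 s and reconnects to the VIP (full TLS handshake,
# since no session state is shared between the nodes).
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup                     # "nobody" on OpenBSD

# --- client.ovpn ---
client
dev tun
proto udp
# Point at the VIP, never at either node's real address; one "remote" is enough
# because the VIP already hides which physical server is alive.
remote 192.0.2.10 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
# Refuse to talk to a client certificate presented as a server, so a stolen
# client cert cannot impersonate the VIP ("ns-cert-type server" on OpenVPN 2.0).
remote-cert-tls server
```

Two things to check in such a setup: the failover hook must start OpenVPN only after the VIP has been assigned (otherwise the "local" bind fails), and the detection time clients see is the pushed ping-restart value, not the server-side one, so tune the second keepalive argument to the outage you are willing to accept. What this does not give you is what Felix asked for: the new master has no record of the old master's TLS sessions, so every client goes through a fresh handshake.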