
Re: [Openvpn-users] OpenVPN Server redundency

  • Subject: Re: [Openvpn-users] OpenVPN Server redundency
  • From: "Jan Mulders" <lastchancehotel@xxxxxxxxx>
  • Date: Thu, 31 May 2007 00:25:15 +0100

I haven't tried to (mainly because for my application it is unnecessary), but it is indeed an interesting problem.

We'd need some way of sharing the SSL/TLS sessions between the two hosts - if I remember correctly Apache manages to do this for distributed SSL serving of pages over HTTPS (it keeps track of the userid/encryption key in a distributed database). As far as my limited internal knowledge of OpenVPN goes, there is no facility to access the encryption keys in OpenVPN - someone would have to break open and modify the SSL/TLS handling modules/functionality and bolt a bunch of scripts or something onto it, that makes OpenVPN look for a cached user session before making a new one.

This sounds like it will either a) be a complete one-off hack, or b) a complete ball-ache to get working perfectly in 100% of cases (i.e. shipping it with the production code) - I suppose it comes down to 'how much do you need it', and indeed 'why do you need it?'. If your application's transactions aren't atomic (either complete, or don't complete - no half-way-finished transactions), then perhaps you should be looking towards your own code for a resolution.

It'd be nice to have, though!


On 30/05/07, Felix Kronlage <fkr@xxxxxxxxxxxxxxxxxxx> wrote:
On Mon, May 28, 2007 at 10:09:57AM -0400, Matt Shields wrote:

> I have 2 servers setup and use rsync to mirror the config.  Only one
> is active and I'm using Linux Virtual Server (heartbeat) to manage
> which one is active.  So if server 1 dies, server 2 takes over the
> virtual IP and starts up openvpn server.

we've been doing the same thing, just with OpenBSD and CARP'ed PF.
Works perfectly. The setup has one minor annoyance:

unlike with IPSec and sasyncd, there is (to my knowledge) currently
no way to keep 2 (or more) OpenVPN Servers in sync regarding the currently
active clients. Means: if the master dies, the client has to reconnect
to the (former slave) new master.

has anyone tried to tackle this?
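As an added illustration of the active/passive setup Matt and Felix describe (one node holds the VIP and runs the server, the config is mirrored with rsync), here is a failover hook in the style a heartbeat resource script or a CARP state-change hook would call. It is not code from the thread or from the OpenVPN project; the peer hostname, the config and pid file paths and the script name `vpn-failover.sh` are assumptions.

```shell
#!/bin/sh
# Added example: active/passive OpenVPN failover hook in the style the thread
# describes (config mirrored with rsync, only one node runs the server).
# Assumed names (not from the thread): peer host, config dir, pid file.
PEER="${PEER:-vpn-peer.example.internal}"
CONF_DIR="${CONF_DIR:-/etc/openvpn}"
PIDFILE="${PIDFILE:-/var/run/openvpn.server.pid}"
DRY_RUN="${DRY_RUN:-0}"
# With DRY_RUN=1 the commands are printed instead of executed.
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }
# Pull the mirrored config and keys from the peer over ssh; keep the copies
# unreadable by anyone but root, since they include the server key.
sync_config() {
  run rsync -a --delete --chmod=F0600,D0700 -e ssh "$PEER:$CONF_DIR/" "$CONF_DIR/"
}
openvpn_running() { [ -r "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; }
# Become the active node: refresh the config, then start the server.
takeover() {
  openvpn_running && return 0
  sync_config || return 1
  run openvpn --daemon --config "$CONF_DIR/server.conf" --writepid "$PIDFILE"
}
# Become the standby node: stop the server so only the VIP holder answers.
release() {
  openvpn_running || return 0
  run kill "$(cat "$PIDFILE")"
}
# Map what the cluster manager hands us to an action: heartbeat resource
# scripts get start/stop/status, a CARP state hook reports MASTER/BACKUP.
action_for() {
  case "$1" in
    start|MASTER) echo takeover ;;
    stop|BACKUP|INIT) echo release ;;
    status) echo status ;;
    *) echo unknown; return 1 ;;
  esac
}
main() {
  act=$(action_for "$1") || { echo "usage: $0 start|stop|status|MASTER|BACKUP" >&2; return 2; }
  case "$act" in
    takeover) takeover ;;
    release) release ;;
    status) if openvpn_running; then echo running; else echo stopped; return 3; fi ;;
  esac
}
# Run main only when executed as the hook itself, so the file can be sourced.
case "${0##*/}" in vpn-failover.sh) main "$@" ;; esac
```

Clients still have to reconnect after a takeover, as Felix notes, because the new master has no record of their sessions; the hook only makes sure the standby comes up with the same config and keys.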

