Tutorial: How to Set Up an Access Server Cluster
Create a cluster of Access Servers and provide high availability and increased load capacity for your VPN clients and servers.
Overview
This tutorial shows you how to set up a cluster of Access Servers to scale horizontally and provide active-active redundancy. A typical setup consists of multiple Access Servers that store configuration files on a shared database, clients connecting to nodes based on a round-robin DNS record, and VPN connections accessed from one global subscription licensing pool.
For details about the cluster feature, refer to Access Server's Cluster Setup.
At least one installed Access Server.
A subscription license key.
Recommended: a configuration backup if you're converting an existing Access Server.
Caution
The steps here work for Ubuntu/Debian. If you're using a different Linux distribution, ensure you adjust them.
Important
Ensure that all cluster nodes run the same Access Server version.
With a single subscription license key, you can handle the licensing needs for all your cluster's Access Server nodes. The nodes share the available connections from the subscription license as needed. You can adjust your subscription license anytime from the Access Server billing portal.
To purchase a subscription license key, follow the steps here: How to purchase.
Note
We provide example information here for using Amazon RDS and DigitalOcean MySQL. Most other MySQL or MariaDB systems work except for MariaDB 10.4.13, which has a known issue due to a bug in the MariaDB code causing connectivity issues.
Tip
The term cluster applies to fault-tolerant database systems and an active-active setup of multiple Access Servers. To set up a fully fault-tolerant system, you must have both a cluster database setup and an Access Server cluster setup with multiple nodes.
Start by creating a new database server. We provide some brief steps, but for further information, refer to AWS or DigitalOcean for their documentation.
AWS
Create a new managed relational database service (RDS) from the AWS service.
Follow the configuration steps to select options, specify the instance size and fault-tolerance settings, define the DB instance identifier, and Master username and Master password.
Take note of the username and password because you will need them later.
Select your VPC and subnet, public accessibility, optional settings, and complete the launch.
DigitalOcean
Create a new database cluster.
Choose your required cluster configuration, datacenter, and VPC network.
Enter a unique name and select a project.
Once your database server is up and running, you need connection details to set up your first Access Server in the cluster. Get the following information to connect your Access Server nodes to your database server(s):
AWS
Endpoint
Master username
Master password
DigitalOcean
Username
Password
Host
Port
Database
Open the following ports on your Access Server node:
TCP 22: SSH access.
TCP 443: Web interface access and OpenVPN TCP connections.
TCP 943: Web interface access.
TCP 945: Cluster control channel.
UDP 1194: OpenVPN UDP connections.
Caution
These five ports assume you are implementing a standard configuration. If you have changed your ports previously, adjust the installation as necessary. Current OpenVPN appliances on Amazon AWS have a default security group that opens up the standard ports.
Adjust the security of your database server as needed.
Important
If you skip this step, you won’t be able to test any connections to the database server.
AWS
Note that Amazon RDS databases are protected by security groups, an Amazon-specific security system that functions like a firewall. Therefore, you must adjust the security group settings so your Access Server nodes can access the Amazon RDS database.
DigitalOcean
For DigitalOcean, you must adjust the trusted sources to improve the database security and allow incoming connections from each node.
Sign in to your Access Server console and get root privileges.
Install the MySQL and client library packages:
apt-get update
apt-get install mysql-client libmysqlclient-dev
Connect to your database instance using the MySQL command-line tool, replacing the values with those from your database connection information when you set up your database instance:
AWS:
mysql -h [Endpoint] -u [Master username] -p
DigitalOcean:
mysql -h [Host] -u [username] -P [port] -D [database] -p
When prompted, provide the Master password (AWS) or password (DigitalOcean).
Tip
For your DigitalOcean user, you may need to change the password encryption setting to Legacy (MySQL 5.x).
Upon successful connection, a message similar to this displays:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 13
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
You can now exit with the exit command.
Sign in to the Access Server Admin Web UI using the server's IP address or the custom hostname, if you have configured it, along with /admin. (For example, https://192.0.2.10/admin.)
Click Configuration > Cluster.
For this first step, we are setting up a new cluster.
Click Yes to Set up a New Cluster.
Convert the Access Server default SQLite3 database to a MySQL-type database
Enter the Node Name.
This unique name displays on the Status Overview page after you complete your cluster configuration — it automatically populates with the existing node name of your Access Server.
Enter your database connection information into the MySQL Settings fields.
The MySQL Hostname or IP Address is the endpoint (AWS) or host (DigitalOcean).
The MySQL Port is set to 3306 by default. Change it to the port noted above for DigitalOcean.
The MySQL Username is the Master username (AWS) or username (DigitalOcean).
The MySQL Password is the Master password (AWS) or password (DigitalOcean).
Click Save Settings.
The local SQLite3 databases are converted to the new MySQL-type databases. Access Server takes a few minutes or more for this conversion. If your user base is large, the conversion will take longer.
Once completed, Access Server restarts automatically.
Once the Access Server is restarted, sign back into your Admin Web UI.
The Cluster Overview displays your single node. With a cluster setup, some Admin Web UI pages are modifiable for the entire cluster, and others require you to click View/Edit Node to make changes on individual nodes. For example, a node-specific setting is the software license for that node.
Important
When you convert your Access Server to a cluster configuration, any existing user certificates and settings are converted and stored in the new database. You can only do this conversion once — you can’t repeat this to combine multiple different Access Servers with users and settings into one cluster. The first Access Server you use to create your cluster is the master data set. Any additional Access Server nodes use that data set. Any changes you make after creating your cluster architecture are applied to the central database used by all cluster nodes.
Important
When adding new Access Server nodes to the cluster, you must ensure that security is in place to connect to the database. For example, you’ll need to set up security groups in AWS or add each new DigitalOcean droplet as a trusted source to your database server.
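The security-group or trusted-source requirement above is easy to get wrong in both directions: a node that is missing from the allowlist cannot reach the database and will fail to join, while an allowlist that is too broad, or that still lists a node you removed, exposes the database further than the cluster needs. The following Python script is an added example, not part of this tutorial or of Access Server. It takes the cluster node addresses and the database allowlist as you would export them from the AWS security group or the DigitalOcean trusted sources (assumed here to be plain CIDR strings; neither provider's export format is reproduced) and reports what to add, remove or tighten. All sample values are constructed from the 192.0.2.0/24 documentation range.

```python
import ipaddress

# Constructed sample values (documentation range 192.0.2.0/24), not real infrastructure.
# CLUSTER_NODES: the public addresses of the Access Server nodes.
# CURRENT_ALLOWLIST: a hypothetical export of the database's inbound allowlist. It
# lists a node that no longer exists (.99) and a catch-all entry that exposes the
# database to every address on the Internet.
CLUSTER_NODES = ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"]
CURRENT_ALLOWLIST = ["192.0.2.10/32", "192.0.2.20/32", "192.0.2.99/32", "0.0.0.0/0"]


def desired_allowlist(nodes):
    """One /32 entry per node, de-duplicated, in node order."""
    entries = []
    for node in nodes:
        entry = str(ipaddress.ip_network(f"{node}/32"))
        if entry not in entries:
            entries.append(entry)
    return entries


def reconcile_allowlist(nodes, allowlist):
    """Compare the allowlist with the cluster nodes.

    Returns a report with:
      missing                      nodes matched by no entry (they cannot reach the database)
      covered_only_by_broad_entry  nodes reachable only through a multi-address entry
      stale                        single-host entries that match no current node
      overly_broad                 entries that cover more than one address
    """
    node_addrs = [ipaddress.ip_address(n) for n in nodes]
    entries = [ipaddress.ip_network(e, strict=False) for e in allowlist]
    host_entries = [e for e in entries if e.num_addresses == 1]
    broad_entries = [e for e in entries if e.num_addresses > 1]

    missing, only_broad = [], []
    for addr in node_addrs:
        if any(addr in e for e in host_entries):
            continue
        if any(addr in e for e in broad_entries):
            only_broad.append(str(addr))
        else:
            missing.append(str(addr))

    stale = [str(e) for e in host_entries if not any(a in e for a in node_addrs)]
    return {
        "missing": missing,
        "covered_only_by_broad_entry": only_broad,
        "stale": stale,
        "overly_broad": [str(e) for e in broad_entries],
    }


if __name__ == "__main__":
    report = reconcile_allowlist(CLUSTER_NODES, CURRENT_ALLOWLIST)
    for key, value in report.items():
        print(f"{key}: {value or '-'}")
    print("allowlist the cluster actually needs:", desired_allowlist(CLUSTER_NODES))
```

Run it whenever a node is added or removed: an empty report means the allowlist is exactly the set of node addresses. A node that shows up under `covered_only_by_broad_entry` will join successfully today but will silently lose database access the day the broad entry is tightened, so add its /32 entry before removing the broad one.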
Sign in to the Admin Web UI of the new node.
Click Configuration > Cluster.
Select Join existing cluster.
Enter the database connection details and click Save to join the cluster.
Warning
Access Servers added to an existing cluster lose their own users and configuration and instead inherit these from the cluster’s centralized database. However, Access Server creates an automatic local backup before joining the cluster, so if you have lost your data due to this action, this backup can be retrieved from the node’s filesystem.
You can create DNS A records for each Access Server node that resolve to a single hostname. Another option is to use a more intelligent DNS service, such as Route 53, which can manage DNS records based on health checks or geolocation data.
However, a DNS round-robin is the simplest solution, giving your users a single address to use for connections. Each VPN client tries each IP address in the DNS round-robin record in sequential order until it successfully connects. Should a server fail, a temporary connection failure occurs for any clients connected to that server until they automatically connect to another server in the cluster.
To set up DNS A records:
Add a new DNS record with your web hosting provider.
Select Type A.
Enter the Hostname (for example, “VPN” or “cluster”).
Enter the IP address of the first node in the cluster.
Change the TTL if desired.
Click Save.
Repeat these steps to add each Access Server node as an IP address assigned to the same Hostname. Multiple A records on the same subdomain automatically become a round-robin DNS record in almost all DNS management systems.
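Plain round-robin DNS has no health awareness: the record keeps handing out the address of a failed node, and clients only recover because they fall through to the next address. The following Python script is an added example, not part of this tutorial or of Access Server. It resolves the cluster hostname, checks that every node answers on the TCP ports listed earlier in this tutorial (443, 943 and 945; UDP 1194 is left out because a TCP connect test says nothing about a UDP listener) and shows which address a client trying the records in order would end up on. The hostname `cluster.yourcompany.com` used by default is the placeholder from the table above, and the `probe` parameter exists so the selection logic can be exercised without live nodes.

```python
import socket

# TCP ports every cluster node must accept, taken from the port list in this tutorial.
# SSH (22) is an administrative port rather than a client-facing one, so it is not probed.
NODE_TCP_PORTS = {443: "web UI / OpenVPN TCP", 943: "web UI", 945: "cluster control channel"}


def resolve_a_records(hostname):
    """Return the IPv4 addresses behind a hostname, de-duplicated, in resolver order."""
    addrs = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
        hostname, None, socket.AF_INET, socket.SOCK_STREAM
    ):
        if sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_nodes(addresses, ports=NODE_TCP_PORTS, probe=tcp_reachable):
    """Map each node address to the list of required ports that did NOT answer."""
    return {addr: [port for port in ports if not probe(addr, port)] for addr in addresses}


def first_reachable_node(addresses, port=443, probe=tcp_reachable):
    """Mimic the client: try the addresses in resolver order and return the first
    one that answers on `port`, or None if every node is down."""
    for addr in addresses:
        if probe(addr, port):
            return addr
    return None


if __name__ == "__main__":
    import sys

    # Placeholder hostname from the tutorial's example table; pass your own as argv[1].
    hostname = sys.argv[1] if len(sys.argv) > 1 else "cluster.yourcompany.com"
    try:
        nodes = resolve_a_records(hostname)
    except socket.gaierror as exc:
        sys.exit(f"cannot resolve {hostname}: {exc}")
    for addr, down in audit_nodes(nodes).items():
        detail = ", ".join(f"{p} ({NODE_TCP_PORTS[p]})" for p in down)
        print(f"{addr}: {'ok' if not down else 'unreachable on ' + detail}")
    print("first node a client would reach:", first_reachable_node(nodes))
```

Run it from outside the cluster's network, because a node that is reachable from its neighbours but blocked by its own security group still fails for real clients. A node that answers on 443 but not on 945 is a cluster-specific finding: clients can connect to it, but the other nodes cannot reach its control channel.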
Example DNS round-robin setup
A setup with four nodes might look like this:
| Hostname | IP Address |
|---|---|
| cluster(.yourcompany.com) | 192.0.2.10 |
| cluster(.yourcompany.com) | 192.0.2.20 |
| cluster(.yourcompany.com) | 192.0.2.30 |
| cluster(.yourcompany.com) | 192.0.2.40 |
Note
In our documentation, we use example IPv4 addresses and subnets reserved for documentation, such as 192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24.
Ensure you replace them with valid IPv4 addresses and subnets for your network(s).
The Admin Web UI displays differently when your Access Servers run in a cluster.
Sign in to the Admin Web UI for any node.
The Cluster Overview page displays your node names, IP addresses, versions, VPN connections, and which nodes are active.
Click More Info for one of the nodes.
More node details display: the activation type, user authentication, IP addresses accepting VPN connections, ports for VPN client connections, OSI layer model, and the server cipher.
Click Restart for one of the nodes.
That node is restarted.
Click Remove for one of the nodes.
You remove the node from the cluster.
Click View/Edit Node.
You can make changes to the specific node in the UI you're redirected to.