Hi Colin,
My NAT rules are correct. To verify this, when I switch the firewall's redirect to the .253 address, I connect.
I did not know about the "local" directive in server.conf that you mentioned.
Here is my server.conf:
proto udp
port 1194
dev tun0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/ntc_vpn_server.crt
key /etc/openvpn/easy-rsa/2.0/keys/ntc_vpn_server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.2.100.0 255.255.255.0
local 192.168.20.253
keepalive 10 120
comp-lzo
persist-key
persist-tun
push "route 192.168.20.0 255.255.255.0"
route 192.168.30.0 255.255.255.0
route 192.168.40.0 255.255.255.0
client-config-dir /etc/openvpn/easy-rsa/2.0/ccd
status /var/log/openvpn/openvpn.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 6
Is something missing?
Thanks!
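Colin's point, that OpenVPN must bind to the floating VIP and be started and stopped by the failover scripts, can be checked rather than eyeballed. The following is an added example and not code from this thread or from the OpenVPN project: a POSIX shell script that reads the "local" directive out of a server.conf and compares it with the VIP (accepting "multihome" as the alternative, since that directive makes the server reply from whichever address the client sent to), plus dry-run failover hooks of the kind a UCARP or heartbeat resource script would call. The VIP 192.168.20.24, the /24 and the interface eth0 come from the thread; the config file names, hook names and the init-script path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenVPN project.
# Checks that an OpenVPN server.conf binds to the cluster VIP and sketches
# the failover hooks that start/stop OpenVPN when the VIP moves.
# Assumed: VIP 192.168.20.24/24 on eth0 (from the thread); file names, hook
# names and the init script path are made up for the example.

VIP="192.168.20.24"
VIP_DEV="eth0"
OPENVPN_INIT="/etc/init.d/openvpn"   # assumption: adjust to your service manager

# Print the address given to the first uncommented "local" directive
# in a server.conf; print nothing if there is none.
openvpn_local_addr() {
    sed -n 's/^[[:space:]]*local[[:space:]][[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 if the config will answer clients from the VIP, 1 otherwise.
# Without "local", OpenVPN binds to 0.0.0.0 and the kernel picks the source
# address for replies (normally the interface's primary address, .253 here,
# not the alias); "multihome" is OpenVPN's own fix for that case.
openvpn_bound_to_vip() {
    conf="$1"
    addr=$(openvpn_local_addr "$conf")
    if [ -z "$addr" ]; then
        if grep -q '^[[:space:]]*multihome' "$conf"; then
            echo "$conf: no 'local', but 'multihome' replies from the address the client used: OK"
            return 0
        fi
        echo "$conf: no 'local' directive; replies may leave from the node address instead of $VIP"
        return 1
    fi
    if [ "$addr" = "$VIP" ]; then
        echo "$conf: bound to VIP $VIP: OK"
        return 0
    fi
    echo "$conf: bound to $addr, not the VIP $VIP"
    return 1
}

# Failover hooks in the shape of a UCARP/heartbeat up/down script.
# Set RUN=echo to dry-run (print the commands instead of executing them).
RUN="${RUN:-}"
vip_up() {
    $RUN ip addr add "$VIP/24" dev "$VIP_DEV"
    $RUN "$OPENVPN_INIT" start
}
vip_down() {
    $RUN "$OPENVPN_INIT" stop
    $RUN ip addr del "$VIP/24" dev "$VIP_DEV"
}

# Constructed sample configs: a trimmed copy of the thread's server.conf bound
# to the node address, the same file bound to the VIP, and one using multihome.
TMP=$(mktemp -d)
cat > "$TMP/node.conf" <<'EOF'
proto udp
port 1194
dev tun0
server 10.2.100.0 255.255.255.0
local 192.168.20.253
EOF
sed 's/^local .*/local 192.168.20.24/' "$TMP/node.conf" > "$TMP/vip.conf"
sed 's/^local .*/multihome/' "$TMP/node.conf" > "$TMP/multihome.conf"

# Stand-alone run: report on each config, then dry-run the hooks.
for f in "$TMP/node.conf" "$TMP/vip.conf" "$TMP/multihome.conf"; do
    openvpn_bound_to_vip "$f"
done
(RUN=echo; vip_up; vip_down)
```

The check only reads the file; run it against the config that actually gets synced to both nodes. A server socket bound to 0.0.0.0 without "multihome" can answer from the node's primary address rather than the VIP the client sent to, and a client (or the firewall's NAT state) will not accept a handshake reply from a different source, which is consistent with the repeated P_CONTROL_HARD_RESET_CLIENT_V2 retries in the quoted log. Real hooks should also make sure the other node has released the VIP before adding it.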
2013/12/17 Colin Ryan <col...@caveo.ca>
> Christiano...
>
>
> I assume your reference to heartbeat is actually the floating VIP
> that is the fail-over IP between the cluster nodes.
>
> And your firewalls allow UDP access only to the .20.24.
>
> Have you told your OpenVPN instance (you didn't post your config file ;-)
> ) to bind specifically to the 20.24 via the "local" directive?
>
> As far as .253/.254 go, OpenVPN and your firewall's
> port-forwards/NAT/whatever don't need to know or do anything with these.
> They are the physical addresses of the systems only. As far as any OpenVPN
> bits go, the 20.24 VIP is all that matters.
>
> You might also want to have OpenVPN start/stop in your cluster failover
> scripts.
>
> I have HA running very well with simple UCARP and rsync-synced OpenVPNs;
> I didn't bother with DRBD in my case, not enough config
> changes to bother.
>
> Hope this helps.
>
> Colin Ryan
>
>
>
> On 12/17/2013, 8:49 AM, Christiano Liberato wrote:
>
> Hi,
>
> I have two OpenVPN servers in a cluster with heartbeat + DRBD.
>
> server01 ip: 192.168.20.253
> server02 ip: 192.168.20.254
> heartbeat ip: 192.168.20.24
>
> I like working with high availability: my external connections arrive at
> the firewall on port 1194 UDP and are redirected to 192.168.20.24, so if the
> first server goes down, the second takes over and my clients can connect to the
> VPN again.
>
> Here is my problem: when I redirect to 192.168.20.253 or 192.168.20.254, I
> can connect. When I redirect to 192.168.20.24, it does not connect and displays the
> following errors:
>
> root@tst01:~# tail -f /var/log/openvpn/openvpn.log
> Tue Dec 17 10:52:19 2013 us=548026 MULTI: multi_create_instance called
> Tue Dec 17 10:52:19 2013 us=548189 187.52.xx.xx:1194 Re-using SSL/TLS context
> Tue Dec 17 10:52:19 2013 us=548251 187.52.xx.xx:1194 LZO compression initialized
> Tue Dec 17 10:52:19 2013 us=548532 187.52.xx.xx:1194 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
> Tue Dec 17 10:52:19 2013 us=548558 187.52.xx.xx:1194 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
> Tue Dec 17 10:52:19 2013 us=548657 187.52.xx.xx:1194 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
> Tue Dec 17 10:52:19 2013 us=548682 187.52.xx.xx:1194 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
> Tue Dec 17 10:52:19 2013 us=548737 187.52.xx.xx:1194 Local Options hash (VER=V4): '530fdded'
> Tue Dec 17 10:52:19 2013 us=548757 187.52.xx.xx:1194 Expected Remote Options hash (VER=V4): '41690919'
> Tue Dec 17 10:52:19 2013 us=548831 187.52.xx.xx:1194 UDPv4 READ [14] from [AF_INET]187.52.xx.xx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
> Tue Dec 17 10:52:19 2013 us=548872 187.52.xx.xx:1194 TLS: Initial packet from [AF_INET]187.52.xx.xx:1194, sid=51d4af94 061b712f
> Tue Dec 17 10:52:19 2013 us=548937 187.52.xx.xx:1194 UDPv4 WRITE [26] to [AF_INET]187.52.xx.xx:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
> Tue Dec 17 10:52:21 2013 us=742407 187.52.xx.xx:1194 UDPv4 READ [14] from [AF_INET]187.52.xx.xx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
> Tue Dec 17 10:52:21 2013 us=742509 187.52.xx.xx:1194 UDPv4 WRITE [26] to [AF_INET]187.52.xx.xx:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
> Tue Dec 17 10:52:25 2013 us=221336 187.52.xx.xx:1194 UDPv4 WRITE [14] to [AF_INET]187.52.xx.xx:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
>
>
> root@tst01:~# ifconfig
> eth0 Link encap:Ethernet HWaddr 00:0c:29:64:d0:f6
> inet addr:192.168.20.253 Bcast:192.168.20.255 Mask:255.255.255.0
> inet6 addr: fe80::20c:29ff:fe64:d0f6/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:17989 errors:0 dropped:0 overruns:0 frame:0
> TX packets:9894 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:2774612 (2.6 MiB) TX bytes:3576338 (3.4 MiB)
>
> eth0:0 Link encap:Ethernet HWaddr 00:0c:29:64:d0:f6
> inet addr:192.168.20.24 Bcast:192.168.20.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:13 errors:0 dropped:0 overruns:0 frame:0
> TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:1144 (1.1 KiB) TX bytes:1144 (1.1 KiB)
>
> tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
> inet addr:10.2.100.1 P-t-P:10.2.100.2 Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:100
> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
>
> Does OpenVPN support connections to virtual interfaces?
>
> Thanks!
>
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users