Hi openvpn-users,
Is it possible for multiple VPN clients on the same LAN to expose the same remote subnets to other connected clients? I would like to run 2 VPN client instances on the same LAN exposing the same subnets (same iroutes) for some level of redundancy/high-availability. I am aware that one can run multiple VPN servers for redundancy and list them as separate `<remote>`s in the client config. I am interested in similar redundancy for VPN clients.
I am running OpenVPN inside Kubernetes. The VPN server runs in a multitenant environment alongside the Kubernetes Control-Plane/Master components on Subnet A, while the VPN client(s) run on Subnet B (10.X.X.X/26). I would like to provide redundant access to Subnet B in the event that my VPN client instance fails. I am using the `--client-to-client` configuration option to allow the clients running in the Kubernetes Master to route traffic to the `worker` client running on Subnet B. The client-config-directory defines the following iroutes for the `worker` client:
10.95.14.64/26 - Worker/VM Subnet
172.30.0.0/16 - K8s Pod CIDR
172.21.0.0/16 - K8s Service CIDR
I tried starting up 2 VPN clients on 10.95.14.64/26 hoping to achieve an "active"/"passive" setup, but after observing how OpenVPN Server updates its internal routing table I am not so sure we can achieve redundancy with multiple VPN client replicas exposing the same subnets (Pod/Service/Worker CIDRs) connected to the VPN server. The clients can both be connected, but the server only maintains routes for one of them, meaning if the "active" goes down then there are no internal routes so that we can quickly begin using the "backup" connected replica. I tried giving each replica its own CN when connecting, hoping it could keep duplicate routes if clients did not have duplicate CN.
IN CLUSTER:
$ kubectl get pods -n kube-system -o wide | grep vpn
vpn-client-1 1/1 Running 0 61s 172.30.43.2 10.95.14.80 <none> <none>
vpn-client-2 1/1 Running 0 62s 172.30.105.65 10.95.14.77 <none> <none>
FROM OPENVPN SERVER:
/etc/openvpn/ccd # ps -a
PID USER TIME COMMAND
1 root 0:05 {openvpn_start.s} /bin/bash /etc/openvpn/openvpn_start.sh
72 nobody 1:27 openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd
/etc/openvpn/ccd # ls
worker1 worker2
/etc/openvpn/ccd # cat worker1
iroute 172.30.0.0 255.255.0.0
iroute 172.21.0.0 255.255.0.0
iroute 10.95.14.64 255.255.255.192
/etc/openvpn/ccd # cat worker2
iroute 172.30.0.0 255.255.0.0
iroute 172.21.0.0 255.255.0.0
iroute 10.95.14.64 255.255.255.192
The VPN server's client list shows two clients have connected to the VPN server:
OpenVPN CLIENT LIST
Updated,Tue Jun 16 14:19:27 2020
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
worker1,172.18.137.0:11887,8154,8479,Tue Jun 16 13:59:35 2020
worker2,172.18.137.0:32826,803828,415606,Tue Jun 16 13:59:36 2020
However, the OpenVPN server's routing table only contains routes for 172.30.0.0/16, 172.21.0.0/16, and 10.95.14.64/26 for the most recently connected client:
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.95.14.64/26,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
172.30.0.0/16,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
172.21.0.0/16,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
172.21.202.193C,worker2,172.18.137.0:32826,Tue Jun 16 14:19:25 2020
172.30.54.2C,worker2,172.18.137.0:32826,Tue Jun 16 14:18:58 2020
192.168.255.22,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
192.168.255.18,worker1,172.18.137.0:11887,Tue Jun 16 13:59:35 2020
It seems to me OpenVPN just doesn't support multiple clients with the same iroutes. The only other thing I can think of presently would be to have some kind of communication akin to keepalived/heartbeats between the client replicas so that the second replica can initiate a connection to the VPN server only when the first replica stops responding. Is there any other supported way to achieve an HA client setup like this via configuration?
Thanks,
Calvin
`--client-to-client` enables the Master VPN client to address workload running on Subnet B via the VPN. Would love to be able to run a second VPN client replica on Subnet B.
|_master_vpn_client_| |_vpn_server_|
-------/------------------------------------/------ Subnet A
|_worker vpn client 1_| |_worker_vpn_client_2_|
------/-----------------------------------/--------------------- Subnet B -10.95.14.64/26
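As an added example (not part of Calvin's post), a small check over the status-file format shown above: it parses the CLIENT LIST and ROUTING TABLE sections and reports any connected client whose expected iroute subnets are all held by another client, which is exactly the "connected but route-less" state described for worker1. The sample status text is constructed from the figures in the post; the status-version-1 layout and the section names are assumed from what is shown.

```python
# Constructed sample, modelled on the status output quoted in the post.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Tue Jun 16 14:19:27 2020
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
worker1,172.18.137.0:11887,8154,8479,Tue Jun 16 13:59:35 2020
worker2,172.18.137.0:32826,803828,415606,Tue Jun 16 13:59:36 2020
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.95.14.64/26,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
172.30.0.0/16,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
172.21.0.0/16,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
172.30.54.2C,worker2,172.18.137.0:32826,Tue Jun 16 14:18:58 2020
192.168.255.22,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
192.168.255.18,worker1,172.18.137.0:11887,Tue Jun 16 13:59:35 2020
GLOBAL STATS
END
"""

# The iroute subnets both ccd files (worker1, worker2) declare.
EXPECTED_IROUTES = {"10.95.14.64/26", "172.30.0.0/16", "172.21.0.0/16"}


def parse_status(text):
    """Return (connected CNs, {iroute subnet: owning CN}) from a status dump."""
    clients, routes, section = set(), {}, None
    for line in text.splitlines():
        if line == "OpenVPN CLIENT LIST":
            section = "clients"
            continue
        if line == "ROUTING TABLE":
            section = "routes"
            continue
        if line in ("GLOBAL STATS", "END"):
            section = None
            continue
        fields = line.split(",")
        if section == "clients" and len(fields) == 5 and fields[0] != "Common Name":
            clients.add(fields[0])
        elif section == "routes" and len(fields) == 4 and "/" in fields[0]:
            # Only CIDR rows come from iroutes; tunnel /32s and cached 'C' hosts are skipped.
            routes[fields[0]] = fields[1]
    return clients, routes


def shadowed_clients(text, expected):
    """Connected clients holding none of the expected iroute subnets on the server."""
    clients, routes = parse_status(text)
    return sorted(cn for cn in clients if not any(routes.get(s) == cn for s in expected))
```

Run against the constructed sample it returns `['worker1']`, the replica that is connected but for which the server keeps no subnet routes; feeding it the live status file gives an alert condition for the active/passive monitoring the post describes.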
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users