Hi,
On 19/06/20 00:02, Calvin Zachman wrote:
Hi openvpn-users,
Is it possible for multiple VPN clients on the same LAN to expose the
same remote subnets to other connected clients? I would like to run 2
VPN client instances on the same LAN exposing the same subnets (same
iroutes) for some level of redundancy/high-availability. I am aware
that one can run multiple VPN servers for redundancy and list them as
separate `<remote>`s in the client config. I am interested in similar
redundancy for VPN clients.
I am running OpenVPN inside Kubernetes. The VPN server runs in a
multitenant environment alongside the Kubernetes Control-Plane/Master
components on Subnet A while the VPN client(s) run on Subnet B
(10.X.X.X/26). I would like to provide redundant access to Subnet B in
the event that my VPN client instance fails. I am using the
`--client-to-client` configuration option to allow the clients running
in the Kubernetes Master to route traffic to the `worker` client
running on Subnet B. The client-config-directory defines the following
iroutes for the `worker` client:
10.95.14.64/26 - Worker/VM Subnet
172.30.0.0/16 - K8s Pod CIDR
172.21.0.0/16 - K8s Service CIDR
I tried starting up 2 VPN clients on 10.95.14.64/26 hoping to achieve
an "active"/"passive" setup, but after observing how OpenVPN
Server updates its internal routing table I am not so sure we can
achieve redundancy with multiple VPN client replicas exposing the same
subnets (Pod/Service/Worker CIDRs) connected to the VPN server. The
clients can both be connected, but the server only maintains routes
for one of them, meaning if the "active" goes down then there are no
internal routes so that we can quickly begin using the "backup"
connected replica. I tried giving each replica its own CN when
connecting, hoping it could keep duplicate routes if clients did not
have duplicate CNs.
IN CLUSTER:
$ kubectl get pods -n kube-system -o wide | grep vpn
vpn-client-1   1/1   Running   0   61s   172.30.43.2     10.95.14.80   <none>   <none>
vpn-client-2   1/1   Running   0   62s   172.30.105.65   10.95.14.77   <none>   <none>
FROM OPENVPN SERVER:
/etc/openvpn/ccd # ps -a
PID   USER     TIME   COMMAND
1     root     0:05   {openvpn_start.s} /bin/bash /etc/openvpn/openvpn_start.sh
72    nobody   1:27   openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd
/etc/openvpn/ccd # ls
worker1 worker2
/etc/openvpn/ccd # cat worker1
iroute 172.30.0.0 255.255.0.0
iroute 172.21.0.0 255.255.0.0
iroute 10.95.14.64 255.255.255.192
/etc/openvpn/ccd # cat worker2
iroute 172.30.0.0 255.255.0.0
iroute 172.21.0.0 255.255.0.0
iroute 10.95.14.64 255.255.255.192
The VPN server's client list shows two clients have connected to the
VPN server:
OpenVPN CLIENT LIST
Updated,Tue Jun 16 14:19:27 2020
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
worker1,172.18.137.0:11887,8154,8479,Tue Jun 16 13:59:35 2020
worker2,172.18.137.0:32826,803828,415606,Tue Jun 16 13:59:36 2020
however, the OpenVPN server's routing table only contains routes for
172.30.0.0/16, 172.21.0.0/16, and 10.95.14.64/26 for the most recently
connected client:
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.95.14.64/26,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
172.30.0.0/16,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
172.21.0.0/16,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
172.21.202.193C,worker2,172.18.137.0:32826,Tue Jun 16 14:19:25 2020
172.30.54.2C,worker2,172.18.137.0:32826,Tue Jun 16 14:18:58 2020
192.168.255.22,worker2,172.18.137.0:32826,Tue Jun 16 13:59:36 2020
192.168.255.18,worker1,172.18.137.0:11887,Tue Jun 16 13:59:35 2020
It seems to me OpenVPN just doesn't support multiple clients with the
same iroutes. The only other thing I can think of presently would be
to have some kind of communication akin to
keepalived/heartbeats between the client replicas so that the second
replica can initiate a connection to the VPN server only when the
first replica stops responding. Is there any other supported way to
achieve an HA client setup like this via configuration?
AFAICT OpenVPN does not support multiple (internal) iroutes to the same
subnet - which is what you'd need to achieve this. The only way I can
think of to achieve this is to use heartbeat detection (and/or use
--explicit-exit-notify in UDP mode) and when the client to which the
current iroute is pointing goes down, restart *another* client to make
the openvpn server pick that one to use for that particular iroute.
Tricky but should be doable using a client-connect/client-disconnect
script in combination with the management interface to restart a client.
Of course, you're also welcome to contribute a patch to support multiple
iroutes to the same subnet ;)
HTH,
JJK
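One way to wire up the client-disconnect/management-interface idea from JJK's reply, as an added example that is not code from the thread or from the OpenVPN project: a server-side `--client-disconnect` hook that checks whether the departing client owned a shared iroute (using the `--status` file in the version-1 layout shown above), finds another ccd entry declaring the same iroute, and asks that standby client to reconnect so the server learns the subnet from it. The status file path, ccd path, the `nc` call and the assumption that each standby client runs `--management <its tun IP> 7505` are constructed for this example; the ccd contents and status layout follow the ones quoted in the question.

```shell
#!/bin/sh
# Added example (not from the thread): --client-disconnect hook on the server.
# When the client owning a shared iroute drops, pick another ccd entry that
# declares the same iroute and send "signal SIGHUP" to that standby client's
# management interface so it reconnects and the server re-learns the subnet.
# Assumed: --status in version-1 format, --client-config-dir, and standby
# clients running --management <tun IP> 7505 bound only to the tunnel.
STATUS_FILE="${STATUS_FILE:-/etc/openvpn/openvpn-status.log}"
CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"
MGMT_PORT="${MGMT_PORT:-7505}"

# CN that the ROUTING TABLE currently maps a subnet (e.g. 172.30.0.0/16) to.
iroute_owner() {           # $1 = status file, $2 = subnet in CIDR form
  awk -F, -v net="$2" '
    /^ROUTING TABLE/ { rt = 1; next }
    /^GLOBAL STATS/  { rt = 0 }
    rt && $1 == net  { print $2; exit }' "$1"
}

# Tunnel IP of a CN: its plain (non-CIDR, non-"C"-suffixed) ROUTING TABLE entry.
tun_ip_of() {              # $1 = status file, $2 = CN
  awk -F, -v cn="$2" '
    /^ROUTING TABLE/ { rt = 1; next }
    rt && $2 == cn && $1 !~ /\/|C$/ { print $1; exit }' "$1"
}

# Another ccd file (= CN) declaring "iroute <net> <mask>" besides the leaver.
find_standby() {           # $1 = ccd dir, $2 = leaver CN, $3 = net, $4 = mask
  grep -lxF "iroute $3 $4" "$1"/* 2>/dev/null | while read -r f; do
    cn=$(basename "$f")
    [ "$cn" != "$2" ] && { echo "$cn"; break; }
  done
}

# The status file is rewritten periodically, so at hook time it still shows
# the state before the disconnect: act only if the leaver owned the subnet.
on_disconnect() {          # $1 status, $2 ccd, $3 leaver, $4 net, $5 mask, $6 cidr
  [ "$(iroute_owner "$1" "$6")" = "$3" ] || return 0
  standby=$(find_standby "$2" "$3" "$4" "$5")
  [ -n "$standby" ] || return 1
  ip=$(tun_ip_of "$1" "$standby")
  printf 'signal SIGHUP\nquit\n' | nc -w 2 "$ip" "$MGMT_PORT"
}

# OpenVPN exports common_name to the hook; nothing runs when sourced by hand.
if [ -n "$common_name" ]; then
  on_disconnect "$STATUS_FILE" "$CCD_DIR" "$common_name" \
    172.30.0.0 255.255.0.0 172.30.0.0/16
fi
```

The same hook can be registered for the other two iroutes by calling on_disconnect once per subnet; a standby that is signalled will reconnect and the server's next status write will show its CN as the owner.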
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users