Highly Available OpenVPN connection between two offices

When you connect two (or more) offices over the internet using a VPN,
you depend heavily on the reliability of both your routers and your service providers' links.
In a perfect world, routers never break and provider links never go down.
I wish we all lived in a perfect world, but we all live in a slightly different place. :)
To build a solid infrastructure that will not betray you at the decisive moment,
you must always remember that every single component is potentially unreliable,
and you must avoid SPOFs (single points of failure) at any cost.

In this context the typical SPOFs are your router and your internet provider's link.
There are other SPOFs too, such as switches and UPSes, but they are far more trivial
and will only be discussed briefly at the end of this article.

Before starting the main part I would like to thank Cartman,
who not only motivated me, but also did a major part of the job
by shaping my style and providing me with real-world working examples.
This is more his story than mine; nevertheless he generously allowed me
to publish it under my name.

Preface
There is only one way to learn how to create highly-available networks:
you must create one yourself and test it, test it, test it…

Imagine we have a company, SnakeVenom INC, with 2 imaginary offices:
the HQ in Canada and the Venom Research Lab in Zimbabwe.
For convenience let's call the HQ OfficeA and the Venom Lab OfficeB.
To achieve real high availability we must have two routers and two ISP links
in each office and use the following [software] technologies to gain an advantage
from the redundant hardware:

  • VRRP – when one router dies, switch to the other.
  • WAN load balancing – balance load between the ISP links.
  • OpenVPN – create encrypted tunnels between the offices.
  • OSPF – dynamically build routes between the office private networks (over the VPN).

Take a look at the illustration above:
Full HA connection
In OfficeA, Canada, we have two routers, oa-rt-01 and oa-rt-02,
each with links from two [imaginary] providers, BigBoy Systems and FatCat Telecom.
In OfficeB, Zimbabwe, we also have two routers, ob-rt-01 and ob-rt-02,
each also with links from two providers, Mugabe Broadband and Zulu Networks.

Each router has 3 ethernet interfaces: eth0 and eth1 for WAN, eth2 for LAN.

BigBoy Systems has network 1.1.1.0/24 and gateway 1.1.1.101.
oa-rt-01 is connected to BigBoy with eth0 1.1.1.201, oa-rt-02 with eth0 1.1.1.202.
FatCat Telecom has network 2.2.2.0/24 and gateway 2.2.2.101.
oa-rt-01 is connected to FatCat with eth1 2.2.2.201, oa-rt-02 with eth1 2.2.2.202.
Mugabe Broadband has network 3.3.3.0/24 and gateway 3.3.3.101.
ob-rt-01 is connected to Mugabe with eth0 3.3.3.201, ob-rt-02 with eth0 3.3.3.202.
Zulu Networks has network 4.4.4.0/24 and gateway 4.4.4.101.
ob-rt-01 is connected to Zulu with eth1 4.4.4.201, ob-rt-02 with eth1 4.4.4.202.

oa-rt-01 and oa-rt-02 are connected to OfficeA local network 10.0.100.0/24
with eth2 having shared virtual VRRP address 10.0.100.254.
ob-rt-01 and ob-rt-02 are connected to OfficeB local network 10.0.200.0/24
with eth2 having shared virtual VRRP address 10.0.200.254.

I think the explanation is enough and there is no need to write more empty text. :)
Comrades, fasten your seat belts, we are going to see some real action here!

Initial setup of the routers
Configuration of an office router includes many things like a DHCP server, firewall, QoS, etc…
I will not include all these necessary but trivial things; instead I will concentrate on the article's specifics:
VRRP, WAN load balancing, OpenVPN and OSPF.
Let's load the pre-created config.boot files from GitHub:
oa-rt-01: Download!
oa-rt-02: Download!
ob-rt-01: Download!
ob-rt-02: Download!
These files contain everything needed, except the specific things we will set up ourselves now.
We must download them to /opt/vyatta/etc/config/config.boot on the respective routers
and then reboot each router afterwards.
NB!
If you follow the steps of this scenario, you must have your interface and network setup
similar to mine, or you must change the configuration settings according to your own scenario!

VRRP
oa-rt-01
configure
set interfaces ethernet eth2 vrrp vrrp-group 10 priority 150
set interfaces ethernet eth2 vrrp vrrp-group 10 virtual-address 10.0.100.254
set interfaces ethernet eth2 vrrp vrrp-group 10 description "LAN VRRP group A"
set interfaces ethernet eth2 vrrp vrrp-group 10 advertise-interval 1
set interfaces ethernet eth2 vrrp vrrp-group 10 authentication type ah
set interfaces ethernet eth2 vrrp vrrp-group 10 authentication password s0mEpa5s
commit
save

oa-rt-02
configure
set interfaces ethernet eth2 vrrp vrrp-group 10 priority 100
set interfaces ethernet eth2 vrrp vrrp-group 10 virtual-address 10.0.100.254
set interfaces ethernet eth2 vrrp vrrp-group 10 description "LAN VRRP group A"
set interfaces ethernet eth2 vrrp vrrp-group 10 advertise-interval 1
set interfaces ethernet eth2 vrrp vrrp-group 10 authentication type ah
set interfaces ethernet eth2 vrrp vrrp-group 10 authentication password s0mEpa5s
commit
save

ob-rt-01
configure
set interfaces ethernet eth2 vrrp vrrp-group 20 priority 150
set interfaces ethernet eth2 vrrp vrrp-group 20 virtual-address 10.0.200.254
set interfaces ethernet eth2 vrrp vrrp-group 20 description "LAN VRRP group B"
set interfaces ethernet eth2 vrrp vrrp-group 20 advertise-interval 1
set interfaces ethernet eth2 vrrp vrrp-group 20 authentication type ah
set interfaces ethernet eth2 vrrp vrrp-group 20 authentication password 50mepAs5
commit
save

ob-rt-02
configure
set interfaces ethernet eth2 vrrp vrrp-group 20 priority 100
set interfaces ethernet eth2 vrrp vrrp-group 20 virtual-address 10.0.200.254
set interfaces ethernet eth2 vrrp vrrp-group 20 description "LAN VRRP group B"
set interfaces ethernet eth2 vrrp vrrp-group 20 advertise-interval 1
set interfaces ethernet eth2 vrrp vrrp-group 20 authentication type ah
set interfaces ethernet eth2 vrrp vrrp-group 20 authentication password 50mepAs5
commit
save

WAN LoadBalancing and static routes
oa-rt-01 and oa-rt-02
configure
set protocols static route 0.0.0.0/0 next-hop 1.1.1.101 distance 10
set protocols static route 0.0.0.0/0 next-hop 2.2.2.101 distance 20
set protocols static route 3.3.3.201/32 next-hop 1.1.1.101
set protocols static route 4.4.4.202/32 next-hop 1.1.1.101
set protocols static route 3.3.3.202/32 next-hop 2.2.2.101
set protocols static route 4.4.4.201/32 next-hop 2.2.2.101

set load-balancing wan interface-health eth0 failure-count 3
set load-balancing wan interface-health eth0 nexthop 1.1.1.101
set load-balancing wan interface-health eth0 success-count 2
set load-balancing wan interface-health eth0 test 10 resp-time 5
set load-balancing wan interface-health eth0 test 10 target 3.3.3.201
set load-balancing wan interface-health eth0 test 10 ttl-limit 1
set load-balancing wan interface-health eth0 test 10 type ping
set load-balancing wan interface-health eth0 test 20 resp-time 5
set load-balancing wan interface-health eth0 test 20 target 4.4.4.202
set load-balancing wan interface-health eth0 test 20 ttl-limit 1
set load-balancing wan interface-health eth0 test 20 type ping

set load-balancing wan interface-health eth1 failure-count 3
set load-balancing wan interface-health eth1 nexthop 2.2.2.101
set load-balancing wan interface-health eth1 success-count 2
set load-balancing wan interface-health eth1 test 10 resp-time 5
set load-balancing wan interface-health eth1 test 10 target 3.3.3.202
set load-balancing wan interface-health eth1 test 10 ttl-limit 1
set load-balancing wan interface-health eth1 test 10 type ping
set load-balancing wan interface-health eth1 test 20 resp-time 5
set load-balancing wan interface-health eth1 test 20 target 4.4.4.201
set load-balancing wan interface-health eth1 test 20 ttl-limit 1
set load-balancing wan interface-health eth1 test 20 type ping

set load-balancing wan rule 100 description "Exclude Class A private networks"
set load-balancing wan rule 100 destination address 10.0.0.0/8
set load-balancing wan rule 100 exclude
set load-balancing wan rule 100 inbound-interface eth2
set load-balancing wan rule 100 protocol all

set load-balancing wan rule 110 description "Exclude Class B private networks"
set load-balancing wan rule 110 destination address 172.16.0.0/12
set load-balancing wan rule 110 exclude
set load-balancing wan rule 110 inbound-interface eth2
set load-balancing wan rule 110 protocol all

set load-balancing wan rule 120 description "Exclude Class C private networks"
set load-balancing wan rule 120 destination address 192.168.0.0/16
set load-balancing wan rule 120 exclude
set load-balancing wan rule 120 inbound-interface eth2
set load-balancing wan rule 120 protocol all

set load-balancing wan rule 1000 description "Default Load Balancer"
set load-balancing wan rule 1000 destination address 0.0.0.0/0
set load-balancing wan rule 1000 inbound-interface eth2
set load-balancing wan rule 1000 interface eth0 weight 2
set load-balancing wan rule 1000 interface eth1 weight 1
set load-balancing wan rule 1000 protocol all
set load-balancing wan rule 1000 source address 10.0.100.0/24
commit
save

ob-rt-01 and ob-rt-02
configure
set protocols static route 0.0.0.0/0 next-hop 3.3.3.101 distance 10
set protocols static route 0.0.0.0/0 next-hop 4.4.4.101 distance 10
set protocols static route 1.1.1.201/32 next-hop 3.3.3.101
set protocols static route 2.2.2.202/32 next-hop 3.3.3.101
set protocols static route 1.1.1.202/32 next-hop 4.4.4.101
set protocols static route 2.2.2.201/32 next-hop 4.4.4.101

set load-balancing wan interface-health eth0 failure-count 3
set load-balancing wan interface-health eth0 nexthop 3.3.3.101
set load-balancing wan interface-health eth0 success-count 2
set load-balancing wan interface-health eth0 test 10 resp-time 5
set load-balancing wan interface-health eth0 test 10 target 1.1.1.201
set load-balancing wan interface-health eth0 test 10 ttl-limit 1
set load-balancing wan interface-health eth0 test 10 type ping
set load-balancing wan interface-health eth0 test 20 resp-time 5
set load-balancing wan interface-health eth0 test 20 target 2.2.2.202
set load-balancing wan interface-health eth0 test 20 ttl-limit 1
set load-balancing wan interface-health eth0 test 20 type ping

set load-balancing wan interface-health eth1 failure-count 3
set load-balancing wan interface-health eth1 nexthop 4.4.4.101
set load-balancing wan interface-health eth1 success-count 2
set load-balancing wan interface-health eth1 test 10 resp-time 5
set load-balancing wan interface-health eth1 test 10 target 1.1.1.202
set load-balancing wan interface-health eth1 test 10 ttl-limit 1
set load-balancing wan interface-health eth1 test 10 type ping
set load-balancing wan interface-health eth1 test 20 resp-time 5
set load-balancing wan interface-health eth1 test 20 target 2.2.2.201
set load-balancing wan interface-health eth1 test 20 ttl-limit 1
set load-balancing wan interface-health eth1 test 20 type ping

set load-balancing wan rule 100 description "Exclude Class A private networks"
set load-balancing wan rule 100 destination address 10.0.0.0/8
set load-balancing wan rule 100 exclude
set load-balancing wan rule 100 inbound-interface eth2
set load-balancing wan rule 100 protocol all

set load-balancing wan rule 110 description "Exclude Class B private networks"
set load-balancing wan rule 110 destination address 172.16.0.0/12
set load-balancing wan rule 110 exclude
set load-balancing wan rule 110 inbound-interface eth2
set load-balancing wan rule 110 protocol all

set load-balancing wan rule 120 description "Exclude Class C private networks"
set load-balancing wan rule 120 destination address 192.168.0.0/16
set load-balancing wan rule 120 exclude
set load-balancing wan rule 120 inbound-interface eth2
set load-balancing wan rule 120 protocol all

set load-balancing wan rule 1000 description "Default Load Balancer"
set load-balancing wan rule 1000 destination address 0.0.0.0/0
set load-balancing wan rule 1000 inbound-interface eth2
set load-balancing wan rule 1000 interface eth0 weight 1
set load-balancing wan rule 1000 interface eth1 weight 1
set load-balancing wan rule 1000 protocol all
set load-balancing wan rule 1000 source address 10.0.200.0/24
commit
save
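To make the interface-health and balancing parameters above concrete, here is an added example (not Vyatta code and not from the article) that models in Python the behaviour they describe: an interface is declared down only after failure-count consecutive failed probes and comes back only after success-count good ones, and LAN flows are assigned to the healthy interfaces per flow according to weight (OfficeA's eth0:eth1 = 2:1). The probe sequence and the flows are constructed; the hashing and the state machine are a simplified model of the semantics, not Vyatta's implementation.

```python
"""Model of the 'load-balancing wan' semantics configured above: interface-health
with failure-count/success-count hysteresis and per-flow (not per-packet) weighted
balancing. Added, simplified model for illustration; not Vyatta's implementation."""
import hashlib


class InterfaceHealth:
    """One WAN interface. It goes down only after `failure_count` consecutive failed
    probes and comes back only after `success_count` consecutive good ones (the
    article uses failure-count 3, success-count 2), so one lost ping does not flap."""

    def __init__(self, name, failure_count=3, success_count=2):
        self.name, self.failure_count, self.success_count = name, failure_count, success_count
        self.up, self._fails, self._oks = True, 0, 0
        self.transitions = []  # (probe index, new state), for the audit log

    def probe(self, ok, idx):
        if ok:
            self._oks, self._fails = self._oks + 1, 0
            if not self.up and self._oks >= self.success_count:
                self.up = True
                self.transitions.append((idx, "up"))
        else:
            self._fails, self._oks = self._fails + 1, 0
            if self.up and self._fails >= self.failure_count:
                self.up = False
                self.transitions.append((idx, "down"))
        return self.up


def hysteresis_log(results, failure_count=3, success_count=2):
    """Feed a constructed probe sequence (True = reply received) to one interface
    and return the state transitions it produces."""
    iface = InterfaceHealth("eth0", failure_count, success_count)
    for idx, ok in enumerate(results):
        iface.probe(ok, idx)
    return iface.transitions


def pick_interface(flow, ifaces, weights):
    """Per-flow selection: hash the flow's 5-tuple once, then map it onto the healthy
    interfaces in proportion to their weights. The same flow keeps the same path
    while the health state is unchanged, so an established session is not sprayed
    across links packet by packet. Returns None when no interface is healthy."""
    healthy = [i for i in ifaces if i.up]
    if not healthy:
        return None
    total = sum(weights[i.name] for i in healthy)
    h = int.from_bytes(hashlib.sha256(repr(flow).encode()).digest()[:8], "big") % total
    for i in healthy:
        h -= weights[i.name]
        if h < 0:
            return i.name


def flow_shares(n_flows, eth0_up=True, eth1_up=True):
    """Distribute n constructed LAN flows with the OfficeA weights (eth0 2, eth1 1)
    and return the per-interface flow counts."""
    eth0, eth1 = InterfaceHealth("eth0"), InterfaceHealth("eth1")
    eth0.up, eth1.up = eth0_up, eth1_up
    weights = {"eth0": 2, "eth1": 1}
    counts = {"eth0": 0, "eth1": 0, None: 0}
    for k in range(n_flows):
        # constructed flow: LAN host, ephemeral port, TEST-NET-3 destination, HTTPS
        flow = ("10.0.100.%d" % (k % 250 + 1), 40000 + k, "203.0.113.7", 443, "tcp")
        counts[pick_interface(flow, [eth0, eth1], weights)] += 1
    return counts


if __name__ == "__main__":
    print(hysteresis_log([False, False, True, False, False, False, True, True]))
    print(flow_shares(3000))
    print(flow_shares(3000, eth0_up=False))
```

With both links up roughly two thirds of the flows land on eth0; once eth0 has failed three probes in a row every new flow goes to eth1, and a single good reply is not enough to bring eth0 back. Note that existing flows pinned to a failed link are only re-hashed when a new decision is made for them, which is why tunnel recovery after a link failure can lag the health check.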

OpenVPN
The following illustration will help to understand our OpenVPN setup:
Full HA connection (OpenVPN)
Generate the static keys somewhere:
sudo openvpn --genkey --secret a1-b1.key
sudo openvpn --genkey --secret a1-b2.key
sudo openvpn --genkey --secret a2-b1.key
sudo openvpn --genkey --secret a2-b2.key

Distribute keys across routers:
oa-rt-01: /root/a1-b1.key /root/a1-b2.key
oa-rt-02: /root/a2-b1.key /root/a2-b2.key
ob-rt-01: /root/a1-b1.key /root/a2-b1.key
ob-rt-02: /root/a1-b2.key /root/a2-b2.key
Place everything in the /root directory and chmod 0600.
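An added example, not part of the article, that audits a router's key files against the distribution above: it writes constructed keys (random bytes, not real secrets) in the file layout produced by openvpn --genkey --secret into a scratch directory, then checks that every key the router needs is present, is mode 0600, parses as a 2048-bit static key, and is not reused by a second tunnel on the same router. The scratch directory, and the second demo with a world-readable, duplicated key, are constructed for the demonstration.

```python
"""Audit of OpenVPN static-key files on one router (added example, not from the
article). Checks presence, 0600 mode, well-formed 'OpenVPN Static key V1' content
and that no key file is reused by two tunnels of the same router."""
import os
import re
import stat
import tempfile

# Key distribution matrix from the article: router -> key files it must hold.
KEYS_PER_ROUTER = {
    "oa-rt-01": ["a1-b1.key", "a1-b2.key"], "oa-rt-02": ["a2-b1.key", "a2-b2.key"],
    "ob-rt-01": ["a1-b1.key", "a2-b1.key"], "ob-rt-02": ["a1-b2.key", "a2-b2.key"],
}
BEGIN, END = "-----BEGIN OpenVPN Static key V1-----", "-----END OpenVPN Static key V1-----"
HEX_LINE = re.compile(r"^[0-9a-f]{32}$")


def write_static_key(path, raw=None):
    """Write a key in the layout 'openvpn --genkey --secret' uses: 256 bytes as
    16 lines of 32 hex digits between the BEGIN/END markers. Constructed key material."""
    raw = raw or os.urandom(256)
    hexed = raw.hex()
    lines = [hexed[i:i + 32] for i in range(0, 512, 32)]
    body = "\n".join(["#", "# 2048 bit OpenVPN static key", "#", BEGIN, *lines, END]) + "\n"
    with open(path, "w") as f:
        f.write(body)
    os.chmod(path, 0o600)
    return raw


def parse_static_key(text):
    """Return the 256 key bytes, or raise ValueError if the file is malformed."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")]
    if len(lines) < 2 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing BEGIN/END markers")
    hexlines = lines[1:-1]
    if len(hexlines) != 16 or not all(HEX_LINE.match(l) for l in hexlines):
        raise ValueError("expected 16 lines of 32 hex digits")
    return bytes.fromhex("".join(hexlines))


def audit_keys(keydir, router):
    """Return a list of findings for the key files `router` must hold in `keydir`."""
    findings, seen = [], {}
    for name in KEYS_PER_ROUTER[router]:
        path = os.path.join(keydir, name)
        if not os.path.exists(path):
            findings.append(f"{name}: missing")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode != 0o600:
            findings.append(f"{name}: mode {oct(mode)}, expected 0o600")
        try:
            with open(path) as f:
                raw = parse_static_key(f.read())
        except ValueError as e:
            findings.append(f"{name}: {e}")
            continue
        if raw in seen:
            findings.append(f"{name}: identical to {seen[raw]} (same key on two tunnels)")
        seen[raw] = name
    return findings


def demo_clean():
    """ob-rt-02 with two distinct, correctly protected keys: no findings."""
    d = tempfile.mkdtemp()
    for name in KEYS_PER_ROUTER["ob-rt-02"]:
        write_static_key(os.path.join(d, name))
    return audit_keys(d, "ob-rt-02")


def demo_sloppy():
    """ob-rt-02 where a2-b2.key is a world-readable copy of a1-b2.key."""
    d = tempfile.mkdtemp()
    raw = write_static_key(os.path.join(d, "a1-b2.key"))
    write_static_key(os.path.join(d, "a2-b2.key"), raw)   # reused key material
    os.chmod(os.path.join(d, "a2-b2.key"), 0o644)         # forgot chmod 0600
    return audit_keys(d, "ob-rt-02")


if __name__ == "__main__":
    print(demo_clean())
    print(demo_sloppy())
```

Run it as root on each router with keydir="/root" and the router's own name instead of the demo directories; the same check also catches a key file that was truncated or corrupted while being copied between offices.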

Enable OpenVPN ports:
configure
set firewall name WAN_local rule 400 action accept
set firewall name WAN_local rule 400 description "Accept OpenVPN from fellows"
set firewall name WAN_local rule 400 protocol udp
set firewall name WAN_local rule 400 destination port 1011,1012,1021,1022
commit
save

NB! The firewall must be applied on both public interfaces, eth0 and eth1!
You may also limit access to the fellow routers' IPs only, to achieve paranoid security. :)

oa-rt-01
configure
set interfaces openvpn vtun0 description "A1-B1"
set interfaces openvpn vtun0 local-port 1011
set interfaces openvpn vtun0 remote-host 3.3.3.201
set interfaces openvpn vtun0 remote-host 4.4.4.201
set interfaces openvpn vtun0 remote-port 1011
set interfaces openvpn vtun0 local-address 172.30.12.11
set interfaces openvpn vtun0 remote-address 172.30.34.11
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 encryption aes128
set interfaces openvpn vtun0 protocol udp
set interfaces openvpn vtun0 shared-secret-key-file /root/a1-b1.key
set interfaces openvpn vtun0 openvpn-option "--float"

set interfaces openvpn vtun1 description "A1-B2"
set interfaces openvpn vtun1 local-port 1012
set interfaces openvpn vtun1 remote-host 3.3.3.202
set interfaces openvpn vtun1 remote-host 4.4.4.202
set interfaces openvpn vtun1 remote-port 1012
set interfaces openvpn vtun1 local-address 172.30.12.12
set interfaces openvpn vtun1 remote-address 172.30.34.21
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 encryption aes128
set interfaces openvpn vtun1 protocol udp
set interfaces openvpn vtun1 shared-secret-key-file /root/a1-b2.key
set interfaces openvpn vtun1 openvpn-option "--float"
commit
save

oa-rt-02
configure
set interfaces openvpn vtun0 description "A2-B1"
set interfaces openvpn vtun0 local-port 1021
set interfaces openvpn vtun0 remote-host 3.3.3.201
set interfaces openvpn vtun0 remote-host 4.4.4.201
set interfaces openvpn vtun0 remote-port 1021
set interfaces openvpn vtun0 local-address 172.30.12.21
set interfaces openvpn vtun0 remote-address 172.30.34.12
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 encryption aes128
set interfaces openvpn vtun0 protocol udp
set interfaces openvpn vtun0 shared-secret-key-file /root/a2-b1.key
set interfaces openvpn vtun0 openvpn-option "--float"

set interfaces openvpn vtun1 description "A2-B2"
set interfaces openvpn vtun1 local-port 1022
set interfaces openvpn vtun1 remote-host 3.3.3.202
set interfaces openvpn vtun1 remote-host 4.4.4.202
set interfaces openvpn vtun1 remote-port 1022
set interfaces openvpn vtun1 local-address 172.30.12.22
set interfaces openvpn vtun1 remote-address 172.30.34.22
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 encryption aes128
set interfaces openvpn vtun1 protocol udp
set interfaces openvpn vtun1 shared-secret-key-file /root/a2-b2.key
set interfaces openvpn vtun1 openvpn-option "--float"
commit
save

ob-rt-01
configure
set interfaces openvpn vtun0 description "B1-A1"
set interfaces openvpn vtun0 local-port 1011
set interfaces openvpn vtun0 remote-host 1.1.1.201
set interfaces openvpn vtun0 remote-host 2.2.2.201
set interfaces openvpn vtun0 remote-port 1011
set interfaces openvpn vtun0 local-address 172.30.34.11
set interfaces openvpn vtun0 remote-address 172.30.12.11
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 encryption aes128
set interfaces openvpn vtun0 protocol udp
set interfaces openvpn vtun0 shared-secret-key-file /root/a1-b1.key
set interfaces openvpn vtun0 openvpn-option "--float"

set interfaces openvpn vtun1 description "B1-A2"
set interfaces openvpn vtun1 local-port 1021
set interfaces openvpn vtun1 remote-host 1.1.1.202
set interfaces openvpn vtun1 remote-host 2.2.2.202
set interfaces openvpn vtun1 remote-port 1021
set interfaces openvpn vtun1 local-address 172.30.34.12
set interfaces openvpn vtun1 remote-address 172.30.12.21
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 encryption aes128
set interfaces openvpn vtun1 protocol udp
set interfaces openvpn vtun1 shared-secret-key-file /root/a2-b1.key
set interfaces openvpn vtun1 openvpn-option "--float"
commit
save

ob-rt-02
configure
set interfaces openvpn vtun0 description "B2-A1"
set interfaces openvpn vtun0 local-port 1012
set interfaces openvpn vtun0 remote-host 1.1.1.201
set interfaces openvpn vtun0 remote-host 2.2.2.201
set interfaces openvpn vtun0 remote-port 1012
set interfaces openvpn vtun0 local-address 172.30.34.21
set interfaces openvpn vtun0 remote-address 172.30.12.12
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 encryption aes128
set interfaces openvpn vtun0 protocol udp
set interfaces openvpn vtun0 shared-secret-key-file /root/a1-b2.key
set interfaces openvpn vtun0 openvpn-option "--float"

set interfaces openvpn vtun1 description "B2-A2"
set interfaces openvpn vtun1 local-port 1022
set interfaces openvpn vtun1 remote-host 1.1.1.202
set interfaces openvpn vtun1 remote-host 2.2.2.202
set interfaces openvpn vtun1 remote-port 1022
set interfaces openvpn vtun1 local-address 172.30.34.22
set interfaces openvpn vtun1 remote-address 172.30.12.22
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 encryption aes128
set interfaces openvpn vtun1 protocol udp
set interfaces openvpn vtun1 shared-secret-key-file /root/a2-b2.key
set interfaces openvpn vtun1 openvpn-option "--float"
commit
save

OSPF
oa-rt-01
configure
set protocols ospf parameters router-id 10.0.0.11
set protocols ospf area 0.0.0.100 network 10.0.100.0/24
set protocols ospf area 0.0.0.0 network 172.30.34.11/32
set protocols ospf area 0.0.0.0 network 172.30.34.21/32
set protocols ospf passive-interface eth2
commit
save

oa-rt-02
configure
set protocols ospf parameters router-id 10.0.0.12
set protocols ospf area 0.0.0.100 network 10.0.100.0/24
set protocols ospf area 0.0.0.0 network 172.30.34.12/32
set protocols ospf area 0.0.0.0 network 172.30.34.22/32
set protocols ospf passive-interface eth2
commit
save

ob-rt-01
configure
set protocols ospf parameters router-id 10.0.0.21
set protocols ospf area 0.0.0.200 network 10.0.200.0/24
set protocols ospf area 0.0.0.0 network 172.30.12.11/32
set protocols ospf area 0.0.0.0 network 172.30.12.21/32
set protocols ospf passive-interface eth2
commit
save

ob-rt-02
configure
set protocols ospf parameters router-id 10.0.0.22
set protocols ospf area 0.0.0.200 network 10.0.200.0/24
set protocols ospf area 0.0.0.0 network 172.30.12.12/32
set protocols ospf area 0.0.0.0 network 172.30.12.22/32
set protocols ospf passive-interface eth2
commit
save
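As an added example (not from the article), the following Python cross-checks the eight tunnel definitions and the OSPF statements from the sections above: both ends of each key's tunnel must mirror each other's local-address and remote-address, use the same UDP port, and list the peer's two WAN addresses as remote-host; and each router's backbone networks must be exactly its tunnels' remote addresses as /32 (the article, and Cartman's reply in the comments, use the peer address rather than a /30). The data below is transcribed from the configuration on this page; the check logic is mine. audit_with_typo() reintroduces a one-digit slip of the kind zmi raises in the comments (172.30.12.21 in place of 172.30.12.22 on ob-rt-02) to show what the check reports.

```python
"""Consistency check of the four-router OpenVPN/OSPF configuration (added example;
the data is transcribed from the article, the check is not the article's)."""

WAN = {  # router -> its two public addresses (eth0, eth1), from the article
    "oa-rt-01": {"1.1.1.201", "2.2.2.201"}, "oa-rt-02": {"1.1.1.202", "2.2.2.202"},
    "ob-rt-01": {"3.3.3.201", "4.4.4.201"}, "ob-rt-02": {"3.3.3.202", "4.4.4.202"},
}


def tun(port, rhosts, laddr, raddr, key):
    # one 'interfaces openvpn vtunN' block: local-port == remote-port on this page
    return {"port": port, "rhosts": set(rhosts), "laddr": laddr, "raddr": raddr, "key": key}


TUNNELS = {
    ("oa-rt-01", "vtun0"): tun(1011, ("3.3.3.201", "4.4.4.201"), "172.30.12.11", "172.30.34.11", "a1-b1"),
    ("oa-rt-01", "vtun1"): tun(1012, ("3.3.3.202", "4.4.4.202"), "172.30.12.12", "172.30.34.21", "a1-b2"),
    ("oa-rt-02", "vtun0"): tun(1021, ("3.3.3.201", "4.4.4.201"), "172.30.12.21", "172.30.34.12", "a2-b1"),
    ("oa-rt-02", "vtun1"): tun(1022, ("3.3.3.202", "4.4.4.202"), "172.30.12.22", "172.30.34.22", "a2-b2"),
    ("ob-rt-01", "vtun0"): tun(1011, ("1.1.1.201", "2.2.2.201"), "172.30.34.11", "172.30.12.11", "a1-b1"),
    ("ob-rt-01", "vtun1"): tun(1021, ("1.1.1.202", "2.2.2.202"), "172.30.34.12", "172.30.12.21", "a2-b1"),
    ("ob-rt-02", "vtun0"): tun(1012, ("1.1.1.201", "2.2.2.201"), "172.30.34.21", "172.30.12.12", "a1-b2"),
    ("ob-rt-02", "vtun1"): tun(1022, ("1.1.1.202", "2.2.2.202"), "172.30.34.22", "172.30.12.22", "a2-b2"),
}

OSPF_BACKBONE = {  # router -> /32 networks placed in area 0.0.0.0 (tunnel peer addresses)
    "oa-rt-01": {"172.30.34.11/32", "172.30.34.21/32"},
    "oa-rt-02": {"172.30.34.12/32", "172.30.34.22/32"},
    "ob-rt-01": {"172.30.12.11/32", "172.30.12.21/32"},
    "ob-rt-02": {"172.30.12.12/32", "172.30.12.22/32"},
}


def audit(tunnels, ospf, wan):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings, by_key = [], {}
    for rid, t in tunnels.items():
        by_key.setdefault(t["key"], []).append(rid)
    for key, ends in by_key.items():
        if len(ends) != 2:
            findings.append(f"key {key} used by {len(ends)} tunnel(s), expected exactly 2")
            continue
        (ra, ia), (rb, ib) = ends
        a, b = tunnels[(ra, ia)], tunnels[(rb, ib)]
        pair = f"{ra}/{ia} and {rb}/{ib}"
        if a["laddr"] != b["raddr"] or b["laddr"] != a["raddr"]:
            findings.append(f"{pair}: tunnel addresses do not mirror each other")
        if a["port"] != b["port"]:
            findings.append(f"{pair}: UDP ports differ ({a['port']} vs {b['port']})")
        if a["rhosts"] != wan[rb] or b["rhosts"] != wan[ra]:
            findings.append(f"{pair}: remote-host list does not match the peer's WAN addresses")
    for router, nets in ospf.items():
        expected = {f"{t['raddr']}/32" for (r, _), t in tunnels.items() if r == router}
        for missing in sorted(expected - nets):
            findings.append(f"{router}: OSPF backbone lacks tunnel peer {missing}")
        for extra in sorted(nets - expected):
            findings.append(f"{router}: OSPF backbone network {extra} matches no tunnel peer")
    return findings


def audit_with_typo():
    """Same check with one digit changed on ob-rt-02: 172.30.12.22/32 -> 172.30.12.21/32."""
    ospf = {r: set(n) for r, n in OSPF_BACKBONE.items()}
    ospf["ob-rt-02"] = {"172.30.12.12/32", "172.30.12.21/32"}
    return audit(TUNNELS, ospf, WAN)


if __name__ == "__main__":
    print("page config:", audit(TUNNELS, OSPF_BACKBONE, WAN) or "consistent")
    print("with typo:", audit_with_typo())
```

With the typo in place the check reports that ob-rt-02's backbone lacks its vtun1 peer 172.30.12.22/32 and carries a network (172.30.12.21/32) that matches no tunnel, which is exactly the symptom you would otherwise have to find by noticing one missing OSPF adjacency after a failover.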

Grand Finale!
That's ALL! You now have your router/ISP setup fully redundant and highly available.
Other HA options such as ethernet bonding, spare power supplies,
power generators, big UPSes and satellite internet links may be added to harden your setup;
the core functionality is already built and you can easily extend it.

However, before buying a bottle of champagne and celebrating, you must test your setup
from every angle: take down routers and provider links and see what happens. :)
Anyway, remember: there is nothing more important than testing in our business!

If you have any suggestions or you've just found a bug in my setup,
you are welcome to comment! Thanks for your attention!
See ya!

This work, unless otherwise expressly stated, is licensed under a Creative Commons Attribution 3.0 Unported License.

This entry was posted in Vyatta.

31 Responses to Highly Available OpenVPN connection between two offices

  1. SuperCthulhu says:

    Wow! Great job!

  2. Cartman says:

    Nice!
    BTW thanks for giving me a credit. :)

  3. vonrabbe says:

    Nice!
    BTW thanks for giving me a credit. :)

    It’s 80% YOUR article man :) :) :)

  4. Pingback: best solution for High Availability with 2 ISPs + openvpn

  5. r1ngo says:

    Cool.
    What hypervisor was used? XEN or VMware?

  6. Nice job.
    The only thing: I would put “show” output instead of commands for better readability. This is kind of an advanced topic so the intended audience can convert configuration to sets for sure :)

    • vonrabbe says:

      I would put “show” output instead of commands for better readability.

      You know, Cartman told me the same :)

  7. Patrol says:

    SnakeVenom INC – crazy thing :o
    Crazy!

  8. xDuke says:

    My congratulations, you’ve done it and done it good!
    I think you could provide more pictures to improve readability.

  9. SuperCthulhu says:

    Wow again bros! Even Vyatta employees found it good:
    http://www.vyatta.org/forum/viewtopic.php?t=6560
    Me also wanna write somethin’, but too lazy, too lazy, too lazy… (

  10. nihilanthlnxa says:

    Greetings.

    Wow. Amazing. Simply amazing.

    vonrabbe, I was expecting Herminio’s manual in Openredes about VRRP and HA. I saw this post and I like it. Thanks. This post gave me an idea of that.

    See ya.

  11. Dimi says:

    Will this create a big pipe between the two sites?
    I have a project that I want to set this up on Xenserver?
    I have limited knowledge though, can anyone help?

    Thanks
    Dimi!

    • Cartman says:

      The term “big pipe” is very ambiguous.
      What do you need exactly? ;)

      • Andre Tomlinson says:

        Firstly, I’d like to thank you guys for great article. Exactly the type of solution I’ve been thinking of but not quite so sure about the finer setup details.

        So, along the lines of Dimi’s question:

        Would this setup allow the combined bandwidth of all four internet connections to be used simultaneously for inter-site traffic?

        For example: In my environment I connect at about 5mbps down & 860kbps up from a single ADSL2+ connection based on a large distance to the exchange. With this type of connection at each site my current Vyatta OpenVPN solution runs at about 860/860kbps.

        If I then added 2 additional ADSL2+ services and implemented this solution, would the resulting bandwidth be doubled to 1.6/1.6mbps? Would I achieve this throughput on a single session (server to server) or only a maximum of 860/860 across 2 simultaneous sessions?

        In my current situation with these sites, the next level of service is fibre at more than 30x the cost per tail.

        Would this solution scale nicely to 3 or more ADSL2+ (cheap) services at each site?

        Many thanks in advance for your guidance and expertise.

        Andre

        • Cartman says:

          Hi Andre!

          First, thanks for your interest! :)

          Second, a multiple-link load-balancing
          scenario is possible with OSPF.
          And, yes, with the current scenario you
          will have a maximum of 860/860 kbps
          across 2 simultaneous sessions.
          LB is per-flow, not per-packet.

          Sometimes, if you need to balance
          only certain types of protocols,
          it may be a good idea to use a
          specialized load-balancer application
          like HAProxy. It will balance
          TCP traffic more precisely than OSPF.

          Cheers!

  12. Amos Botto says:

    Hi! great tutorial on Open-VPN config.

    However on which interface did you apply the Open-VPN firewall rule 400?

    • Cartman says:

      Thanks man, we try hard!
      In this case firewall WAN_local with rule 400
      must be applied on both public interfaces, eth0 and eth1.
      Added this point to HOWTO. Nice feedback!

  13. zmi says:

    Great explanation!

    I’m using quagga, keepalived and openvpn, so my config might require differences, but…

    1) I believe there’s a typo in the ospf config of ob-rt-02:
    set protocols ospf area 12.12.12.12 network 172.30.12.12/32
    set protocols ospf area 22.22.22.22 network 172.30.12.21/32
    Shouldn’t that mean “12.22” instead of “12.21”?

    2) I see that you configured the ospf areas by specifying the remote single IP of the VPN tunnel with /32. Does that really work for you? Shouldn’t that be a /30?

  14. zmi says:

    Sorry, didn’t mean to send that. This was missing:

    3) On each site, you have the backbone area 0 configured. That should normally not work, right?

  15. Cartman says:

    Hi zmi!

    More than a year has passed since this HOWTO was published and I personally
    do not remember exactly why we did everything the way we did,
    but I state that our setup was working and even currently it works perfectly.

    And for now I can not get in touch with Vonrabbe to ask his comments.

    I’ll try to humbly answer you based on my present experience, if you don’t mind.
    Questions 1) & 2)
    Specifying /30 network is right. For some reason it did not work for us
    and we switched to remote single IP. So no typos, I think it was some kind of
    OpenVPN quirk workaround. At least I want to believe so.

    Your third question made me a sad panda… Very sad panda…
    Scenario in article works, but we all know backbone area is not splittable.

    Man. Thanks for your comments. I think it is a good idea to examine
    working system and, if possible, make it correctly working and also
    update this article.

  16. Cartman says:

    OK, vonrabbe is not reachable, I’ll do it on my own…

    > Questions 1) & 2)
    > Specifying /30 network is right. For some reason it did not work for us
    > and we switched to remote single IP. So no typos, I think it was some kind of
    > OpenVPN quirk workaround. At least I want to believe so.

    Disregard this. Specifying /30 network is right when
    both tunnel ends reside in a same /30 network.
    But we have tunnels like 172.30.12.21<=>172.30.34.12,
    whose ends are NOT in the same network, so it’s totally
    normal to specify single remote IPs. Personally I would
    not do it this way; IMHO it’s weird, though correct. :)

    > 3) On each site, you have the backbone area 0 configured.
    > That should normally not work, right?

    Totally right! Zone mess fixed in article. Thanks!

  17. Tudor says:

    nice article.
    tested this in a lab environment and seems to be working.
    I tested LB with links down (1 up and 1 down) and it takes some time before the openvpn tunnels are up again. Probably because of vyatta considering that LB is configured with per-flow balancing. anyway are you are of any settings regarding flow timeout? or maybe it would be better if per-packet LB is considered?

  18. Tudor says:

    sorry, the last part should have been:

    anyway, are you AWARE of any settings regarding flow timeout? or maybe it would be better if per-packet LB is considered?

  19. Cartman says:

    Hi Tudor,
    Thanks for you comment!
    Per-flow timeout will suit any basic needs better. Use it in 99% of cases. :)
    Maybe you just need to decrease OpenVPN timeout or OSPF dead time?

  20. Sean Jahnig says:

    Thanks vonrabbe and Cartman, this is really similar to what I’m looking for :-)

    I was just wondering, would it be much more difficult to setup something where there are 3 remote locations all linked to each other? Basically, the head office sitting in the middle with location A and location B below it. All 3 locations are remote but operate as a LAN. Nothing else fancy.

    I haven’t been able to find much about this on the net.

    Thanks in advance :-)

    Cheers, Sean.

    • Cartman says:

      Hi Sean!
      Yes, it’s fairly simple, just interconnect all three routers with OpenVPN tunnels,
      bring up OSPF backbone area with OpenVPN networks and set redistribute connected
      on your routers.

  21. Tudor says:

    Hello again,

    is there a way to make the following scenario possible?

    1 router with 2 wan links and a openvpn tunnel to a remote site.
    traffic destined for tunnel go thru one designated interface, all other traffic thru the other one. when one link goes down the traffic thru it switched to the healthy one?

    i am not sure how to achieve this…

  22. Cartman says:

    You do not even need OSPF to achieve this…
    WAN load balancing with two failover rules is enough for this,
    one failover rule for general traffic, another for VPN traffic…
    Please consult Vyatta WAN load balancing documentation for further info. :)

  23. Pingback: High availability OpenVPN service - Just just easy answers
