Access Server

Follow us

Set up basic server load-balancing/redundancy



How to: set up basic server load-balancing/redundancy

OpenVPN Access Server has a built-in UCARP function for redundancy.  This requires setting up 2 Access Servers, a primary and secondary node (we will issue a secondary license key for the failover node at no charge).  This failover setup is similar to VRRP/HSRP so both servers need to be in the same subnet.  Once both servers are up and have AS installed, ssh into the secondary node, obtain root access and enter the command ovpn-init:

root@openvpn:~# ovpn-init

Then enter DELETE at the prompt:

Detected an existing OpenVPN-AS configuration.
Continuing will delete this configuration and restart from scratch.

Please enter 'DELETE' to delete existing configuration: DELETE

Agree to the terms of usage with yes, then you will be asked if this will be the primary node - enter no:

Will this be the primary Access Server node?
(enter 'no' to configure as a backup or standby node)
Press ENTER for default [yes]: no

After this the setup wizard for a secondary node will begin, follow the prompts.  Then open a web browser and go to the admin UI of the primary node (https://addressofserver:943/admin)

Click Failover

Select the radio button for LAN model (UCARP).  Enter the shared virtual IP address that you will be using, enter the primary node information, including username and ssh password, then repeat for the secondary node.  Remember, all of these IP addresses have to be in the same subnet.

Click Validate at the bottom of the screen to test communication of the nodes.

Messages will appear at the top of the screen, if all are green and say GOOD then you are ready to move on.

Click Commit and Restart at the bottom of the screen to commit the changes.  The server will restart and connectivity will be lost for a few seconds.  If using an IP address and not a DNS registered domain name, you will have to enter the VIP in order to access the admin UI, this will be the new server address.  NOTE: in this scenario the VIP will also need to be added to Server Network Settings.  If using a DNS name that points to the new VIP this is not necessary.

And that is it!  Your failover is set up.

More Options

Load-balancing is a different subject and a difficult one.  Running multiple servers in different locations can be challenging. There are three problems to tackle in this case, two of which are easy to resolve.

Configure VPN clients to try a list of servers

By default, OpenVPN Access Server generates the client config files automatically and pushes them to the clients. So in order to make VPN clients connect to multiple different servers we'll need to do some tweaking on the OpenVPN Access Server itself. The server uses the value entered in the 'hostname or IP address' field found in the web based Admin UI to generate client config files, but this limits us to just one server address. In order to list more, we're going to use the 'Client Config Directives' override field in the web based Admin UI to override it with a list of servers we provide ourselves. Using the directive 'remote-random' we can force the VPN client to randomize the list so you can create a crude form of load-balancing, otherwise it's just sequentially from top to bottom.

Use RSYNC to copy user database and certificates

Let's say we have 2 servers and one of them is the 'master' server where we add users and let OpenVPN Access Server generate certificates on, and the other is there for load-balancing/redundancy. Using RSYNC you could easily and securely periodically copy the two important files that contain the list of users and the list of certificates from the master server onto the slave server. This assumes by the way that you are using authentication mode 'LOCAL', where the username/password is stored in a local SQLite database file. The two files you'll want to copy then are:

/usr/local/openvpn_as/etc/db/certs.db
/usr/local/openvpn_as/etc/db/userprop.db