How to: set up basic server load-balancing/redundancy

OpenVPN Access Server has no built-in load-balancing, and only a very basic form of redundancy: two Access Servers are set up in the same network, and UCARP is used to detect when the primary server is down so the secondary server can take over. Running multiple servers in different locations is a tougher problem. There are three problems to tackle in that case, two of which are easy to resolve.

Configure VPN clients to try a list of servers

By default, OpenVPN Access Server generates the client config files automatically and pushes them to the clients, so to make VPN clients connect to several different servers we need to do some tweaking on the Access Server itself. The server uses the value entered in the 'hostname or IP address' field of the web-based Admin UI to generate client config files, but that limits us to a single server address. To list more, we use the 'Client Config Directives' override field in the web-based Admin UI to replace it with a list of servers we provide ourselves. Adding the directive 'remote-random' makes the VPN client randomize the order of that list, which gives a crude form of load-balancing; without it the client simply tries the servers sequentially from top to bottom.

Use RSYNC to copy user database and certificates

Let's say we have 2 servers: one is the 'master' server, where we add users and let OpenVPN Access Server generate the certificates, and the other is there for load-balancing/redundancy. Using RSYNC you can easily and securely copy, on a periodic basis, the two important files that contain the list of users and the list of certificates from the master server onto the slave server. This assumes that you are using authentication mode 'LOCAL', where the username/password is stored in a local SQLite database file. The two files you'll want to copy are:

/usr/local/openvpn_as/etc/db/certs.db
/usr/local/openvpn_as/etc/db/userprop.db
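The two steps above (the 'Client Config Directives' override with 'remote-random', and the RSYNC copy of the two database files) as one added example script; this is not code from the OpenVPN documentation or product. The hostnames vpn1.example.com, vpn2.example.com and the ssh target root@vpn2.example.com are constructed placeholders, and the script assumes rsync and key-based ssh access to the secondary server.

```shell
#!/bin/sh
# Added example (not OpenVPN's own code): build the override text for the
# 'Client Config Directives' field and copy the two Access Server database
# files from the master server to the secondary over ssh.

CERTS_DB=/usr/local/openvpn_as/etc/db/certs.db
USERPROP_DB=/usr/local/openvpn_as/etc/db/userprop.db

# Print the block to paste into 'Client Config Directives'.
# Arguments: one or more "host:port" entries (port defaults to 1194 when omitted).
# Output: one 'remote' line per server followed by 'remote-random', so the
# client shuffles the list instead of always trying the first server first.
make_remote_directives() {
    for entry in "$@"; do
        host=${entry%%:*}
        port=${entry#*:}
        [ "$port" = "$entry" ] && port=1194   # no ":port" given, assume 1194
        printf 'remote %s %s\n' "$host" "$port"
    done
    printf 'remote-random\n'
}

# Copy the user and certificate databases to the secondary server.
# Argument: ssh target, e.g. root@vpn2.example.com (constructed placeholder).
# -a keeps ownership and mode, --checksum skips files that have not changed,
# and -e ssh keeps the transfer encrypted. Returns 1 if a source file is
# missing or unreadable so a cron job can notice the failure.
sync_db_files() {
    target=$1
    for f in "$CERTS_DB" "$USERPROP_DB"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    rsync -a --checksum -e ssh "$CERTS_DB" "$USERPROP_DB" \
        "$target:/usr/local/openvpn_as/etc/db/"
}

# Example usage (constructed hostnames):
make_remote_directives vpn1.example.com:1194 vpn2.example.com
# sync_db_files root@vpn2.example.com
```

Run sync_db_files from cron on the master server only, so the secondary never overwrites the master's copy.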

Set up routing in such a way that things don't completely break

And this is the difficult part, for which we don't yet have a perfect answer. If the 2 OpenVPN Access Servers can both be connected to the target network where the resources you want to reach are located, things aren't too difficult: set each server up with a different VPN client subnet and set up a static route for each of those subnets. Then no matter which server the VPN client is connected to, it can reach the target network and use the resources available there.