Questions about openvpn-as and galera cluster

jmeslovich
OpenVpn Newbie
Posts: 2
Joined: Sun Mar 14, 2021 1:39 pm

Questions about openvpn-as and galera cluster

Post by jmeslovich » Sun Mar 14, 2021 1:48 pm

For the last several years we have run a single OpenVPN-AS server on CentOS 6 (presently running 2.7.5). We are replacing that server with the Ubuntu 18.04 based appliance VHD from OpenVPN. We have two server rooms that we run VMs out of so we created two OpenVPN-AS 2.8.7 servers and clustered them together using a single MariaDB server that we created for now in the one server room.

We would like the two OpenVPN-AS servers to be resilient to either server room going offline. So we were thinking about creating a small two node galera cluster and having a node in each server room as well. Then point each OpenVPN-AS node to its local database node in the galera cluster. Would that work or would the OpenVPN-AS cluster not form correctly?

Has anyone done that before or do most people that go the cluster route for OpenVPN-AS just go with an AWS RDS instance?

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Questions about openvpn-as and galera cluster

Post by openvpn_inc » Sun Mar 14, 2021 7:19 pm

Hello,

Regarding Galera cluster, we have done that ourselves actually. Works great. But you need at least 3 nodes for a Galera cluster. The reason is quorum. When a situation occurs where it is unclear which set of data is the correct set of data (due to an interruption on one of the nodes or network connectivity issues, for example), the Galera cluster can 'take a vote' on which set of data is the correct one, and that one 'wins' and gets replicated to the 'losing' node so it is in sync again. This is to prevent split-brain situations. But with 2 nodes you can never have quorum in such a situation. Therefore a third node is necessary. But that third node could be just a database server. And you can have more than 3 nodes in total on Galera.

Kind regards,
Johan
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
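
The quorum rule described in the reply above, worked through for the two-server-room layout from the question. This is an added example, not part of the original thread and not OpenVPN or Galera code. It assumes equal node weights and a strict-majority rule, and the site names are constructed.

```python
"""Majority-quorum check for a multi-site database cluster layout.

Assumptions (not from the thread): every node has weight 1, and a group
of nodes stays writable only if it holds a strict majority of the nodes
that were in the cluster before the failure. Site names are constructed.
"""
from __future__ import annotations


def has_quorum(reachable: int, previous_total: int) -> bool:
    # Strict majority: exactly half is NOT enough, which is why an
    # even split (1 of 2) leaves both sides without quorum.
    return 2 * reachable > previous_total


def survives_site_loss(layout: dict[str, int], lost_site: str) -> bool:
    """True if the nodes outside lost_site still hold quorum."""
    total = sum(layout.values())
    return has_quorum(total - layout[lost_site], total)


def partition_winner(layout: dict[str, int], side_a: set[str]) -> str | None:
    """All nodes stay up, but sites in side_a lose contact with the rest.
    Returns 'a', 'b', or None when neither side holds a majority."""
    total = sum(layout.values())
    a = sum(n for site, n in layout.items() if site in side_a)
    if has_quorum(a, total):
        return "a"
    if has_quorum(total - a, total):
        return "b"
    return None


def report(layout: dict[str, int]) -> dict[str, bool]:
    """Map each site to whether the cluster survives losing that site."""
    return {site: survives_site_loss(layout, site) for site in layout}


if __name__ == "__main__":
    layouts = {
        "2 nodes, one per room": {"room1": 1, "room2": 1},
        "3 nodes, third in room1": {"room1": 2, "room2": 1},
        "3 nodes, third at a witness site": {"room1": 1, "room2": 1, "witness": 1},
    }
    for name, layout in layouts.items():
        print(f"{name}: {report(layout)}")
```

With three nodes split two-and-one across two rooms, losing the room that holds two nodes still leaves the survivor without a majority, so under these assumptions the third node only protects against either room failing when it sits outside both.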

jmeslovich
OpenVpn Newbie
Posts: 2
Joined: Sun Mar 14, 2021 1:39 pm

Re: Questions about openvpn-as and galera cluster

Post by jmeslovich » Sun Mar 14, 2021 8:14 pm

I was worried I would have to put an haproxy load balancer in front of the galera cluster and reference it in OpenVPN-AS that way. The three node cluster definitely makes sense, thank you.

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Questions about openvpn-as and galera cluster

Post by openvpn_inc » Mon Mar 15, 2021 11:01 am

Hello,

No, you can just edit as.conf to point to the particular Galera node you want that Access Server node to use. The three nodes are just the minimum amount for quorum to make split-brain resolution automatic.

Good luck,
Johan

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: Questions about openvpn-as and galera cluster

Post by chilinux » Sun Apr 11, 2021 5:34 pm

I had some follow-up questions about the syntax for as.conf. Is it possible to do additional things in the as.conf beyond what the web portal interface allows?

More to the point, does the as.conf allow for doing any of the following:

(1) Is it possible to specify more than one node so AS will failover to the next galera node if it can't connect to the first one?

(2) Is it possible to specify using TLS in the as.conf? Can a specific MYSQL_OPT_SSL_CA or MYSQL_OPT_SSL_CERT be specified?

(3) Is it possible to have different OpenVPN AS clusters use the same galera cluster? Can a different database name be specified in the as.conf?
