User VPN Gateway option missing after enabling Cluster mode

frankfil
OpenVpn Newbie
Posts: 2
Joined: Tue Jun 08, 2021 1:14 am

User VPN Gateway option missing after enabling Cluster mode

Post by frankfil » Tue Jun 08, 2021 4:34 am

Hello,

I'm currently evaluating OpenVPN Access Server for multiple site-to-site (or LAN-to-LAN) connections.

We are making use of the "Allow client to act as VPN gateway for these client-side subnets" option as each user connection will represent a remote site with its own subnet and all the remote subnets need to have access to each other.

This is all working correctly when OpenVPN AS is running on a stand-alone server.

Remote sites connect and their subnet is entered into the local routing table and traffic flows as required between sites.

We would however like to add redundancy and load balancing - eventually this system will have several hundred remote sites connected - so I configured a MySQL server and an additional OpenVPN server and enabled the Cluster option and also enabled OSPF between the servers so that inter-site routing would work regardless of which server a remote site connected to.

However when the Cluster mode is enabled the option under the User Configuration to enable the gateway mode no longer appears and I can see in our routing tables that the remote site's subnet is no longer listed even when that user is connected.

Is this mode of operation just not supported when running OpenVPN AS with Cluster mode enabled?

And if not - is it possible to have multiple OpenVPN Access Servers point to the same MySQL server to share configuration data even if not acting in a failover or clustering mode?

Thanks.

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: User VPN Gateway option missing after enabling Cluster mode

Post by chilinux » Tue Jun 08, 2021 8:18 am

It sounds like you are trying to maximize performance/throughput but going about it in a complicated way.

First, to maximize what you get out of each individual OpenVPN Access Server, I suggest doing the following:

(1) From the server shell, run: grep aes /proc/cpuinfo

See if it returns "aes" as one of the CPU flags. If it doesn't then go to the BIOS/EFI settings and make sure AES-NI is enabled. If you can't find that setting, look up the capabilities of the processor you are using and if it doesn't support AES-NI, consider switching to a server that does have this feature.

(2) Also while you are in the BIOS settings, make sure SMT/Hyperthreading is turned off for both performance and security reasons.

(3) Also do: grep "^processor" /proc/cpuinfo
Since it counts from 0, take the last value and add 1 to it, so if you have a "processor: 7" then treat it as having 8 cores.
Go to the OpenVPN AS admin web panel and then Configuration -> Network Settings -> Multi-Daemon Mode -> Number of UDP daemons and increase it to match the number of cores on the system.

(4) If possible, use 10 or 40Gbps NICs and switch ports. If not possible, consider bonding multiple 1Gbps ports together using LACP.

OpenVPN AS is not really designed with using an OSPF routing daemon such as GNU Zebra/Quagga on the same server. For what you are trying to accomplish with VPN Gateway and OSPF, I would suggest instead trying to tunnel GRE inside the OpenVPN connection. It would then be whatever router or server that terminates the GRE tunnel that appears as a gateway. The only downside is you will have the added complexity of also needing to configure GRE on the remote side as well. However, it should work with OpenVPN AS in cluster mode while accomplishing what I think you are trying to do.

Lastly, as far as I know, you shouldn't have multiple OpenVPN Access Servers using the same MySQL/MariaDB server if they aren't in cluster mode. This may result in some conflicts between the servers sharing the same database tables.
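One way to script checks (1) and (3) from the post above, as an added example that is not from the thread or from OpenVPN Inc.; it assumes the standard /proc/cpuinfo layout and falls back to a constructed sample when that file is not readable:

```shell
#!/bin/sh
# Added example (not from the thread): checks the two /proc/cpuinfo facts the
# post above relies on, the "aes" CPU flag (AES-NI) and the core count used for
# the Multi-Daemon "Number of UDP daemons" setting. Both helpers read
# cpuinfo-format text on stdin so they work on a sample as well as the real file.

# has_aes: exit 0 if any "flags" line lists "aes" as a whole token.
has_aes() {
    grep -E '^flags[[:space:]]*:' | tr ' ' '\n' | grep -qx 'aes'
}

# core_count: highest "processor : N" value plus one (the post's rule).
core_count() {
    awk -F: 'BEGIN { max = -1 }
             /^processor/ { n = $2 + 0; if (n > max) max = n }
             END { print max + 1 }'
}

# check_aes_ni: prints a recommendation; returns 0 when AES-NI is present.
check_aes_ni() {
    if printf '%s\n' "$1" | has_aes; then
        echo "AES-NI present"
        return 0
    fi
    echo "AES-NI missing: check BIOS/EFI settings or CPU capabilities"
    return 1
}

# Constructed sample: two logical CPUs, no aes flag (assumed layout).
SAMPLE_NO_AES='processor : 0
flags : fpu vme sse2 ssse3 sse4_1 sse4_2
processor : 1
flags : fpu vme sse2 ssse3 sse4_1 sse4_2'

# Use the live system when possible, otherwise the constructed sample.
if [ -r /proc/cpuinfo ]; then
    INPUT=$(cat /proc/cpuinfo)
else
    INPUT=$SAMPLE_NO_AES
fi
check_aes_ni "$INPUT" || true
echo "UDP daemons to configure: $(printf '%s\n' "$INPUT" | core_count)"
```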

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: User VPN Gateway option missing after enabling Cluster mode

Post by openvpn_inc » Tue Jun 08, 2021 8:58 am

Hello frankfil,

Just to provide some specific answers:

> Is this mode of operation just not supported when running OpenVPN AS with Cluster mode enabled?

Correct, this is not supported under cluster mode, therefore the option is removed there.

> And if not - is it possible to have multiple OpenVPN Access Servers point to the same MySQL server to share configuration data even if not acting in a failover or clustering mode?

It is possible, but not a use case we advertise or fully support. Still we see people do it and it works. So just be prepared that if you run into serious issues with this, that we may not be able to help you. A caveat here is that if you make changes on one node, they are not applied automatically on all other nodes - you'd need to reload configuration with sacli start or such to get them to pick up the configuration changes.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

frankfil
OpenVpn Newbie
Posts: 2
Joined: Tue Jun 08, 2021 1:14 am

Re: User VPN Gateway option missing after enabling Cluster mode

Post by frankfil » Wed Jun 09, 2021 2:56 am

chilinux wrote:
Tue Jun 08, 2021 8:18 am
It sounds like you are trying to maximize performance/throughput but going about it in a complicated way.
I was actually more after redundancy than performance - while we will eventually have a lot of remote sites, actual bandwidth usage will be quite small.
chilinux wrote:
Tue Jun 08, 2021 8:18 am
OpenVPN AS is not really designed with using a OSPF routing daemon such as GNU Zebra/Quagga on the same server. For what you are trying to accomplish with VPN Gateway and OSPF, I would suggest instead try tunneling GRE inside the OpenVPN connection.
I'm working with some existing routers that won't support this - my only workable option is the OpenVPN clients on each remote router.
openvpn_inc wrote:
Tue Jun 08, 2021 8:58 am
> Is this mode of operation just not supported when running OpenVPN AS with Cluster mode enabled?

Correct, this is not supported under cluster mode, therefore the option is removed there.
Is there a particular reason why this is the case? I'm just curious if it's something technical or maybe a support issue (for example I can see how clients flip-flopping from one server to another could make routing a pain to get working in some network setups).
openvpn_inc wrote:
Tue Jun 08, 2021 8:58 am
> And if not - is it possible to have multiple OpenVPN Access Servers point to the same MySQL server to share configuration data even if not acting in a failover or clustering mode?

It is possible, but not a use case we advertise or fully support. Still we see people do it and it works. So just be prepared that if you run into serious issues with this, that we may not be able to help you. A caveat here is that if you make changes on one node, they are not applied automatically on all other nodes - you'd need to reload configuration with sacli start or such to get them to pick up the configuration changes.
OK so tread with caution!

For my proposed usage we'd be making very few changes once all the remote sites were configured - and it would be pretty straightforward for us to limit changes to be made only on a single "primary" server and then just restart the secondaries for the changes to take effect.

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: User VPN Gateway option missing after enabling Cluster mode

Post by chilinux » Wed Jun 09, 2021 4:30 pm

frankfil wrote:
Wed Jun 09, 2021 2:56 am
I was actually more after redundancy than performance - while we will eventually have a lot of remote sites, actual bandwidth usage will be quite small.
If total bandwidth is small and you expect the clients to be running in UDP mode, I think OpenVPN AS in fail-over mode may best fit your needs.

If you find that you need to scale further later, you can put up a second fail-over pair.

My experience has been that it is the amount of total bandwidth that is the biggest scaling factor for the product, not the number of concurrent sessions.
Cluster mode may be overkill for your use case.
