Load balancing, failover, etc.


Post by artiegold » Fri Apr 01, 2011 2:32 pm

In the HOWTO, it says the following:
Server

The simplest approach to a load-balanced/failover configuration on the server is to use equivalent configuration files on each server in the cluster, except use a different virtual IP address pool for each server. For example:

server1
    server 10.8.0.0 255.255.255.0

server2
    server 10.8.1.0 255.255.255.0

server3
    server 10.8.2.0 255.255.255.0
The question I have is: why would you specify different subnets when the server to which you are connected (and, hence, the supplied address) should be transparent? It would seem that having each server on the list provide exactly the same address range would make more sense.

Any ideas here?

Thanks,
--ag


Re: Load balancing, failover, etc.

Post by gladiatr72 » Fri Apr 01, 2011 3:58 pm

The how-to isn't describing an actual load-balancing scenario. It is describing using near-identical configs on multiple systems to provide service to the same client pool. In this context, you cannot think of a "client" as an IP address; you must think of the client in terms of its certificate subject or whatever non-certificate authentication token you might be using.

If you set multiple remote entries in your client configuration and use the max-clients directive in your server configuration, the client will try connecting to the next server in its configuration if the max-clients limit has been reached.

Or you can use a host name in your client configuration and do the poor-man's round-robin dns dance (with an appropriately low TTL for that record) such that clients will be connected in a reasonably even fashion to your various systems.

Regardless of whether you're talking about a virtual interface (tun) or a physical interface, a subnet cannot be attached to your network in more than one place.

-S
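To make the HOWTO fragment and the reply above concrete, here is an added example (not from the HOWTO, the OpenVPN project, or either poster). It embeds constructed configs for the three servers, each with its own pool and a max-clients limit, plus a client config that lists all three as remote entries with remote-random so clients spread across the cluster and fall through to the next server when an attempt fails. It then does the check a practitioner would want before deploying: parse the server directives, confirm no two pools overlap (the "subnet attached in two places" problem), and derive each server's own tunnel address, which is the first host of its pool (10.8.0.1, 10.8.1.1, 10.8.2.1) and therefore differs per server. Hostnames such as vpn1.example.com and the file names are assumptions.

```python
"""Check a set of OpenVPN server pools for overlap and derive each
server's tunnel-side address.

Added example, not the HOWTO's or the project's own code.  The server
and client configs below are constructed samples following the HOWTO
fragment quoted in the thread; file names and remote hostnames are
made up.
"""
import ipaddress
import re

# Constructed server configs: identical except for the 'server' pool,
# as the HOWTO suggests.  max-clients caps each server so a full server
# rejects new connections and the client moves on to its next 'remote'.
SERVER_CONFIGS = {
    "server1.conf": """
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
max-clients 100
keepalive 10 120
""",
    "server2.conf": """
port 1194
proto udp
dev tun
server 10.8.1.0 255.255.255.0
max-clients 100
keepalive 10 120
""",
    "server3.conf": """
port 1194
proto udp
dev tun
server 10.8.2.0 255.255.255.0
max-clients 100
keepalive 10 120
""",
}

# Constructed client config listing every server.  'remote-random'
# shuffles the list so clients spread across the cluster; a failed
# attempt (server full, down or unreachable) advances to the next entry.
CLIENT_CONFIG = """
client
dev tun
proto udp
remote vpn1.example.com 1194
remote vpn2.example.com 1194
remote vpn3.example.com 1194
remote-random
resolv-retry infinite
nobind
"""

SERVER_RE = re.compile(r"^\s*server\s+(\S+)\s+(\S+)\s*$", re.M)
REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)(?:\s+(\d+))?", re.M)


def server_pool(conf):
    """Return the IPv4 network declared by the 'server' directive."""
    m = SERVER_RE.search(conf)
    if m is None:
        raise ValueError("no 'server' directive found")
    # ipaddress accepts 'network/netmask', which is how OpenVPN writes it.
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)


def server_tunnel_ip(pool):
    """The server takes the first host address of its pool (10.8.0.1 for
    10.8.0.0/24), so with distinct pools each server's tunnel IP differs."""
    return next(pool.hosts())


def pool_overlaps(configs):
    """Return pairs of config names whose pools overlap.  Two servers
    handing out the same pool would attach one subnet in two places."""
    pools = {name: server_pool(text) for name, text in configs.items()}
    names = sorted(pools)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if pools[a].overlaps(pools[b])
    ]


def client_remotes(conf):
    """Return the (host, port) list the client will try, in file order;
    OpenVPN's default port of 1194 is assumed when none is given."""
    return [(h, int(p) if p else 1194) for h, p in REMOTE_RE.findall(conf)]


if __name__ == "__main__":
    for name, text in SERVER_CONFIGS.items():
        pool = server_pool(text)
        print(f"{name}: pool {pool}, server tunnel address {server_tunnel_ip(pool)}")
    print("overlapping pools:", pool_overlaps(SERVER_CONFIGS))
    print("client will try:", client_remotes(CLIENT_CONFIG))
    # A fourth server reusing server1's pool shows the check firing.
    dup = {**SERVER_CONFIGS, "server4.conf": SERVER_CONFIGS["server1.conf"]}
    print("with a duplicate pool:", pool_overlaps(dup))
```

The configs deliberately differ only in the pool line; everything that identifies a client (the CA the servers trust, and any per-certificate access rules) has to be the same on every server, since a client will land on whichever one it reaches first.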


Re: Load balancing, failover, etc.

Post by artiegold » Fri Apr 01, 2011 5:03 pm

Right.
Any given (openvpn) client would be connected to exactly one (openvpn) server -- and just which server would be determined by the randomization dance. The idea is that it would be able to address that server over the tunneled network at a known address (the address of the server from the openvpn perspective, which would be constant).

--ag
