Cluster and route mode - possible?

Business solution to host your own OpenVPN server with web management interface and bundled clients.
chort1
OpenVpn Newbie
Posts: 6
Joined: Tue Mar 01, 2022 12:24 pm

Cluster and route mode - possible?

Post by chort1 » Wed Mar 30, 2022 10:58 am

Hi

I'm running a cluster with round-robin DNS, but I'm having problems understanding how to make routed mode work with this setup.

In the admin web GUI, there is an option that says:
Dynamic IP Address Network
When a user does not have a specific VPN IP address configured on the User Permissions page, the user's VPN client is assigned an address from this network.

From memory I think this defaults to 172.24.224.0/20 (in sacli this is split into vpn.daemon.0.client.network and vpn.daemon.0.client.netmask_bits).

However, when I connect a client, it DOES NOT get an IP from this subnet, but rather from 172.24.240.0/20, which in sacli is vpn.server.group_pool.0 and does NOT seem to be available to change via the admin GUI. If I change it through sacli, it will change for both nodes, since it seems to be a global setting.

So if I'm NOT doing NAT on the access servers, and the clients are getting IPs from the same subnet regardless of which server they connect to, how can I configure return routing from my inside network?
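As an added illustration of the routing problem in the post above (example code written for this page, not from the poster or from OpenVPN Inc.): it checks whether the per-node client pools are disjoint, which is what an inside router needs to build return routes, and shows how the shared pool could be carved into per-node pools. The node names, the inside-router next-hop addresses and the split pools are assumed values; only the 172.24.240.0/20 pool comes from the thread.

```python
"""Why routed mode needs a distinct client pool per cluster node.

Added example (not from the forum thread). Node names, next-hop
addresses and the per-node sub-pools are constructed values; the
shared vpn.server.group_pool.0 of 172.24.240.0/20 is from the post.
"""
import ipaddress
from typing import Dict, List, Tuple


def find_overlaps(pools: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of nodes whose client pools overlap."""
    nets = {n: ipaddress.ip_network(c, strict=False) for n, c in pools.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def return_routes(pools: Dict[str, str], next_hops: Dict[str, str]) -> List[str]:
    """Static routes an inside router needs to reach clients via each node.

    Raises ValueError when pools overlap: a packet to a client address could
    then belong to a client on either node, so no unambiguous route exists.
    """
    overlaps = find_overlaps(pools)
    if overlaps:
        raise ValueError(f"ambiguous return routing, overlapping pools: {overlaps}")
    return [f"ip route add {ipaddress.ip_network(pools[n], strict=False)} via {next_hops[n]}"
            for n in sorted(pools)]


def split_pool(shared_cidr: str, nodes: List[str]) -> Dict[str, str]:
    """Carve one shared pool into equal, disjoint sub-pools, one per node."""
    shared = ipaddress.ip_network(shared_cidr, strict=False)
    # smallest prefix-length increase that yields at least len(nodes) subnets
    diff = (len(nodes) - 1).bit_length()
    subnets = shared.subnets(prefixlen_diff=diff)
    return {node: str(net) for node, net in zip(sorted(nodes), subnets)}


# Constructed sample: both nodes hand out addresses from the same shared pool,
# which is the behaviour the post observed.
SHARED_POOLS = {"node-a": "172.24.240.0/20", "node-b": "172.24.240.0/20"}
# Constructed sample: inside-network addresses of each node (assumed values).
NODE_NEXT_HOPS = {"node-a": "10.0.0.11", "node-b": "10.0.0.12"}

if __name__ == "__main__":
    print("overlaps with shared pool:", find_overlaps(SHARED_POOLS))
    per_node = split_pool("172.24.240.0/20", list(SHARED_POOLS))
    for route in return_routes(per_node, NODE_NEXT_HOPS):
        print(route)
```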

openvpn_inc
OpenVPN Inc.
Posts: 693
Joined: Tue Feb 16, 2021 10:41 am

Re: Cluster and route mode - possible?

Post by openvpn_inc » Wed Mar 30, 2022 11:28 am

Hello chort1,

Routed mode is not a supported use-case for cluster mode at this time. Only NAT is.

We do intend to add ability to set specific subnets for each cluster node so routing can work, but this is something for a future release of Access Server.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

chort1
OpenVpn Newbie
Posts: 6
Joined: Tue Mar 01, 2022 12:24 pm

Re: Cluster and route mode - possible?

Post by chort1 » Wed Mar 30, 2022 11:33 am

Hi Johan

I understand. Thank you for the quick reply and clarification.

openvpn_inc
OpenVPN Inc.
Posts: 693
Joined: Tue Feb 16, 2021 10:41 am

Re: Cluster and route mode - possible?

Post by openvpn_inc » Sat Apr 02, 2022 4:22 pm

And I have been annoying poor Johan with my nagging about this. :) It's a feature that a lot of large customers want. But he's rightfully focused on getting another important new feature ready, so I have to put up with it.

regards, rob0

tarare
OpenVpn Newbie
Posts: 2
Joined: Fri May 13, 2022 5:16 pm

Re: Cluster and route mode - possible?

Post by tarare » Fri May 13, 2022 5:32 pm

Hi!
+1 to wishbox for this functionality)
I am currently looking for a VPN solution for a corporate network. Testing OpenVPN-AS. Everyone likes the solution, but we need a route mode in the cluster. It is not yet available in the latest version 2.10.3.
Correct me if I'm wrong, but it seems to me that in the code you can just leave the value "vpn.server.group_pool.0" in the local database ~/db/config_local.db, not transfer it to mysql when creating the cluster. Maybe there is a test assembly with such a value in the code for testing?
Thanks

openvpn_inc
OpenVPN Inc.
Posts: 693
Joined: Tue Feb 16, 2021 10:41 am

Re: Cluster and route mode - possible?

Post by openvpn_inc » Sat May 14, 2022 4:11 pm

Hi tarare,

I thought the same thing and tried it, but no, it gets overwritten by what's in mysql. I do think that the fix the reporter had in mind is indeed very similar to that idea, which is to move it out of "config" into "config_local".

How many concurrent connections are you needing? Perhaps you can hold off on moving to cluster simply by improving the resources allotted to your Access Server. 4 CPU cores and 4-8GB RAM, given adequate bandwidth, can handle a lot of clients.

For HA you could consider adding a UCARP failover peer.

regards, rob0

tarare
OpenVpn Newbie
Posts: 2
Joined: Fri May 13, 2022 5:16 pm

Re: Cluster and route mode - possible?

Post by tarare » Sun May 15, 2022 6:00 pm

Hi rob0,

Thank you for the answer)
I don't know the exact number of concurrent connections yet, as the project is under development; according to forecasts, around 100-200.
It's more a question of geo-reserving nodes and reducing delays from clients to the VPN server through the DNS geolocation service. Nodes should be located in different countries where there are company resources and employees.
I have also tried writing directly to the mysql (as_config) and sqlite (config_local) databases, but they are overwritten by the "sacli" working script. The question is just to edit the service code to make the "vpn.server.group_pool.0" parameter available only in the local config_local database, without transferring it to mysql, similarly to "vpn.daemon.0.client.network". This would allow assigning group addresses of clients independently on each node of the cluster to implement route mode.

openvpn_inc
OpenVPN Inc.
Posts: 693
Joined: Tue Feb 16, 2021 10:41 am

Re: Cluster and route mode - possible?

Post by openvpn_inc » Sun May 15, 2022 10:33 pm

Hi tarare,

My suggestion is then to stick with single nodes or failover pairs. You can share the single subscription license among as many Access Server instances as you need, and you can use site-to-site tunnels to make your geo-diverse VPNs all interconnected.

Probably in a year or two we should see this fixed. I can't promise when (I am not in the development team), but I expect that over time, nagging will increase. ;)

Thanks for your interest in Access Server.

regards, rob0
