cluster instance restore


Post by vlisnyi » Wed Jun 29, 2022 4:24 pm

Hi Community,

I back up the OpenVPN Access Server and restore it on another instance using the manual at https://openvpn.net/vpn-server-resource ... d-backups/. The script looks like this:

Code:

#!/bin/bash

set -e

ENV=prod
IP=10.10.10.10
CLUSTER_MODE=$(/usr/local/openvpn_as/scripts/sacli ConfigQuery | grep cluster.mode | awk -F \" '{print $4}')
SERVER_NAME=$(/usr/bin/hostname -f | awk -F - '{print $3}')
TMP="/tmp/vpnas-backup"

# Only restore the configuration on a new server; a new server always has cluster.mode = false
if [[ $CLUSTER_MODE != "true" ]]; then

  # Fetch backup from S3
  echo "Syncing files from S3"
  mkdir -p "$TMP"
  # The backup contains the ssl-api key material, so keep the staging directory private
  chmod 700 "$TMP"
  HOME=/root/ /usr/local/bin/aws s3 sync "s3://vpnas-backup-${ENV}/${SERVER_NAME}" "$TMP" || exit 1

  cd "$TMP"
  # Figure out backup dir (get most recent)
  cd "$(ls -r | head -n1)"

  # Stop service, restore backup, start service
  service openvpnas stop
  # Replace each database only when its dump is present. In the original
  # one-liner the ";" made sqlite3 run even when the .bak file was missing.
  if [ -e ./config_local.db.bak ]; then
    rm -f /usr/local/openvpn_as/etc/db/config_local.db
    sqlite3 /usr/local/openvpn_as/etc/db/config_local.db < ./config_local.db.bak
  fi
  if [ -e ./log.db.bak ]; then
    rm -f /usr/local/openvpn_as/etc/db/log.db
    sqlite3 /usr/local/openvpn_as/etc/db/log.db < ./log.db.bak
  fi
  if [ -e ./as.conf.bak ]; then
    cp ./as.conf.bak /usr/local/openvpn_as/etc/as.conf
  fi
  cp -r ./ssl-api /usr/local/openvpn_as/etc/
  chmod 600 /usr/local/openvpn_as/etc/ssl-api/*
  chmod 644 /usr/local/openvpn_as/etc/ssl-api/ca.crt
  service openvpnas start
  sleep 5

  # Update server configuration with the new server IP
  /usr/local/openvpn_as/scripts/sacli --key "ssl_api.client_addr" --value "$IP" ConfigPut
  /usr/local/openvpn_as/scripts/confdba --cluster -m --prof="prod-openvpn-$SERVER_NAME" --key="sacli_ip" --value="$IP"
  /usr/local/openvpn_as/scripts/sacli start

fi

But I found strange things: the restored server sees both servers in the cluster, but at the same time the first server doesn't see the restored server in the cluster and shows an error

Code:

Unable to reach this node
Reason: <Fault 9000: "Server Agent AuthProxy error: only peer UIDs from the following set are allowed: ['root', 'openvpn_as']">

I've tried to find the peer UID in the RDS databases or local configs but can't find it, and googling this error didn't help either. Can somebody point me to how this can be fixed?
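
An added example, not part of the original post or of OpenVPN's documentation: a pre-flight check to run before `service openvpnas stop`, so that an incomplete S3 sync is caught while the existing configuration is still in place. The function names are hypothetical, and treating all four restored items as required is an assumption.

```sh
#!/bin/sh
# Added example; function names are hypothetical. File names come from the
# restore script in the post above.

# Print the newest backup directory under $1. Assumes directory names sort
# chronologically, the same assumption as "ls -r | head -n1".
latest_backup() (
  cd "$1" 2>/dev/null || exit 1
  newest=""
  for d in */; do
    [ -d "$d" ] && newest=${d%/}
  done
  [ -n "$newest" ] && printf '%s/%s\n' "$1" "$newest"
)

# Check backup directory $1 before the live service is stopped.
# Prints one line per problem and returns 0 only when none were found.
preflight_backup() (
  dir=$1
  problems=0
  # Assumption: all four restored items must be present. The original
  # "[ -e file ] &&" tests would silently skip a file lost in the S3 sync.
  for f in config_local.db.bak log.db.bak as.conf.bak ssl-api/ca.crt; do
    if [ ! -s "$dir/$f" ]; then
      echo "missing or empty: $f"
      problems=$((problems + 1))
    fi
  done
  # Everything in ssl-api except ca.crt ends up mode 600 on the server, so it
  # should not be group- or world-readable in the staging directory either.
  for f in "$dir"/ssl-api/*; do
    [ -f "$f" ] || continue
    [ "${f##*/}" = "ca.crt" ] && continue
    if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \))" ]; then
      echo "readable by group/other: ssl-api/${f##*/}"
      problems=$((problems + 1))
    fi
  done
  [ "$problems" -eq 0 ]
)

# Usage inside the restore script, before "service openvpnas stop":
#   BACKUP_DIR=$(latest_backup "$TMP") || exit 1
#   preflight_backup "$BACKUP_DIR" || exit 1
```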


Re: cluster instance restore

Post by openvpn_inc » Wed Jun 29, 2022 4:32 pm

Hello vlisnyi,

Are you upgrading from version 2.7.5 directly to 2.11.0? If so, this is the only known case of this issue occurring. If this is your situation, then query your database for the cluster inter-node communication password:
./sacli ClusterQuery|grep password

And set that password on the new node on the admin_c user:
./sacli -u admin_c --new_pass="whateverpasswordyouhave" SetLocalPassword

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support


Re: cluster instance restore

Post by vlisnyi » Wed Jun 29, 2022 8:36 pm

Hi Johan,

No, the server was not upgraded previously and was installed with version 2.10.3 (build c47a813c). Also, the password is the same on both servers.


Re: cluster instance restore

Post by vlisnyi » Thu Jun 30, 2022 1:19 pm

OpenVPN support pointed me to how this can be fixed: all you need is to disconnect/connect the restored server to the cluster in a way like this

Code:

# Absolute paths so both commands work from any directory (the restore script ends in the backup dir)
/usr/local/openvpn_as/scripts/sacli ClusterLeave
/usr/local/openvpn_as/scripts/sacli --mysql_str mysql://root:pass@host:3306 --node_name "prod-openvpn-$SERVER_NAME" --rsacli_listen_addr "$IP" --rsacli_client_addr "$IP" ClusterJoin

So these 2 lines need to be added to the end of the script from the first post.
