Load Balance OpenVPN

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
dizzy21
OpenVpn Newbie
Posts: 1
Joined: Thu Oct 20, 2022 9:22 am

Load Balance OpenVPN

Post by dizzy21 » Thu Oct 20, 2022 9:35 am

Hello,

I have more than 1000 clients that are already configured to connect to one OpenVPN server.
My goal is to use two OpenVPN servers on the same host that share the same resources, in order to be able to connect thousands of clients. It is very important to know that changing the configuration of the clients is not possible. So I'm excluding the official information from the OpenVPN documentation.
I need to know what the solutions are for using OpenVPN behind a load balancer. As I know and have read in different topics, HAProxy and nginx do not support UDP datagrams for load balancing. I did not find anything explicit for my case. I also found that iptables can be used in this case with some of its modules, but nothing explicit for UDP load balancing.

Thank you.

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Load Balance OpenVPN

Post by openvpn_inc » Sat Nov 05, 2022 3:58 pm

Hi diz,

With large numbers of clients, you run up against the issue of CPU overload. The openvpn(8) 2.5.x and earlier software is a single-threaded application, so your server process is running on a single CPU core.

Version 2.6 (now available only through git) addresses this limitation with a new feature called Data Channel Offload (DCO). With DCO the main server thread is still on that one CPU core, but the more challenging work of encrypting and decrypting and routing packets is shared among other CPU cores.

The commercial OpenVPN Access Server software has a different workaround for this problem: it runs one daemon per protocol (TCP/UDP) per CPU core. And the network you assign to the VPN is split among the openvpn daemons.

So for 1000 connections and, say, 8 CPU cores, you would have to give your VPN a larger netblock than you might expect: that block would be split in 16 pieces. Normally you would think that a /22 would accommodate 1000 clients. But given that most clients will use UDP, you're at less than half what you need. You really need a /20 or larger. Not a problem, of course, given the size of RFC 1918 networks.

To directly answer your question, we don't recommend using load balancers. You can implement the Access Server CPU workaround in community-version openvpn, by controlling which CPU core runs each openvpn daemon. It was a lot of work, and it does not benefit the average hobby user, only the medium-to-large businesses. That's why it was kept proprietary. But you can examine a free trial version of Access Server and see how it was done.

When you grow beyond what a single server can do, and/or want to do away with the SPOF, Access Server also supports a local failover pair, or clustering, which can expand far beyond just a pair, and can be geographically diverse. (The issue of netblock splitting of course gets much more complicated with a cluster.)

My suggestion, given that you are already running a server for 1000+ clients, is to set up a server with 2.6 from git and DCO. There is no "upgrade" path from community openvpn to Access Server; you'd probably end up having to re-create each client profile.

Hope this helps, regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
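Added example (not from this thread and not OpenVPN Inc.'s code): it works through the netblock arithmetic in rob0's answer (one daemon per protocol per core, the VPN block split 16 ways, a /22 coming out at less than half of 1000 clients while a /20 is enough) and, for the iptables question dizzy21 raised, emits the nat-table "statistic nth" rules that fan one public UDP port out to several local daemons. Assumptions not stated on the page: `topology subnet` (so each daemon's subnet loses three addresses: network, broadcast and the server's own); each daemon listens on a hypothetical private port 2000+n behind a REDIRECT rule; pinning is done with `taskset`; the config paths are made up. rob0's advice against load balancers stands; the fan-out is shown so the failure mode is visible.

```python
"""Plan a per-core openvpn daemon split and the iptables fan-out for it.

Added example; the layout, ports and paths are assumptions, not how
Access Server or any product actually does it.
"""
import ipaddress
import math
from collections import namedtuple

Daemon = namedtuple("Daemon", "proto core subnet port")


def split_netblock(block, cores, base_port=2000, protocols=("udp", "tcp")):
    """One equal subnet (and a hypothetical private port) per (protocol, core).

    8 cores x 2 protocols = 16 daemons, so a /20 becomes 16 x /24 and a
    /22 becomes 16 x /26."""
    net = ipaddress.ip_network(block, strict=True)
    count = len(protocols) * cores
    extra_bits = math.ceil(math.log2(count))          # 16 daemons -> 4 bits
    subnets = net.subnets(prefixlen_diff=extra_bits)  # generator, consumed by zip
    pairs = [(p, c) for p in protocols for c in range(cores)]
    return [Daemon(p, c, s, base_port + i)
            for i, ((p, c), s) in enumerate(zip(pairs, subnets))]


def client_capacity(plan, proto):
    """Clients servable on `proto`: per daemon, the subnet minus network,
    broadcast and the server address (assumes topology subnet)."""
    return sum(d.subnet.num_addresses - 3 for d in plan if d.proto == proto)


def daemon_config(d):
    """Minimal server config fragment for one daemon (assumed layout)."""
    return "\n".join([
        f"# {d.proto} daemon pinned to CPU core {d.core}",
        f"proto {d.proto}",
        f"port {d.port}",
        "dev tun",
        "topology subnet",
        f"server {d.subnet.network_address} {d.subnet.netmask}",
        "",
    ])


def fanout_rules(proto, public_port, daemon_ports):
    """nat PREROUTING rules spreading new flows on public_port over daemon_ports.

    The nat table only sees the first packet of a conntrack entry, so these
    rules pick a daemon per flow; later packets of that flow follow the same
    REDIRECT. Each rule keeps its own counter, so rule i takes 1/(N-i) of
    what earlier rules let through, i.e. an even 1/N each; the last rule
    catches the rest unconditionally.

    Caveat: if the client's NAT changes its source port, or the UDP conntrack
    entry expires during a quiet period, the next packet is a new flow and
    may be sent to a daemon that holds no session for it, so the client
    must renegotiate. Keepalive shortens but does not remove that window."""
    n = len(daemon_ports)
    rules = []
    for i, port in enumerate(daemon_ports):
        match = (f" -m statistic --mode nth --every {n - i} --packet 0"
                 if i < n - 1 else "")
        rules.append(f"iptables -t nat -A PREROUTING -p {proto} "
                     f"--dport {public_port}{match} -j REDIRECT --to-ports {port}")
    return rules


def pin_commands(plan, config_dir="/etc/openvpn/server"):
    """One taskset-pinned daemon per plan entry (hypothetical paths)."""
    return [f"taskset -c {d.core} openvpn --config {config_dir}/{d.proto}-{d.core}.conf"
            for d in plan]


if __name__ == "__main__":
    for block in ("10.8.0.0/22", "10.8.0.0/20"):
        plan = split_netblock(block, cores=8)
        print(f"{block}: {len(plan)} daemons, first subnet {plan[0].subnet}, "
              f"UDP capacity {client_capacity(plan, 'udp')} clients")
    plan = split_netblock("10.8.0.0/20", cores=8)
    print(daemon_config(plan[3]))
    udp_ports = [d.port for d in plan if d.proto == "udp"]
    print("\n".join(fanout_rules("udp", 1194, udp_ports)))
    print("\n".join(pin_commands(plan)))
```

Run as-is it reports 488 UDP clients for the /22 (under half of 1000, as rob0 says) and 2024 for the /20. The TCP daemons can be fanned out with the same function and `-p tcp`; there conntrack tracks the whole connection, so the re-selection caveat only bites on reconnect.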
