Questions about openvpn-as and galera cluster

Posted: Sun Mar 14, 2021 1:48 pm
by jmeslovich
For the last several years we have run a single OpenVPN-AS server on CentOS 6 (presently running 2.7.5). We are replacing that server with the Ubuntu 18.04 based appliance VHD from OpenVPN. We have two server rooms that we run VMs out of so we created two OpenVPN-AS 2.8.7 servers and clustered them together using a single MariaDB server that we created for now in the one server room.

We would like the two OpenVPN-AS servers to be resilient to either server room going offline. So we were thinking about creating a small two node galera cluster and having a node in each server room as well. Then point each OpenVPN-AS node to its local database node in the galera cluster. Would that work or would the OpenVPN-AS cluster not form correctly?

Has anyone done that before or do most people that go the cluster route for OpenVPN-AS just go with an AWS RDS instance?

Re: Questions about openvpn-as and galera cluster

Posted: Sun Mar 14, 2021 7:19 pm
by openvpn_inc
Hello,

Regarding Galera cluster, we have done that ourselves actually. Works great. But you need at least 3 nodes for a Galera cluster. The reason is quorum. When a situation occurs where it is unclear which set of data is the correct set of data (due to an interruption on one of the nodes or network connectivity issues for example) the Galera cluster can 'take a vote' on which set of data is the correct one and that one 'wins' and gets replicated to the 'losing' node so it is in sync again. This is to prevent split-brain situations. But with 2 nodes you can never have quorum in such a situation. Therefore a third node is necessary. But that third node could be just a database server. And you can have more than 3 nodes in total on Galera.

Kind regards,
Johan
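
Added example, not part of the original posts and not OpenVPN or Galera code: a small Python model of the majority vote described above, applied to the abrupt loss of one server room. It assumes equal node weights and a strict-majority rule; the room and node names and the third-location layout are constructed for illustration.

```python
# Simplified quorum model: a surviving partition stays Primary only if it
# holds a strict majority of the members of the last Primary Component.
# Assumption: every node has the same weight and the room is lost abruptly.

def has_quorum(survivors, previous_members):
    """True if the survivors are more than half of the previous membership."""
    return 2 * len(survivors) > len(previous_members)


def room_outage_report(layout):
    """layout maps room name -> list of database nodes hosted in that room.

    Returns {failed_room: (surviving_nodes, still_primary)} for the loss of
    each room in turn.
    """
    all_nodes = [node for nodes in layout.values() for node in nodes]
    report = {}
    for failed in layout:
        survivors = [node
                     for room, nodes in layout.items() if room != failed
                     for node in nodes]
        report[failed] = (survivors, has_quorum(survivors, all_nodes))
    return report


# Constructed layouts (hypothetical names).
TWO_NODES = {"room_a": ["db1"], "room_b": ["db2"]}
THREE_IN_TWO_ROOMS = {"room_a": ["db1", "db2"], "room_b": ["db3"]}
THREE_LOCATIONS = {"room_a": ["db1"], "room_b": ["db2"], "site_c": ["db3"]}

if __name__ == "__main__":
    layouts = [("2 nodes, 2 rooms", TWO_NODES),
               ("3 nodes, 2 rooms", THREE_IN_TWO_ROOMS),
               ("3 nodes, 3 locations", THREE_LOCATIONS)]
    for name, layout in layouts:
        print(name)
        for failed, (survivors, primary) in room_outage_report(layout).items():
            state = "Primary" if primary else "non-Primary (no quorum)"
            print(f"  lose {failed}: survivors={survivors} -> {state}")
```

In this model the two-node layout loses quorum whichever room fails, and three nodes spread over only two rooms still lose quorum when the room holding two of them goes down.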

Re: Questions about openvpn-as and galera cluster

Posted: Sun Mar 14, 2021 8:14 pm
by jmeslovich
I was worried I would have to put an haproxy load balancer in front of the galera cluster and reference it in OpenVPN-AS that way. The three node cluster definitely makes sense, thank you.

Re: Questions about openvpn-as and galera cluster

Posted: Mon Mar 15, 2021 11:01 am
by openvpn_inc
Hello,

No, you can just edit as.conf to point to the particular Galera node you want that Access Server node to use. The three nodes are just the minimum amount for quorum to make split-brain resolution automatic.

Good luck,
Johan

Re: Questions about openvpn-as and galera cluster

Posted: Sun Apr 11, 2021 5:34 pm
by chilinux
I had some follow-up questions about the syntax for as.conf. Is it possible to do additional things in the as.conf beyond what the web portal interface allows?

More to the point, does the as.conf allow for doing any of the following:

(1) Is it possible to specify more than one node so AS will failover to the next galera node if it can't connect to the first one?

(2) Is it possible to specify using TLS in the as.conf? Can a specific MYSQL_OPT_SSL_CA or MYSQL_OPT_SSL_CERT be specified?

(3) Is it possible to have different OpenVPN AS clusters use the same galera cluster? Can a different database name be specified in the as.conf?