cluster instance restore

Posted: Wed Jun 29, 2022 4:24 pm
by vlisnyi
Hi Community,

I backed up the OpenVPN Access Server and restored it on another instance using the manual at https://openvpn.net/vpn-server-resource ... d-backups/. The script looks like this:

#!/bin/bash

set -e

ENV=prod
IP=10.10.10.10
CLUSTER_MODE=$(/usr/local/openvpn_as/scripts/sacli ConfigQuery | grep cluster.mode | awk -F \" '{print $4}')
SERVER_NAME=$(/usr/bin/hostname -f | awk -F - '{print $3}')
TMP="/tmp/vpnas-backup"

# Script will only restore configuration if this will be a new server, new server always have cluster_mode = false
if [[ "$CLUSTER_MODE" != "true" ]]; then

  # Fetch backup from S3
  echo "Syncing files from S3"
  mkdir -p "$TMP"
  HOME=/root/ /usr/local/bin/aws s3 sync "s3://vpnas-backup-${ENV}/${SERVER_NAME}" "$TMP" || exit 1

  cd "$TMP"
  # Figure out backup dir (get most recent)
  cd "$(ls -r | head -n1)"

  # stop service, restore backup, start service
  service openvpnas stop
  # Replace each database only when its dump is present in the backup;
  # otherwise the existing file is left untouched
  if [ -e ./config_local.db.bak ]; then
    rm -f /usr/local/openvpn_as/etc/db/config_local.db
    sqlite3 /usr/local/openvpn_as/etc/db/config_local.db < ./config_local.db.bak
  fi
  if [ -e ./log.db.bak ]; then
    rm -f /usr/local/openvpn_as/etc/db/log.db
    sqlite3 /usr/local/openvpn_as/etc/db/log.db < ./log.db.bak
  fi
  [ -e ./as.conf.bak ] && cp ./as.conf.bak /usr/local/openvpn_as/etc/as.conf
  cp -r ./ssl-api /usr/local/openvpn_as/etc/
  # Private keys readable by owner only; the CA certificate may be world-readable
  chmod 600 /usr/local/openvpn_as/etc/ssl-api/*
  chmod 644 /usr/local/openvpn_as/etc/ssl-api/ca.crt
  service openvpnas start
  sleep 5

  # update server configuration with the new server ip
  /usr/local/openvpn_as/scripts/sacli --key "ssl_api.client_addr" --value "$IP" ConfigPut
  /usr/local/openvpn_as/scripts/confdba --cluster -m --prof="prod-openvpn-$SERVER_NAME" --key="sacli_ip" --value="$IP"
  /usr/local/openvpn_as/scripts/sacli start

fi

But I found something strange: the restored server sees both servers in the cluster, but at the same time the first server doesn't see the restored server in the cluster and shows an error:

Unable to reach this node
Reason: <Fault 9000: "Server Agent AuthProxy error: only peer UIDs from the following set are allowed: ['root', 'openvpn_as']">

I've tried to find the peer UID in the RDS databases and local configs but can't find it, and googling this error gave the same result. Can somebody point me to how this can be fixed?
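
The restore step in the script above replaces the live database files in place. As an added example (not part of the original posts and not OpenVPN's own code), this sketch restores one dump so that a missing or failing dump never leaves the target database deleted or half-written; `restore_db` and the `LOADER` override are hypothetical names introduced here.

```shell
#!/bin/bash
# Added example, not from the thread. Assumes the dump is plain SQL that
# "sqlite3 <dbfile> < dump" can load, as in the restore script above.

# restore_db DUMP TARGET
#   returns 0 on success, 1 if loading failed, 2 if the dump is missing/empty
restore_db() {
  local dump="$1" target="$2" loader="${LOADER:-sqlite3}" tmp

  # No usable dump in this backup set: keep the existing database.
  if [ ! -s "$dump" ]; then
    echo "skip: $dump missing or empty, $target left untouched" >&2
    return 2
  fi

  # Build the new database beside the target so the final mv is a rename
  # on the same filesystem. mktemp creates the file with mode 0600;
  # re-apply the owner and mode your installation expects afterwards.
  tmp="$(mktemp "${target}.restore.XXXXXX")" || return 1

  if ! "$loader" "$tmp" < "$dump"; then
    echo "error: loading $dump failed, $target left untouched" >&2
    rm -f "$tmp"
    return 1
  fi

  # Keep the previous database for rollback, then swap in the new one.
  if [ -e "$target" ]; then
    cp -p "$target" "${target}.pre-restore"
  fi
  mv -f "$tmp" "$target"
}

# Usage inside the restore script, with the service stopped:
#   restore_db ./config_local.db.bak /usr/local/openvpn_as/etc/db/config_local.db
#   restore_db ./log.db.bak          /usr/local/openvpn_as/etc/db/log.db
```

A return code of 2 is not an error under this scheme, so a caller running with `set -e` should handle it explicitly, for example with `restore_db ... || [ $? -eq 2 ]`.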

Re: cluster instance restore

Posted: Wed Jun 29, 2022 4:32 pm
by openvpn_inc
Hello vlisnyi,

Are you upgrading from version 2.7.5 directly to 2.11.0? If so this is the only known case of this issue occurring. If this is your situation then query your database for the cluster inter-node communication password;
./sacli ClusterQuery|grep password

And set that password on the new node on the admin_c user;
./sacli -u admin_c --new_pass="whateverpasswordyouhave" SetLocalPassword

Kind regards,
Johan

Re: cluster instance restore

Posted: Wed Jun 29, 2022 8:36 pm
by vlisnyi
Hi Johan,

No, the server was not upgraded previously and was installed with version 2.10.3 (build c47a813c). Also, the password is the same on both servers.

Re: cluster instance restore

Posted: Thu Jun 30, 2022 1:19 pm
by vlisnyi
OpenVPN support pointed me to how this can be fixed: all you need is to disconnect the restored server from the cluster and connect it again, like this:

# Detach the restored node from the cluster, then join it again
/usr/local/openvpn_as/scripts/sacli ClusterLeave
/usr/local/openvpn_as/scripts/sacli --mysql_str mysql://root:pass@host:3306 --node_name "prod-openvpn-$SERVER_NAME" --rsacli_listen_addr "$IP" --rsacli_client_addr "$IP" ClusterJoin

So these 2 lines need to be added to the end of the script from the first post.