This is a small howto explaining how to run an active/active cluster (keepalived) setup with OpenVPN. Active/active means that both cluster nodes run the same OpenVPN instance. In server mode this setup leads to routing problems, as both nodes add the tunnel route during startup (not after a client connects). This caused routing trouble for me because i needed the passive node to reach the VPN tunnel via the active node. This is how i solved it:
Both firewall nodes have a static route which forwards tunnel traffic to one of the internal cluster IPs. The metric for this route is 2, so an active tunnel is preferred over that static route.
It doesn’t matter which node is active and receives the VPN connections, as the other node has the right routing entries.
This setup requires the use of sudo or running the OpenVPN daemon as root (sudo, sudo, sudo!!!). First we disable the automatic adding of routes and specify scripts for client-connect and client-disconnect. Don’t forget to set script-security.
This is a simple version of the script, but it should be sufficient for most scenarios.
This script adds and removes the route needed to get an operational tunnel.
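As an added example (not the post's own config or script), the following hook covers both steps above: the server.conf directives that disable automatic route handling and wire up the connect/disconnect hooks are shown in the header comment, and the script itself adds the tunnel route on the first client-connect and removes it again when the last client disconnects. OpenVPN really does export `script_type` and `dev` into the hook's environment; the tunnel network 10.8.0.0/24, the metric 1 (below the metric-2 static fallback route), the state directory /run/openvpn-route and the hook path /etc/openvpn/route-hook.sh are assumptions. It keeps a connection count so that one client disconnecting does not drop the route while other clients are still connected, and it always exits 0, because a non-zero exit from a client-connect script makes OpenVPN reject that client.

```shell
#!/bin/sh
# Hypothetical client-connect / client-disconnect hook for the keepalived
# active/active OpenVPN setup (example, not the original post's script).
#
# Matching server.conf lines (assumed path for the hook):
#   route-noexec
#   client-connect    /etc/openvpn/route-hook.sh
#   client-disconnect /etc/openvpn/route-hook.sh
#   script-security 2
set -eu

TUN_NET="${TUN_NET:-10.8.0.0/24}"            # assumed tunnel network
ROUTE_METRIC="${ROUTE_METRIC:-1}"            # must beat the metric-2 static fallback
STATE_DIR="${STATE_DIR:-/run/openvpn-route}" # assumed state directory
ROUTE_CMD="${ROUTE_CMD:-ip}"                 # use "sudo ip" when OpenVPN does not run as root

# read_count DIR -> number of connected clients recorded in DIR (0 if none)
read_count() {
    if [ -f "$1/count" ]; then cat "$1/count"; else echo 0; fi
}

# update_count DIR ACTION -> prints the new count after a connect (+1)
# or disconnect (-1, never below 0) and stores it in DIR/count
update_count() {
    dir="$1"; action="$2"
    mkdir -p "$dir"
    n=$(read_count "$dir")
    case "$action" in
        client-connect)    n=$((n + 1)) ;;
        client-disconnect) if [ "$n" -gt 0 ]; then n=$((n - 1)); fi ;;
        *) echo "unknown script_type: $action" >&2; return 1 ;;
    esac
    echo "$n" > "$dir/count"
    echo "$n"
}

# route_for ACTION COUNT DEV NET METRIC -> prints the ip(8) arguments to run,
# or nothing when the route must stay as it is (other clients still connected)
route_for() {
    action="$1"; n="$2"; dev="$3"; net="$4"; metric="$5"
    if [ "$action" = client-connect ] && [ "$n" -eq 1 ]; then
        echo "route replace $net dev $dev metric $metric"
    elif [ "$action" = client-disconnect ] && [ "$n" -eq 0 ]; then
        echo "route del $net dev $dev metric $metric"
    fi
}

# OpenVPN sets script_type and dev; when run by hand there is nothing to do.
if [ -n "${script_type:-}" ]; then
    count=$(update_count "$STATE_DIR" "$script_type")
    cmd=$(route_for "$script_type" "$count" "${dev:?}" "$TUN_NET" "$ROUTE_METRIC")
    if [ -n "$cmd" ]; then
        # word splitting of $cmd is intended here
        $ROUTE_CMD $cmd
    fi
fi
```

Set `ROUTE_CMD=echo` to dry-run the hook and see which `ip route` command it would issue; with `script_type=client-connect dev=tun0 ROUTE_CMD=echo STATE_DIR=/tmp/ovpn-test ./route-hook.sh` the first call prints the `route replace` line and a second call prints nothing, because the count is now 2.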