OpenVPN active/active cluster

daniel — Mon, 01 Feb 2010 18:49:10 +0000

Code snippets are for Gentoo systems but it should be easy to adapt this for other systems

This is a small howto explaining how to run a active/active Cluster (keeplaived) setup with OpenVPN. The active/active reflects that both cluster nodes run the same OpenVPN instance. In server mode this setup leads to routing problems as both nodes have the tunnel route added during startup (not after connect). This results in routing trouble as i needed the passive node to access the VPN tunnel via the active node. This is how i solved it:

Routing setup

Both firewall nodes have a static route which forwards tunnel traffic to one of the internal cluster IP’s. The metric for this route is 2 so a active tunnel is preferred over that static route.

routes_eth2=( "192.168.44.0/24 via 192.168.20.254 metric 2" )

It doesn’t matter which node is active and gets the VPN connects as the other node has the right routing entries.

OpenVPN configuration

This setup requires the use of sudo or to run the OpenVPN daemon as root (sudo, sudo, sudo!!!). First we disable to automatically adding of routes and specify scripts for client-connect and client-disconnect. Dont forget to set script security.

route-noexec
client-connect /etc/openvpn/cluster_routing.sh
client-disconnect /etc/openvpn/cluster_routing.sh
script-security 3

cluster_routing.sh

This is a simple version of the script but it should be sufficient to work in most scenarios.

#!/bin/bash
 
## This is useful for debugging and to get the available env vars
##exec > /tmp/ovpn.debug.$$ 2>&1; set -x
 
if [ "${script_type}" == "client-connect" ];
then
    /usr/bin/sudo /sbin/route add -net ${route_network_1}/24 gw ${route_vpn_gateway}
else
    /usr/bin/sudo /sbin/route del -net ${route_network_1}/24 gw ${route_vpn_gateway}
fi
 
exit 0

This script adds and removes the needed route to get a operational tunnel.

HA Linux Router

daniel — Mon, 27 Oct 2008 21:32:38 +0000

This howto describes the setup of a HA Linux router based on Gentoo and Keepalived. I’m writing this because there’s not really a good documentation on this topic so far. At least as i searched for it.

Requirement

The intended router requires this config and tools:

Kernel with activcated VLAN support(CONFIG_VLAN_8021Q=y)
Keepalived installed
vconfig installed
Optionally bonding support in Kernel and ifenslave installed

Network Configuration

This configuration example is designed for 8 NIC’s and 20 VLAN’s. The following config is split to make it more readable but belongs completely to /etc/conf.d/net.

VLAN-Interface-Mapping

Depending on your network and traffic you have to find a VLAN-interface-mapping that matches your environment.

#######################################################
## VLAN <--> Interface Mapping
#######################################################
 
## eth0: VLAN 20 - 22
vlans_eth0="20 21 22"
 
## eth1: VLAN 22
vlans_eth1="22"
 
## eth2: VLAN 23 - 24
vlans_eth2="23 24"
 
## eth3: VLAN 25 26 27 28
vlans_eth3="25 26 27 28"
 
## eth4: VLAN 29
vlans_eth4="29"
 
## eth5: VLAN 30 - 34
vlans_eth5="30 31 32 33 34"
 
## eth6: VLAN 35 - 38 
vlans_eth6="35 36 37 38"
 
## eth7: VLAN 39 - 40
vlans_eth7="39 40"

VLAN Settings

This VLAN setup will lead to interfaces named vlanXX. See the manpage of vconfig if you prefer a different setup. Then it’s time to disable the “parent interfaces”. You can’t use a interface in mixed mode: VLAN’s or single interface.

#######################################################
## VLAN Interface naming scheme
#######################################################
 
vconfig_eth0=( "set_name_type VLAN_PLUS_VID_NO_PAD" )
vconfig_eth1=( "set_name_type VLAN_PLUS_VID_NO_PAD" )
vconfig_eth2=( "set_name_type VLAN_PLUS_VID_NO_PAD" )
vconfig_eth3=( "set_name_type VLAN_PLUS_VID_NO_PAD" )
vconfig_eth4=( "set_name_type VLAN_PLUS_VID_NO_PAD" )
vconfig_eth5=( "set_name_type VLAN_PLUS_VID_NO_PAD" )
vconfig_eth6=( "set_name_type VLAN_PLUS_VID_NO_PAD" )
vconfig_eth7=( "set_name_type VLAN_PLUS_VID_NO_PAD" )
 
#######################################################
## Disable interfaces for "normal" use
#######################################################
 
config_eth0=( "null" )
config_eth1=( "null" )
config_eth2=( "null" )
config_eth3=( "null" )
config_eth4=( "null" )
config_eth5=( "null" )
config_eth6=( "null" )
config_eth7=( "null" )

IP Adresses

Now it’s time to assign addresses to our VLAN interfaces. I myself prefer the last 3 adresses of every subnet as router addresses.

|xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx|
|            192.168.45.0/25
|xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx|
| Router-VIP  ==> 192.168.45.254 Cluster IP
| Router-A    ==> 192.168.45.253 Real-IP Node A
| Router-B    ==> 192.168.45.252 Real-IP Node B
 
config_vlan20=( "10.1.20.0/24" )
config_vlan21=( "10.1.21.0/24" )
config_vlan22=( "10.1.22.0/24" )
config_vlan23=( "10.1.23.0/24" )
config_vlan24=( "10.1.24.0/24" )
config_vlan25=( "10.1.25.0/24" )
config_vlan26=( "10.1.26.0/24" )
config_vlan27=( "10.1.27.0/24" )
config_vlan28=( "10.1.28.0/24" )
config_vlan29=( "10.1.29.0/24" )
config_vlan30=( "10.1.30.0/24" )
...

Routing

If you’re familiar with Gentoo’s routing syntax you shouldn’t be surprised to see how it works.

routes_vlan21=("192.168.99.0/27 via 10.1.21.5")
routes_vlan31=("default via 10.1.31.1")

Keepalived Configuration

MASTER: /etc/keepalived/keepalived.conf

## Unique identifier for every router
global_defs {
   router_id router-a
}
 
## Sync Group
vrrp_sync_group SG_A {
  group {
          VI_21 # VLAN 21
          VI_22 # VLAN 22
          VI_23 # VLAN 23
          VI_24 # VLAN 24
          VI_25 # VLAN 25
          VI_26 # VLAN 26
          VI_27 # VLAN 27
          VI_28 # VLAN 28
          VI_29 # VLAN 29
          VI_30 # VLAN 30
          VI_31 # VLAN 31
 
          ...
        }
}
 
## VLAN 21
vrrp_instance VI_21 {
    interface vlan21
    state MASTER
    virtual_router_id 21
    priority 80
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass >FreakShow_<
    }
    virtual_ipaddress {
        10.1.21.254
    }
}
 
## VLAN 22
vrrp_instance VI_22 {
    interface vlan22
    state MASTER
    virtual_router_id 22
    priority 80
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass >FreakShow_<
    }
    virtual_ipaddress {
        10.1.22.254
    }
}
 
...

SLAVE: /etc/keepalived/keepalived.conf

## Unique identifier for every router
global_defs {
   router_id router-b
}
 
## Sync Group
vrrp_sync_group SG_B {
  group {
          VI_21 # VLAN 21
          VI_22 # VLAN 22
          VI_23 # VLAN 23
          VI_24 # VLAN 24
          VI_25 # VLAN 25
          VI_26 # VLAN 26
          VI_27 # VLAN 27
          VI_28 # VLAN 28
          VI_29 # VLAN 29
          VI_30 # VLAN 30
          VI_31 # VLAN 31
 
          ...
        }
}
 
## VLAN 21
vrrp_instance VI_21 {
    interface vlan21
    state SLAVE
    virtual_router_id 21
    priority 50
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass >FreakShow_<
    }
    virtual_ipaddress {
        10.1.21.254
    }
}
 
## VLAN 22
vrrp_instance VI_22 {
    interface vlan22
    state SLAVE
    virtual_router_id 22
    priority 50
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass >FreakShow_<
    }
    virtual_ipaddress {
        10.1.22.254
    }
}
 
...

My two ¢'s » keepalived