OpenVPN with Failover

A virtual IP (VIP) is created; the active OpenVPN server holds this IP. When that server fails, the secondary OpenVPN server takes over the VIP and starts its own OpenVPN server. This is done by configuring the two OpenVPN servers identically, both listening on the VIP, and running ucarp on both to manage the fail-over. Note that OpenVPN does not replicate session state between the two hosts: on fail-over, clients lose their tunnel and have to reconnect to the VIP, where the secondary completes a fresh TLS handshake with them.

On the two servers OpenVPN is configured identically: the server config file is the same on both, and the same certificates and ta.key must exist on both (otherwise clients will fail TLS authentication against the secondary after a fail-over).

The fail-over is handled by ucarp; on both machines the following files are created. ucarp calls the up- and down-script with the interface as the first argument and the virtual address as the second, so the scripts do not need the VIP hard-coded:

# mkdir /etc/ucarp
# cat > /etc/ucarp/
#!/bin/sh
# up-script: run by ucarp as <script> <interface> <vip> when this host becomes master
# (stderr is discarded here; drop the exec line while debugging, or nothing will tell
# you that openvpn failed to start)
exec 2> /dev/null

# no prefix length given, so the VIP is added as a /32 alias
/sbin/ip addr add "$2" dev "$1"
/etc/init.d/openvpn start

# cat > /etc/ucarp/
#!/bin/sh
# down-script: run by ucarp as <script> <interface> <vip> when this host becomes backup
exec 2> /dev/null

/sbin/ip addr del "$2" dev "$1"
/etc/init.d/openvpn stop

# chmod +x /etc/ucarp/*

On each machine I started a screen session and launched ucarp:

# ucarp --interface=eth1 -v 42 -p duh -a -s --upscript=/etc/ucarp/ --downscript=/etc/ucarp/

-s (source IP) is the actual IP of the interface on each machine
-a (virtual address) is the same on both machines
--interface is the interface that is being used on each machine
-p is a password that must be the same on both machines. It keys the HMAC on the CARP advertisements, so anyone on the segment who learns it can force a fail-over; unfortunately it has to be given in clear text on the command line, where every local user can read it with ps (Bug#394327). Later ucarp versions added --passfile to read it from a file instead.
-v is the ID of the virtual server (VHID); it must be the same on both machines

This should all go into an init script, but I want to watch it for now
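A first cut at that init script, added here as an example (it is not part of the original notes): it keeps the CARP password off the command line by using ucarp's --passfile option, so it assumes a ucarp that supports it (1.5 and later), refuses to start if the password file is readable by other users, and assumes the settings live in /etc/default/ucarp under the variable names shown.

```shell
#!/bin/sh
# Added example: start ucarp without the password on the command line.
# Assumes a ucarp with --passfile (1.5 and later).  /etc/default/ucarp and the
# variable names IFACE SRCIP VHID VIP PASSFILE UPSCRIPT DOWNSCRIPT are assumptions.
set -u

# Create a random CARP password readable only by root (20 chars = CARP key length).
# Copy the resulting file to the other server over scp afterwards.
# Usage: make_passfile /etc/ucarp/pass
make_passfile() {
    ( umask 077 && head -c 15 /dev/urandom | base64 > "$1" )
}

# Return 0 only if the password file exists and is mode 0600 or 0400, so local
# users cannot read it (the problem with -p was that ps showed it to everyone).
# Usage: check_passfile /etc/ucarp/pass
check_passfile() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Print the ucarp command line.  --shutdown runs the down-script when ucarp exits,
# so the VIP is released instead of staying on a host that no longer advertises.
# Usage: build_ucarp_cmd IFACE SRCIP VHID VIP PASSFILE UPSCRIPT DOWNSCRIPT
build_ucarp_cmd() {
    printf 'ucarp --interface=%s --srcip=%s --vhid=%s --addr=%s --passfile=%s --upscript=%s --downscript=%s --shutdown --daemonize\n' \
        "$1" "$2" "$3" "$4" "$5" "$6" "$7"
}

# Read the settings file and start ucarp; refuse if the password file is readable by others.
start_ucarp() {
    conf="${1:-/etc/default/ucarp}"
    . "$conf"
    if ! check_passfile "$PASSFILE"; then
        echo "refusing to start: $PASSFILE must exist with mode 0600" >&2
        return 1
    fi
    eval "$(build_ucarp_cmd "$IFACE" "$SRCIP" "$VHID" "$VIP" "$PASSFILE" "$UPSCRIPT" "$DOWNSCRIPT")"
}

case "${1:-}" in
    start) start_ucarp "${2:-}" ;;
esac
```

Run `make_passfile /etc/ucarp/pass` once, copy the file to the other server, point PASSFILE at it in /etc/default/ucarp and start with `./ucarp-start start`; the other settings (VIP, VHID) must still match on both machines exactly as with the command line above.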

Setting up an OpenVPN client:
On the two servers (kakapo and eider) make a new client-config-dir file in /etc/openvpn/ccd named after the connecting host (OpenVPN looks it up by the common name of the client certificate). Create the identical file on both servers, so the client gets the same address whichever server is active.

# cat > /etc/openvpn/ccd/
ifconfig-push

on the client host itself:

# apt-get install openvpn
# mkdir -p /etc/certs/roots
# mkdir /etc/certs/
# scp riseup/keys/ta.key
# scp riseup/certs/*.pem
# scp riseup/certs/cacert-root.pem
# mkdir /var/log/openvpn (note: need to setup logrotation!)
# cat > /etc/openvpn/phoenix.conf
dev tun0
proto tcp-client
# key direction 1 on the client; the servers use 0
tls-auth /etc/certs/ta.key 1
ca      /etc/certs/roots/cacert-root.pem
cert    /etc/certs/
key     /etc/certs/
# the virtual IP, so the client follows the fail-over
remote 1194
user nobody
group nogroup
verb 3
log-append      /var/log/openvpn/openvpn.log
status   /var/log/openvpn/status.log

start up openvpn and make sure it works:

/etc/init.d/openvpn start
ping (the openvpn server over the VPN)

check /var/log/openvpn/openvpn.log for errors
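A small lint for the client config, added here as an example (it is not from the original notes): it checks the directives that matter once the server side can fail over. The two sample configs it writes are constructed copies of the one above, with placeholder file names and the documentation address 192.0.2.10 standing in for the VIP; `remote-cert-tls server` assumes the server certificates were issued with the server EKU or nsCertType, which the page does not state.

```shell
#!/bin/sh
# Added example, not from the original page: lint an OpenVPN client config for the
# directives a fail-over setup needs.  Paths and addresses below are placeholders.

# Usage: has_directive FILE NAME [VALUE]  -> 0 if an uncommented "NAME [VALUE]" line exists
has_directive() {
    if [ -n "${3:-}" ]; then
        grep -Eq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|$)" "$1"
    else
        grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
    fi
}

# Usage: lint_client_conf FILE  -> prints findings, returns their count (0 = clean)
lint_client_conf() {
    f="$1"; n=0
    # user/group drop root after startup.  Without persist-key/persist-tun the restart
    # that a TCP reset or ping-restart triggers (i.e. a fail-over) cannot re-read the
    # key and ta.key as nobody, nor reopen tun0, so the client stays down.
    if has_directive "$f" user || has_directive "$f" group; then
        if ! has_directive "$f" persist-key; then echo "$f: user/group without persist-key"; n=$((n+1)); fi
        if ! has_directive "$f" persist-tun; then echo "$f: user/group without persist-tun"; n=$((n+1)); fi
    fi
    # Over TCP a primary that dies hard sends no RST; only keepalive/ping-restart makes
    # the client notice the silent tunnel and reconnect to the VIP on the secondary.
    if ! has_directive "$f" keepalive && ! has_directive "$f" ping-restart; then
        echo "$f: no keepalive/ping-restart"; n=$((n+1))
    fi
    # tls-auth key direction must be 1 on the client (0 on the servers).
    if has_directive "$f" tls-auth && \
       ! grep -Eq '^[[:space:]]*tls-auth[[:space:]]+[^[:space:]]+[[:space:]]+1([[:space:]]|$)' "$f"; then
        echo "$f: tls-auth key direction must be 1 on the client"; n=$((n+1))
    fi
    # Without remote-cert-tls, any holder of a client cert from the same CA could pose
    # as the server (assumes the server certs carry the server EKU/nsCertType).
    if ! has_directive "$f" remote-cert-tls server; then
        echo "$f: no remote-cert-tls server"; n=$((n+1))
    fi
    return "$n"
}

# Constructed copy of the config above (placeholder file names and VIP).
write_page_conf() {
    cat > "$1" <<'EOF'
dev tun0
proto tcp-client
tls-auth /etc/certs/ta.key 1
ca      /etc/certs/roots/cacert-root.pem
cert    /etc/certs/client.pem
key     /etc/certs/client.key
remote 192.0.2.10 1194
user nobody
group nogroup
verb 3
EOF
}

# The same config with the directives the lint asks for.
write_hardened_conf() {
    cat > "$1" <<'EOF'
dev tun0
proto tcp-client
remote 192.0.2.10 1194
tls-auth /etc/certs/ta.key 1
ca      /etc/certs/roots/cacert-root.pem
cert    /etc/certs/client.pem
key     /etc/certs/client.key
remote-cert-tls server
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 60
verb 3
EOF
}
```

Against the config as written above the lint reports four findings (persist-key, persist-tun, keepalive, remote-cert-tls); the persist-* ones are the important pair for fail-over, since they are what lets a client that has already switched to nobody/nogroup survive the restart and come back on the secondary.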

Setting up openvpn inside a vserver (had to do this for

apt-get install openvpn
cd /var/lib/vservers/user/dev/
cat > /etc/vservers/user/2/ip
cat > /etc/vservers/user/2/dev
mkdir /etc/vservers/user/scripts
cat > /etc/vservers/user/scripts/post-start
ip route add to dev tun0

NOTE: The tunctl included in uml-utilities only makes tap devices! This is lame; I had to get a different tunctl source from somewhere else, which enabled me to create tun0 devices. I might not have needed the following if I had let OpenVPN create the device on install (debconf question).

./tunctl -t tun0
ip route add dev tun0
vserver user start

need to set up eider to act as a client while it is the ucarp backup and as a server while it is the ucarp primary