OpenVPN with Failover

A virtual IP is created (10.0.1.1), this IP is assumed by the active openvpn server.
When that server fails, the secondary openvpn server assumes that IP and launches the server. This is done through configuring two openvpn servers to be identical in configuration, both configured to listen on 10.0.1.1, and running ucarp on both servers to manage the fail-over.

On the two servers Openvpn is configured identical, the config file looks like blah, and the certs and ta.key must exist.

The fail-over is handled by ucarp, on both machines the following files are created:

# mkdir /etc/ucarp
# cat > /etc/ucarp/vpn-up.sh:
#!/bin/sh

exec 2> /dev/null

/sbin/ip addr add 10.0.1.1/24 dev "$1"
/etc/init.d/openvpn start
EOF

# cat > /etc/ucarp/vpn-down.sh
#!/bin/sh

exec 2> /dev/null

/sbin/ip addr del 10.0.1.1/24 dev "$1"
/etc/init.d/openvpn stop
EOF

# chmod +x /etc/ucarp/*

On each machine I started a screen session and launched ucarp:

# ucarp --interface=eth1 -v 42 -p duh -a 10.0.1.1 -s 10.0.1.10 --upscript=/etc/ucarp/vpn-up.sh --downscript=/etc/ucarp/vpn-down.sh

The -s (source IP) should be the actual IP of the interface
The -a is the same on both machines
The —interface should be the interface that is being used on each machine
The -p is a password that should be the same on both machines, it sucks that has to be provided in clear-text on the command-line (Bug#394327)t m
The -v is the ID of the virtual server, it should be the same on both machines

This should all go into an init script, but I want to watch it for now

Setting up an Openvpn client:
on the two servers (kakapo and eider) make a new named after the host connecting in /etc/openvpn/ccd

# cat > /etc/openvpn/ccd/cormorant.riseup.net
# ifconfig-push 10.8.0.15 10.8.0.1

on the client host itself:

# apt-get install openvpn
# mkdir -p /etc/certs/roots
# mkdir /etc/certs/cormorant.riseup.net
# scp riseup/keys/ta.key cormorant.riseup.net:/etc/certs
# scp riseup/certs/cormorant.riseup.net/*.pem cormorant.riseup.net:/etc/certs/cormorant.riseup.net
# scp riseup/certs/cacert-root.pem cormorant.riseup.net:/etc/certs/roots
# mkdir /var/log/openvpn (note: need to setup logrotation!)
# cat > /etc/openvpn/phoenix.conf
dev tun0
proto tcp-client
tls-client
pull
tls-auth /etc/certs/ta.key 1
ca      /etc/certs/roots/cacert-root.pem
cert    /etc/certs/cormorant.riseup.net/cert.pem
key     /etc/certs/cormorant.riseup.net/key.pem
remote phoenix.riseup.net 1194
user nobody
group nogroup
persist-tun
persist-key
verb 3
log-append      /var/log/openvpn/openvpn.log
status   /var/log/openvpn/status.log
EOF

start up openvpn and make sure it works:

/etc/init.d/openvpn start
ping 10.8.0.1 (the openvpn server over the VPN)
ping gull-vpn.riseup.net

check /var/log/openvpn/openvpn.log for errors

Setting up openvpn inside a vserver (had to do this for user.riseup.net):

apt-get install openvpn
cd /var/lib/vservers/user/dev/
./MAKEDEV tun
cat > /etc/vservers/user/2/ip
10.8.0.18
cat > /etc/vservers/user/2/dev
tun0
mkdir /etc/vservers/user/scripts
cat > /etc/vservers/user/scripts/post-start
ip route add to 10.8.0.0/24 dev tun0

NOTE: The tunctl included in uml-utilities only makes tap devices! This is lame, I had to get a different tunctl source from somewhere else which enabled me to create tun0 devices. I might not have needed the following if I had let openvpn create the
device on install (debconf question).

./tunctl -t tun0
ip route add 10.8.0.0/24 dev tun0
vserver user start

need to setup eider to assume client when ucarp backup and server when ucarp primary