A virtual IP (10.0.1.1) is created; this IP is assumed by the active openvpn server.
When that server fails, the secondary openvpn server assumes the IP and launches the server. This is done by configuring two openvpn servers identically, both listening on 10.0.1.1, and running ucarp on both servers to manage the fail-over.
On the two servers openvpn is configured identically; the config file looks like blah, and the certs and ta.key must exist.
The fail-over is handled by ucarp. On both machines the following files are created (the heredoc delimiter is quoted so that "$1", the interface name ucarp passes to the scripts, is written into the script rather than expanded by the shell doing the cat):
# mkdir /etc/ucarp
# cat > /etc/ucarp/vpn-up.sh <<'EOF'
#!/bin/sh
exec 2> /dev/null
/sbin/ip addr add 10.0.1.1/24 dev "$1"
/etc/init.d/openvpn start
EOF
# cat > /etc/ucarp/vpn-down.sh <<'EOF'
#!/bin/sh
exec 2> /dev/null
/sbin/ip addr del 10.0.1.1/24 dev "$1"
/etc/init.d/openvpn stop
EOF
# chmod +x /etc/ucarp/*
On each machine I started a screen session and launched ucarp:
# ucarp --interface=eth1 -v 42 -p duh -a 10.0.1.1 -s 10.0.1.10 --upscript=/etc/ucarp/vpn-up.sh --downscript=/etc/ucarp/vpn-down.sh
-s (source IP) should be the actual IP of the interface
-a is the same on both machines
--interface should be the interface that is being used on each machine
-p is a password that should be the same on both machines; it sucks that it has to be provided in clear-text on the command line (Bug#394327)
-v is the ID of the virtual server; it should be the same on both machines
This should all go into an init script, but I want to watch it for now.
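To tell at a glance whether a machine is in the state ucarp should have left it in, here is an added check script (not part of the original notes) that classifies a host as master, backup, or one of the two broken states the up/down scripts can leave behind. The functions work on captured command output so the demo runs offline against constructed samples; live_role runs the real commands. The only assumptions are the VIP 10.0.1.1 and interface eth1 from the notes above.

```shell
#!/bin/sh
# Added example, not from the original notes: classify the ucarp/openvpn
# state of this host. Healthy states are "master" (VIP held, openvpn
# running) and "backup" (no VIP, openvpn stopped). "split" means the VIP
# is held but openvpn is not running (vpn-up.sh failed half way);
# "stale" means openvpn is still running without the VIP (vpn-down.sh
# failed), which would leave two servers trying to serve the same clients.

VIP="10.0.1.1"     # shared address from the notes

# vip_held OUTPUT VIP : succeed if `ip addr` output lists VIP as an address.
# The trailing "/" stops 10.0.1.1 matching the real address 10.0.1.10.
vip_held() {
    printf '%s\n' "$1" | grep -qF "inet $2/"
}

# own_ip OUTPUT : print the interface's primary address, i.e. what ucarp -s
# should be set to on this machine.
own_ip() {
    printf '%s\n' "$1" | awk '/inet / && !/secondary/ { sub("/.*", "", $2); print $2; exit }'
}

# role_of OUTPUT VIP OPENVPN_RUNNING(yes|no) : print master|backup|split|stale
role_of() {
    if vip_held "$1" "$2"; then
        if [ "$3" = yes ]; then echo master; else echo split; fi
    else
        if [ "$3" = yes ]; then echo stale; else echo backup; fi
    fi
}

# live_role IFACE : run the real commands on this host (not used by the demo)
live_role() {
    running=no
    if pgrep -x openvpn >/dev/null 2>&1; then running=yes; fi
    role_of "$(ip -4 addr show dev "$1")" "$VIP" "$running"
}

# Constructed sample output of `ip -4 addr show dev eth1` for a host holding
# the VIP and for a standby host; these are not captures from real machines.
SAMPLE_MASTER='2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 10.0.1.10/24 brd 10.0.1.255 scope global eth1
    inet 10.0.1.1/24 scope global secondary eth1'
SAMPLE_BACKUP='2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 10.0.1.11/24 brd 10.0.1.255 scope global eth1'

# Demo on the constructed samples; on a real server call: live_role eth1
echo "primary host (-s $(own_ip "$SAMPLE_MASTER")): $(role_of "$SAMPLE_MASTER" "$VIP" yes)"
echo "standby host (-s $(own_ip "$SAMPLE_BACKUP")): $(role_of "$SAMPLE_BACKUP" "$VIP" no)"
echo "standby host with openvpn left running: $(role_of "$SAMPLE_BACKUP" "$VIP" yes)"
```

Running live_role from cron on both machines and alerting on anything other than one master and one backup catches the failure mode the notes do not mention: a down-script that did not stop openvpn, leaving two servers alive at once.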
Setting up an Openvpn client:
on the two servers (kakapo and eider) make a new file named after the connecting host in /etc/openvpn/ccd:
# cat > /etc/openvpn/ccd/cormorant.riseup.net <<EOF
ifconfig-push 10.8.0.15 10.8.0.1
EOF
on the client host itself:
# apt-get install openvpn
# mkdir -p /etc/certs/roots
# mkdir /etc/certs/cormorant.riseup.net
# scp riseup/keys/ta.key cormorant.riseup.net:/etc/certs
# scp riseup/certs/cormorant.riseup.net/*.pem cormorant.riseup.net:/etc/certs/cormorant.riseup.net
# scp riseup/certs/cacert-root.pem cormorant.riseup.net:/etc/certs/roots
# mkdir /var/log/openvpn
(note: need to set up log rotation!)
# cat > /etc/openvpn/phoenix.conf <<EOF
dev tun0
proto tcp-client
tls-client
pull
tls-auth /etc/certs/ta.key 1
ca /etc/certs/roots/cacert-root.pem
cert /etc/certs/cormorant.riseup.net/cert.pem
key /etc/certs/cormorant.riseup.net/key.pem
remote phoenix.riseup.net 1194
user nobody
group nogroup
persist-tun
persist-key
verb 3
log-append /var/log/openvpn/openvpn.log
status /var/log/openvpn/status.log
EOF
start up openvpn and make sure it works:
# /etc/init.d/openvpn start
# ping 10.8.0.1 (the openvpn server over the VPN)
# ping gull-vpn.riseup.net
check /var/log/openvpn/openvpn.log for errors
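The steps above copy the client key and ta.key onto the host with scp and then start openvpn; nothing verifies that the files the config points at exist or that the private material is not group/world readable. The following added check (not part of the original notes) reads the ca, cert, key and tls-auth paths out of a config in the style of phoenix.conf and reports missing files, leaky permissions and a missing log directory. The demo builds a throwaway directory with constructed placeholder files; the hypothetical demo_config helper exists only for that.

```shell
#!/bin/sh
# Added example, not from the original notes: pre-flight check for an
# openvpn client host. Usage on a real host:
#     check_client_config /etc/openvpn/phoenix.conf

# path_of CONFIG DIRECTIVE : print the path argument of DIRECTIVE (first match)
path_of() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# private_ok FILE : succeed if group and other permission bits are all clear,
# i.e. `ls -ld` shows -rw------- or stricter (portable, needs no GNU stat)
private_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_client_config CONFIG : print one line per problem, fail if any found
check_client_config() {
    cfg="$1"; problems=0
    for d in ca cert key tls-auth; do
        f=$(path_of "$cfg" "$d")
        if [ -z "$f" ]; then
            echo "missing directive: $d"; problems=$((problems + 1)); continue
        fi
        if [ ! -f "$f" ]; then
            echo "$d: file not found: $f"; problems=$((problems + 1)); continue
        fi
        case "$d" in
            key|tls-auth)   # secrets: must not be readable by group/other
                if ! private_ok "$f"; then
                    echo "$d: $f readable by group/other"; problems=$((problems + 1))
                fi ;;
        esac
    done
    logf=$(path_of "$cfg" log-append)
    if [ -n "$logf" ] && [ ! -d "$(dirname "$logf")" ]; then
        echo "log directory missing: $(dirname "$logf")"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# demo_config good|leaky : hypothetical helper that builds a temp directory
# with constructed placeholder files (not real certificates or keys) and a
# config pointing at them; "leaky" leaves key.pem world-readable.
demo_config() {
    dir=$(mktemp -d)
    mkdir -p "$dir/roots" "$dir/host" "$dir/log"
    for f in roots/cacert-root.pem host/cert.pem host/key.pem ta.key; do
        echo "placeholder, constructed for the demo" > "$dir/$f"
    done
    chmod 600 "$dir/host/key.pem" "$dir/ta.key"
    if [ "$1" = leaky ]; then chmod 644 "$dir/host/key.pem"; fi
    cat > "$dir/phoenix.conf" <<EOF
dev tun0
proto tcp-client
tls-client
pull
tls-auth $dir/ta.key 1
ca $dir/roots/cacert-root.pem
cert $dir/host/cert.pem
key $dir/host/key.pem
remote phoenix.riseup.net 1194
log-append $dir/log/openvpn.log
EOF
    echo "$dir/phoenix.conf"
}

# Demo: a leaky key is reported, a correctly restricted one passes
c=$(demo_config leaky)
check_client_config "$c" || echo "-> fix with: chmod 600 $(path_of "$c" key)"
c=$(demo_config good)
check_client_config "$c" && echo "client config OK"
```

The same function can be pointed at the server side, since the server config references its ca, cert, key and ta.key the same way.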
Setting up openvpn inside a vserver (had to do this for user.riseup.net):
# apt-get install openvpn
# cd /var/lib/vservers/user/dev/
# ./MAKEDEV tun
# cat > /etc/vservers/user/2/ip <<EOF
10.8.0.18
EOF
# cat > /etc/vservers/user/2/dev <<EOF
tun0
EOF
# mkdir /etc/vservers/user/scripts
# cat > /etc/vservers/user/scripts/post-start <<EOF
ip route add to 10.8.0.0/24 dev tun0
EOF
NOTE: The tunctl included in uml-utilities only makes tap devices! This is lame, I had to get a different tunctl source from somewhere else which enabled me to create tun0 devices. I might not have needed the following if I had let openvpn create the device on install (debconf question).
# ./tunctl -t tun0
# ip route add 10.8.0.0/24 dev tun0
# vserver user start
need to set up eider to act as client when it is the ucarp backup and as server when it is the ucarp primary