OpenVPN with Failover

A virtual IP is created; this IP is assumed by the active OpenVPN server.
When that server fails, the secondary openvpn server assumes that IP and launches the server. This is done through configuring two openvpn servers to be identical in configuration, both configured to listen on, and running ucarp on both servers to manage the fail-over.

OpenVPN is configured identically on the two servers; the config file looks like blah, and the certs and ta.key must exist.

The fail-over is handled by ucarp. On both machines the following files are created:

# mkdir /etc/ucarp
# cat > /etc/ucarp/

exec 2> /dev/null

/sbin/ip addr add dev "$1"
/etc/init.d/openvpn start

# cat > /etc/ucarp/

exec 2> /dev/null

/sbin/ip addr del dev "$1"
/etc/init.d/openvpn stop

# chmod +x /etc/ucarp/*

On each machine I started a screen session and launched ucarp:

# ucarp --interface=eth1 -v 42 -p duh -a -s --upscript=/etc/ucarp/ --downscript=/etc/ucarp/

The -s (source IP) should be the actual IP of the interface
The -a is the same on both machines
The --interface should be the interface that is being used on each machine
The -p is a password that should be the same on both machines; it sucks that it has to be provided in clear-text on the command-line (Bug#394327)
The -v is the ID of the virtual server, it should be the same on both machines
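
The clear-text password problem noted for -p can be checked for on a running host. The following is an added example, not part of the original notes: it scans /proc for ucarp processes whose argument vector carries the password inline. The --passfile option mentioned in the comments is an assumption about your ucarp version (confirm with ucarp --help), and the script name in the last comment is hypothetical.

```shell
#!/bin/sh
# Added example: report ucarp processes whose shared password is visible in
# their argument vector. On Linux /proc/<pid>/cmdline is readable by every
# local user unless /proc is mounted with hidepid.

# ucarp_pass_exposed ARG...: succeed (0) if the arguments pass the password
# inline as "-p <pass>", "-p<pass>", "--pass <pass>" or "--pass=<pass>".
# "--passfile=<file>" (assumed available; check ucarp --help) is not flagged.
ucarp_pass_exposed() {
    for arg in "$@"; do
        case "$arg" in
            --pass|--pass=*) return 0 ;;
            --*) ;;                      # other long options, e.g. --preempt
            -p*) return 0 ;;
        esac
    done
    return 1
}

# scan_proc [ROOT]: print the PID of each ucarp process with an exposed
# password. ROOT defaults to /proc; a test can point it at a constructed tree.
scan_proc() {
    root="${1:-/proc}"
    for f in "$root"/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        # cmdline is NUL-separated: rebuild it as positional parameters.
        set --
        while IFS= read -r a; do
            set -- "$@" "$a"
        done <<EOF
$(tr '\0' '\n' < "$f" 2>/dev/null)
EOF
        [ "${1##*/}" = ucarp ] || continue
        shift
        if ucarp_pass_exposed "$@"; then
            pid=${f%/cmdline}
            echo "${pid##*/}"
        fi
    done
}

# Run as "sh ucarp-pass-check.sh scan" to inspect the live process table.
if [ "${1:-}" = scan ]; then
    scan_proc /proc
fi
```

Any PID it prints belongs to a ucarp instance whose password other local users can read from the process list.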

This should all go into an init script, but I want to watch it for now

Setting up an Openvpn client:
On the two servers (kakapo and eider) make a new file named after the host connecting in /etc/openvpn/ccd

# cat > /etc/openvpn/ccd/
# ifconfig-push

on the client host itself:

# apt-get install openvpn
# mkdir -p /etc/certs/roots
# mkdir /etc/certs/
# scp riseup/keys/ta.key
# scp riseup/certs/*.pem
# scp riseup/certs/cacert-root.pem
# mkdir /var/log/openvpn (note: need to setup logrotation!)
# cat > /etc/openvpn/phoenix.conf
dev tun0
proto tcp-client
tls-auth /etc/certs/ta.key 1
ca      /etc/certs/roots/cacert-root.pem
cert    /etc/certs/
key     /etc/certs/
remote 1194
user nobody
group nogroup
verb 3
log-append      /var/log/openvpn/openvpn.log
status   /var/log/openvpn/status.log

start up openvpn and make sure it works:

/etc/init.d/openvpn start
ping (the openvpn server over the VPN)

check /var/log/openvpn/openvpn.log for errors

Setting up openvpn inside a vserver (had to do this for

apt-get install openvpn
cd /var/lib/vservers/user/dev/
cat > /etc/vservers/user/2/ip
cat > /etc/vservers/user/2/dev
mkdir /etc/vservers/user/scripts
cat > /etc/vservers/user/scripts/post-start
ip route add to dev tun0

NOTE: The tunctl included in uml-utilities only makes tap devices! This is lame, I had to get a different tunctl source from somewhere else which enabled me to create tun0 devices. I might not have needed the following if I had let openvpn create the device on install (debconf question).

./tunctl -t tun0
ip route add dev tun0
vserver user start

need to setup eider to assume client when ucarp backup and server when ucarp primary

