OPENVPN with OSPF and REMOTE configured for redundancy.



  • Hi Guys,
    Rather simple issue I'm having that might require a complicated solution.  We have two identical OpenVPN servers configured with the client set up to connect to the first one and the REMOTE option for the second server should the first fail.  Everything works and the clients easily switch between the two, but the issue is that when they switch, we can no longer connect to the clients because the OSPF routes still show the previous routes from the failed server.  The only way we can get the routes to redistribute properly is to shut down the failed OpenVPN server's service and restart the other.

    My first thought to get around this was to have the client push its own route so that OSPF would automatically learn it via the OpenVPN tunnel it opens.  I tried to add a push "route x.x.x.x" on the client so that it would throw its routes whenever it established an OpenVPN connection, but this doesn't seem to be supported.

    We're looking into something with CDD files but so far nothing.

    I know we can probably get this working by installing OSPF on the client but we'd rather keep things simple since we have many clients.

    Is there some sort of magical command for this?  I'm certain that I'm not the only person to have tried this type of redundant setup.

    "route-up, route-down" ? perhaps?

    Let me know, thanks.

    Here is some of the configuration…

    SERVER
    dev ovpns2
    verb 1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun2
    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto tcp-server
    cipher BF-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local X.X.X.X - HIDDEN
    tls-server
    server 10.15.16.0 255.255.252.0
    client-config-dir /var/etc/openvpn-csc
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'firewall3' 1 "
    lport 1195
    management /var/etc/openvpn/server2.sock unix
    push "route 192.168.248.0 255.255.255.0"
    push "route 192.168.251.0 255.255.255.0"
    ca /var/etc/openvpn/server2.ca
    cert /var/etc/openvpn/server2.cert
    key /var/etc/openvpn/server2.key
    dh /etc/dh-parameters.1024
    comp-lzo yes
    route 13.13.13.0 255.255.255.0
    route 10.16.242.0 255.255.255.0
    push "route 192.168.248.0 255.255.255.0"
    push "route 192.168.251.0 255.255.255.0"
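    As an added illustration (not from the original post or pfSense), one way to make the route follow the client rather than the server: a script used for both client-connect and client-disconnect that adds or removes the client's LAN route in the kernel table, so a routing daemon redistributing kernel routes only advertises that LAN from the server currently holding the session. It assumes the static "route 13.13.13.0 ..." lines are dropped from the server config, that script-security 2 or higher is set, and uses a constructed common-name-to-subnet map in place of the CCD iroute entries.

```shell
#!/bin/sh
# Added example (not from the post): an OpenVPN client-connect / client-disconnect hook
# that keeps the kernel routing table in step with which clients are actually connected,
# so a routing daemon that redistributes kernel routes advertises a client's LAN only
# from the server currently holding the session. Assumes the static "route" lines are
# dropped from the server config and "script-security 2" or higher is set.
#
# Hypothetical server config lines (not in the original post):
#   client-connect    /usr/local/sbin/ovpn-client-route
#   client-disconnect /usr/local/sbin/ovpn-client-route

# Constructed map: certificate common name -> LAN behind that client (CIDR). In a real
# deployment this would mirror the iroute entries in the client-config-dir files.
client_subnet() {
    case "$1" in
        client-a) echo "13.13.13.0/24" ;;
        client-b) echo "10.16.242.0/24" ;;
        *)        return 1 ;;
    esac
}

# Build the route(8) command (FreeBSD/pfSense syntax) for a hook type, common name and
# the client's tunnel address. Prints the command; returns 1 for unknown clients or hooks.
route_cmd() {
    hook="$1"; cn="$2"; via="$3"
    net=$(client_subnet "$cn") || return 1
    case "$hook" in
        client-connect)    echo "route add -net $net $via" ;;
        client-disconnect) echo "route delete -net $net $via" ;;
        *)                 return 1 ;;
    esac
}

# When OpenVPN runs this script it exports script_type, common_name and
# ifconfig_pool_remote_ip; when sourced or run by hand, nothing is changed.
# An unknown client is left alone (exit 0) rather than rejected at connect time.
if [ -n "${script_type:-}" ]; then
    cmd=$(route_cmd "$script_type" "$common_name" "$ifconfig_pool_remote_ip") || exit 0
    $cmd
fi
```

Because OpenVPN calls client-disconnect when the session drops on the old server, that server withdraws the route while the new server adds it, which is the state change OSPF needs to see.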



  • You run identical tunnel networks on both servers? I don't think that's a good idea.

    Wouldn't it be better to do it like this? https://doc.pfsense.org/index.php/Multi-WAN_OpenVPN#Bind_to_Localhost_and_Setup_Port_Forwards



  • Hi, the two OpenVPN servers are on two different devices at two different locations.  I'm NOT trying to get pfSense to work on a single device with two WAN interfaces, so the article you sent doesn't apply.

    Thanks anyway.



  • Anyone? :(
