[eduVPN-deploy] High availability for VPN Nodes?
François Kooman
fkooman at tuxed.net
Wed Jul 6 12:47:04 CEST 2022
On 05.07.22 16:58, Marc Langer via eduVPN-deploy wrote:
> Hi,

Hi Marc,

> I followed the documentation and now have a HA setup with two portal
> servers and two VPN nodes.

Great!

> But somehow I am missing the information, how the VPN connections can be
> migrated from one node to the other if one fails or has to be rebooted.

They can't be "migrated". If one node fails for example, the client will
have to talk again to the portal to fetch a new configuration and then
will get a configuration for one of the nodes that is still up.

In practice this means that the user will have to manually disconnect
the client and then connect again to 'reach' the other node.

The clients are currently not smart enough to do this automatically.
They'll have to at least wait until a timeout occurs before they can
switch to another node.

> I tried to change the hostname in my VPN connection to the other node,
> but then the connection failed ("tls-crypt unwrap error: packet
> authentication failed").

That won't work indeed as the nodes have different "tls-crypt" keys.

> Could someone point me to the relevant document or config file, where to
> start and fix this?

From what I see you already have everything set up correctly and it
works as expected.

I do get the feeling that this is not what you expected, and that it
should work more "transparently", i.e. auto reconnect to the other node(s)
that are up. Can you be more explicit about your requirements and how
you would like to see it work?

Regards,
François
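
An added example, not part of the original message and not eduVPN code: a Python check that fingerprints the inline `<tls-crypt>` key of two OpenVPN client profiles, showing that editing only the hostname leaves the first node's key in place, which the other node then rejects. The profiles, host names and keys are constructed, and the inline `<tls-crypt>` static-key layout is an assumption about how the profile carries the key.

```python
import hashlib
import re

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
TLS_CRYPT_RE = re.compile(r"<tls-crypt>(.*?)</tls-crypt>", re.S)


def make_profile(remote, seed):
    """Build a CONSTRUCTED client profile; the key is derived from a seed, not a real key."""
    key = b"".join(hashlib.sha256(f"{seed}{i}".encode()).digest() for i in range(8))
    hexkey = key.hex()
    rows = [hexkey[i:i + 32] for i in range(0, len(hexkey), 32)]
    return "\n".join(["client", f"remote {remote} 1194 udp",
                      "<tls-crypt>", BEGIN, *rows, END, "</tls-crypt>"])


def tls_crypt_fingerprint(profile):
    """SHA-256 of the inline tls-crypt key, or None if the profile has none."""
    match = TLS_CRYPT_RE.search(profile)
    if match is None:
        return None
    body = match.group(1)
    if BEGIN not in body or END not in body:
        raise ValueError("tls-crypt block is not an OpenVPN static key")
    hex_part = body.split(BEGIN, 1)[1].split(END, 1)[0]
    key = bytes.fromhex("".join(hex_part.split()))
    if len(key) != 256:  # OpenVPN static keys are 2048 bits
        raise ValueError(f"expected a 256-byte static key, got {len(key)} bytes")
    return hashlib.sha256(key).hexdigest()


def remotes(profile):
    """Host names from the profile's 'remote' lines."""
    return [line.split()[1] for line in profile.splitlines() if line.startswith("remote ")]


def same_tls_crypt_key(profile_a, profile_b):
    """True only when both profiles embed the same tls-crypt key."""
    fp_a, fp_b = tls_crypt_fingerprint(profile_a), tls_crypt_fingerprint(profile_b)
    return fp_a is not None and fp_a == fp_b


if __name__ == "__main__":
    node_a = make_profile("node-a.vpn.example.org", "constructed-a")
    node_b = make_profile("node-b.vpn.example.org", "constructed-b")
    edited = node_a.replace("node-a", "node-b")  # hostname swapped, key untouched
    print(remotes(edited), "key matches node B profile:", same_tls_crypt_key(edited, node_b))
```

Comparing fingerprints rather than the keys themselves keeps the key material out of logs and tickets.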