[eduVPN-deploy] High availability for VPN Nodes?

François Kooman fkooman at tuxed.net
Wed Jul 6 12:47:04 CEST 2022


On 05.07.22 16:58, Marc Langer via eduVPN-deploy wrote:
> Hi,

Hi Marc,

> I followed the documentation and now have a HA setup with two portal
> servers and two VPN nodes.

Great!

> But somehow I am missing the information, how the VPN connections can be
> migrated from one node to the other if one fails or has to be rebooted.

They can't be "migrated". If one node fails for example, the client will 
have to talk again to the portal to fetch a new configuration and then 
will get a configuration for one of the nodes that is still up.

In practice this means that the user will have to manually disconnect 
the client and then connect again to 'reach' the other node.

The clients are currently not smart enough to do this automatically. 
They'll have to at least wait until a timeout occurs before they can 
switch to another node.

> I tried to change the hostname in my VPN connection to the other node,
> but then the connection failed ("tls-crypt unwrap error: packet
> authentication failed").

That won't work indeed as the nodes have different "tls-crypt" keys.

> Could someone point me to the relevant document or config file, where to
> start and fix this?

From what I see you already have everything set up correctly and it 
works as expected.

I do get the feeling that this is not what you expected, and that it 
should work more "transparently", i.e. auto reconnect to the other node(s) 
that are up. Can you be more explicit about your requirements and how 
you would like to see it work?

Regards,
François


