[eduVPN-deploy] High availability for VPN Nodes?

François Kooman fkooman at tuxed.net
Thu Jul 28 09:51:29 CEST 2022


On 27.07.22 18:03, Marc Langer via eduVPN-deploy wrote:
> I had to solve some other problems in the meantime and now came back to
> test my eduvpn3 setup. I have two machines, each has the portal and a
> VPN node installed.

Ah, my instructions are meant for separate portal/node and not combined 
on 1 machine, to make HA work actually:

https://github.com/eduvpn/documentation/blob/v3/HA.md#making-the-portal-redundant-ha-portal

> When VM2 is VRRP master, the portal on VM2 generates an OpenVPN
> configuration file with the hostname of VM1, but the host key seems to
> be wrong. When I manually change the servername to connect to VM2, it works.

By host key you mean tls-crypt key? You can of course sync those, but as 
mentioned before, the idea was to make it truly HA! So you should 
probably not be doing that... The client will decide on connect to which 
node you will connect.

> So I must have something wrong with the node keys and configuration. I
> followed the instructions in the documentation, and cannot find the error.

So using 4 VMs would probably help, but I guess it could work on two as 
well. I still have to set this up myself and update the documentation.

> Do you have any idea where to start, what to check first?
> 
> Here are some parts of the config:
> 
> 
> On both hosts:
> 
>       'ProfileList' => [
>           [
>               'profileId' => 'Uni-Netz',
>               'displayName' => 'Uni-Netz',
>               'hostName' => ['eduvpn3-1.rz.uni-osnabrueck.de', 'eduvpn3-2.rz.uni-osnabrueck.de'],
>               'nodeURL' => ['http://eduvpn3-1.uni-osnabrueck.de:41194','http://eduvpn3-2.uni-osnabrueck.de:41194'],

This looks good!

> On eduvpn3-1:   /etc/vpn-server-node/config.php:
> 
>       'apiUrl' => 'http://eduvpn3-1.rz.uni-osnabrueck.de/vpn-user-portal/node-api.php',
>       'nodeNumber' => 0,
> 
> 
> On eduvpn3-2:   /etc/vpn-server-node/config.php:
> 
>       'apiUrl' => 'http://eduvpn3-2.rz.uni-osnabrueck.de/vpn-user-portal/node-api.php',
>       'nodeNumber' => 1,


So in vpn-server-node you want to point to the shared hostname, e.g. 
http://eduvpn3.rz.uni-osnabrueck.de/vpn-user-portal/node-api.php so the 
HA is actually used. Your setup is a bit strange in that you set up two 
machines to do the task of 4, so some things don't make sense anymore. I 
have to think how this is supposed to work.

So currently the instructions are for 2 portals and 2 nodes on all 
different machines. Some things, but I don't know what exactly, need to 
change if you have only two systems. I have to do this myself first to 
figure it out...

> Each has different /etc/vpn-server-node/keys/node.key and
> /var/lib/vpn-user-portal/keys/tls-crypt-Uni-Netz.key files. Perhaps
> these are wrong?

If you never talk to the other portal from the node, then you don't need 
that I think.

Regards,
François


