14.4.4. Linux cluster with OpenVPN tunnel interfaces

In this example, we are working with the same two Linux machines used in the previous example (Section 14.4.3), which run heartbeat for failover and form a High Availability (HA) firewall pair. In addition to standard Ethernet interfaces, the firewalls in the cluster use an OpenVPN tunnel interface, tun0, to connect to a remote location.

Figure 14.158. Linux Cluster with OpenVPN Tunnel Interfaces


Note

You must configure OpenVPN tunnels outside of Firewall Builder. Configuration of OpenVPN tunnels is outside the scope of this cookbook; you can find more information about OpenVPN and information on configuring tunnels at www.openvpn.net.

In this scenario, in addition to the regular Ethernet interfaces failing over in the event of a failure, we also want the OpenVPN tunnel interface, tun0, to fail over automatically. This design requires that the OpenVPN tunnel configuration use the outside interface's virtual address as the tunnel source, which introduces some complications during a failover event.

The first issue is that the OpenVPN tunnel on the slave firewall, linux-test-2, cannot be started while it is in slave mode. The IP address it is configured to use as the tunnel source address, the virtual address, does not exist on the server (remember that the master will be configured with the virtual address unless there is a failover event).

This behavior leads to the second issue: the Firewall Builder-generated script will fail to start if the tunnel interface, tun0, is used in any of the firewall rules. Since the tun0 interface does not exist on the slave firewall, the script cannot implement the rules as defined, which causes it to exit with an error.

The solution to these problems is to use OpenVPN's persistent tunnel interfaces combined with some additional logic in the heartbeat configuration to automate the tunnel interface failover.

14.4.4.1. Creating Persistent Tunnels in OpenVPN

OpenVPN provides a feature called "persistent tunnels". These are tunnel interfaces that always exist even if the OpenVPN daemon is not running. The tunnel interface needs to be created early in the boot sequence; you can do this by adding the following to the file /etc/network/interfaces.

auto tun0
iface tun0 inet static
      address 192.168.123.1
      netmask 255.255.255.252
      pre-up openvpn --mktun --dev tun0
    

Note

Examples are based on Ubuntu Server; other distributions may have different network initialization files and syntax.

The "openvpn --mktun --dev tun0" command creates a tunnel interface, but note that this is an interface "stub" since the full OpenVPN configuration has not been applied and thus the tunnel interface is not providing any connectivity to the remote site. Later when the OpenVPN daemon is run, the rest of the VPN configuration will be applied to this interface.

14.4.4.2. Failover scripts for OpenVPN

Now that we have a persistent tunnel interface, the second part of this solution has two components. First, we need a script to restart the OpenVPN daemon and second we need to add this script to the heartbeat configuration so that it is called if there is a failover event.

Here's an example of a wrapper script that will restart the OpenVPN daemon.

root@linux-test-2:/etc/ha.d# cat resource.d/OpenVPN 
#!/bin/sh
#
# Description:  a wrapper to restart OpenVPN daemon at the takeover event
#
# Author: Vadim Kurland 
# Copyright:  (C) 2010 NetCitadel LLC
#
# An example usage in /etc/ha.d/haresources: 
#
#       node1  10.0.0.170 OpenVPN::restart
#

. /etc/ha.d/resource.d/hto-mapfuncs

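usage() {
      echo "usage: $0 $LEGAL_ACTIONS"
      exit 1
}

# Action passed in by heartbeat (for example "restart" from OpenVPN::restart)
op=$1

# Hand the action to the distribution's OpenVPN init script
/etc/init.d/openvpn "$op"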

exit 0
    

To execute this wrapper script on a failover event, we need to add it to the haresources file as shown below.

root@linux-test-1:/etc/ha.d# cat haresources 
linux-test-1  IPaddr::10.3.14.150/24/eth0/10.3.14.255
linux-test-1  IPaddr::10.1.1.1/24/eth1/10.1.1.255
linux-test-1  10.3.14.150 OpenVPN::restart
    

With this configuration in place, you can now use the tun0 interface as you would use any other interface in your Firewall Builder cluster Policy rules.
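
To confirm that each node is in the state this section relies on (tun0 always present, the virtual address only on the active node), a check like the following can be run on both firewalls. This is an added example, not part of Firewall Builder, heartbeat or the original cookbook; the function name classify_node and the per-node addresses 10.3.14.108 and 10.3.14.109 are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: classify a cluster node from `ip -o -4 addr show` output.
# VIP 10.3.14.150 and tun0 come from this section; the per-node addresses
# 10.3.14.108 and 10.3.14.109 below are constructed sample values.

# classify_node VIP TUN  (reads `ip -o -4 addr show` output on stdin)
#   no-tun   TUN is missing: rules that reference it cannot be loaded
#   active   TUN exists and VIP is configured: OpenVPN can bind and run
#   standby  TUN exists, VIP absent: OpenVPN is expected to be stopped
classify_node() {
    awk -v vip="$1" -v tun="$2" '
        { addr = $4; sub(/\/.*/, "", addr) }   # strip the prefix length
        $2 == tun   { have_tun = 1 }
        addr == vip { have_vip = 1 }
        END {
            if (!have_tun)     print "no-tun"
            else if (have_vip) print "active"
            else               print "standby"
        }'
}

# Constructed sample: node holding the virtual address (eth0:0 alias).
sample_active() {
    cat <<'EOF'
2: eth0    inet 10.3.14.108/24 brd 10.3.14.255 scope global eth0
2: eth0    inet 10.3.14.150/24 brd 10.3.14.255 scope global secondary eth0:0
4: tun0    inet 192.168.123.1/30 scope global tun0
EOF
}

# Constructed sample: standby node, persistent tun0 stub but no virtual address.
sample_standby() {
    cat <<'EOF'
2: eth0    inet 10.3.14.109/24 brd 10.3.14.255 scope global eth0
4: tun0    inet 192.168.123.1/30 scope global tun0
EOF
}

for s in sample_active sample_standby; do
    printf '%s: %s\n' "$s" "$($s | classify_node 10.3.14.150 tun0)"
done
# Live use on a node: ip -o -4 addr show | classify_node 10.3.14.150 tun0
```

A result of no-tun on either node means the persistent interface from Section 14.4.4.1 was not created at boot, which is the condition under which the generated firewall script exits with an error.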

 

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.