DHCP Relay on VPN and VPN Failover

Hi everyone,
I have got 2 questions regarding OpenVPN configuration, hoping that someone has a solution or a good point :slight_smile:

My current situation is that I have a working OpenVPN server configured on my Mikrotik Router and I receive addresses from a pool that I configured within the Router itself.
So first question is:
Is there any way to configure OpenVPN clients to use a DHCP server external from the router?
I think that a DHCP relay should be used, but I can’t understand which interface I should configure it on; is it the WAN or another one? Do I need extra configuration elsewhere?

Second question is (and could be related the first one):
Is there a way to achieve a failover mechanism if I configure an OpenVPN server with the same certificates on a second router? Should I use VRRP, or is there another method? In the first case, what interface should I set (returning to the first question)?
My goal is that if the first router goes down, I am still able to access the network via VPN through the second one.

Many thanks for your time and help.
Have a great day :slight_smile:

To the first question, since you mention a local pool but not a local DHCP server, I assume OpenVPN is configured for IP (TUN) mode; if so, it cannot use an external DHCP server, but it should be able to use an external RADIUS server. If you run it in L2 (TAP) mode, or if you can switch it to that mode (not all clients support it), you can use any external DHCP server connected to the L2 bridge, or use a DHCP relay to forward clients’ requests to a DHCP server accessible via L3.

To the second one, the best approach depends on the overall network topology on the site.

  • if both the primary and backup routers share the same uplink to the internet and a single IP address, VRRP is indeed the way to go (or the full HA setup where the backup router inherits the complete configuration of the primary one), but in such an arrangement an outage of the uplink is much more likely (in fact, frequent) than a failure of the router. So I’d consider this type of redundancy only for quite niche situations (a hard-to-reach site, so replacing the router is complicated, and a temporary outage not that critical, so no need to address uplink outages that the ISP fixes).
  • if you have multiple uplinks, the optimum solution depends on whether each has its own IP address or whether you enjoy the luxury of your own AS and can use BGP to advertise a single address via any of the routers.
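As an added illustration (not the answerer's configuration, and not from the original poster), here is a RouterOS snippet for the TAP-mode path described above: the OpenVPN server in ethernet mode, client interfaces joined to a bridge, a DHCP relay forwarding their requests to a DHCP server reachable via L3, and a VRRP address for the shared-uplink failover case. All interface names, certificate names and addresses are constructed placeholders.

```routeros
# Added example, not the original poster's or answerer's config.
# Assumed names/addresses: bridge-vpn, ether2 (LAN), ether1 (uplink),
# 192.0.2.0/24 as the bridged VPN segment, 198.51.100.10 as the external
# DHCP server on another L3 network, 203.0.113.10 as the shared public
# address that VPN clients connect to.

# 1. A bridge that carries the TAP client interfaces and the LAN
/interface bridge add name=bridge-vpn
/interface bridge port add bridge=bridge-vpn interface=ether2
/ip address add address=192.0.2.1/24 interface=bridge-vpn

# 2. Dynamic OVPN client interfaces join the bridge via the PPP profile;
#    the server runs in ethernet (TAP) mode and requires client certificates
/ppp profile add name=ovpn-tap bridge=bridge-vpn
/interface ovpn-server server set enabled=yes mode=ethernet \
    default-profile=ovpn-tap certificate=server-cert \
    require-client-certificate=yes

# 3. Relay DHCP requests arriving on the bridge to the external server;
#    local-address is the bridge address the server answers back to.
#    Clients are assumed to run DHCP over their tap interface.
/ip dhcp-relay add name=relay-vpn interface=bridge-vpn \
    dhcp-server=198.51.100.10 local-address=192.0.2.1 disabled=no

# 4. Shared-uplink failover: repeat steps 1-3 on the backup router with
#    the same CA and server certificate, give it a lower VRRP priority
#    (e.g. 50), and bind the public address to the VRRP interface
/interface vrrp add name=vrrp-wan interface=ether1 vrid=1 priority=100
/ip address add address=203.0.113.10/32 interface=vrrp-wan
```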

or the full HA setup where the backup router inherits the complete configuration of the primary one

Inherits the complete config? How?
In VRRP?

http://forum.mikrotik.com/t/suggestion-completely-virtual-router-based-on-two-physical-routers/100272/6

I thought so…
It would be great if VRRP had an internal procedure that could synchronize the configuration of the VRRP Routers without the need of a script…

Thanks, those were the answers that I was looking for.