puppet-openvpn
High availability examples
Hi, I was wondering if there is any example of how to use this module to run a highly available configuration with two OpenVPN servers. I'm aware I can add multiple remotes, however I am not really sure what is recommended to keep certificates identical on both servers from a single manifest. Can anyone help me in a direction with this module so we can feed examples back into the documentation?
I might not be the only one looking for this solution.
We used the Puppet SSL certificates, so they don't need to be identical across the machines, but they are from the same CA.
For each server:
```puppet
$ssl_dir = '/etc/puppetlabs/puppet/ssl'
openvpn::server { 'site-to-site-ha-server':
  ...
  custom_options         => {
    explicit-exit-notify => '2', # 2 means try next server
  },
  extca_enabled          => true,
  extca_ca_cert_file     => "${ssl_dir}/certs/ca.pem",
  extca_ca_crl_file      => "${ssl_dir}/crl.pem",
  extca_server_cert_file => "${ssl_dir}/certs/${facts['networking']['fqdn']}.pem",
  extca_server_key_file  => "${ssl_dir}/private_keys/${facts['networking']['fqdn']}.pem",
  extca_dh_file          => "${ssl_dir}/dhparam.pem",
}
```
For each client:
```puppet
# Same Puppet SSL directory as in the server manifest above
$ssl_dir = '/etc/puppetlabs/puppet/ssl'
openvpn::server { 'site-to-site-client':
  remote                 => [
    'vpna.example.com 1195',
    'vpnb.example.com 1195',
  ],
  ...
  extca_enabled          => true,
  extca_ca_cert_file     => "${ssl_dir}/certs/ca.pem",
  extca_ca_crl_file      => "${ssl_dir}/crl.pem",
  extca_server_cert_file => "${ssl_dir}/certs/${facts['networking']['fqdn']}.pem",
  extca_server_key_file  => "${ssl_dir}/private_keys/${facts['networking']['fqdn']}.pem",
  custom_options         => {
    'remote-random-hostname' => '',
    'remote-random'          => '',
    'explicit-exit-notify'   => '',
  },
}
```
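A small check that can be run over the OpenVPN config files rendered from manifests like the ones above, added here as an example; it is not code from this thread or from the puppet-openvpn module. The sample config is constructed, and the `parse`/`lint` names and the host name `client1.example.com` are assumptions.

```python
"""Lint a rendered OpenVPN config for the HA settings discussed in this thread."""

# Constructed sample: roughly what a client config with two remotes could look like.
# File paths mirror the $ssl_dir layout from the thread; client1.example.com is made up.
SAMPLE_CLIENT = """\
client
proto udp
remote vpna.example.com 1195
remote vpnb.example.com 1195
remote-random
explicit-exit-notify
ca /etc/puppetlabs/puppet/ssl/certs/ca.pem
cert /etc/puppetlabs/puppet/ssl/certs/client1.example.com.pem
key /etc/puppetlabs/puppet/ssl/private_keys/client1.example.com.pem
crl-verify /etc/puppetlabs/puppet/ssl/crl.pem
"""


def parse(text):
    """Return [(directive, [args])], skipping blank lines and '#'/';' comments."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        word, *args = line.split()
        out.append((word, args))
    return out


def lint(text, role):
    """role is 'client' or 'server'; returns a list of finding strings."""
    opts = {}
    for word, args in parse(text):
        opts.setdefault(word, []).append(args)
    findings = []
    for needed in ("ca", "cert", "key", "crl-verify"):
        if needed not in opts:
            findings.append(f"missing {needed}")
    protos = [a[0] for a in opts.get("proto", []) if a]
    if "explicit-exit-notify" in opts and any(p.startswith("tcp") for p in protos):
        findings.append("explicit-exit-notify is documented for UDP only")
    if role == "client":
        remotes = {tuple(a[:2]) for a in opts.get("remote", [])}
        if len(remotes) < 2:
            findings.append("fewer than two distinct remotes: no failover target")
    elif opts.get("explicit-exit-notify") != [["2"]]:
        findings.append("explicit-exit-notify is not 2: clients are not told to try the next server")
    return findings
```

Call `lint(open(path).read(), 'client')` or `lint(..., 'server')` on each rendered file; an empty list means none of these checks fired.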