OpenVpn multi-server

Hi all, i have this problem to solve

1 to 20 remote appliance with openvpn installed (configuration is not
modifyable apart primary and backup server name)

two Debian machines behind two different ADSL router are the servers
reached from remote appliance

remote appliance talks via socket with a service resident in a windows
machine in the same network of the two Debian servers

remote appliance cannot resolve DNS... so only ip available.

My problem is: how the windows machine can know where to send packets to
remote appliance (by server 1 or server 2?)

How must be configured Debian servers and windows networks to gain this
functionality?

Here you can see a schema of what i have (don't take care about the
third linux box..)



http://it.tinypic.com/r/2uhpis2/5


Thanks
Mauro

Mauro D. wrote:
> Hi all, i have this problem to solve
>
> 1 to 20 remote appliance with openvpn installed (configuration is not
> modifyable apart primary and backup server name)
>
> two Debian machines behind two different ADSL router are the servers
> reached from remote appliance
>
> remote appliance talks via socket with a service resident in a windows
> machine in the same network of the two Debian servers
>
> remote appliance cannot resolve DNS... so only ip available.
>
> My problem is: how the windows machine can know where to send packets to
> remote appliance (by server 1 or server 2?)
>
> How must be configured Debian servers and windows networks to gain this
> functionality?
>
> Here you can see a schema of what i have (don't take care about the
> third linux box..)
>
>
>
> http://it.tinypic.com/r/2uhpis2/5
>

Just make sure that the two openvpn servers have different networks for
their vpn tunnels, and that your Windows machine knows how to route
packets to those addresses. For example, suppose Linux 1 uses 10.1.x.x
for its openvpn network, and Linux 2 uses 10.2.x.x. Then if a client
connects via Linux 2, it gets an address such as 10.2.0.5 with a tunnel
endpoint on Linux 2 of 10.2.0.6. The windows machine sees the incoming
packets from source 10.2.0.5, and sends replies to Linux 2, which passes
them out to the client.

David Brown wrote:
> Just make sure that the two openvpn servers have different networks for
> their vpn tunnels, and that your Windows machine knows how to route
> packets to those addresses. For example, suppose Linux 1 uses 10.1.x.x
> for its openvpn network, and Linux 2 uses 10.2.x.x. Then if a client
> connects via Linux 2, it gets an address such as 10.2.0.5 with a tunnel
> endpoint on Linux 2 of 10.2.0.6. The windows machine sees the incoming
> packets from source 10.2.0.5, and sends replies to Linux 2, which passes
> them out to the client.
>

This require a radical change into the service source code because in
the "standard" the service knows the IP assigned to remote device
because he need to contact device directly... I'll check if I can change
this behavior.

Thanks
Mauro

Mauro D. wrote:
> David Brown wrote:
>> Just make sure that the two openvpn servers have different networks
>> for their vpn tunnels, and that your Windows machine knows how to
>> route packets to those addresses. For example, suppose Linux 1 uses
>> 10.1.x.x for its openvpn network, and Linux 2 uses 10.2.x.x. Then if
>> a client connects via Linux 2, it gets an address such as 10.2.0.5
>> with a tunnel endpoint on Linux 2 of 10.2.0.6. The windows machine
>> sees the incoming packets from source 10.2.0.5, and sends replies to
>> Linux 2, which passes them out to the client.
>>
>
> This require a radical change into the service source code because in
> the "standard" the service knows the IP assigned to remote device
> because he need to contact device directly... I'll check if I can change
> this behavior.
>
> Thanks
> Mauro

This is not a "radical change" - it's standard configuration for the
openvpn servers. You just have to make sure that on one of the server's
configuration you have a line such as "server 10.1.0.0 255.255.0.0", and
on the other you have "server 10.2.0.0 255.255.0.0".

Or do you mean that the windows machine has to know the addresses of the
clients and initiate a connection with them? If that is the case, then
you have a bit more of a challenge.

David Brown ha scritto:
> This is not a "radical change" - it's standard configuration for the
> openvpn servers. You just have to make sure that on one of the server's
> configuration you have a line such as "server 10.1.0.0 255.255.0.0", and
> on the other you have "server 10.2.0.0 255.255.0.0".
>
> Or do you mean that the windows machine has to know the addresses of the
> clients and initiate a connection with them? If that is the case, then
> you have a bit more of a challenge.
>

The last sentence is the right one ... damn

So I have to rewrite my service code...

Mauro