author | jim-p <jimp@pfsense.org> | 2012-03-06 14:30:41 -0500 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2012-03-06 14:33:12 -0500 |
commit | 9ea0cb90a6f7685cd29f018895aefbb70e25a5d6 (patch) | |
tree | d3e1fa1a3aae8bb4a37719d3ab5e259d6a0128d1 | |
parent | 731de7112a130960e30b1ecfcdd99ba7e5c37df5 (diff) | |
Be more intelligent when managing OpenVPN client connections bound to CARP VIPs. If the interface is in BACKUP status, do not start the client. Add a section to rc.carpmaster and rc.carpbackup to trigger this start/stop.
If an OpenVPN client is active on both the master and backup system, they will cause conflicting connections to the server. Servers do not care as they only accept, not initiate.
-rw-r--r-- | etc/inc/openvpn.inc | 4 | ||||
-rwxr-xr-x | etc/rc.carpbackup | 10 | ||||
-rwxr-xr-x | etc/rc.carpmaster | 10 |
3 files changed, 24 insertions, 0 deletions
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc index 9729217..01a6f6a 100644 --- a/etc/inc/openvpn.inc +++ b/etc/inc/openvpn.inc @@ -672,6 +672,10 @@ function openvpn_restart($mode, $settings) { if (isset($settings['disable'])) return; + /* Do not start if we are a CARP backup on this vip! */ + if ((substr($settings['interface'], 0, 3) == "vip") && (get_carp_interface_status($settings['interface']) == "BACKUP")) + return; + /* start the new process */ $fpath = $g['varetc_path']."/openvpn/{$mode_id}.conf"; mwexec_bg("/usr/local/sbin/openvpn --config {$fpath}"); diff --git a/etc/rc.carpbackup b/etc/rc.carpbackup index 68f4e2c..165dd9e 100755 --- a/etc/rc.carpbackup +++ b/etc/rc.carpbackup @@ -32,10 +32,20 @@ require_once("functions.inc"); require_once("config.inc"); require_once("notices.inc"); +require_once("openvpn.inc"); $notificationmsg = "A carp cluster member has resumed the state 'BACKUP'"; notify_via_smtp($notificationmsg); notify_via_growl($notificationmsg); +/* Stop OpenVPN clients running on this VIP, since multiple active OpenVPN clients on a CARP cluster can be problematic. */ +global $config; +foreach ($config['openvpn']['openvpn-client'] as $settings) { + if ($settings['interface'] == $argv[1]) { + log_error("Stopping OpenVPN instance on {$settings['interface']} because of transition to CARP backup."); + openvpn_restart('client', $settings); + } +} + ?>
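Review bot: The guard added to `openvpn_restart()` never tests `$mode`, so a server instance bound to a CARP VIP is skipped on the backup node as well, although the commit message says only clients need to be held back. It also fails open: only the exact string "BACKUP" blocks the start, so any other status the helper may return (CARP also has an INIT state) still launches the client and can produce the duplicate connection this change is meant to prevent. Consider `if (($mode == "client") && (substr($settings['interface'], 0, 3) == "vip") && (get_carp_interface_status($settings['interface']) != "MASTER"))`. The body of `openvpn_restart()` starts and ends outside the hunk, so the teardown that presumably precedes this guard is not visible here.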
\ No newline at end of file diff --git a/etc/rc.carpmaster b/etc/rc.carpmaster index 5b85e03..aaac868 100755 --- a/etc/rc.carpmaster +++ b/etc/rc.carpmaster @@ -32,10 +32,20 @@ require_once("functions.inc"); require_once("config.inc"); require_once("notices.inc"); +require_once("openvpn.inc"); $notificationmsg = "A carp cluster member has resumed the state 'MASTER'"; notify_via_smtp($notificationmsg); notify_via_growl($notificationmsg); +/* Start OpenVPN clients running on this VIP, since they should be in the stopped state while the VIP is CARP Backup. */ +global $config; +foreach ($config['openvpn']['openvpn-client'] as $settings) { + if ($settings['interface'] == $argv[1]) { + log_error("Starting OpenVPN instance on {$settings['interface']} because of transition to CARP master."); + openvpn_restart('client', $settings); + } +} + ?>
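Review bot: The `foreach` over `$config['openvpn']['openvpn-client']` in rc.carpbackup is unguarded, so on a system with no OpenVPN clients configured every CARP transition raises a PHP invalid-argument warning; the identical loop in rc.carpmaster has the same problem. `$argv[1]` is used without checking that it was passed, and with the loose `==` an absent argument would match a client entry whose interface is empty or unset. Wrapping each loop in `if (!empty($argv[1]) && is_array($config['openvpn']['openvpn-client'])) { ... }` covers both. Separately, rc.carpbackup logs "Stopping" but calls `openvpn_restart()`, so the stop only happens if the status check inside that function already reports BACKUP when the script runs; otherwise the client is restarted and the log line is misleading.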
\ No newline at end of file |