author | jim-p <jimp@pfsense.org> | 2012-03-06 14:30:41 -0500 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2012-03-06 14:33:12 -0500 |
commit | 9ea0cb90a6f7685cd29f018895aefbb70e25a5d6 (patch) | |
tree | d3e1fa1a3aae8bb4a37719d3ab5e259d6a0128d1 /etc | |
parent | 731de7112a130960e30b1ecfcdd99ba7e5c37df5 (diff) | |
Be more intelligent when managing OpenVPN client connections bound to CARP VIPs. If the interface is in BACKUP status, do not start the client. Add a section to rc.carpmaster and rc.carpbackup to trigger this start/stop.
If an OpenVPN client is active on both the master and backup system, they will cause conflicting connections to the server. Servers do not care as they only accept, not initiate.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/openvpn.inc | 4 | ||||
-rwxr-xr-x | etc/rc.carpbackup | 10 | ||||
-rwxr-xr-x | etc/rc.carpmaster | 10 |
3 files changed, 24 insertions, 0 deletions
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc index 9729217..01a6f6a 100644 --- a/etc/inc/openvpn.inc +++ b/etc/inc/openvpn.inc @@ -672,6 +672,10 @@ function openvpn_restart($mode, $settings) { if (isset($settings['disable'])) return; + /* Do not start if we are a CARP backup on this vip! */ + if ((substr($settings['interface'], 0, 3) == "vip") && (get_carp_interface_status($settings['interface']) == "BACKUP")) + return; + /* start the new process */ $fpath = $g['varetc_path']."/openvpn/{$mode_id}.conf"; mwexec_bg("/usr/local/sbin/openvpn --config {$fpath}"); diff --git a/etc/rc.carpbackup b/etc/rc.carpbackup index 68f4e2c..165dd9e 100755 --- a/etc/rc.carpbackup +++ b/etc/rc.carpbackup @@ -32,10 +32,20 @@ require_once("functions.inc"); require_once("config.inc"); require_once("notices.inc"); +require_once("openvpn.inc"); $notificationmsg = "A carp cluster member has resumed the state 'BACKUP'"; notify_via_smtp($notificationmsg); notify_via_growl($notificationmsg); +/* Stop OpenVPN clients running on this VIP, since multiple active OpenVPN clients on a CARP cluster can be problematic. */ +global $config; +foreach ($config['openvpn']['openvpn-client'] as $settings) { + if ($settings['interface'] == $argv[1]) { + log_error("Stopping OpenVPN instance on {$settings['interface']} because of transition to CARP backup."); + openvpn_restart('client', $settings); + } +} + ?>
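Review bot: The new CARP guard in openvpn_restart() never looks at `$mode`, so a server instance bound to a VIP is also left unstarted while the node is BACKUP, although the commit message says only clients conflict. If servers are meant to keep running, restrict the test: `if (($mode == "client") && (substr($settings['interface'], 0, 3) == "vip") && (get_carp_interface_status($settings['interface']) == "BACKUP"))`. The guard also lets the client start for any status other than the exact string "BACKUP"; if get_carp_interface_status() can report other non-master states (not visible here), comparing against "MASTER" instead would fail closed. The body of openvpn_restart() starts and ends outside this hunk, so the stop step that presumably precedes the guard cannot be checked from here.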
\ No newline at end of file diff --git a/etc/rc.carpmaster b/etc/rc.carpmaster index 5b85e03..aaac868 100755 --- a/etc/rc.carpmaster +++ b/etc/rc.carpmaster @@ -32,10 +32,20 @@ require_once("functions.inc"); require_once("config.inc"); require_once("notices.inc"); +require_once("openvpn.inc"); $notificationmsg = "A carp cluster member has resumed the state 'MASTER'"; notify_via_smtp($notificationmsg); notify_via_growl($notificationmsg); +/* Start OpenVPN clients running on this VIP, since they should be in the stopped state while the VIP is CARP Backup. */ +global $config; +foreach ($config['openvpn']['openvpn-client'] as $settings) { + if ($settings['interface'] == $argv[1]) { + log_error("Starting OpenVPN instance on {$settings['interface']} because of transition to CARP master."); + openvpn_restart('client', $settings); + } +} + ?>
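Review bot: The loop added to rc.carpbackup iterates `$config['openvpn']['openvpn-client']` and compares against `$argv[1]` without checking that either exists, so a node with no OpenVPN clients configured will raise a foreach warning on every CARP transition, and a missing argument is compared as null with a loose `==`. Wrap the block in `if (isset($argv[1]) && is_array($config['openvpn']['openvpn-client'])) {`; the identical loop added to rc.carpmaster needs the same guard. The "Stopping"/"Starting" log lines are written before openvpn_restart() decides anything, so they are also emitted for disabled clients and for cases where the CARP check in openvpn.inc takes the other branch; wording them as a restart attempt would keep the log accurate for anyone later reconstructing a failover.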
\ No newline at end of file |