Optimizing OpenVPN Failover Timeout for High-Availability Server Switching

When implementing high-availability OpenVPN setups with multiple remote entries in client configurations, many administrators notice an unexpectedly long delay during failover. The default behavior can leave clients disconnected for several minutes before successfully reconnecting to the backup server.

These OpenVPN client settings significantly impact failover behavior:

# Basic retry settings (often insufficient alone)
connect-retry 2
connect-retry-max 2

# More comprehensive approach
remote vpn1.example.com 1194
remote vpn2.example.com 1194
remote-random
resolv-retry 60
connect-timeout 10
tls-timeout 5

For enterprise-grade failover performance, consider these adjustments:

# Server list with DNS names (better than IPs for cert verification)
remote vpn-ha1.example.com 1194
remote vpn-ha2.example.com 1194

# Connection behavior tuning
remote-random
resolv-retry infinite
connect-retry 2 300
connect-timeout 10
tls-timeout 5
hand-window 15

For even faster reaction times, implement a custom script:

script-security 2
up "/etc/openvpn/scripts/failover-detection.sh"
down "/etc/openvpn/scripts/failover-detection.sh"

# Example script content (simplified):
#!/bin/bash
if [ "$script_type" == "up" ]; then
    echo "$(date) - Connected to $trusted_ip" >> /var/log/openvpn-failover.log
elif [ "$script_type" == "down" ]; then
    echo "$(date) - Connection lost" >> /var/log/openvpn-failover.log
    # Immediate retry with different server
    systemctl restart openvpn@client
fi

Use this command to verify timeout behavior without disrupting production:

openvpn --config client.ovpn --verb 4 --connect-retry 2 --connect-timeout 10

Monitor the output for connection attempts and timing between retries. The --verb 4 flag provides detailed logging without being overly verbose.

Remember that server configuration also impacts failover:

# On your OpenVPN servers:
keepalive 10 60
ping-timer-rem
persist-tun
persist-key

These settings help maintain stable connections and clean reconnects during failover scenarios.
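Rather than reading the gap between the drop and the reconnect off the --verb 4 output by hand, the following script (an added example, not part of the post above) computes it. It assumes each log line has been prefixed with epoch seconds, for instance by piping openvpn through a small timestamping loop as shown in the comments; the log lines it matches are standard OpenVPN messages, and the embedded sample log is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: measure failover time from a timestamped OpenVPN client log.
# Assumed input format: "<epoch-seconds> <openvpn message>", produced by e.g.
#   openvpn --config client.ovpn --verb 4 | while IFS= read -r l; do echo "$(date +%s) $l"; done
# The matched message texts are OpenVPN's own; the sample below is constructed.

# Prints, one per line, the seconds from each restart trigger (ping-restart
# inactivity timeout, server poll timeout, TLS handshake timeout or SIGUSR1
# soft restart) until the next "Initialization Sequence Completed".
# Reads the file(s) given as arguments, or stdin when there are none.
failover_seconds() {
    awk '
        /Inactivity timeout \(--ping-restart\)/ || /Server poll timeout/ ||
        /TLS Error: TLS key negotiation failed/ || /SIGUSR1\[soft/ {
            if (start == 0) { start = $1 }   # remember only the first trigger of an outage
        }
        /Initialization Sequence Completed/ && start > 0 {
            print $1 - start                 # tunnel is up again: report the outage length
            start = 0
        }
    ' "$@"
}

# Constructed sample (not a real capture): the primary goes quiet, ping-restart
# fires, the retry to the primary hits connect-timeout, the backup completes.
sample_log() {
    cat <<'EOF'
1700000000 UDP link remote: [AF_INET]192.0.2.10:1194
1700000003 [vpn1] Peer Connection Initiated with [AF_INET]192.0.2.10:1194
1700000005 Initialization Sequence Completed
1700000300 [vpn1] Inactivity timeout (--ping-restart), restarting
1700000300 SIGUSR1[soft,ping-restart] received, process restarting
1700000302 UDP link remote: [AF_INET]192.0.2.10:1194
1700000312 Server poll timeout, restarting
1700000314 UDP link remote: [AF_INET]198.51.100.20:1194
1700000316 [vpn2] Peer Connection Initiated with [AF_INET]198.51.100.20:1194
1700000319 Initialization Sequence Completed
EOF
}

if [ "$#" -eq 0 ]; then
    echo "No log file given; measuring the constructed sample:"
    sample_log | failover_seconds    # prints 19
else
    failover_seconds "$@"
fi
```

Run it against a log captured during the iptables test and compare the printed seconds with what the connect-timeout, tls-timeout and ping-restart values should allow; a number far above their sum points at DNS resolution or a TCP-level wait rather than at OpenVPN's own retry settings.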


When implementing a high-availability OpenVPN setup with multiple remote entries, we often encounter delayed failover transitions. The default behavior can cause connection interruptions lasting several minutes before the client successfully reconnects to an alternative server.

The following parameters in your client configuration file (client.ovpn) significantly impact failover responsiveness:

# Connection timeout and retry settings
connect-retry 2           # Wait 2 seconds between retries
connect-retry-max 3       # Maximum of 3 retries per server
resolv-retry 30           # DNS resolution retry window
tun-mtu 1500              # Default tunnel MTU; do not also set link-mtu, OpenVPN accepts only one of the two
mssfix 1400               # Prevent MTU-related fragmentation
proto udp                 # UDP generally fails over faster than TCP
nobind                    # Allows rapid reconnect from different source ports

On Linux clients, these sysctl parameters can help reduce TCP timeout delays:

# Add to /etc/sysctl.conf
net.ipv4.tcp_keepalive_time = 20
net.ipv4.tcp_keepalive_intvl = 5
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_fin_timeout = 10

This bash script helps validate your failover configuration by simulating server failures:

#!/bin/bash
# Test OpenVPN failover response time

MAIN_SERVER="vpn1.example.com"
BACKUP_SERVER="vpn2.example.com"
TEST_DURATION=300  # 5 minute test

start_time=$(date +%s)
while [ $(($(date +%s) - start_time)) -lt $TEST_DURATION ]; do
    echo "Blocking main VPN server at $(date)"
    sudo iptables -A INPUT -s $MAIN_SERVER -j DROP
    
    sleep 60  # Wait for failover to occur
    
    echo "Unblocking main VPN server at $(date)"
    sudo iptables -D INPUT -s $MAIN_SERVER -j DROP
    
    sleep 60  # Observe reconnection behavior
done

For more control, implement connection management scripts:

# client.ovpn additions
script-security 2
up "/etc/openvpn/scripts/vpn-up.sh"
down "/etc/openvpn/scripts/vpn-down.sh"
route-up "/etc/openvpn/scripts/route-up.sh"

Example route-up.sh script:

#!/bin/bash
# Log connection events and trigger fast failover
TIMEOUT=5  # seconds to wait before testing backup

logger "OpenVPN connected to $trusted_ip"
if ! ping -c 1 -W $TIMEOUT $trusted_ip &> /dev/null; then
    logger "Primary VPN unreachable, triggering fast failover"
    killall -SIGUSR1 openvpn  # Soft restart to try next remote
fi

Use these commands to monitor connection status during failover events:

# Continuous connection monitoring
watch -n 1 "ip route show table all | grep tun && ping -c 1 10.8.0.1"

# OpenVPN status logging
sudo journalctl -fu openvpn@client -n 100
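Before testing with iptables it is worth checking the client config for the handful of settings that decide how quickly the next remote is tried. The script below is an added example, not part of the post above: it reads a client config on stdin, prints one finding per line and returns the number of findings. The checks rest on documented OpenVPN behaviour (only one of tun-mtu/link-mtu may be set, connect-timeout defaults to 120 seconds, dead-link detection needs ping-restart or keepalive from somewhere); the severity labels and the sample config are this script's own constructions.

```shell
#!/bin/sh
# Added example: lint a client config for settings that slow down failover.
# Usage: lint_failover_config < client.ovpn   (findings on stdout, count as exit status)

# True if the config held in $cfg contains the directive $1 (uncommented, with an argument).
has() {
    printf '%s\n' "$cfg" | grep -Eq "^[[:space:]]*$1[[:space:]]"
}

lint_failover_config() {
    cfg=$(cat)
    n=0
    remotes=$(printf '%s\n' "$cfg" | grep -Ec '^[[:space:]]*remote[[:space:]]' || true)
    if [ "$remotes" -lt 2 ]; then
        echo "WARN  only $remotes 'remote' line(s): nothing to fail over to"
        n=$((n + 1))
    fi
    if has tun-mtu && has link-mtu; then
        echo "ERROR tun-mtu and link-mtu are both set; OpenVPN accepts only one of them"
        n=$((n + 1))
    fi
    if ! has connect-timeout; then
        echo "WARN  connect-timeout not set: a dead remote costs the 120 s default before the next is tried"
        n=$((n + 1))
    fi
    if ! has ping-restart && ! has keepalive; then
        echo "INFO  no ping-restart/keepalive locally: dead-link detection relies on the server pushing keepalive"
        n=$((n + 1))
    fi
    if printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*proto[[:space:]]+tcp'; then
        echo "INFO  proto tcp: udp is recommended above for faster failover"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample: the retry/MTU block from above with a single remote added.
sample_config() {
    cat <<'EOF'
remote vpn1.example.com 1194
connect-retry 2
connect-retry-max 3
resolv-retry 30
link-mtu 1500
tun-mtu 1500
mssfix 1400
proto udp
nobind
EOF
}

if [ "$#" -eq 0 ]; then
    echo "No config given; linting the constructed sample:"
    sample_config | lint_failover_config || echo "($? finding(s))"
else
    lint_failover_config < "$1" || echo "($? finding(s))"
fi
```

The sample trips four of the five checks (one remote, both MTU directives, no connect-timeout, no local keepalive), which is what the iptables test would otherwise reveal only as a slow or failed reconnect.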