You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: admin-and-features/setting-up-your-instance/high-availability-and-failover.md
+19-16Lines changed: 19 additions & 16 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -8,34 +8,40 @@ Currently we support the following HA/failover scenarios:
8
8
9
9
## Gateway - High Availability
10
10
11
-
We support active-active configurations with multiple gateways for a single VPN instance or location. Since our gateway uses a vanilla kernel WireGuard®, there are multiple approaches for implementation.
11
+
We support active-passive configuration with multiple gateways for a single VPN instance or location. Active-active configurations should also be possible but come with some caveats. Since our gateway uses a vanilla kernel WireGuard®, there are multiple approaches for implementation.
12
12
13
13
{% hint style="info" %}
14
14
Please also see documentation of [Creating a New VPN location](../features-and-configuration/wireguard/create-your-vpn-network.md) where each [location setting has information regarding high-availability](../features-and-configuration/wireguard/create-your-vpn-network.md#vpn-location-settings).
15
15
{% endhint %}
16
16
17
-
#### Deploying the active-active gateway setup
17
+
#### Deploying multiple gateways for one location
18
18
19
-
To have multi-gateway for one location setup, you need to [deploy the gateway on each server](gateway/).
19
+
To have a multi-gateway setup for a given location, you will need to [deploy the gateway on each one of your servers](gateway/) under the same location.
20
20
21
-
If you already have a gateway deployed, and want to add new gateways for the location, go to _VPN Overview_ -> Click: _Edit Location Settings (in top right corner)_, then choose the location you want to add the gateway, and follow instructions for deployment:
21
+
If you already have a gateway deployed and want to add another one for the location, go to _VPN Overview_ -> Click: _Edit Location Settings (in the top right corner)_, then choose the location you want to add the new gateway to, and follow the deployment instructions:
22
22
23
23
<figure><imgsrc="../../.gitbook/assets/Screenshot 2024-11-12 at 16.55.55.png"alt=""><figcaption></figcaption></figure>
24
24
25
-
After each gateway deployment all gateways will have the same configuration and will **bind to the defined port** in the location _Gateway Port._
25
+
Each gateway deployed for a given location will receive the same network configuration and will **bind to the defined port** in the location's_Gateway Port._
26
26
27
-
The only thing left to do is to point your traffic to those gateways, which can be acomplished with various HA scenarios:
27
+
The only thing left to do is to point your traffic to those gateways, which can be accomplished in several ways:
28
28
29
-
* floating public IP - if you choose this scenario, please remember that the IP must be the IP specified in the Location _Gateway Address_
30
-
* proxy/load balancing - also remember that the proxy must be configured with the _Gateway Address and Gateway Port_
29
+
* Floating public IP - if you choose this scenario, please remember that the IP must be the IP specified in the Location _Gateway Address._ In this scenario, the floating IP switches between your gateway servers, directing the traffic to one of the two gateways.
30
+
* Proxy/load balancing - also remember that the proxy must be configured with the _Gateway Address and Gateway Port._ In this scenario, your clients connect to the proxy/load balancer, which direct the VPN traffic (UDP) to one of your gateway backends_._
31
+
32
+
#### Active-active setups
33
+
34
+
Active-active setups should be possible but are not as thoroughly tested in production as active-passive. Here are the currently known issues with such configurations:
35
+
36
+
* Multiple running gateways bound to one location with network traffic distributed between them may produce invalid network usage statistics, making the network usage graphs and displays on the dashboard unreliable. Related issue: [https://github.com/DefGuard/defguard/issues/1022](https://github.com/DefGuard/defguard/issues/1022)
31
37
32
38
### Determining if multiple gateways are running
33
39
34
40
All gateways that are successfully connected for the location are displayed under the Location in VPN Overview, here is an example for two gateways:
35
41
36
42
<figure><imgsrc="../../.gitbook/assets/Screenshot 2024-11-12 at 17.01.42.png"alt=""><figcaption></figcaption></figure>
37
43
38
-
### What is the gateway peers persistance (if core/proxy services fail)
44
+
### What is the gateway peers persistence (if core/proxy services fail)
39
45
40
46
1. For **VPN Locations without MFA** - it's persistent until the system reboot - _even if the gateway will not work_ - as the gateway configures WireGuard "in kernel".
41
47
2. For **VPN Locations with MFA**, this depends on the _Peer Disconnect Threshold (seconds)_ setting in the VPN Location settings. This setting specifies that if the peer is inactive for _(defined seconds)_, the gateway should remove it from the configuration. Therefore, if the proxy/core is not operational, MFA authentication will fail, and the peer will not be added if it is disconnected.
@@ -44,15 +50,12 @@ All gateways that are successfully connected for the location are displayed unde
44
50
45
51
The core service handles gateway states as well as core connects _**to the proxy**_. Since proxy serves HTTP based protocol communication and should be in the public Internet, it needs to be secure, thus core connects to the proxy.
46
52
47
-
This way **core can be in an Intranet network segment and proxy can be in DMZ, making Core completely cut-off on firewall from the Internet** (you only can have only outgoing firewall rules from Intranet allowing only for core to connect to proxy).
53
+
This way **core can be in an Intranet network segment and proxy can be in DMZ, making Core completely cut-off on firewall from the Internet** (you only can have only outgoing firewall rules from Intranet allowing only for core to connect to proxy).
48
54
49
55
So **High Availability for core and proxy** gets complicated, with multiple proxies core needs to manage those connections. We already have most of the code for that ready, but it's not yet production ready.
50
56
51
-
#### How to bulet-proof proxy & core with failover?
52
-
53
-
We recommend to deploy them on a failover solution - like on a kubernetes cluster (even small one - like mini-kube) . This way, kubernetes manages: healthecks and does failover. You can have cluster N-nodes and if any VM/node with Core/Proxy goes offline or health checks fail - it's migrated to a new node.
57
+
#### How to bullet-proof proxy & core with failover?
54
58
55
-
Also failover is good eanough now, since:
59
+
We recommend to deploy them on a failover solution - like on a kubernetes cluster (even small one - like mini-kube) . This way, kubernetes manages: healthchecks and does failover. You can have cluster N-nodes and if any VM/node with Core/Proxy goes offline or health checks fail - it's migrated to a new node.
56
60
57
-
* gateways are fully active-active HA,
58
-
* even if they fail, [peers are fully (or with configuration) persistent](high-availability-and-failover.md#what-is-the-gateway-peers-persistance-if-core-proxy-services-fail).
61
+
Also failover is good enough now, since gateways also support failover and even if they fail, [peers are fully (or with configuration) persistent](high-availability-and-failover.md#what-is-the-gateway-peers-persistance-if-core-proxy-services-fail).
0 commit comments