I have two physical machines (both Ubuntu Linux) located at different hosting companies. Currently one machine runs virtual machines which clients can access through a VPN (OpenVPN). What I need now is to connect the other physical server with its virtual machines in such a way that VPN clients see it as well and can get their local IPs from the internal DNSMasq server.
Here is my current configuration:
+--------------------------------------+
|           Current VPN Server         |
|                                      |
|                                      |
|------+                               |
|      |      +-----------------+      |
| tun  |<====>|     DNSMasq     |      |
|      |      +-----------------+      |
|------+\         ^    ^               |
|  ||    \\      /      \              |
|  ||     \\    /        \             |
|  ||      \\  /          \            |
|  +---------------------------------+ |
|  | VH 1 | VH 2 |   ...   | VN N    | |
|  |      |      |         |         | |
|  |      |      |         |         | |
|  |      |      |         |         | |
|  +---------------------------------+ |
|                                      |
+--------------------------------------+
So VPN clients can communicate with the virtual machines by using the internal DNSMasq instance to resolve private names. Each virtual host (VH) instance retrieves its IP address from DNSMasq. The VPN server routes access to these IPs with an iptables NAT rule.
Now I would like to add an additional physical server so that everything is transparent to the clients as well as to the virtual hosts:
+--------------------------------------+      +--------------------------------------+
|           Current VPN Server         |      |              New Server              |
|  /=============================================\                                   |
|  v                                   |      |  v                                   |
|------+                               |      |------+                               |
|      |      +-----------------+      |      |      |                               |
| tun  |<====>|     DNSMasq     |<--------+   | tun  |                               |
|      |      +-----------------+      |  |   |      |                               |
|------+\         ^    ^               |  |   |------+\                              |
|  ||    \\      /      \              |  |   |  ||    \\                            |
|  ||     \\    /        \             |  |   |  ||     \\                           |
|  ||      \\  /          \            |  |   |  ||      \\                          |
|  +---------------------------------+ |  |   |  +---------------------------------+ |
|  | VH 1 | VH 2 |   ...   | VN N    | |  |   |  | VH 1 | VH 2 |   ...   | VN N    | |
|  |      |      |         |         | |  |   |  |      |      |         |         | |
|  |      |      |         |         | |  |   |  |      |      |         |         | |
|  |      |      |         |         | |  |   |  |      |      |         |         | |
|  +---------------------------------+ |  |   |  +---------------------------------+ |
|                                      |  |   |    |        |                   |    |
+--------------------------------------+  |   +----|--------|-------------------|----+
                                          |        |        |                   |
                                          +--------+--------+-------------------+
In other words:
- virtual hosts on the new server must be on the same subnet as the virtual hosts on the current VPN server
- virtual hosts of the new server must use a secure channel to communicate with the current VPN server
- DNSMasq should assign IP addresses via DHCP to the virtual hosts of the new server
- clients of the OpenVPN server should be able to access the virtual hosts on the new server
Please point me either to a tutorial or provide some detailed explanation.
As JelmerS wrote, you should think about an L3 VPN.
If you REALLY need a distributed L2 solution:
Result: all virtual machines and both servers reside in one L2 subnet. Clients gain access to the virtual machines by connecting to the L3 VPN (TUN interface); the first server acts for them like a router with NAT.
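The L2 layout the answer ends with (one subnet spanning both servers, dnsmasq handing out the VM addresses, tun clients NATed by the first server) put into configuration, as an added example that is not part of the question or the answer: a shell script that renders an OpenVPN tap-mode site link for both hosts, the `up` script that attaches the tap to the VM bridge, the dnsmasq DHCP scope and the forwarding/NAT rules for the existing tun clients. Everything it assumes is absent from the page: the VM bridge is `br0` on both hosts, the VM subnet is 10.10.0.0/24, the tun client pool is 10.8.0.0/24, the first server is reachable as `vpn1.example.com`, the site link uses UDP 1195, and the certificate paths under `/etc/openvpn/site/` are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original question or answer: renders the
# configuration for the L2 option (OpenVPN in tap mode bridging the two VM
# bridges) plus the dnsmasq DHCP scope and the NAT rules for the existing tun
# clients. Assumed, not stated on the page: the VM bridge is br0 on both hosts,
# the VM subnet is 10.10.0.0/24, the client tun pool is 10.8.0.0/24, the current
# server is reachable as vpn1.example.com, and the site link uses UDP 1195.
set -eu

VM_BR=br0
VM_NET=10.10.0.0/24
DHCP_RANGE="10.10.0.100,10.10.0.200,12h"
TUN_NET=10.8.0.0/24
SITE_PORT=1195
HUB=vpn1.example.com

# Settings shared by both ends of the site link. TLS mode rather than a static
# --secret key, so the link has forward secrecy; tls-auth ($1 is the key
# direction, 0 on the server, 1 on the client) drops unauthenticated packets
# before the TLS handshake even starts.
common_tls() {
    cat <<EOF
proto udp
dev tap0
ca /etc/openvpn/site/ca.crt
tls-auth /etc/openvpn/site/ta.key $1
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
script-security 2
up /etc/openvpn/site/bridge-up.sh
persist-key
persist-tun
EOF
}

# Current VPN server: a second OpenVPN instance in tap mode next to the existing
# tun one. "server-bridge" with no arguments makes OpenVPN hand out no addresses,
# so DHCP requests from the new server's VMs are bridged through to dnsmasq.
site_server_conf() {
    echo "port $SITE_PORT"
    common_tls 0
    cat <<EOF
cert /etc/openvpn/site/hub.crt
key /etc/openvpn/site/hub.key
dh /etc/openvpn/site/dh.pem
server-bridge
EOF
}

# New server: tap client. remote-cert-tls rejects a peer whose certificate is
# not a server certificate, so a leaked client cert cannot impersonate the hub.
site_client_conf() {
    echo "client"
    echo "remote $HUB $SITE_PORT"
    common_tls 1
    cat <<EOF
cert /etc/openvpn/site/spoke.crt
key /etc/openvpn/site/spoke.key
remote-cert-tls server
EOF
}

# "up" script used on both hosts; OpenVPN passes the tap device name as $1.
bridge_up_script() {
    cat <<EOF
#!/bin/sh
ip link set "\$1" up promisc on
ip link set "\$1" master $VM_BR
EOF
}

# dnsmasq serves DHCP and DNS on the VM bridge only, never on the client tun.
dnsmasq_conf() {
    cat <<EOF
interface=$VM_BR
bind-interfaces
dhcp-range=$DHCP_RANGE
dhcp-authoritative
EOF
}

# Existing tun clients: forward only tun<->bridge, and NAT them behind the first
# server so VMs on either host see the clients as the VPN server's address.
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i tun0 -o $VM_BR -s $TUN_NET -d $VM_NET -j ACCEPT
iptables -A FORWARD -i $VM_BR -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $TUN_NET -o $VM_BR -j MASQUERADE
EOF
}

# Pre-deployment check: both ends agree on tap mode and port, and the up script
# attaches the tap to the VM bridge. Returns 0 when consistent.
check_consistent() {
    site_server_conf | grep -qx 'dev tap0' &&
    site_client_conf | grep -qx 'dev tap0' &&
    site_server_conf | grep -qx "port $SITE_PORT" &&
    site_client_conf | grep -qx "remote $HUB $SITE_PORT" &&
    bridge_up_script | grep -q "master $VM_BR"
}

check_consistent
for f in site_server_conf site_client_conf bridge_up_script dnsmasq_conf nat_rules; do
    echo "## $f"; "$f"; echo
done
```

Two caveats go with this. First, the tun pool and the VM subnet must not overlap, otherwise the NAT rule and the bridged DHCP scope fight over the same addresses. Second, bridging at L2 carries every ARP and broadcast frame of the VM segment across the WAN link and lets any VM on either host answer DHCP or ARP for all the others, which is exactly why the answer says to consider an L3 VPN first.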