
geographically dispersed cluster of hypervisors

July

Geographically dispersed hypervisors (different locations, different ISPs), connected to each other with OpenVPN over the internet, run VMs (VM volume files and config files) on top of block-level shared storage (DRBD, protocol A, i.e. asynchronous replication).

The hypervisors have either one or two network adapters. Those with two allow physical network access to the VPN network through the second adapter, which is bridged with the virtual VPN adapter tap0. The first adapter always connects to the locally available LAN with internet access.

iptables forwards and masquerades the traffic destined for the VPN service from the first adapter to the second (which has the OpenVPN service listening on it).

The hypervisor acting as the OpenVPN server in turn needs the VPN port (444 in the example) forwarded to it by the gateway/router/firewall of the locally available LAN.

eth0 – connected to the locally available LAN (can also be directly internet-facing with a public IP, but then be sure to put in basic firewall rules)

eth1 – physical switch port bridged with the virtual VPN adapter tap0

# rewrite the destination of VPN traffic arriving on eth0 to the OpenVPN listener on the bridged side
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.1.31 --dport 444 -j DNAT --to 192.168.4.31:444
# let the rewritten packets pass through the FORWARD chain
iptables -A FORWARD -p tcp -i eth0 -d 192.168.4.31 --dport 444 -j ACCEPT
# masquerade traffic leaving on eth0 so replies come back through this host
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
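The three rules above only handle the port forward; the post also says to add basic firewall rules when eth0 is internet-facing. The script below is an added example, not the post's own script: it builds the forward rules from variables, narrows the FORWARD rule to new connections entering on eth0 and leaving on eth1, adds a default-deny INPUT/FORWARD policy with loopback and reply traffic allowed, and enables IPv4 forwarding (which the post does not mention but which the FORWARD rule needs). Interface names, addresses and the port are the post's values and are assumptions here; override them through the environment. With DRY_RUN=1 (the default) it only prints the commands so the rule set can be reviewed before it is applied as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not the post's script). Port-forward rules for the OpenVPN
# server hypervisor plus a default-deny base policy for an internet-facing eth0.
# Assumed values (from the post): eth0/eth1, 192.168.1.31, 192.168.4.31, tcp/444.
WAN_IF="${WAN_IF:-eth0}"           # locally available LAN / internet side
VPN_IF="${VPN_IF:-eth1}"           # physical port bridged with tap0
LAN_IP="${LAN_IP:-192.168.1.31}"   # eth0 address the LAN router forwards to
VPN_IP="${VPN_IP:-192.168.4.31}"   # address the OpenVPN service listens on
VPN_PORT="${VPN_PORT:-444}"
DRY_RUN="${DRY_RUN:-1}"            # 1 = print commands, 0 = execute them

# run: execute a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# base_policy: flush old rules, default-deny INPUT and FORWARD, and keep
# loopback and reply traffic (ESTABLISHED,RELATED) working.
base_policy() {
  run iptables -F
  run iptables -t nat -F
  run iptables -P INPUT DROP
  run iptables -P FORWARD DROP
  run iptables -P OUTPUT ACCEPT
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# vpn_forward: the post's three rules, with the FORWARD rule narrowed to new
# VPN connections entering on WAN_IF and leaving on VPN_IF, and forwarding
# enabled in the kernel.
vpn_forward() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -A PREROUTING -p tcp -i "$WAN_IF" -d "$LAN_IP" \
      --dport "$VPN_PORT" -j DNAT --to-destination "$VPN_IP:$VPN_PORT"
  run iptables -A FORWARD -p tcp -i "$WAN_IF" -o "$VPN_IF" -d "$VPN_IP" \
      --dport "$VPN_PORT" -m conntrack --ctstate NEW -j ACCEPT
  run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# dnat_rule_count: number of DNAT rules the script would install; a review
# check that exactly one port is being exposed this way.
dnat_rule_count() {
  DRY_RUN=1 vpn_forward | grep -c -- "-j DNAT"
}

# Apply (or print) the whole rule set when run as a script.
base_policy
vpn_forward
```

Review the printed rule list first; the FORWARD rule only matches the VPN port, so any other service on the bridged network stays unreachable from eth0 unless a further rule is added deliberately.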

more on drbd config / setup…
