Two OpenVPN Servers Concurrently?
-
Hello, we have been using the OpenVPN capabilities of a Ubiquiti EdgeRouter. Stability was great but the performance was very much lacking. We recently bought a Netgate 6100 (official pfSense box) as a replacement. To facilitate a smooth transition, I’m trying to get both OpenVPN servers running at the same time. Each router has its own external IP address. I can get each router to function, but not at the same time. I’m able to connect to both OpenVPN servers at the same time; however, on the new one I can’t reach anything on the LAN. It looks to me like any LAN host must have its gateway set to the router that OpenVPN connections are coming from. What I mean is if I set my gateway on a host to the new VPN server/router, then I’m able to reach that host from the new VPN/firewall. At this point however I can’t reach the host in question from the original OpenVPN.
Is it doable to have both OpenVPN servers running at the same time and then migrate each user to the new setup over the span of a few days?
-
@Kajetan321 said in Two OpenVPN Servers Concurrently?:
It looks to me like any LAN host must have its gateway set to the router that OpenVPN connections are coming from. What I mean is if I set my gateway on a host to the new VPN server/router, then I’m able to reach that host from the new VPN/firewall. At this point however I can’t reach the host in question from the original OpenVPN.
You don't need to switch the default gateway, it is sufficient to add a static route for the tunnel network to the LAN devices and point it to the new server.
If you use DHCP you can also deploy the route from the server.
-
@Kajetan321 If you create a transit network between the routers then sure..
So you have something like this..
So create a transit between the routers. Create the gateways and routes so that router 1 goes to router 2 for that vpn tunnel network, let's say it is 10.0.20.0/24
And router 2 goes to router 1 for say vpn tunnel network 10.0.10.0/24
So if your vpn comes in router 2, and goes to a client that is using router 1 as its gateway.. So this vpn client would have say IP address 10.0.20.100.. Now this PC using router 1 as its gateway.. says hmmm how do I talk to this 10.0.20.100 address, I don't have a route so send it to my default gateway (router 1).. Router 1 says oh, you're trying to get to some 10.0.20 address, let me route that to router 2 via the transit..
And vice versa if the vpn client comes in on router 1, and the PC you're talking to is using .254 as its gateway.
The other way you could get it to work is routes on the PCs in your network saying what gateway to use if the source IP is 10.0.10 or 10.0.20..
Another solution is to outbound source nat on each router so vpn clients connecting to it look like they came from the IP in your 192.168.0 network.
So vpn client comes in via router 1 and talks to one of your PCs, to the PC it will look like it came from router 1's .1 IP.. If the vpn client comes in router 2, it would look like it came from router 2's .254 address.
edit: yup @viragomann's way of handing out the needed routes to the devices on your network should work too as an easy way to do the routing on the PCs in your network. That is if they are using dhcp, etc.
That might be the easiest solution to be honest, since all it takes is an edit of your dhcp server to hand out the specific routes.
-
@viragomann Wow, thanks, I think it worked, just need to do some more testing but it's looking good.
-
@viragomann I'd like to provide an update. We use DHCP capabilities in Windows Server. I was able to add the route to the Windows DHCP server and all Windows machines seem to honor it. Linux, on the other hand, I have yet to find a single device that does. Synology, QNAP, XCP-ng, all seem to ignore the DHCP embedded route :(
I was able to manually add the route on Synology, others I will attempt now.
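The route that DHCP hands out in the approach suggested earlier in the thread is DHCP option 121, the classless static route option from RFC 3442. The following is an added example, not code from the thread or from pfSense/Netgate: it encodes that option for the two tunnel networks used in the second reply (10.0.10.0/24 via router 1, 10.0.20.0/24 via router 2) and decodes a payload so you can check what a server actually sends. The router addresses 192.168.0.1 and 192.168.0.254 are assumed from the ".1" and ".254" wording; nothing else is taken from the thread.

```python
"""Encode/decode DHCP option 121 (RFC 3442 classless static routes).
Added example for the thread above; not code from pfSense or the posters."""
import ipaddress

# Constructed sample: tunnel networks named in the thread; the router
# addresses 192.168.0.1 / 192.168.0.254 are assumed from ".1" and ".254".
ROUTES = [
    ("10.0.10.0/24", "192.168.0.1"),    # router 1's tunnel -> via router 1
    ("10.0.20.0/24", "192.168.0.254"),  # router 2's tunnel -> via router 2
]


def encode_option121(routes):
    """routes: iterable of (destination CIDR, next hop) -> option 121 bytes.

    RFC 3442 packs each route as: prefix length (1 byte), only the
    significant octets of the destination, then the 4-byte router."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)   # strict: rejects host bits set
        sig = (net.prefixlen + 7) // 8      # octets needed to carry the prefix
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_option121(payload):
    """Inverse of encode_option121; raises ValueError on malformed input."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"bad prefix length {plen} at offset {i - 1}")
        sig = (plen + 7) // 8
        if i + sig + 4 > len(payload):
            raise ValueError("truncated route entry")
        dest = payload[i:i + sig] + b"\x00" * (4 - sig)   # pad to 4 octets
        router = payload[i + sig:i + sig + 4]
        i += sig + 4
        routes.append((f"{ipaddress.IPv4Address(dest)}/{plen}",
                       str(ipaddress.IPv4Address(router))))
    return routes
```

RFC 3442 requires a client to ask for option 121 in its parameter request list (option 55) before a server will include it, so a client that seems to ignore the route is often one that never requests it; a capture of that client's DHCP request shows this directly, and decoding the server's reply with the function above confirms what was actually offered.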
-
@Kajetan321 and there you go - why the other suggestions are normally easier ;) Because it doesn't matter what the client does.. All it needs is its normal gateway..