Netgate Discussion Forum
    2 OpenVPN servers on one IP address

    6 Posts 2 Posters 714 Views
    HPA_Support (last edited by HPA_Support)

      Generic setup:
      Location1 - 2 ISPs - 2 OpenVPN Site2Site Connections - 1 per ISP - OpenVPN Server
      Location2 - 2 ISPs - 2 OpenVPN Site2Site Connections - 1 per ISP - OpenVPN Client

      We are using OpenVPN for site to site. We have 2 ISPs at both locations. We have 2 OpenVPN tunnels going both directions for redundancy, one on each ISP. We now want to add remote access for remote users on a different OpenVPN server. I did set up a new OpenVPN server using an existing IP address, which is being used by one of the site to site tunnels, but it crashed parts of the tunnel. We could ping and RDP from one location but not the other. So what is best practice for having two servers on one IP address?

      stephenw10 (Netgate Administrator)

        Sure you can do that as long as the servers are running on different ports. Say 1194 (the default port) and 1195.

        Steve

        HPA_Support

          I have it on a different port number. In Firewall > Rules > OpenVPN tab, when I add the Allow All rule it kills part of the site2site tunnel. Currently the OpenVPN tab is empty and the site2site works just fine. I can connect to the VPN remotely, but don't have access to any LAN networks.

          stephenw10 (Netgate Administrator)

            Do you have assigned interfaces and policy routing?

            If you pass traffic on the OpenVPN tab rather than the assigned interface tab that traffic will not get the required reply-to tag on incoming states and return traffic may not know which tunnel to use.

            If you are adding rules to the OpenVPN tab to allow remote access users in make sure they have the tunnel network specified as the source so they don't catch site-2-site traffic too.

            Steve

            HPA_Support (last edited by HPA_Support)

              Here is what I have, hope this helps. Device is a Netgate SG-2440, version 2.4.4.

              Location 1 Interfaces
              WAN - ISP-2 WAN
              LAN - LAN
              Opt1 - ISP-1 WAN
              Opt2 - Empty
              OVPN1 - Tunnel 1
              OVPN2 - Tunnel 2

              Firewall Rules

              WAN - ISP-2 WAN
              Protocol   Source          Port   Destination        Port    Gateway
              IPv4 UDP   Location2 ISP   *      Location1 ISP-2    11194   *         (Site2Site)
              IPv4 UDP   Location2 ISP   *      Location1 ISP-2    11195   *         (Site2Site)

              LAN
              Protocol   Source   Port   Destination            Port        Gateway
              *          *        *      LAN                    443 80 22   *
              IPv4 *     *        *      OpenVPN Load Balance   *           OpenVPN Load Balance

              Opt1 - WAN - ISP-1 WAN
              Protocol   Source          Port   Destination        Port    Gateway
              IPv4 UDP   Location2 ISP   *      Location1 ISP-1    11194   *         (Site2Site)
              IPv4 UDP   Location2 ISP   *      Location1 ISP-1    11195   *         (Site2Site)
              IPv4 UDP   *               *      Location1 ISP-1    1194    *         (OpenVPN for RemoteUsers)

              OVPN1 and OVPN2 (both set up the same)
              Protocol   Source   Port   Destination   Port   Gateway
              IPv4 *     *        *      *             *      *

              OpenVPN - Empty

                stephenw10 (Netgate Administrator)

                Ok, yeah. So if you add a pass all rule on the OpenVPN tab it will break traffic coming from location two across the load-balanced OpenVPN pair.

                You need to either assign the remote access OpenVPN server and add the rules on the new interface tab created, or add rules on the OpenVPN tab that catch only the remote access users by specifying the source subnet.

                Steve

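The two fixes Steve gives (assign the remote-access server and put its rules on the new interface tab, or restrict OpenVPN-tab rules to the remote-access tunnel network) can be checked mechanically against a pfSense config.xml export. The script below is an added example written for this page, not pfSense code or anything the posters ran. It builds a constructed config.xml fragment modelled on the Location 1 box above (two assigned site-to-site servers OVPN1/OVPN2 on ports 11194/11195, one unassigned remote-access server on 1194) and then flags any pass rule on the shared "openvpn" tab whose source would also match an assigned tunnel's network. The element names (`filter/rule`, `interface`, `source/any`, `source/address`, `openvpn-server/vpnid`, `tunnel_network`, `interfaces/optN/if`) follow pfSense's config.xml as far as I know it, and pfSense names server instances `ovpnsN` and client instances `ovpncN`; the interface slots opt3/opt4 and the tunnel networks 10.0.1.0/30, 10.0.2.0/30 and 10.0.8.0/24 are assumptions, since the post does not give them.

```python
"""Hypothetical lint for the OpenVPN-tab mistake discussed in this thread.
Example code written for this page; the config fragment is constructed."""
import ipaddress
import xml.etree.ElementTree as ET


def build_config(remote_access_source):
    """Constructed config.xml fragment modelled on the poster's Location 1:
    two site-to-site OpenVPN servers assigned as OVPN1/OVPN2 (opt3/opt4 are
    assumed slots) and an unassigned remote-access server on 1194.  Only the
    elements the lint reads are present.  remote_access_source is either the
    string "any" (the poster's Allow All rule) or a CIDR for the source."""
    src = "<any/>" if remote_access_source == "any" \
        else f"<address>{remote_access_source}</address>"
    return f"""<pfsense>
  <interfaces>
    <wan><if>igb0</if></wan>
    <lan><if>igb1</if></lan>
    <opt1><if>igb2</if><descr>ISP1WAN</descr></opt1>
    <opt3><if>ovpns1</if><descr>OVPN1</descr></opt3>
    <opt4><if>ovpns2</if><descr>OVPN2</descr></opt4>
  </interfaces>
  <openvpn>
    <openvpn-server><vpnid>1</vpnid><local_port>11194</local_port>
      <tunnel_network>10.0.1.0/30</tunnel_network><description>Tunnel 1</description></openvpn-server>
    <openvpn-server><vpnid>2</vpnid><local_port>11195</local_port>
      <tunnel_network>10.0.2.0/30</tunnel_network><description>Tunnel 2</description></openvpn-server>
    <openvpn-server><vpnid>3</vpnid><local_port>1194</local_port>
      <tunnel_network>10.0.8.0/24</tunnel_network><description>RemoteUsers</description></openvpn-server>
  </openvpn>
  <filter>
    <rule><type>pass</type><interface>openvpn</interface><ipprotocol>inet</ipprotocol>
      <source>{src}</source><destination><any/></destination>
      <descr>Allow remote users</descr></rule>
    <rule><type>pass</type><interface>opt3</interface><ipprotocol>inet</ipprotocol>
      <source><any/></source><destination><any/></destination><descr>OVPN1 pass</descr></rule>
    <rule><type>pass</type><interface>opt4</interface><ipprotocol>inet</ipprotocol>
      <source><any/></source><destination><any/></destination><descr>OVPN2 pass</descr></rule>
  </filter>
</pfsense>"""


def vpn_instances(root):
    """Every OpenVPN instance: device name (ovpnsN/ovpncN), description,
    tunnel network, and the pfSense interface it is assigned to (None if
    unassigned, i.e. only reachable through the shared OpenVPN tab)."""
    dev_to_iface = {}
    for iface in root.find("interfaces"):
        dev = iface.findtext("if") or ""
        if dev.startswith("ovpn"):
            dev_to_iface[dev] = iface.tag
    instances = []
    for tag, prefix in (("openvpn-server", "ovpns"), ("openvpn-client", "ovpnc")):
        for inst in root.iter(tag):
            dev = prefix + inst.findtext("vpnid")
            instances.append({
                "dev": dev,
                "descr": inst.findtext("description"),
                "net": ipaddress.ip_network(inst.findtext("tunnel_network")),
                "iface": dev_to_iface.get(dev),
            })
    return instances


def rule_source_network(rule):
    """Rule source as an ip_network, or None for 'any'.  Interface-network
    aliases (<network>lan</network>) cannot be resolved without interface
    addresses, so they are conservatively treated as 'any' here."""
    src = rule.find("source")
    addr = src.findtext("address")
    if src.find("any") is not None or not addr:
        return None
    return ipaddress.ip_network(addr, strict=False)


def lint_openvpn_tab(xml_text):
    """Flag pass rules on the shared OpenVPN tab whose source also matches the
    tunnel network of an assigned instance.  Such a rule matches site-to-site
    traffic before the assigned tab's rules do, so that traffic gets no
    reply-to tag.  Returns [(rule description, [devices caught]), ...]."""
    root = ET.fromstring(xml_text)
    instances = vpn_instances(root)
    findings = []
    for rule in root.find("filter").iter("rule"):
        if rule.findtext("interface") != "openvpn" or rule.findtext("type") != "pass":
            continue
        src = rule_source_network(rule)
        caught = [i["dev"] for i in instances
                  if i["iface"] is not None and (src is None or i["net"].overlaps(src))]
        if caught:
            findings.append((rule.findtext("descr") or "", caught))
    return findings


def unassigned_instances(xml_text):
    """Instances with no assigned interface: candidates for Steve's first fix
    (assign them and move their rules to the new tab)."""
    root = ET.fromstring(xml_text)
    return [i["dev"] for i in vpn_instances(root) if i["iface"] is None]


if __name__ == "__main__":
    for label, cfg in (("source any", build_config("any")),
                       ("source 10.0.8.0/24", build_config("10.0.8.0/24"))):
        print(label, "->", lint_openvpn_tab(cfg) or "ok")
    print("unassigned:", unassigned_instances(build_config("any")))
```

Run against a real export, swap `build_config(...)` for the file contents and expect the same shape of result: the Allow All variant reports the remote-users rule as catching ovpns1 and ovpns2, while the variant with source 10.0.8.0/24 reports nothing, and ovpns3 is listed as the instance that still has no interface tab of its own. Aliases used as rule sources are not resolved, so a finding on such a rule needs a manual look.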
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.