One OpenVPN server instance with multiple tunnel networks



  • Hi guys,

    Would it be possible to run one OpenVPN server instance with multiple tunnel networks?
    In the OpenVPN settings under > Tunnel Settings > IPv4 Tunnel Network, there can be set only one tunnel network (e.g. IPV4).

    If possible, this would be a great benefit for me because it would be easy to create the appropriate firewall rules for specific users and groups based on different tunnel networks.

    We are currently using IPFire for OpenVPN connections and with this solution it's possible.
    The appropriate function is called "Static IP address pools":
    http://wiki.ipfire.org/en/configuration/services/openvpn/config/static_ip

    Thanks in advance,
    snow



  • Create OpenVPN instances as much as you have groups of users.



  • @Pippin:

    Create OpenVPN instances as much as you have groups of users.

    Cool

    Can I use same port for each of the instances (e.g. 1194/UDP)?



  • Seems to be it's not working when using same port/proto combination for multiple server instances:

    When starting the second server with same port/proto the following error occurs in OpenVPN log:
    TCP/UDP: Socket bind failed on local address [AF_INET]x.x.x.x:1194: Address already in use

    Is there any chance to get this working anyway?



  • Use a different port for each instance.



  • @viragomann:

    Use a different port for each instance.

    Yes that's working well, but would it be working anyway with same port/proto?



  • No, you cannot use equal address-port combinations for multiple services.
    Each service instance listening to network connection must have a unique address-port combination. This is a general law, not only aply to pfSense.



  • @viragomann:

    No, you cannot use equal address-port combinations for multiple services.
    Each service instance listening to network connection must have a unique address-port combination. This is a general law, not only aply to pfSense.

    Ok, I understand that unique address-port combination is required.

    But would it be possible to bind multiple tunnel networks on one service instance?
    With IPFire, it's possible:
    http://wiki.ipfire.org/en/configuration/services/openvpn/config/static_ip


  • Netgate

    Yes.

    You need to define the additional tunnel networks as "Remote Networks" in the server configuration.

    You can then assign static addresses to specific users using client-specific overrides and ifconfig-push



  • @Derelict:

    Yes.

    You need to define the additional tunnel networks as "Remote Networks" in the server configuration.

    You can then assign static addresses to specific users using client-specific overrides and ifconfig-push

    Cool, thank you.

    I assume the appropriate option needs to be added in the "Custom options" tab in the "Advanced Configuration" section.
    If so, do you have an example for adding an additional tunnel network?

    EDIT:

    Ok, I found the appropriate options here:
    https://openvpn.net/index.php/open-source/documentation/howto.html#policy

    If anyone has an idea how to configure the client specific overrides to get a dhcp address (instead of setting a static address) on an additional tunnel network, please let me know.
    As described in the documention above, it's required to set a pair of ifconfig-push addresses (virtual client and server IP endpoints).

    E.g.: ifconfig-push 10.8.1.1 10.8.1.2 (the first represents the client, second represents the server).

    I found the same question in openvpn forum, but without an answer:
    https://forums.openvpn.net/viewtopic.php?t=22525


  • Netgate

    You referred to an article that referenced setting separate, static addresses. That's what was provided. I do not think there is another way to set another pool in a CSO. I could be wrong. I would just run another server for that.