• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

One OpenVPN server instance with multiple tunnel networks

Scheduled Pinned Locked Moved OpenVPN
11 Posts 4 Posters 5.1k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • S
    snow
    last edited by May 26, 2017, 11:36 AM

    Hi guys,

    Would it be possible to run one OpenVPN server instance with multiple tunnel networks?
    In the OpenVPN settings under > Tunnel Settings > IPv4 Tunnel Network, there can be set only one tunnel network (e.g. IPV4).

    If possible, this would be a great benefit for me because it would be easy to create the appropriate firewall rules for specific users and groups based on different tunnel networks.

    We are currently using IPFire for OpenVPN connections and with this solution it's possible.
    The appropriate function is called "Static IP address pools":
    http://wiki.ipfire.org/en/configuration/services/openvpn/config/static_ip

    Thanks in advance,
    snow

    1 Reply Last reply Reply Quote 0
    • P
      Pippin
      last edited by May 26, 2017, 12:47 PM

      Create OpenVPN instances as much as you have groups of users.

      I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
      Halton Arp

      1 Reply Last reply Reply Quote 0
      • S
        snow
        last edited by May 26, 2017, 1:05 PM

        @Pippin:

        Create OpenVPN instances as much as you have groups of users.

        Cool

        Can I use same port for each of the instances (e.g. 1194/UDP)?

        1 Reply Last reply Reply Quote 0
        • S
          snow
          last edited by May 26, 2017, 1:22 PM

          Seems to be it's not working when using same port/proto combination for multiple server instances:

          When starting the second server with same port/proto the following error occurs in OpenVPN log:
          TCP/UDP: Socket bind failed on local address [AF_INET]x.x.x.x:1194: Address already in use

          Is there any chance to get this working anyway?

          1 Reply Last reply Reply Quote 0
          • V
            viragomann
            last edited by May 26, 2017, 1:46 PM

            Use a different port for each instance.

            1 Reply Last reply Reply Quote 0
            • S
              snow
              last edited by May 26, 2017, 2:09 PM

              @viragomann:

              Use a different port for each instance.

              Yes that's working well, but would it be working anyway with same port/proto?

              1 Reply Last reply Reply Quote 0
              • V
                viragomann
                last edited by May 26, 2017, 3:42 PM

                No, you cannot use equal address-port combinations for multiple services.
                Each service instance listening to network connection must have a unique address-port combination. This is a general law, not only aply to pfSense.

                1 Reply Last reply Reply Quote 0
                • S
                  snow
                  last edited by May 29, 2017, 6:47 AM

                  @viragomann:

                  No, you cannot use equal address-port combinations for multiple services.
                  Each service instance listening to network connection must have a unique address-port combination. This is a general law, not only aply to pfSense.

                  Ok, I understand that unique address-port combination is required.

                  But would it be possible to bind multiple tunnel networks on one service instance?
                  With IPFire, it's possible:
                  http://wiki.ipfire.org/en/configuration/services/openvpn/config/static_ip

                  1 Reply Last reply Reply Quote 0
                  • D
                    Derelict LAYER 8 Netgate
                    last edited by May 29, 2017, 6:56 AM

                    Yes.

                    You need to define the additional tunnel networks as "Remote Networks" in the server configuration.

                    You can then assign static addresses to specific users using client-specific overrides and ifconfig-push

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                    1 Reply Last reply Reply Quote 0
                    • S
                      snow
                      last edited by May 29, 2017, 9:44 AM May 29, 2017, 8:15 AM

                      @Derelict:

                      Yes.

                      You need to define the additional tunnel networks as "Remote Networks" in the server configuration.

                      You can then assign static addresses to specific users using client-specific overrides and ifconfig-push

                      Cool, thank you.

                      I assume the appropriate option needs to be added in the "Custom options" tab in the "Advanced Configuration" section.
                      If so, do you have an example for adding an additional tunnel network?

                      EDIT:

                      Ok, I found the appropriate options here:
                      https://openvpn.net/index.php/open-source/documentation/howto.html#policy

                      If anyone has an idea how to configure the client specific overrides to get a dhcp address (instead of setting a static address) on an additional tunnel network, please let me know.
                      As described in the documention above, it's required to set a pair of ifconfig-push addresses (virtual client and server IP endpoints).

                      E.g.: ifconfig-push 10.8.1.1 10.8.1.2 (the first represents the client, second represents the server).

                      I found the same question in openvpn forum, but without an answer:
                      https://forums.openvpn.net/viewtopic.php?t=22525

                      1 Reply Last reply Reply Quote 0
                      • D
                        Derelict LAYER 8 Netgate
                        last edited by May 29, 2017, 2:54 PM

                        You referred to an article that referenced setting separate, static addresses. That's what was provided. I do not think there is another way to set another pool in a CSO. I could be wrong. I would just run another server for that.

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                        1 Reply Last reply Reply Quote 0
                        11 out of 11
                        • First post
                          11/11
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                          This community forum collects and processes your personal information.
                          consent.not_received