    One OpenVPN server instance with multiple tunnel networks

    OpenVPN
snow:

Hi guys,

Would it be possible to run one OpenVPN server instance with multiple tunnel networks?
In the OpenVPN settings under > Tunnel Settings > IPv4 Tunnel Network, only one tunnel network (e.g. IPv4) can be set.

If possible, this would be a great benefit for me because it would be easy to create the appropriate firewall rules for specific users and groups based on different tunnel networks.

We are currently using IPFire for OpenVPN connections and with this solution it's possible.
The appropriate function is called "Static IP address pools":
http://wiki.ipfire.org/en/configuration/services/openvpn/config/static_ip

Thanks in advance,
snow
Pippin:

Create as many OpenVPN instances as you have groups of users.
snow:

@Pippin:

Create as many OpenVPN instances as you have groups of users.

Cool

Can I use the same port for each of the instances (e.g. 1194/UDP)?
snow:

It seems it's not working when using the same port/proto combination for multiple server instances:

When starting the second server with the same port/proto, the following error occurs in the OpenVPN log:
TCP/UDP: Socket bind failed on local address [AF_INET]x.x.x.x:1194: Address already in use

Is there any chance to get this working anyway?
viragomann:

Use a different port for each instance.
snow:

@viragomann:

Use a different port for each instance.

Yes, that's working well, but would it work with the same port/proto anyway?
viragomann:

No, you cannot use equal address-port combinations for multiple services.
Each service instance listening for network connections must have a unique address-port combination. This is a general law, not only applying to pfSense.
snow:

@viragomann:

No, you cannot use equal address-port combinations for multiple services.
Each service instance listening for network connections must have a unique address-port combination. This is a general law, not only applying to pfSense.

Ok, I understand that a unique address-port combination is required.

But would it be possible to bind multiple tunnel networks on one service instance?
With IPFire, it's possible:
http://wiki.ipfire.org/en/configuration/services/openvpn/config/static_ip
Derelict (Netgate):

Yes.

You need to define the additional tunnel networks as "Remote Networks" in the server configuration.

You can then assign static addresses to specific users using client-specific overrides and ifconfig-push.
snow:

@Derelict:

Yes.

You need to define the additional tunnel networks as "Remote Networks" in the server configuration.

You can then assign static addresses to specific users using client-specific overrides and ifconfig-push.

Cool, thank you.

I assume the appropriate option needs to be added in the "Custom options" tab in the "Advanced Configuration" section.
If so, do you have an example for adding an additional tunnel network?

EDIT:

Ok, I found the appropriate options here:
https://openvpn.net/index.php/open-source/documentation/howto.html#policy

If anyone has an idea how to configure the client-specific overrides to get a DHCP address (instead of setting a static address) on an additional tunnel network, please let me know.
As described in the documentation above, it's required to set a pair of ifconfig-push addresses (virtual client and server IP endpoints).

E.g.: ifconfig-push 10.8.1.1 10.8.1.2 (the first represents the client, the second represents the server).

I found the same question in the OpenVPN forum, but without an answer:
https://forums.openvpn.net/viewtopic.php?t=22525
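To make Derelict's advice and the ifconfig-push pairs from the linked howto concrete, here is an added Python example (not code from the thread, from pfSense or from OpenVPN) that emits the server-side route line for each additional tunnel network and one static ifconfig-push override per user, carving net30 client/server pairs out of each group's subnet so that every group lands in its own range for the firewall rules; the group names, user names and the 10.8.x.0/24 networks are constructed sample values.

```python
import ipaddress


def net30_pairs(tunnel_net):
    """Yield (client, server) endpoint pairs for ifconfig-push in the default net30
    topology: each /30 carved out of the tunnel network serves one client, the lower
    usable host being the client endpoint and the upper one the server endpoint."""
    net = ipaddress.ip_network(tunnel_net, strict=True)
    for sub in net.subnets(new_prefix=30):
        lo, hi = sub.hosts()  # e.g. 10.8.1.1 and 10.8.1.2 for 10.8.1.0/30
        yield str(lo), str(hi)


def valid_net30_pair(client, server):
    """True if client/server is a usable net30 pair ([1,2], [5,6], [9,10], ...)."""
    c, s = ipaddress.ip_address(client), ipaddress.ip_address(server)
    sub = ipaddress.ip_network(f"{c}/30", strict=False)
    return list(sub.hosts()) == [c, s]


def build_configs(groups):
    """groups maps a group name to (additional tunnel network, [usernames]).
    Returns the server-side route lines and one ifconfig-push line per user,
    i.e. the body of that user's client-specific override."""
    server_lines, overrides = [], {}
    for group, (tunnel_net, users) in groups.items():
        net = ipaddress.ip_network(tunnel_net, strict=True)
        # Assumption: adding the network under "Remote Networks" on the server
        # results in a 'route' line like this one in the generated server config.
        server_lines.append(f"route {net.network_address} {net.netmask}")
        pairs = net30_pairs(tunnel_net)
        for user in users:
            try:
                client, server = next(pairs)
            except StopIteration:
                raise ValueError(f"{tunnel_net} has no free /30 left for {user} ({group})")
            overrides[user] = f"ifconfig-push {client} {server}"
    return server_lines, overrides


if __name__ == "__main__":
    # Constructed sample: two groups, each with its own additional tunnel network.
    sample = {"admins": ("10.8.1.0/24", ["alice", "bob"]),
              "contractors": ("10.8.2.0/24", ["carol"])}
    routes, csos = build_configs(sample)
    print("\n".join(routes))
    for user, line in csos.items():
        print(f"{user}: {line}")
```

In `topology subnet` mode the second ifconfig-push argument is a netmask rather than the server endpoint, so the pairs generated here apply only to the default net30 topology the howto example uses.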
Derelict (Netgate):

You referred to an article that referenced setting separate, static addresses. That's what was provided. I do not think there is another way to set another pool in a CSO. I could be wrong. I would just run another server for that.