Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    One OpenVPN server instance with multiple tunnel networks

    Scheduled Pinned Locked Moved OpenVPN
    11 Posts 4 Posters 5.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      snow
      last edited by

      Hi guys,

      Would it be possible to run one OpenVPN server instance with multiple tunnel networks?
      In the OpenVPN settings under > Tunnel Settings > IPv4 Tunnel Network, there can be set only one tunnel network (e.g. IPV4).

      If possible, this would be a great benefit for me because it would be easy to create the appropriate firewall rules for specific users and groups based on different tunnel networks.

      We are currently using IPFire for OpenVPN connections and with this solution it's possible.
      The appropriate function is called "Static IP address pools":
      http://wiki.ipfire.org/en/configuration/services/openvpn/config/static_ip

      Thanks in advance,
      snow

      1 Reply Last reply Reply Quote 0
      • PippinP
        Pippin
        last edited by

        Create OpenVPN instances as much as you have groups of users.

        I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
        Halton Arp

        1 Reply Last reply Reply Quote 0
        • S
          snow
          last edited by

          @Pippin:

          Create OpenVPN instances as much as you have groups of users.

          Cool

          Can I use same port for each of the instances (e.g. 1194/UDP)?

          1 Reply Last reply Reply Quote 0
          • S
            snow
            last edited by

            Seems to be it's not working when using same port/proto combination for multiple server instances:

            When starting the second server with same port/proto the following error occurs in OpenVPN log:
            TCP/UDP: Socket bind failed on local address [AF_INET]x.x.x.x:1194: Address already in use

            Is there any chance to get this working anyway?

            1 Reply Last reply Reply Quote 0
            • V
              viragomann
              last edited by

              Use a different port for each instance.

              1 Reply Last reply Reply Quote 0
              • S
                snow
                last edited by

                @viragomann:

                Use a different port for each instance.

                Yes that's working well, but would it be working anyway with same port/proto?

                1 Reply Last reply Reply Quote 0
                • V
                  viragomann
                  last edited by

                  No, you cannot use equal address-port combinations for multiple services.
                  Each service instance listening to network connection must have a unique address-port combination. This is a general law, not only aply to pfSense.

                  1 Reply Last reply Reply Quote 0
                  • S
                    snow
                    last edited by

                    @viragomann:

                    No, you cannot use equal address-port combinations for multiple services.
                    Each service instance listening to network connection must have a unique address-port combination. This is a general law, not only aply to pfSense.

                    Ok, I understand that unique address-port combination is required.

                    But would it be possible to bind multiple tunnel networks on one service instance?
                    With IPFire, it's possible:
                    http://wiki.ipfire.org/en/configuration/services/openvpn/config/static_ip

                    1 Reply Last reply Reply Quote 0
                    • DerelictD
                      Derelict LAYER 8 Netgate
                      last edited by

                      Yes.

                      You need to define the additional tunnel networks as "Remote Networks" in the server configuration.

                      You can then assign static addresses to specific users using client-specific overrides and ifconfig-push

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      1 Reply Last reply Reply Quote 0
                      • S
                        snow
                        last edited by

                        @Derelict:

                        Yes.

                        You need to define the additional tunnel networks as "Remote Networks" in the server configuration.

                        You can then assign static addresses to specific users using client-specific overrides and ifconfig-push

                        Cool, thank you.

                        I assume the appropriate option needs to be added in the "Custom options" tab in the "Advanced Configuration" section.
                        If so, do you have an example for adding an additional tunnel network?

                        EDIT:

                        Ok, I found the appropriate options here:
                        https://openvpn.net/index.php/open-source/documentation/howto.html#policy

                        If anyone has an idea how to configure the client specific overrides to get a dhcp address (instead of setting a static address) on an additional tunnel network, please let me know.
                        As described in the documention above, it's required to set a pair of ifconfig-push addresses (virtual client and server IP endpoints).

                        E.g.: ifconfig-push 10.8.1.1 10.8.1.2 (the first represents the client, second represents the server).

                        I found the same question in openvpn forum, but without an answer:
                        https://forums.openvpn.net/viewtopic.php?t=22525

                        1 Reply Last reply Reply Quote 0
                        • DerelictD
                          Derelict LAYER 8 Netgate
                          last edited by

                          You referred to an article that referenced setting separate, static addresses. That's what was provided. I do not think there is another way to set another pool in a CSO. I could be wrong. I would just run another server for that.

                          Chattanooga, Tennessee, USA
                          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                          Do Not Chat For Help! NO_WAN_EGRESS(TM)

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.