2 OpenVPN servers on one IP address



  • Generic setup:
    Location1 - 2 ISPs - 2 OpenVPN Site2Site Connections - 1 per ISP - OpenVPN Server
    Location2 - 2 ISPs - 2 OpenVPN Site2Site Connections - 1 per ISP - OpenVPN Client

    We are using OpenVPN for site to site. We have 2 ISPs at both locations. We have 2 OpenVPN tunnels going both directions for redundancy, one on each ISP. We now want to add remote access for remote users on a different OpenVPN server. I did set up a new OpenVPN server using an existing IP address, which is being used by one of the site to site tunnels, but it crashed parts of the tunnel. We could ping and RDP from one location but not the other. So what is best practice for having two servers on 1 IP address?


  • Netgate Administrator

    Sure you can do that as long as the servers are running on different ports. Say 1194 (the default port) and 1195.

    Steve



  • I have it on a different port number. In Firewall > Rules > OpenVPN tab, when I add the Allow All rule it kills part of the site2site tunnel. Currently the OpenVPN tab is empty and the site2site works just fine. I can connect to the VPN remotely, but don't have access to any LAN networks.


  • Netgate Administrator

    Do you have assigned interfaces and policy routing?

    If you pass traffic on the OpenVPN tab rather than the assigned interface tab that traffic will not get the required reply-to tag on incoming states and return traffic may not know which tunnel to use.

    If you are adding rules to the OpenVPN tab to allow remote access users in make sure they have the tunnel network specified as the source so they don't catch site-2-site traffic too.

    Steve



  • Here is what I have, hope this helps. Device is a Netgate SG-2440, version 2.4.4.

    Location 1 Interfaces
    WAN - ISP-2 WAN
    LAN - LAN
    Opt1 - ISP-1 WAN
    Opt2 - Empty
    OVPN1 - Tunnel 1
    OVPN2 - Tunnel 2

    Firewall Rules

    WAN - ISP-2 WAN
    Protocol   Source          Port   Destination       Port    Gateway
    IPv4 UDP   Location2 ISP   ^      Location1 ISP-2   11194   ^         (Site2Site)
    IPv4 UDP   Location2 ISP   ^      Location1 ISP-2   11195   ^         (Site2Site)

    LAN
    Protocol   Source   Port   Destination            Port        Gateway
    ^          ^        ^      LAN                    443 80 22   ^
    IPv4*      ^        ^      OpenVPN Load Balance   ^           OpenVPN Load Balance

    Opt1 - WAN - ISP-1 WAN
    Protocol   Source          Port   Destination       Port    Gateway
    IPv4 UDP   Location2 ISP   ^      Location1 ISP-1   11194   ^         (Site2Site)
    IPv4 UDP   Location2 ISP   ^      Location1 ISP-1   11195   ^         (Site2Site)
    IPv4 UDP   ^               ^      Location1 ISP-1   1194    ^         (OpenVPN for RemoteUsers)

    OVPN1 and OVPN2 (both set up the same)
    Protocol   Source   Port   Destination   Port   Gateway
    IPv4*      ^        ^      ^             ^      ^

    OpenVPN - Empty


  • Netgate Administrator

    Ok, yeah. So if you add a pass all rule on the OpenVPN tab it will break traffic coming from location two across the load-balanced OpenVPN pair.

    You need to either assign the remote access OpenVPN server and add the rules on the new interface tab created.
    Or add rules on the OpenVPN tab that catch only the remote access users by specifying the source subnet.

    Steve
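As an added illustration of the point Steve makes in both replies (this is not from the thread or from pfSense itself): pfSense evaluates interface-group rules, which is what the OpenVPN tab is, before the rules on an assigned interface's own tab, and only assigned-interface rules get reply-to. The tunnel networks, interface names and LAN subnet below are constructed placeholders; the model is a first-match evaluator showing which rule catches site-to-site traffic before and after scoping the remote-access rule's source.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholders (not the poster's real values):
# ovpns1/ovpns2 = the two site-to-site servers, assigned as OVPN1/OVPN2;
# ovpns3 = the new remote-access server, left unassigned.
OPENVPN_GROUP = {"ovpns1", "ovpns2", "ovpns3"}      # members of the OpenVPN tab
ASSIGNED = {"ovpns1": "OVPN1", "ovpns2": "OVPN2"}   # interface -> its own tab
REMOTE_ACCESS_TUNNEL = "10.0.10.0/24"               # remote-access tunnel network
LOCATION2_LAN_HOST = "192.168.2.10"                 # site-to-site traffic source
REMOTE_USER = "10.0.10.5"                           # remote-access client


@dataclass
class Rule:
    tab: str         # "OpenVPN" (the group tab) or an assigned interface tab
    src: str         # CIDR, or "any"
    reply_to: bool   # pfSense adds reply-to only to assigned-interface rules


def first_match(rules, iface, src_ip):
    """First rule passing a packet that enters iface from src_ip.
    Group (OpenVPN tab) rules are evaluated before the interface's own tab."""
    addr = ip_address(src_ip)
    ordered = [r for r in rules if r.tab == "OpenVPN" and iface in OPENVPN_GROUP]
    ordered += [r for r in rules if r.tab == ASSIGNED.get(iface)]
    for rule in ordered:
        if rule.src == "any" or addr in ip_network(rule.src):
            return rule
    return None                      # no pass rule: packet is blocked


def return_path_pinned(rules, iface, src_ip):
    """True only if the matching rule carries reply-to, so replies go back
    out the tunnel they arrived on instead of following the routing table
    (which here points at the load-balanced gateway group)."""
    rule = first_match(rules, iface, src_ip)
    return rule is not None and rule.reply_to


SITE_TO_SITE_RULES = [Rule("OVPN1", "any", True), Rule("OVPN2", "any", True)]

def broken_ruleset():
    # "Allow All" on the OpenVPN tab: catches site-to-site traffic too.
    return SITE_TO_SITE_RULES + [Rule("OpenVPN", "any", False)]

def fixed_ruleset():
    # Source limited to the remote-access tunnel network, as advised above.
    return SITE_TO_SITE_RULES + [Rule("OpenVPN", REMOTE_ACCESS_TUNNEL, False)]
```

With the scoped rule, a packet from the remote-access server that is not from the tunnel network matches nothing and is blocked, which is the intended behaviour for that tab.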

