OpenVPN - multiple instances



  • Hello,

    I'm testing OpenVPN instance as remote access for users. This pfSense test installation uses dual WAN config (on 2 x DSL links).
    First, I see that "passtos" option is invalid for Windows client. Shouldn't be even available on server config page "Set the TOS IP header value of tunnel packets to match the encapsulated packet value." But ok, this can be disabled and go on.
    Now I'm thinking about.. how to configure 2 OpenVPN instances for both WANs and use shared certificates?
    Yes, I can run Wizard twice and it will create 2 servers, but both will use 2 server certificates, one per one. Second thing is that probably have to use different IP pools, because of possible IP conflicts for clients.
    Now, when I choose in User Manager both certificates for both OpenVPN instances for user it creates 2 x NEW "CA" with name LDAP. And this is causing user to not show up on "OpenVPN: Client Export Utility" page, have to manually change Server certificate to LDAP.
    And there is another thing: how to create installer with 2 configurations (for example for Windows)? (Probably have to manually copy config files for the second instance)

    Can I just use single CA, single server certificate and single IP client subnet for multiple OpenVPN instances?

  • Why no answer? Nobody wants to create VPN server for multiple WANs? Can't believe it… :)



  • @TooMeeK:

    First, I see that "passtos" option is invalid for Windows client. Shouldn't be even available on server config page "Set the TOS IP header value of tunnel packets to match the encapsulated packet value."

    There are tons of scenarios that don't use any Windows clients. It's there for good reason.

    @TooMeeK:

    Now I'm thinking about.. how to configure 2 OpenVPN instances for both WANs and use shared certificates?
    Yes, I can run Wizard twice and it will create 2 servers, but both will use 2 server certificates, one per one. Second thing is that probably have to use different IP pools, because of possible IP conflicts for clients.

    You can choose existing CA and certs in the wizard, or create the server manually.

