OPNsense Forum

English Forums => General Discussion => Topic started by: malecoda on February 16, 2019, 03:24:08 am

Title: OpenVPN Multiple Servers/Ports Difficulty
Post by: malecoda on February 16, 2019, 03:24:08 am
OPNsense 18.7.10
I created a VPN Connection with nearly default settings (allow inter client communication and changed encryption) and was able to connect without issue on 1194. Due to some site specific connectivity issues I decided to also run a server on TCP 443. My first clumsy attempt I copied the config of the first server and changed the port. I was able to connect on both ports, but one of the ports passed no traffic in either direction. Stopping the server on 1194 and restarting the server on TCP443 allowed me to connect. Upon starting 1194 I was able to connect, but no traffic.

For my second attempt, I ran the config wizard again (all default settings) and created another cert. Still nothing. Then I assigned a different subnet and now both are working at the same time.

I now suspect it could have something to do with tap/tun (currently tun) or the topology option (currently unchecked)?

Is it possible to connect with the same cert on the same subnet? The client only connects to one port at a time. If so, what settings do I need to edit to run multiple OpenVPN servers on the same subnet?

Thanks for any suggestions!

Edit: Got something working for now. Still tun, topology checked, Assigned a different /28 to each server. Still wondering if it is possible to assign both servers the same subnet?
Title: Re: OpenVPN Multiple Servers/Ports Difficulty
Post by: Antaris on February 18, 2019, 10:29:53 pm
First of all, always change the default port (as a security measure) and try not to assign already-used ports on either side of the router.
Is more than one VPN server needed to access different parts of the internal network, or is one site-to-site and the other for road warriors (single clients)?
And yes, they can share a single SSL certificate.
At my shop I have one for road warriors to access the entire network, and another for clients to access only a specific server. They are on high random ports (10000-50000) and both work without issues.
Title: Re: OpenVPN Multiple Servers/Ports Difficulty
Post by: bartjsmit on February 18, 2019, 10:48:25 pm
Still wondering if it is possible to assign both servers the same subnet?

Short answer - no. Each tunnel needs to have its own subnet.

Long answer - why would you run two servers and apply the same security policy to them? You may be able to create a bridge between two TAP tunnels but that's an awful lot of complexity and you would need a good reason for it.

Bart...
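The rule in the reply above (one tunnel subnet per server instance) and the client-side fallback the thread is after, as an added example. This is not code from the thread or from OPNsense, which generates the instance configs itself; the config text, the 10.8.0.0/28 and 10.8.0.16/28 pools, the /var/etc paths and the hostname vpn.example.com are assumptions. The capacity check also shows why the topology checkbox matters on a /28: with the default net30 topology a /28 holds only three clients.

```python
"""Check that several OpenVPN server instances can run side by side.

Added example for this thread; it is not code from OPNsense or from the
thread's posters. OPNsense writes the real instance configs itself, so the
config texts here are constructed to mirror the thread: one instance on UDP
1194, one on TCP 443, both 'dev tun', both using the same CA and server
certificate (which OpenVPN allows), and either a shared or a distinct tunnel
subnet. Only the directives the checks need are parsed.
"""
import ipaddress

# Constructed instance configs. Directive names are real OpenVPN ones; the
# addresses, hostname and file paths are assumptions for the example.
BROKEN_PAIR = [
    "dev tun\nproto udp\nport 1194\ntopology subnet\n"
    "server 10.8.0.0 255.255.255.240\n"
    "ca /var/etc/ca.crt\ncert /var/etc/server.crt\nkey /var/etc/server.key\n",
    "dev tun\nproto tcp\nport 443\ntopology subnet\n"
    "server 10.8.0.0 255.255.255.240\n"  # same pool as the first instance
    "ca /var/etc/ca.crt\ncert /var/etc/server.crt\nkey /var/etc/server.key\n",
]
FIXED_PAIR = [
    BROKEN_PAIR[0],
    BROKEN_PAIR[1].replace("server 10.8.0.0 ", "server 10.8.0.16 "),  # own /28
]


def parse(text):
    """Minimal OpenVPN config parser: directive -> list of arguments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, *args = line.split()
        cfg[directive] = args
    return cfg


def tunnel_net(cfg):
    """The address pool handed out by the 'server' directive, as a network."""
    net, mask = cfg["server"]
    return ipaddress.IPv4Network(f"{net}/{mask}", strict=True)


def client_capacity(cfg):
    """How many clients the pool can hold under the instance's topology.

    'topology subnet': one address per client; network, broadcast and the
    server's own address are reserved.  'topology net30' (OpenVPN's default
    when the option is unchecked): one /30 per client, the first /30 being
    the server's, so a /28 holds only three clients.
    """
    net = tunnel_net(cfg)
    topology = cfg.get("topology", ["net30"])[0]
    if topology == "subnet":
        return net.num_addresses - 3
    if topology == "net30":
        return net.num_addresses // 4 - 1
    raise ValueError(f"unsupported topology: {topology}")


def check_instances(texts):
    """Return the problems that stop the instances coexisting (empty = fine)."""
    cfgs = [parse(t) for t in texts]
    problems = []
    for i, a in enumerate(cfgs):
        if client_capacity(a) < 1:
            problems.append(f"instance {i}: pool {tunnel_net(a)} has no room for clients")
        for b in cfgs[i + 1:]:
            if tunnel_net(a).overlaps(tunnel_net(b)):
                problems.append(f"tunnel pools overlap: {tunnel_net(a)} and {tunnel_net(b)}")
            if a["proto"] == b["proto"] and a["port"] == b["port"]:
                problems.append(f"two instances bind {a['proto'][0]}/{a['port'][0]}")
    return problems


def client_profile(texts, server_host):
    """One client profile that tries every instance in turn (first listed first).

    A single profile works because the instances share 'dev' and the same CA;
    the per-remote protocol replaces a global 'proto' line.  'ca ca.crt' is
    the client's copy of that shared CA.
    """
    cfgs = [parse(t) for t in texts]
    if len({c["dev"][0] for c in cfgs}) != 1 or len({c["ca"][0] for c in cfgs}) != 1:
        raise ValueError("instances must share dev type and CA for one profile")
    lines = ["client", f"dev {cfgs[0]['dev'][0]}", "nobind", "persist-key", "persist-tun"]
    lines += [f"remote {server_host} {c['port'][0]} {c['proto'][0]}" for c in cfgs]
    lines += ["remote-cert-tls server", "ca ca.crt"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("broken pair:", check_instances(BROKEN_PAIR) or "ok")
    print("fixed pair:", check_instances(FIXED_PAIR) or "ok")
    print(client_profile(FIXED_PAIR, "vpn.example.com"))
```

The client profile lists the UDP 1194 remote first and the TCP 443 remote second, so a client on an open network takes the faster UDP path and one behind a locked-down wifi falls through to TCP 443; both instances authenticate the same client certificate because they share a CA.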
Title: Re: OpenVPN Multiple Servers/Ports Difficulty
Post by: malecoda on February 20, 2019, 12:43:09 am
Thanks for the response! That makes sense, I was just flailing my fingers around trying to get it to work. Most scenarios I found on the internet only described a single vpn connection.

There are two connections, 443/tcp for locked-down wifi and 1194/udp for a better connection. This is just a homelab setup with 3 users. I have already moved the OPNsense web UI to a different port.