Multiple OpenVPN Server

Hi everyone

Is it possible to configure multiple OpenVPN roadwarrior servers on multiple ports?

@Denis_Pollini

Hi

It is possible, I’m using 1194 (standard port), 1195 and 1198 for different purposes.

However, I’m not using NethServer as firewall, I’m using OPNsense.

I do have one case where OPNsense provides 2 differently configured OpenVPNs, and NethServer provides one (Using the ports above).

It should also be possible in NethServer, but you might need additional effort.
I think the GUI might be an issue…

My 2 cents
Andy

Hi Andy

My goal is to install and configure an OpenVPN server on a VPS in the cloud, to connect multiple clients to the OpenVPN server with the possibility to talk to other VPN clients, but I want to have a multiple-subnet network.

@Denis_Pollini

Hi Denis

I had a similar issue on my last NethServer (Installed last month…).
The server is hosted in Germany at Hetzner.
Hetzner provides a Dedicated Server, we installed Proxmox on top of Debian, then installed OPNsense (Main firewall) with two separate LAN connections (10.49.11.0/24 and 172.26.49.0/24).
My NethServer is on the 172.26.49.0 network.

I can reach this network with normal OpenVPN from OPNsense (Port 1194).
I can also connect using a Site2Site OpenVPN on the OPNsense (Port 1195).
I wanted a third OpenVPN network for direct and exclusive access to the 172.26.49.0 network, I set this up on NethServer. (Port 1198)

AFAIK, NethServer can do this also (several OpenVPNs with different ports), however this takes some manual configuring, as the GUI can only handle one standing OpenVPN configuration.

OPNsense can handle as many OpenVPNs as you need, or have available ports for…
But as I’m here on the NethServer forum, I also wanted one on NethServer. 🙂

Configuring multiple Subnets is also a challenge for the OpenVPN GUI in NethServer.

Maybe the free version of Pritunl could cover you with a quick & comfortable install - I’m thinking of using that for larger installations…

My 2 cents
Andy

This is my Home Setup (OPNsense):
One OpenVPN for Roadwarriors, the other is for Site2Site connections.

Note:
I often use a parallel IPsec V2 based VPN for Site2Site, only not all sites can use IPsec. For Example, in Germany, as it’s hard to use bridging for the routers, almost always uses OpenVPN except for larger companies / Institutions…

OPNsense is quite different from NethServer, also it’s based on hardened BSD. But it might still help to see how ports and networks are used…

Security:
DH: 4096
Encryption: AES-256-GCM
Auth/Digest: SHA512
Strict adherence to certs configured!

How do you plan / intend to use this?

I want one OpenVPN server with this subnet 10.0.0.0 and the second server with 10.0.1.0,

so that clients connected to the 1st OpenVPN server cannot reach the clients connected to the 2nd OpenVPN server.

But I want the clients connected to a server to be able to talk to each other.

This scenario works with OpenVPN…
However: Client - Client connections can only work when both are using the same VPN connection.

In your scenario, a user connecting with OpenVPN to 10.0.0.0 cannot communicate with a client using the VPN to 10.0.1.0.
As this AFAIK is done by providing a different subnet (/24 instead of /29) in the OpenVPN network. This would not work using two different networks.

If using an additional Radius Server (Software!) this would be possible using a single OpenVPN.
Radius allows each individual user to be connected to specific target networks, and can specify more, like interconnection of clients, transfer speed, used IPs… But Radius makes things much more complex, and is not available out of the box on NethServer… 🙁

So

I need to create two server config files like this:

Server1.conf:
port 1194
proto udp
dev tun
server 10.0.0.0 255.255.255.0

Server2.conf:
port 1195
proto udp
dev tun
server 10.0.1.0 255.255.255.0

Essentially yes!

However I must confess I have no idea how (to start it) and where to place those files… 🙂

My 2 cents
Andy

Place the files in /etc/openvpn/server

Activate/start/etc with systemctl: systemctl enable|start|stop|etc openvpn-server@<name without .conf>

Cheers.

Hi eddie

Can you explain step by step how to do that? I have enabled an OpenVPN Roadwarrior in NethServer and it works. If I want another OpenVPN Roadwarrior server with a different subnet, what are the steps to do?

I tried to make a copy of a server conf file, but I can’t see another Roadwarrior server in the GUI?

Is it not possible to manage the 2nd OpenVPN Roadwarrior server in the Cockpit GUI?

Only from command line?

Hi Denis

Yes, unfortunately, the GUI can only handle one GUI, AFAIK…

My 2 cents
Andy

Some perspective from my end: I too was trying to get multiple NethServer Road Warrior connections for different uses and found that trying to make a tool do something it wasn’t naturally designed to do caused more issues than it helped. @Andy_Wismer’s suggestion of using OPNsense or pfSense in my opinion is probably the better solution for what you are trying to achieve.

Hi Andy

Is it possible to install Proxmox on top of Debian on a VPS and not a dedicated server?

@Denis_Pollini

Hi Denis

AFAIK no, as a VPS is already a VM, and usually “nested virtualization” is disabled.

Nested virtualization as such is cool, I installed a VMWare ESXi (To run Novell Netware for archive purposes - legal reasons.) on top of Proxmox, and it runs very well. Now I can do a live backup of the whole VMWare ESXi server! 🙂

You may have to enquire at your hoster, quite a few will give you a decent upgrade to a dedicated server for a good price - but I’d suggest calling them… Some can enable nested virtualization, AFAIK…

I installed Proxmox at Hetzner in Germany 4 weeks ago, on a dedicated Server (8 cores, 64 GB RAM, SSD for OS, 2x4 TB Disks for VMs).
Backup is on another dedicated Server, running with Proxmox Backup Server.

My 2 cents
Andy

PS:

I can help you if you want to install Proxmox, OPNsense and NethServer on a hosted Debian.
Send me a PM before you’re quite ready… 🙂

@Denis_Pollini As @Andy_Wismer pointed out above, you have to manage any other OpenVPN instances outside of the UI.

All the information you need is above. You need to put the .conf file in the /etc/openvpn/server directory and then use systemctl to control it.

Oh, and you need to open the port in the red interface.

Cheers.
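
The setup discussed in this thread, as an added example (not code posted by any participant): it writes the two instance files meant for /etc/openvpn/server, with `client-to-client` so clients of one instance can reach each other, and prints the systemctl commands plus firewall rules that keep 10.0.0.0/24 and 10.0.1.0/24 apart. The PKI paths, the output directory and the generic `iptables` rules are assumptions; on NethServer the equivalent rule belongs in its own firewall configuration, and both UDP ports still have to be opened on the red interface.

```shell
#!/bin/sh
# Added example. Assumed: names server1/server2, PKI paths, iptables rules.

write_instance() {  # usage: write_instance DIR NAME PORT NETWORK
    mkdir -p "$1"
    cat > "$1/$2.conf" <<EOF
port $3
proto udp
dev tun
topology subnet
server $4 255.255.255.0
# Clients of this instance reach each other; handled inside this OpenVPN process
client-to-client
# Placeholder PKI paths, relative to /etc/openvpn/server. A separate CA per
# instance stops a certificate issued for one VPN from logging in to the other.
ca $2/ca.crt
cert $2/server.crt
key $2/server.key
dh $2/dh.pem
# Cipher and digest as listed under Security in the thread
cipher AES-256-GCM
auth SHA512
keepalive 10 60
persist-key
persist-tun
EOF
}

# Fails if two instances share a port or a tunnel network (exact match only).
check_distinct() {
    for key in port server; do
        dup=$(grep -h "^$key " "$1"/*.conf | sort | uniq -d)
        [ -z "$dup" ] || { echo "duplicate: $dup" >&2; return 1; }
    done
}

# Commands to run as root after reviewing and copying the generated files.
activation_commands() {
    cat <<'EOF'
systemctl enable --now openvpn-server@server1 openvpn-server@server2
# Traffic between the two VPNs is forwarded by the kernel, so drop it there:
iptables -I FORWARD -s 10.0.0.0/24 -d 10.0.1.0/24 -j DROP
iptables -I FORWARD -s 10.0.1.0/24 -d 10.0.0.0/24 -j DROP
EOF
}

OUT=${OUT:-$(mktemp -d)}   # review here, then copy to /etc/openvpn/server
write_instance "$OUT" server1 1194 10.0.0.0
write_instance "$OUT" server2 1195 10.0.1.0
check_distinct "$OUT" && echo "configs written to $OUT" && activation_commands
```

The DROP rules matter even though neither server pushes a route to the other subnet, because a client can add that route itself.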

Hi all here

Just as closing info:

The problem as such is solved now with a Proxmox and a VM running OPNsense.
This whole setup is hosted. NethServers will be at the clients site.

This at least allows a nice GUI showing who is connected - and to which VPN… 🙂

My 2 cents
Andy

yes very nice GUI