[SOLVED] Network settings in OpenVPN and firewall

Jason.nix · 01-06-2024, 05:34 AM

Hello,
1- Is it possible to run all OpenVPN servers on one port? I currently have an OpenVPN server running with an IP address range of 20.20.0.0 on port 2024, now I want to run another server with a different IP address range on the same port as before.

2- Should every OpenVPN server have its own TUN? Can't run all servers on one TUN?

3- I found the following firewall rules on the internet:

Code:

# IF_MAIN=NIC_Name
# IF_TUNNEL=tun0
# YOUR_OPENVPN_SUBNET=10.10.0.0/16
# iptables -I INPUT -p udp --dport 2024 -j ACCEPT
# iptables -A FORWARD -i $IF_MAIN -o $IF_TUNNEL -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j ACCEPT
# iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j MASQUERADE

Do I have to repeat the above firewall rules for each server?

Thanks.

sundialsvcs · 01-12-2024, 01:09 PM

You don’t run “multiple servers.” Instead, you configure the one server to host multiple virtual subnets.

VPNs customarily use the “UDP” (not “TCP/IP”) at a well-known port number. Do not tamper with these rules.

Note that my response is based on uncertainty as to whether “server” refers to a computer or a process. On each computer there should be only one process.

Further uncertainty for me: “20…” is not a “non-routable address range.”

rkelsen · 01-12-2024, 03:15 PM

The answers you seek: https://openvpn.net/faq/can-i-run-mu...ingle-machine/

If you use TLS-Auth, OpenVPN will reject all packets without a matching certificate.

Jason.nix · 01-15-2024, 01:05 AM

Quote:

Originally Posted by rkelsen

The answers you seek: https://openvpn.net/faq/can-i-run-mu...ingle-machine/

If you use TLS-Auth, OpenVPN will reject all packets without a matching certificate.

Hello,
Thank you so much for your reply.
According to the following quote from the above URL, each server should have its own unique port and TUN:

Quote:

If you are running 2 or more OpenVPN instances on the same machine, you will need a separate virtual TUN/TAP adapter and a separate port (using the port directive) for each instance.