Posted: Wed May 05, 2021 19:41 Post subject: Running Multiple Instances of OpenVPN SERVER
Hi there! Hope everyone is doing OK.
So what I'm trying to do is pretty simple, title pretty much explains it.
I'd like to link five locations together using a site-to-site VPN.
I already have the OpenVPN server configured but would like to start another for other mobile clients to take advantage of some of these dual-core routers.
The first thing I did was dump the same OpenVPN server config out and switch to running the server in Daemon mode.
Stock/built-in OpenVPN server config is as follows (confirmed working from the GUI first):
Code:
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
Posted: Thu May 06, 2021 10:41 Post subject: Running Multiple Instances of OpenVPN SERVER
I'm experimenting on the R6400v2 still. Firmware: DD-WRT v3.0-r44715
The config is not 100% stock because it includes some other routes and settings I originally had in the 'Additional Config' box that I put in myself.
But I know it 100% works as an OpenVPN config because... well... I was using it in 'server mode' before switching to Daemon. My apologies: I said 'stock', but I just meant to convey that the config was used in the built-in DD-WRT GUI OpenVPN server page.
I even made sure it works for sure by restoring default settings and copying this exact config directly into Daemon mode without using any of the selections/checkboxes from server mode.
Also, I haven't looked into WireGuard yet, but I'm not entirely opposed to switching away from OpenVPN. It's just that for the last two weeks I've already spent so much time learning how to tweak OpenVPN that I'd prefer to keep using it.
I don't actually have a problem setting up any simple OpenVPN server seeing as I have all the configs backed up, I just want to be able to take advantage of the second core on these dual-core routers.
The other reason is I plan on using one of the servers for linking the five site-to-site locations. Then the second server will be used for mobile clients, and I want them all to be able to communicate with each other, but I'm not sure I can do that with a mix of OpenVPN and WireGuard.
i.e. Router LAN subnet is 10.1.11.0/24 and OpenVPN server 1 is 10.19.97.0/24. OpenVPN server 2 is 10.19.98.0/24.
Other sites will be 10.1.12.0, 10.1.13.0, etc., and they will all be connected to OpenVPN server 1.
Mobile clients and 'road warriors' will be connected to Server 2.
Is this possible? Have you faced any issues starting up a second server via SSH when calling the /usr/sbin/openvpn binary directly?
Judging by what you are saying, it seems as though this was possible in previous builds, but maybe it's no longer possible.
Joined: 18 Mar 2014 Posts: 12840 Location: Netherlands
Posted: Thu May 06, 2021 11:10 Post subject:
It is definitely possible; as a quick test I pulled out the files I used for that:
Code:
4347 root 0 SW [kworker/1:1]
4983 root 0 SW [kworker/0:2]
5045 root 3424 S /tmp/openvpnserver --config /tmp/openvpn/openvpn.conf --daemon
5061 root 3424 S /tmp/openvpnserveregc --config /jffs/openvpn/openvpn-egc.conf --daemon
5062 root 788 S /sbin/hotplug2 --set-rules-file /etc/hotplug2.rules --persistent
5086 root 1436 R ps
root@R6400v2:/tmp#
But I see some unexpected things in your config like
remote-cert-tls client
syslog should show what is going on and why the server will not start.
Of course you also have to deal with firewall settings (open port, etc.).
Attached are the files I used. You need a USB stick; make a partition /jffs, copy all the files to /jffs/openvpn and take it from there.
All the *.sh files should be made executable.
Add your own ca, server cert and key in the respective files.
You can start up with /jffs/openvpn/start-vpnsrv.sh
The route up and down scripts should take care of the firewall rules.
I have not tested it other than that it runs.
You can connect to the management interface with:
Quote:
telnet localhost 15
then do something like:
Quote:
log 20
or
Quote:
log on
Oh, and more important: you should upgrade to the most recent build, 46446.
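An added example (not from the thread or from DD-WRT) of the two-daemon setup the thread describes: one server for the site-to-site links and one for mobile clients, each with its own tun device, port, address pool and management port, plus a check that the two configs cannot collide before either daemon is launched. The /jffs/openvpn layout, cert file names, ports 1194/1195 and the pushed routes are assumptions; the subnets are the ones given above.

```shell
#!/bin/sh
# Added example (not from the thread): two independent OpenVPN server daemons on
# DD-WRT, one for the site-to-site links, one for mobile clients. Paths under
# /jffs/openvpn, cert file names and the pushed routes are assumptions.
OVPN_BIN=/usr/sbin/openvpn   # binary path named in the thread
OVPN_DIR=/jffs/openvpn       # assumed: USB stick mounted at /jffs
# gen_server_conf NAME TUN_DEV PORT POOL_NET MGMT_PORT [PUSH_NET ...]
# Prints one server config; every value except NAME must differ per instance.
gen_server_conf() {
    name=$1; dev=$2; port=$3; pool=$4; mgmt=$5; shift 5
    printf '%s\n' "dev $dev" "proto udp" "port $port" \
        "server $pool 255.255.255.0" "topology subnet" \
        "management 127.0.0.1 $mgmt" \
        "dh $OVPN_DIR/dh.pem" "ca $OVPN_DIR/ca.crt" \
        "cert $OVPN_DIR/$name.crt" "key $OVPN_DIR/$name.key" \
        "ifconfig-pool-persist $OVPN_DIR/ipp-$name.txt" \
        "status /tmp/openvpn-$name.status 10" \
        "keepalive 10 60" "persist-key" "persist-tun"
    for net in "$@"; do   # LANs the clients should reach through this tunnel
        printf 'push "route %s 255.255.255.0"\n' "$net"
    done
}

# conf_line FILE KEY -> first directive line whose keyword is KEY
conf_line() { awk -v k="$2" '$1 == k { print; exit }' "$1"; }

# check_distinct CONF_A CONF_B -> 0 if the two daemons can coexist, 1 if any of
# tun device, port, address pool or management socket would collide
check_distinct() {
    for key in dev port server management; do
        [ "$(conf_line "$1" "$key")" != "$(conf_line "$2" "$key")" ] || return 1
    done
}

# start_instance NAME CONF: mirrors the thread's `openvpn --config ... --daemon`
start_instance() {
    "$OVPN_BIN" --config "$2" --daemon "openvpn-$1" --writepid "/var/run/openvpn-$1.pid"
}

# Subnets are the thread's: sites 10.1.12.0/10.1.13.0 join server 1, road
# warriors server 2; both get routes to the router LAN and the other sites.
# (Server 1 still needs per-site route/iroute entries via client-config-dir.)
deploy() {
    gen_server_conf sites  tun0 1194 10.19.97.0 15 10.1.11.0 10.1.12.0 10.1.13.0 > "$OVPN_DIR/sites.conf"
    gen_server_conf mobile tun1 1195 10.19.98.0 16 10.1.11.0 10.1.12.0 10.1.13.0 > "$OVPN_DIR/mobile.conf"
    check_distinct "$OVPN_DIR/sites.conf" "$OVPN_DIR/mobile.conf" || { echo "instance collision"; return 1; }
    start_instance sites  "$OVPN_DIR/sites.conf"
    start_instance mobile "$OVPN_DIR/mobile.conf"
}
if [ "${1:-}" = deploy ]; then deploy; fi   # run as: sh multi-openvpn.sh deploy
```

With both daemons up, `telnet localhost 15` and `telnet localhost 16` reach the two management interfaces separately, which is the quickest way to see why one of them did not start.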
Posted: Sat May 08, 2021 20:02 Post subject: Awesome!
Thanks for the files and example. I haven't been able to get it working for now, and have switched to an old quad-core computer for hosting as it's faster anyway. It's also slightly easier to troubleshoot and learn because it's running on Ubuntu, so there's plenty of documentation.
But I'll definitely experiment more and see if I can get it running and report back when I'm a little more free! I've already spent almost 2 weeks tinkering with all this network stuff, brain is a bit overloaded.
But it has not been looked at/updated, so it might not work without tweaking.
At one time I contemplated adding multiple clients/servers in the GUI, but as we want OpenVPN to run in 8 MB flash routers that was not possible (and with 32 KB nvram there also is no room for all the keys/certs).
Besides, it needed a whole rewrite of the GUI. Of course we could then use the old VPN for low-end routers and a newly written VPN for higher-end routers, but frankly that would end up in an administrative nightmare, and now with WireGuard we have an excellent alternative to run as many tunnels as you want.