Running Multiple Instances of OpenVPN SERVER

strwbrrysam
DD-WRT Novice


Joined: 16 Apr 2021
Posts: 29

PostPosted: Wed May 05, 2021 19:41    Post subject: Running Multiple Instances of OpenVPN SERVER
Hi there! Hope everyone is doing OK.
So what I'm trying to do is pretty simple; the title pretty much explains it.
I'd like to link five locations together using a site-to-site VPN.

I already have the OpenVPN server configured but would like to start another for other mobile clients to take advantage of some of these dual-core routers.

The first thing I did was dump the same OpenVPN server config out and switched to running the server in Daemon mode.

Stock/Builtin openvpn server config is as follows (confirmed working from GUI first):
Code:
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

keepalive 10 120
verb 3
mute 3
syslog

status /tmp/openvpn/openvpn-status.log 5

topology subnet
script-security 2

port 443
proto udp4

cipher AES-128-GCM
auth sha256
tls-server
client-to-client
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
fast-io
tun-mtu 1500
mtu-disc yes
server 10.19.97.0 255.255.255.0
dev tun0
tls-crypt /tmp/openvpn/ta.key
push "route 10.3.11.0 255.255.255.0"
push "route 10.19.97.0 255.255.255.0"
socket-flags TCP_NODELAY
persist-key
tls-version-min 1.2
remote-cert-tls client


After that I take this same config but make some changes to it so that I can run the server on a different port as well... so basically the following

Code:
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

keepalive 10 120
verb 3
mute 3
syslog

status /tmp/openvpn/openvpn2-status.log 5

topology subnet
script-security 2

port 1194
proto udp4

cipher AES-128-GCM
auth sha256
tls-server
client-to-client
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
fast-io
tun-mtu 1500
mtu-disc yes
server 10.19.98.0 255.255.255.0
dev tun1
tls-crypt /tmp/openvpn/ta.key
push "route 10.3.11.0 255.255.255.0"
push "route 10.19.98.0 255.255.255.0"
socket-flags TCP_NODELAY
persist-key
tls-version-min 1.2
remote-cert-tls client


As per some other guides, now it's time to save these to the router startup script because all user-generated files get deleted on reboot.

So I have the following in my startup commands...(again, this is the SECOND server config I am saving to the startup script)

Code:

cd /tmp

echo "
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

keepalive 10 120
verb 3
mute 3
syslog

status /tmp/openvpn/openvpn2-status.log 15

topology subnet
script-security 2

port 1194
proto udp4

cipher AES-128-GCM
auth sha256
tls-server
client-to-client
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
fast-io
tun-mtu 1500
mtu-disc yes
server 10.19.98.0 255.255.255.0
dev tun1
tls-crypt /tmp/openvpn/ta.key
push "route 10.3.11.0 255.255.255.0"
push "route 10.19.98.0 255.255.255.0"
socket-flags TCP_NODELAY
persist-key
tls-version-min 1.2
remote-cert-tls client
" > openvpn2.conf

/tmp/openvpnserver --mktun --dev tun1

sleep 15

/tmp/openvpnserver --config /tmp/openvpn2.conf --daemon


But after a reboot, the second daemon does not start.

Immediately after reboot, I SSH into the /tmp folder to confirm that after a few seconds, openvpn2.conf is being created successfully.

But monitoring the processes using
Code:
top -d 1
shows that only the stock/builtin daemon (server1) is running.

If I try to manually call the /tmp/openvpnserver binary again to run it inside of SSH I get no feedback.
Code:
top -d 1
does not even show any activity. The daemon simply does not launch. No log files show up, despite being specified in the server config file.

Is it even possible to do this inside of DD-WRT?

I took my inspiration from this very old thread https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=40540&highlight=tcp where other users have successfully done it but to me it seems like something has changed inside of DD-WRT.

You may have noticed they also created a new symlink from /usr/sbin/openvpn binary but this doesn't work either.

I have tried calling
Code:
/usr/sbin/openvpn
/tmp/openvpn
/tmp/openvpnserver

with
Code:
--config /tmp/openvpn2.conf --daemon

but nothing ever happens.

All I see is something similar to below...
Code:
root@CCAU-CBD:/tmp# ls
TZ                igmpproxy.conf    openvpn2
cron.d            loginprompt       openvpn2.conf
crontab           mnt               openvpnserver
ddns              nas.wl0.1lan.pid  ppp
dnsmasq.conf      nas.wl0lan.pid    resolv.conf
dnsmasq.leases    nas.wl1lan.pid    resolv.dnsmasq
eap_identities    nvram             root
etc               nvstate           services
firstrun          oet               var
hosts             openvpn           www
root@CCAU-CBD:/tmp# /tmp/openvpnserver --config /tmp/openvpn2.conf --daemon --verb 4
root@CCAU-CBD:/tmp#


I tried using --verb 4 for debug but again, nothing shows up.

Any ideas?

Thanks in advance :)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12814
Location: Netherlands

PostPosted: Thu May 06, 2021 10:10    Post subject:
I have done it in the past, but now I use WireGuard as the second server running, so you might consider that too.

I do see some settings in your config I would not expect. From what router model and build number is the original config coming?

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
strwbrrysam
DD-WRT Novice


Joined: 16 Apr 2021
Posts: 29

PostPosted: Thu May 06, 2021 10:41    Post subject: Running Multiple Instances of OpenVPN SERVER
I'm experimenting on the R6400v2 still. Firmware: DD-WRT v3.0-r44715

The config is not 100% stock because it includes some other routes and settings I originally had in the 'Additional Config' box that I put in myself.
But I know it 100% works as an OpenVPN config because... well... I was using it in 'server mode' before switching to Daemon. My apologies, I said 'stock' but I just meant to convey that the config was used in the 'builtin' DD-WRT GUI OpenVPN server page.

I even made sure it works for sure by restoring default settings and copying this exact config directly into Daemon mode without using any of the selections/checkboxes from server mode.

Also, I haven't looked into WireGuard yet, but I'm not entirely opposed to switching away from OpenVPN. It's just that for the last two weeks I've already spent so much time learning how to tweak OpenVPN that I'd prefer to keep using it.

I don't actually have a problem setting up any simple OpenVPN server seeing as I have all the configs backed up, I just want to be able to take advantage of the second core on these dual-core routers.

The other reason is I plan on using one of the servers for linking the five site-to-site locations. Then the second server will be used for mobile clients, and I want them all to be able to communicate with each other, but I'm not sure I can do that with a mix of OpenVPN and WireGuard.

i.e. Router LAN subnet is 10.1.11.0/24 and OpenVPN server 1 is 10.19.97.0/24. OpenVPN Server 2 is 10.19.98.0/24

Other sites will be 10.1.12.0, 10.1.13.0 etc. and they will all be connected to OpenVPN server 1.

Mobile clients and 'road warriors' will be connected to Server 2.

Is this possible? Have you faced any issues starting up a second server via SSH when calling the /usr/sbin/openvpn binary directly?

Judging by what you are saying it seems as though this was possible in previous builds, but maybe it's no longer possible.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12814
Location: Netherlands

PostPosted: Thu May 06, 2021 11:10    Post subject:
It is definitely possible; as a quick test I pulled out the files I used for that:
Code:
 4347 root         0 SW   [kworker/1:1]
 4983 root         0 SW   [kworker/0:2]
 5045 root      3424 S    /tmp/openvpnserver --config /tmp/openvpn/openvpn.conf --daemon
 5061 root      3424 S    /tmp/openvpnserveregc --config /jffs/openvpn/openvpn-egc.conf --daemon
 5062 root       788 S    /sbin/hotplug2 --set-rules-file /etc/hotplug2.rules --persistent
 5086 root      1436 R    ps
root@R6400v2:/tmp#


But I see some unexpected things in your config like
remote-cert-tls client

syslog should show what is going on and why the server will not start.

Of course you also have to deal with firewall settings (open port etc)

Attached are the files I used. You need a USB stick: make a partition /jffs, copy all the files to /jffs/openvpn
and take it from there.
All the *.sh files should be made executable.
Add your own ca, server cert and key in the respective files

You can start up with /jffs/openvpn/start-vpnsrv.sh
The route up and down scripts should take care of the firewall rules.

I have not tested it other than that it runs.

You can connect to the management interface with:
Quote:
telnet localhost 15

then do something like:
Quote:
log 20

or
Quote:
log on


Oh, and more importantly, you should upgrade to the most recent build, 46446.

To get the best out of DD-WRT and the forum, read the forum guidelines with helpful pointers:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

If you have not already read the forum guidelines, please do!!

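A startup script along the lines of the OP's, as an added example that is not part of the thread, of egc's attached files, or of DD-WRT itself. It renders the second server's config from per-instance parameters, refuses to start if that config collides with the first (GUI) server's on port, device, subnet, status file or management socket, launches the daemon with --writepid so the outcome can be checked instead of guessed, opens the firewall as egc says the route-up script must, and, when nothing comes up, shows what ps, netstat and syslog know. The binary path, certificate paths, subnets and pushed route are taken from the posts; /tmp/openvpn2, management port 16 and the syslog tag are assumptions.

```shell
#!/bin/sh
# Startup script for a SECOND OpenVPN server on DD-WRT (added example, not from
# the thread). Values marked ASSUMED are guesses; the rest follow the posts.

OVPN_BIN=/tmp/openvpnserver            # binary the OP launches by hand
FIRST_CONF=/tmp/openvpn/openvpn.conf   # first (GUI) server's config, per egc's ps listing
SECOND_DIR=/tmp/openvpn2               # ASSUMED: scratch dir for the second instance
SECOND_CONF=$SECOND_DIR/openvpn.conf
LAN_ROUTE="10.3.11.0 255.255.255.0"    # route the OP's config pushes to clients

# Print a server config to stdout. Certs, key and tls-crypt key are shared with the
# first server; every per-instance resource is a parameter (port, subnet, dev,
# status file, management port) so none can be copied over by accident.
render_conf() {
    cat <<EOF
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-crypt /tmp/openvpn/ta.key
port $1
proto udp4
dev $3
server $2 255.255.255.0
topology subnet
push "route $LAN_ROUTE"
push "route $2 255.255.255.0"
keepalive 10 120
cipher AES-128-GCM
auth sha256
tls-version-min 1.2
remote-cert-tls client
client-to-client
persist-key
verb 3
mute 3
syslog openvpn-$3
status $4 15
management 127.0.0.1 $5
EOF
}

# Arguments of the first occurrence of a directive: conf_value FILE port -> 443
conf_value() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Return 1 if the two configs claim a resource only one process can own.
# (A udp/tcp pair on one port would be legal; this is deliberately stricter.)
conf_conflicts() {
    rc=0
    for k in port dev server status management; do
        a=$(conf_value "$1" "$k")
        b=$(conf_value "$2" "$k")
        if [ -n "$a" ] && [ "$a" = "$b" ]; then
            echo "conflict: both configs use '$k $a'" >&2
            rc=1
        fi
    done
    return $rc
}

# The GUI only opens the firewall for the first server; do the same for ours.
open_firewall() {
    iptables -I INPUT -p udp --dport "$1" -j ACCEPT
    iptables -I FORWARD -i "$2" -j ACCEPT
    iptables -I FORWARD -o "$2" -j ACCEPT
}

# What to look at when the daemon "silently" does nothing: with --daemon the
# option and init errors go to syslog, which on DD-WRT is usually read with logread.
diagnose() {
    ps | grep '[o]penvpnserver'
    netstat -uln | grep ":$1 "
    logread 2>/dev/null | grep -i openvpn | tail -n 20
}

start_second_server() {
    mkdir -p "$SECOND_DIR"
    render_conf 1194 10.19.98.0 tun1 "$SECOND_DIR/status.log" 16 > "$SECOND_CONF"
    if [ -f "$FIRST_CONF" ] && ! conf_conflicts "$FIRST_CONF" "$SECOND_CONF"; then
        logger -t openvpn2 "not starting: config collides with $FIRST_CONF"
        return 1
    fi
    sleep 15                               # let the stock services come up first
    "$OVPN_BIN" --mktun --dev tun1
    "$OVPN_BIN" --config "$SECOND_CONF" --daemon --writepid "$SECOND_DIR/pid"
    sleep 3
    if kill -0 "$(cat "$SECOND_DIR/pid" 2>/dev/null)" 2>/dev/null; then
        open_firewall 1194 tun1
    else
        logger -t openvpn2 "second server did not start"
        diagnose 1194
        return 1
    fi
}

# Only do the router-side work where the binary actually exists.
if [ -x "$OVPN_BIN" ]; then
    start_second_server
fi
```

render_conf and conf_conflicts run under any POSIX shell, so the collision check can be exercised off the router before the script goes into the startup box. Keep management bound to 127.0.0.1: the interface is unauthenticated unless the optional pw-file argument is given, and anyone who reaches it can read the log and kill the tunnel.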
strwbrrysam
DD-WRT Novice


Joined: 16 Apr 2021
Posts: 29

PostPosted: Sat May 08, 2021 20:02    Post subject: Awesome!
Thanks for the files and example. I haven't been able to get it working for now, and have switched to an old quad-core computer for hosting as it's faster anyway. It's also slightly easier to troubleshoot and learn because it's running on Ubuntu, so there's plenty of documentation.

But I'll definitely experiment more and see if I can get it running, and report back when I'm a little more free! I've already spent almost 2 weeks tinkering with all this network stuff; my brain is a bit overloaded.
egosumumbravir
DD-WRT User


Joined: 19 Jun 2020
Posts: 58

PostPosted: Wed Sep 21, 2022 0:34    Post subject:
Did you ever sort this out, strwbrrysam?

Multiple clients with different settings is exactly what I'd like to do. Hoping that would spread the load over the 4 cores in my r9000.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12814
Location: Netherlands

PostPosted: Thu Sep 22, 2022 9:21    Post subject:
This thread is about running multiple OpenVPN Servers

Running multiple OpenVPN Clients is described elsewhere, see:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1223103#1223103

But it has not been looked at/updated so might not work without tweaking.

At one time I contemplated adding multiple clients/servers in the GUI, but as we want OpenVPN to run in 8 MB flash routers that was not possible (and with 32 KB nvram there also is no room for all the keys/certs).
Besides, it needed a whole rewrite of the GUI. Of course we could then use the old VPN for low-end routers and the newly written VPN for higher-end routers, but frankly that would end up in an administrative nightmare, and now with WireGuard we have an excellent alternative to run as many tunnels as you want :)

egosumumbravir
DD-WRT User


Joined: 19 Jun 2020
Posts: 58

PostPosted: Thu Sep 22, 2022 11:13    Post subject:
Well yeah, that's what I'm hoping to do - serve multiple clients. Sorry if it wasn't clear.