Running two servers with different configuration #28

Closed
PitStains opened this issue Jan 24, 2017 · 15 comments

@PitStains

commented Jan 24, 2017

Hello,
I'm wondering if you could have 2 server keys.
I'd like to have 1 client be on a fast, less-secure, UDP connection.
And I'd like to have 1 client be on a most-secure, TCP connection.

I'm not sure if this is even possible on the same OpenVPN server?? I know you can edit the .ovpn client file, but that wouldn't have the secure-ness of the server key.

@angristan

Owner

commented Jan 25, 2017

I would like that too. I know it's possible, so I keep this open.

@PitStains

Author

commented Jan 26, 2017

Cool thanks!
I wonder if I just rename all the /etc/openvpn folder and run the script again, and then merge the files? Or is it more involved in getting the server to accept 2 simultaneous connections. I've seen people on the Stack say they've accomplished this scenario, but haven't seen how.

@PitStains

Author

commented Jan 27, 2017

On openvpn.net: https://openvpn.net/index.php/open-source/documentation/howto.html

If you want to run multiple OpenVPN instances on the same machine, each using a different configuration file, it is possible if you:

  • Use a different port number for each instance (the UDP and TCP protocols use different port spaces so you can run one daemon listening on UDP-1194 and another on TCP-1194).
  • If you are using Windows, each OpenVPN configuration needs to have its own TAP-Windows adapter. You can add additional adapters by going to Start Menu -> All Programs -> TAP-Windows -> Add a new TAP-Windows virtual ethernet adapter.
  • If you are running multiple OpenVPN instances out of the same directory, make sure to edit directives which create output files so that multiple instances do not overwrite each other's output files. These directives include log, log-append, status, and ifconfig-pool-persist.

@angristan added bug and removed bug labels Feb 6, 2017

@angristan changed the title from "Not an "issue" - multiple server keys?" to "Running two servers with different configuration" Feb 6, 2017

@actuallymentor


commented Jun 24, 2017

AFAIK you just need to set up 2 servers. In the case of this script you need to run it twice. Once for your fast UDP and once for your secure TCP.

This should produce 2 server configs, and 2 client configs.

You will still only have one openvpn package installed, but it will be listening on multiple ports the same way nginx might run multiple websites from multiple configs.

@paccerdk


commented Jan 16, 2018

This should normally work out of the box (at least for systemd based distributions) when having different configuration files in /etc/openvpn/*.conf

The following line breaks this functionality and hard-codes all service instances to use server.conf only:
https://github.com/Angristan/OpenVPN-install/blob/f681c0bd3426cc0f825345d483a283da537d34d2/openvpn-install.sh#L621

Is this strictly necessary for the script? If not, it should be removed.

Manually changing server.conf back to %i.conf in /lib/systemd/system/openvpn@.service fixes support for multiple instances.
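
The effect of the hard-coded unit described in the comment above, as an added example that is not part of the thread or of openvpn-install.sh: it expands `%i` the way systemd does for `openvpn@<instance>` and reports config files that more than one instance would load. `resolved_config` and `shared_configs` are hypothetical helper names, and the two unit files are constructed samples.

```shell
#!/bin/sh
# Added example: which config would each openvpn@<instance> load?

# Print the --config path from a unit's ExecStart with %i expanded.
resolved_config() {   # usage: resolved_config UNIT_FILE INSTANCE
    sed -n 's/^ExecStart=.*--config  *\([^ ]*\).*/\1/p' "$1" | sed "s/%i/$2/g"
}

# Print every config path that more than one of the given instances resolves to.
shared_configs() {    # usage: shared_configs UNIT_FILE INSTANCE...
    unit=$1; shift
    for inst in "$@"; do resolved_config "$unit" "$inst"; done | sort | uniq -d
}

# Constructed unit files: the ExecStart line is rebuilt from the ps output
# quoted in this thread, once as a template (%i) and once with server.conf
# hard-coded in place of %i.conf.
unit_dir=$(mktemp -d)
trap 'rm -rf "$unit_dir"' EXIT
cat > "$unit_dir/template.service" <<'EOF'
[Service]
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
EOF
sed 's|/etc/openvpn/%i\.conf|/etc/openvpn/server.conf|' \
    "$unit_dir/template.service" > "$unit_dir/hardcoded.service"

# Hard-coded unit: both instances resolve to the same file, so it is printed.
shared_configs "$unit_dir/hardcoded.service" server server2
# Template unit: each instance gets its own file, so nothing is printed.
shared_configs "$unit_dir/template.service" server server2
```

On a real host the first argument would be the installed unit, for example the /lib/systemd/system/openvpn@.service path named in the comment.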

@angristan

Owner

commented Jan 25, 2018

Wow indeed, @paccerdk, thanks.

root@server:~# netstat -paunt | grep openvpn
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      841/openvpn
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           850/openvpn

root@server:~# ps ffaux | grep openvpn
root      1088  0.0  0.0  12784   948 pts/0    S+   11:51   0:00          \_ grep openvpn
nobody     841  0.0  0.5  48144  5640 ?        Ss   11:48   0:00 /usr/sbin/openvpn --daemon ovpn-server2 --status /run/openvpn/server2.status 10 --cd /etc/openvpn --config /etc/openvpn/server2.conf --writepid /run/openvpn/server2.pid
nobody     850  0.0  0.5  48144  5524 ?        Ss   11:48   0:00 /usr/sbin/openvpn --daemon ovpn-server3 --status /run/openvpn/server3.status 10 --cd /etc/openvpn --config /etc/openvpn/server3.conf --writepid /run/openvpn/server3.pid

I don't remember why I hardcoded it, I'll take a look.

@ookangzheng

Contributor

commented Mar 30, 2018

I hardcoded like this

  1. After a clean install with UDP mode
  2. clone server.conf into server2.conf (manual edit UDP => TCP mode)
  3. in server2.conf, change ip 10.8.0.1 to 10.9.0.1
  4. add 10.9.0.1 in IPtables
  5. at line 838 or close to it, add
    sed -i 's|server2.conf' /lib/systemd/system/openvpn/server2.service
  6. service openvpn@server restart and service openvpn@server2 restart
  7. try lsof -i:1194 your port number, you will see both UDP & TCP openvpn services are running

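
A pre-flight check for the cloning approach in the steps above and for the rules in the HOWTO text quoted earlier in the thread, as an added example that is not part of the thread or of openvpn-install.sh: it flags a listening proto/port, a `server` subnet or an output file claimed by more than one config. `ovpn_facts` and `check_ovpn_conflicts` are hypothetical helper names, and the configs are constructed samples.

```shell
#!/bin/sh
# Print "kind value file" facts for one server config. Paths are compared as
# written, which assumes all instances share one working directory (--cd).
ovpn_facts() {
    awk -v f="$1" '
        NF == 0 || $1 ~ /^[#;]/ { next }        # blank lines and comments
        $1 == "proto"  { proto = $2 }
        $1 == "port"   { port = $2 }
        $1 == "server" { print "subnet", $2 "/" $3, f }
        $1 == "log" || $1 == "log-append" || $1 == "status" ||
        $1 == "ifconfig-pool-persist" { print "output", $2, f }
        END {
            if (proto == "") proto = "udp"      # OpenVPN defaults
            if (port == "")  port = "1194"
            # tcp-server, tcp4, udp6 and so on collapse to tcp or udp
            print "listen", substr(proto, 1, 3) "/" port, f
        }' "$1"
}

# Print one CONFLICT line per value that more than one config claims.
check_ovpn_conflicts() {
    for conf in "$@"; do ovpn_facts "$conf"; done |
    awk '{ key = $1 " " $2
           files[key] = (key in files) ? (files[key] "," $3) : $3
           n[key]++ }
         END { for (k in n) if (n[k] > 1) print "CONFLICT", k, files[k] }' |
    sort
}

# Constructed sample configs (not taken from the thread or the script).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/server.conf" <<'EOF'
port 1194
proto udp
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
status openvpn.log
EOF
# A straight clone with only the protocol switched to TCP.
sed 's/^proto udp/proto tcp/' "$demo_dir/server.conf" > "$demo_dir/clone.conf"
# The same clone with its own subnet and output files.
sed -e 's/10\.8\.0\.0/10.9.0.0/' -e 's/ipp\.txt/ipp2.txt/' \
    -e 's/openvpn\.log/openvpn2.log/' "$demo_dir/clone.conf" > "$demo_dir/server2.conf"

check_ovpn_conflicts "$demo_dir/server.conf" "$demo_dir/clone.conf"
check_ovpn_conflicts "$demo_dir/server.conf" "$demo_dir/server2.conf"
```

The straight clone yields three CONFLICT lines (two output files and the subnet) and none for the listener, since UDP 1194 and TCP 1194 are separate port spaces; the adjusted copy yields none.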

@randomshell

Contributor

commented Sep 14, 2018

@angristan this issue is not only about different configuration (ex. running OpenVPN both on TCP and UDP) but also different keys, one more and the other one less secure. Other issues linked, like #266, are only about a different configuration for using multiple ports.

I'm specifying this because managing different keys too requires, eventually, having multiple subdirectories for better management, for example /etc/openvpn/server1 and /etc/openvpn/server2.

So here there should be two options:

  • Add new client with different config but same keys.
  • Add new client with different config and different keys.

Did I get it right?

@angristan

Owner

commented Sep 15, 2018

@randomshell I think you got it right :)

@randomshell

Contributor

commented Sep 15, 2018

So, are we going to support them both?

@angristan

Owner

commented Sep 15, 2018

I don't know. It will be hard to install and maintain in both cases. I don't know if it's worth supporting it.

@angristan

Owner

commented Sep 16, 2018

I'm reducing the scope of the script because I already spend a lot of time maintaining it.

I'm closing this until someone implements a simple and easy-to-maintain solution, which will likely not happen.

This was a feature I wanted too, but the script is already over 900 lines.

@angristan closed this Sep 16, 2018

@angristan added out-of-scope and removed help wanted labels Sep 16, 2018

@paccerdk


commented Sep 17, 2018

@angristan, couldn't you remove the line mentioned in my #28 (comment) ?

I see no reason for the hard coding, and you didn't provide any reason either. (comment after linked one)

This would restore expected OpenVPN functionality at least.

@angristan

Owner

commented Sep 17, 2018

See #294.

@jam-2000


commented Oct 4, 2018

@angristan
Hi, angristan.

Is it possible to add functionality with the OpenVPN server listening on both UDP and TCP at the same time, like this:
https://thomas.gouverneur.name/2014/02/openvpn-listen-on-tcp-and-udp-with-tun/

Thanks for the answer)
