Multiple OpenVPN Server tunnels and routing subnets on both sides

This forum is for admins who are looking to build or expand their OpenVPN setup.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
plax.kart
OpenVpn Newbie
Posts: 8
Joined: Wed Jun 05, 2019 11:46 am

Multiple OpenVPN Server tunnels and routing subnets on both sides

Post by plax.kart » Wed Jun 05, 2019 10:20 pm

Hi all,

I'm planning to setup an OpenVPN server on an EdgeRouter ER-8-XG and use this device to support VPN for approximately 50 customers. Each customer will have their own network topology with different subnets. I would like to setup server-side + client-side routing in client/server mode and with this setup, the OpenVPN client will be able to reach all the machines behind the OpenVPN server, and the server will be able to reach all the machines behind the client.

My concern is what will be the best practices for building the OpenVPN server in this case? Should we:
  • Run 50 different OpenVPN server (tunnels/instances) on 50 different ports, each instance/port is dedicated for 1 customer with their own network topology?
  • Run only 1 OpenVPN server on port 1194 and create 50 different *.ovpn configuration files for each client?
What are the pros/cons when setting up multiple OpenVPN tunnels vs single OpenVPN tunnel (with multiple *.ovpn files) on the same device?

And is there any way to configure the OpenVPN server properly without the need of knowing client's network topology in advance? As some customers may use the same subnets on their LAN and I would like to make sure not to push duplicated subnets to their sides. Just like giving the customers the *.ovpn file and the clients should be able to connect to the OpenVPN server automatically + routing subnets on both sides.

Thanks!

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 6248
Joined: Fri Jun 03, 2016 1:17 pm

Re: Multiple OpenVPN Server tunnels and routing subnets on both sides

Post by TinCanTech » Wed Jun 05, 2019 10:33 pm

You may want to consider buying an OpenVPN Book for such things ..

https://openvpn.net/community-resources/#books

plax.kart
OpenVpn Newbie
Posts: 8
Joined: Wed Jun 05, 2019 11:46 am

Re: Multiple OpenVPN Server tunnels and routing subnets on both sides

Post by plax.kart » Wed Jun 05, 2019 11:44 pm

@TinCanTech:
Thanks a lot for your comment. I had a look at those books but could not find a specific way to address the situation where different customers have duplicated subnets. Here is my issue:

- Cilent 1 has a LAN subnet 10.10.10.0/24
- Client 2 has a LAN subnet 10.10.10.0/24

In this case, I can push my own LAN subnet (on the server side) using 'push route' but I don't know how to write proper 'iroute' directives in client-specific configuration files for clients and also the 'route' directive in OVPN server configuration file. Should they also be the same or do I need to separate them using different OVPN server tunnels/instances?

Post Reply