Multiple OpenVPN Server tunnels and routing subnets on both sides

Posted: Wed Jun 05, 2019 10:20 pm
by plax.kart
Hi all,

I'm planning to set up an OpenVPN server on an EdgeRouter ER-8-XG and use this device to support VPN for approximately 50 customers. Each customer will have their own network topology with different subnets. I would like to set up server-side + client-side routing in client/server mode. With this setup, the OpenVPN client will be able to reach all the machines behind the OpenVPN server, and the server will be able to reach all the machines behind the client.

My concern is: what are the best practices for building the OpenVPN server in this case? Should we:
  • Run 50 different OpenVPN servers (tunnels/instances) on 50 different ports, each instance/port dedicated to 1 customer with their own network topology?
  • Run only 1 OpenVPN server on port 1194 and create 50 different *.ovpn configuration files, one for each client?
What are the pros/cons of setting up multiple OpenVPN tunnels vs. a single OpenVPN tunnel (with multiple *.ovpn files) on the same device?

And is there any way to configure the OpenVPN server properly without needing to know the clients' network topology in advance? Some customers may use the same subnets on their LAN, and I would like to make sure not to push duplicated subnets to their sides. Ideally I would just give the customers the *.ovpn file, and the clients should be able to connect to the OpenVPN server automatically, with subnets routed on both sides.

Thanks!

Re: Multiple OpenVPN Server tunnels and routing subnets on both sides

Posted: Wed Jun 05, 2019 10:33 pm
by TinCanTech
You may want to consider buying an OpenVPN Book for such things ..

https://openvpn.net/community-resources/#books

Re: Multiple OpenVPN Server tunnels and routing subnets on both sides

Posted: Wed Jun 05, 2019 11:44 pm
by plax.kart
@TinCanTech:
Thanks a lot for your comment. I had a look at those books but could not find a specific way to address the situation where different customers have duplicated subnets. Here is my issue:

- Client 1 has a LAN subnet 10.10.10.0/24
- Client 2 has a LAN subnet 10.10.10.0/24

In this case, I can push my own LAN subnet (on the server side) using 'push route', but I don't know how to write proper 'iroute' directives in the client-specific configuration files, and also the 'route' directive in the OpenVPN server configuration file. Should they also be the same, or do I need to separate them using different OpenVPN server tunnels/instances?
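As an added example (not part of this thread, and not an OpenVPN project tool), the following Python script does the check a practitioner would want before deciding between one instance and many: it reads the `iroute` lines from a set of client-config-dir (ccd) files, reports any subnet that two different clients (or a client and the server-side LAN) both claim, and generates the matching `route` lines the server config needs for the kernel side. Within a single OpenVPN instance an `iroute` subnet can only be owned by one client, so every conflict it reports is a subnet that cannot be routed to both customers from one instance. The ccd contents and subnets below are constructed sample data that reproduce the two-clients-with-10.10.10.0/24 case from the thread.

```python
import ipaddress

# Constructed sample ccd files keyed by the client certificate's common name.
# client1 and client2 both claim 10.10.10.0/24, as in the thread; client3 is
# a well-behaved customer with two distinct subnets and a comment line.
SAMPLE_CCD = {
    "client1": "iroute 10.10.10.0 255.255.255.0\n",
    "client2": 'iroute 10.10.10.0 255.255.255.0\npush "route 192.168.100.0 255.255.255.0"\n',
    "client3": "iroute 172.16.5.0 255.255.255.0\n# comment\niroute 172.16.6.0 255.255.255.0\n",
}


def parse_iroutes(ccd_text):
    """Return the subnets declared by 'iroute <network> [netmask]' lines.

    Comments ('#') and unrelated directives (e.g. push) are ignored. A missing
    netmask is treated as a host route, which is what OpenVPN does.
    """
    nets = []
    for raw in ccd_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] != "iroute" or len(parts) < 2:
            continue
        network = parts[1]
        netmask = parts[2] if len(parts) > 2 else "255.255.255.255"
        nets.append(ipaddress.ip_network(f"{network}/{netmask}", strict=False))
    return nets


def client_subnets(ccd_files):
    """Map each client name to the list of subnets its ccd file claims."""
    return {name: parse_iroutes(text) for name, text in ccd_files.items()}


def find_conflicts(ccd_files, server_subnets=()):
    """Return (net_a, owner_a, net_b, owner_b) for every pair of overlapping
    subnets that belong to different owners.

    server_subnets are the server-side LANs the operator intends to push to
    clients; they are tagged with the owner name "server" so a customer whose
    LAN collides with the server LAN is reported too.
    """
    owners = [(ipaddress.ip_network(s), "server") for s in server_subnets]
    for name, nets in client_subnets(ccd_files).items():
        owners.extend((net, name) for net in nets)

    conflicts = []
    for i in range(len(owners)):
        for j in range(i + 1, len(owners)):
            net_a, owner_a = owners[i]
            net_b, owner_b = owners[j]
            if owner_a != owner_b and net_a.overlaps(net_b):
                conflicts.append((str(net_a), owner_a, str(net_b), owner_b))
    return conflicts


def server_route_lines(ccd_files):
    """Return the deduplicated 'route <network> <netmask>' lines that the server
    config needs so the kernel sends traffic for each iroute into the tunnel."""
    seen = set()
    lines = []
    for nets in client_subnets(ccd_files).values():
        for net in nets:
            if net not in seen:
                seen.add(net)
                lines.append(f"route {net.network_address} {net.netmask}")
    return lines


if __name__ == "__main__":
    # Hypothetical server-side LAN the operator pushes with 'push "route ..."'.
    for conflict in find_conflicts(SAMPLE_CCD, ["192.168.100.0/24"]):
        print("CONFLICT: %s (%s) overlaps %s (%s)" % conflict)
    print("\n".join(server_route_lines(SAMPLE_CCD)))
```

Run it against a real `client-config-dir` by reading each file into the dictionary in place of `SAMPLE_CCD`. Any pair the script reports has to be resolved before those two customers can share an instance: renumber one side, NAT one side at the customer's router, or put that customer on its own OpenVPN instance with its own tun interface and routing table.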