Server on several ports with same config?

zmi
OpenVpn Newbie
Posts: 10
Joined: Thu May 03, 2012 9:16 pm

Post by zmi » Sat May 05, 2012 9:44 am

I have a running openvpn server, on port udp/443. I want it to also listen on udp/10443, tcp/443, tcp/10443 - but with the same config. On the client side this is no problem, I can use

Code:
<connection>
remote server 443 udp
</connection>
<connection>
remote server 443 tcp
</connection>
<connection>
remote server 10443 udp
</connection>
<connection>
remote server 10443 tcp
</connection>

but on the server there seems to be no equivalent? If not, how could I solve this? The problematic line seems to be

Code:
server 172.24.0.0 255.248.0.0

so the first openvpn process takes IP 172.24.0.1+2, and that block is reserved. Subsequent servers each overwrite that IP again, and it's not working at all.

My goal is that a client has several ports and protocols to choose from, so there's a bigger chance it works from every hotel or internet cafe etc. But the servers must have the same config, of course.

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Server on several ports with same config?

Post by Mimiko » Fri May 18, 2012 7:19 am

Use port translation. For example 10443/TCP to 443/TCP.
Protocol translation cannot be done.
You will have to set up a different OpenVPN server, each with its port/protocol/ip pool.

zmi
OpenVpn Newbie
Posts: 10
Joined: Thu May 03, 2012 9:16 pm

Re: Server on several ports with same config?

Post by zmi » Mon May 21, 2012 9:02 pm

Mimiko wrote: Use port translation. For example 10443/TCP to 443/TCP.
OK, some simple iptables rules will help out here.
Mimiko wrote: You will have to setup different OpenVPN server for tcp/udp, each with its port/protocol/ip pool.
Is it possible to "share the base"? What I mean is, as I have a static IP for each client, assigned by ccd config, it doesn't matter too much which IP the server itself has. Example:

server-tcp.config: server 172.24.0.0 255.248.0.0
server-udp.config: could I make a definition here so that server also has 172.24.0.0/13 available?

I want client A to be able to connect either udp or tcp. Each client gets a fixed IP via ccd config, so there's the guarantee of no overlapping IPs. I want the clients to have maximum flexibility, they should reach the VPN from every hotel, WiFi, Internet Cafe, etc., and sometimes udp works, sometimes tcp, ...

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Server on several ports with same config?

Post by Mimiko » Tue May 22, 2012 5:05 am

Different instances of OpenVPN must have different network pools. You can divide 172.24.0.0/255.255.0.0 into subnets for different instances. So from the operating system the client will be from the same network, but connecting to different instances, the client will get a different IP. For now it's not possible for multiple OpenVPN instances to share the same network IP pool.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Server on several ports with same config?

Post by maikcat » Tue May 22, 2012 8:08 am

Yes, it can be done, but it's a little trickier..

COPIED FROM ANOTHER POST (sadly I can't find the original post & poster..sorry :cry: )
Server config (Debian Lenny, OpenVPN 2.1~rc11-1)

====UDP server====
Code:
port 1194
proto udp
sndbuf 262144
rcvbuf 262144
txqueuelen 500
dev tun1
topology subnet
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key
crl-verify crl.pem
dh easy-rsa/keys/dh2048.pem
server 172.27.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt 0
client-config-dir ccd
learn-address /etc/openvpn/udp-route.sh
script-security 2
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-128-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 5
management 127.0.0.1 5000

====TCP server====

Code:
local xx.yy.zz.110
port 443
proto tcp
tcp-queue-limit 256
dev tun2
topology subnet
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key # This file should be kept secret
crl-verify crl.pem
dh easy-rsa/keys/dh2048.pem
server 172.27.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt 0
client-config-dir ccd
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-128-CBC # AES
comp-lzo
persist-key
persist-tun
status openvpn-status-tcp.log
learn-address /etc/openvpn/tcp-route.sh
script-security 2
verb 3
management 127.0.0.1 5001


====udp-route.sh====

Code:
#!/bin/bash
# learn-address hook for the UDP instance: $1 = operation, $2 = client address

if [[ $1 = 'add' ]]; then
    ip route add "$2" dev tun1 src 172.27.0.1
fi
if [[ $1 = 'delete' ]]; then
    ip route del "$2" dev tun1 src 172.27.0.1
fi


====tcp-route.sh====

Code:
#!/bin/bash
# learn-address hook for the TCP instance: $1 = operation, $2 = client address

if [[ $1 = 'add' ]]; then
    ip route add "$2" dev tun2 src 172.27.0.1
fi
if [[ $1 = 'delete' ]]; then
    ip route del "$2" dev tun2 src 172.27.0.1
fi


====client config====

Code:
client
dev tun
topology subnet

<connection>
remote vpn.xx.com 1194 udp
</connection>

<connection>
remote vpn.xx.com 443 tcp
</connection>

<connection>
remote vpn.yy.com 1194 udp
</connection>

<connection>
remote vpn.yy.com 443 tcp
</connection>

resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo
verb 3

Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"
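
A hardened variant of the `udp-route.sh` hook above, as an added example that is not part of the original post or of OpenVPN itself: it validates the address OpenVPN passes in before handing it to `ip` (the hook runs with the server's privileges under `script-security 2`), also handles the `update` operation, and uses `ip route replace` so that a client reconnecting over the other protocol before its old route is unlearned does not fail with "File exists". `DRY_RUN` and the function names are hypothetical, and the check assumes only host addresses from the 172.27.0.0/16 pool are learned (no `iroute` subnets).

```sh
#!/bin/sh
# Added example (not from the thread): learn-address hook for the UDP instance.
# VPN_PREFIX, VPN_SRC and DEV mirror the posted config; DRY_RUN is hypothetical.
VPN_PREFIX="172.27."     # pool from "server 172.27.0.0 255.255.0.0"
VPN_SRC="172.27.0.1"
DEV="tun1"               # use tun2 in the TCP instance's copy

# Succeed only for a dotted-quad IPv4 host address inside the VPN pool.
valid_client_addr() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and single dots only
        "$VPN_PREFIX"*) ;;                      # must be in 172.27.0.0/16
        *) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split into octets (safe: input is digits and dots)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the ip(8) command for one learn-address event; fail on bad input.
route_cmd() {
    op=$1; addr=$2; dev=$3
    valid_client_addr "$addr" || return 1
    case $op in
        # "replace" moves the /32 to this instance even if the other
        # instance has not yet unlearned the address.
        add|update) echo "ip route replace $addr/32 dev $dev src $VPN_SRC" ;;
        # Naming the device means a late delete from the other instance
        # cannot remove the route this instance just installed.
        delete)     echo "ip route del $addr/32 dev $dev src $VPN_SRC" ;;
        *)          return 1 ;;
    esac
}

# Act only when OpenVPN calls the hook: $1 = operation, $2 = address.
if [ $# -ge 2 ]; then
    cmd=$(route_cmd "$1" "$2" "$DEV") || exit 1
    if [ -n "$DRY_RUN" ]; then echo "$cmd"; exit 0; fi
    exec $cmd
fi
```

Setting `DRY_RUN=1` and calling the script by hand with an operation and an address prints the command it would run without touching the routing table.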

ewiley
OpenVpn Newbie
Posts: 4
Joined: Thu Jan 05, 2012 5:21 pm

Re: Server on several ports with same config?

Post by ewiley » Sat Mar 09, 2013 1:14 pm

Thanks maikcat! This worked perfectly to solve a problem I had.

I'm curious, though, how the tunnel interfaces don't register an IP conflict (or at least make the kernel very confused).

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Server on several ports with same config?

Post by maikcat » Sat Mar 09, 2013 1:22 pm

maybe because they are tun interfaces not tap.

just my 2 cents..

Michael.