Multiple instances on a server with multiple IPs

How to customize and extend your OpenVPN installation.

Moderators: TinCanTech

syltrell
OpenVPN User
Posts: 21
Joined: Tue Nov 12, 2013 11:04 am

Multiple instances on a server with multiple IPs

Post by syltrell » Fri Jun 20, 2014 7:13 am

Hello,

I have a dedicated Linux CentOS 5.x server with three IPs. I want to install OpenVPN so that it is possible to choose which of the IPs to connect through in the client GUI. Let's say the IPs are:

100.100.100.100 (let's call it City1)
200.200.200.200 (let's call it City2)
300.300.300.300 (let's call it City3)

Mask 255.255.255.255

My questions are:

1. How do I create a dev tun for each one? (I assume I must.)

2. At which point of the installation must I define folders for holding the ipp.txt and keys of each IP (folders city1, city2 and city3)?

3. How do I create all the configs (city1.config, city2.config and city3.config), and where?

4. How do I configure the daemon to start all three: city1.config, city2.config and city3.config?

5. Shall I assign different subnets arbitrarily?

I am familiar with installing OpenVPN when it is on one IP only; I have done it several times, but never with more than one IP, so I really need help, please. Thank you.
"Those who say it is impossible should stop limiting those of us who are trying"


Re: Multiple instances on a server with multiple IPs

Post by syltrell » Fri Jun 20, 2014 9:29 am

I see that you suggest different ports for each instance. Is that necessary or can all use the same port?

My typical config when I install for just one IP is as follows (please advise what I must change in each config) besides dev tun (dev tun1, etc.), local IP and subnet. Thank you.

dev tun
port 1194
proto udp
comp-lzo
dh dh1024.pem
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
ifconfig-pool-persist ipp.txt
ca ca.crt
cert main.crt
key main.key
local 100.100.100.0
server 10.10.10.0 255.255.255.255
#push "route 10.10.10.0 255.255.255.255"
push "redirect-gateway def1"


Re: Multiple instances on a server with multiple IPs

Post by syltrell » Fri Jun 20, 2014 10:12 am

Many thanks for the time and help, all done!

:)


Re: Multiple instances on a server with multiple IPs

Post by syltrell » Fri Jun 20, 2014 10:16 am

Sorry, I forgot to ask:

100.100.100.100 is eth0, so in iptables I use

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 100.100.100.100
iptables -t filter -A FORWARD -i tun0 -o eth0 -j ACCEPT

But with the other 2 IPs, which are eth0-1 and eth0-2, what should I use? (iptables doesn't recognize eth0-x.) Thank you


Re: Multiple instances on a server with multiple IPs

Post by syltrell » Fri Jun 20, 2014 11:12 am

syltrell wrote:Sorry, I forgot to ask:

100.100.100.100 is eth0, so in iptables I use

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 100.100.100.100
iptables -t filter -A FORWARD -i tun0 -o eth0 -j ACCEPT

But with the other 2 IPs, which are eth0-1 and eth0-2, what should I use? (iptables doesn't recognize eth0-x.) Thank you
I mean for the OpenVPN installation, of course.


Re: Multiple instances on a server with multiple IPs

Post by syltrell » Sat Jun 21, 2014 10:56 am

debbie10t wrote:As you have separate IP addresses you can use the same port. ie. 1194 (My mistake)

In the client use the <connection> block for each IP if you want one client config and randomize the server or have three separate configs and let the client user choose which IP to use.

I have a setup now with three configs, but when I try to restart the openvpn service it gives me FAILED.

Here is how I did the setup:

I created directories under /etc/openvpn for each IP's keys. Then I ran:


#cat /dev/net/tun

#wget packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.i386.rpm

#rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt

#rpm -K rpmforge-release-0.5.2-2.el5.rf.*.rpm

#rpm -i rpmforge-release-0.5.2-2.el5.rf.*.rpm

#sed --in-place "s/\\(.*enabled.*=\\).*/\1 0/" /etc/yum.repos.d/rpmforge.repo

#yum --enablerepo rpmforge install openvpn

#mkdir ~/easy-rsa

#cp -Rv /usr/share/doc/openvpn-*/easy-rsa/2.0/* ~/easy-rsa/

#cd ~/easy-rsa

#vi vars
=============================
ENTERED VALUES FOR THE FIELDS
===========================

#chmod u+x clean-all build-ca whichopensslcnf build-dh build-key pkitool build-key-server

#cd ~/easy-rsa
#. ./vars
#./clean-all
#./build-dh
#./build-ca

============================
Entered values
======================================


#./build-key-server main

#su - root
#vi /etc/openvpn/config100.conf

dev tun0
port 1195
proto udp
comp-lzo
dh /etc/openvpn/config100/dh1024.pem
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
ifconfig-pool-persist /etc/openvpn/config100/ipp.txt
ca /etc/openvpn/config100/ca.crt
cert /etc/openvpn/config100/main.crt
key /etc/openvpn/config100/main.key
client-config-dir /etc/openvpn/config100/keys/
local 100.100.100.100
server 10.10.10.0 255.255.255.248
#push "route 10.10.10.0 255.255.255.248"
push "redirect-gateway def1"
daemon



#cd ~/easy-rsa
#. ./vars
#./build-key Client1-100
#./build-key Client2-100

#cp ~/easy-rsa/keys/* /etc/openvpn/config100/keys

#openvpn /etc/openvpn/config100.conf

.........................................................

#su - root
#vi /etc/openvpn/config200.conf

dev tun1
port 1195
proto udp
comp-lzo
dh /etc/openvpn/config200/dh1024.pem
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
ifconfig-pool-persist /etc/openvpn/config200/ipp.txt
ca /etc/openvpn/config200/ca.crt
cert /etc/openvpn/config200/main.crt
key /etc/openvpn/config200/main.key
client-config-dir /etc/openvpn/config200/keys/
local 200.200.200.200
server 10.10.20.0 255.255.255.255
#push "route 10.10.20.0 255.255.255.255"
push "redirect-gateway def1"
daemon


#cd ~/easy-rsa
#. ./vars
#./build-key Client1-200
#./build-key Client2-200

#cp ~/easy-rsa/keys/* /etc/openvpn/config200/keys

#openvpn /etc/openvpn/config200.conf

.....................................

#su - root
#vi /etc/openvpn/config300.conf

dev tun2
port 1195
proto udp
comp-lzo
dh /etc/openvpn/config300/dh1024.pem
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
ifconfig-pool-persist /etc/openvpn/config300/ipp.txt
ca /etc/openvpn/config300/ca.crt
cert /etc/openvpn/config300/main.crt
key /etc/openvpn/config300/main.key
client-config-dir /etc/openvpn/config300/keys/
local 300.300.300.300
server 10.10.30.0 255.255.255.255
#push "route 10.10.30.0 255.255.255.255"
push "redirect-gateway def1"
daemon


#cd ~/easy-rsa
#. ./vars
#./build-key Client1-300
#./build-key Client2-300


#cp ~/easy-rsa/keys/* /etc/openvpn/config300/keys

#openvpn /etc/openvpn/config300.conf

...............................................

Added to /etc/rc.local the following:

openvpn /etc/openvpn/config100.conf &
openvpn /etc/openvpn/config200.conf &
openvpn /etc/openvpn/config300.conf
____________________________________________________________________________________

#su - root

#chkconfig openvpn on

#echo 1 > /proc/sys/net/ipv4/ip_forward

#service openvpn restart

==================================================

Then in iptables I have set:

# VPN
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 100.100.100.100
iptables -t filter -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 200.200.200.200
iptables -t filter -A FORWARD -i tun1 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 300.300.300.300
iptables -t filter -A FORWARD -i tun2 -o eth0 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 1195 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 1195 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 1195 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 1195 -j ACCEPT
echo - VPN [OK]

===============================================================

A sample of the .ovpn for the clients:

dev tun2
proto udp
comp-lzo
client
nobind
user nobody
group nobody
persist-key
persist-tun
ca 300ca.crt
cert Client1-300.crt
key Client1-300.key
resolv-retry infinite
remote 300.300.300.300 1195
ns-cert-type server

======================================

So, when I try to restart the openvpn service, I get stop OK and start FAILED.

Of course, if I then try to connect I get WSAECONNRESET code 10054.

Any advice will be very much appreciated. Thank you
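Two things in this thread come down to what is inside the three server configs: the earlier firewall question (eth0-1 and eth0-2 are alias addresses that live on eth0, so iptables has to pick out each instance's traffic by its tunnel subnet rather than by an alias name), and the "start FAILED" above. The POSIX shell script below is an added example, not code from the thread or from the OpenVPN project. It writes three constructed configs modelled on the posted ones (config200 keeps the 255.255.255.255 server mask exactly as posted; config300 is given a /29 mask but, as a constructed copy-paste mistake to exercise the collision check, reuses dev tun1), checks each config for a server netmask too long to hold a client pool and for missing dev or local lines, checks that no two instances share a tun device or a local:port pair, and derives the per-instance SNAT and FORWARD rules from a config that passes. The /29 threshold assumes OpenVPN's default net30 topology; eth0 as the outbound interface, the scratch directory and all helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenVPN project): pre-flight checks
# for several OpenVPN server instances on one host, plus the matching NAT rules.
# Pure POSIX sh, no root needed. The configs below are constructed.

WORK="${TMPDIR:-/tmp}/ovpn-check.$$"   # assumed scratch location
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# config100: as posted, and valid.
cat > "$WORK/config100.conf" <<'EOF'
dev tun0
port 1195
proto udp
local 100.100.100.100
server 10.10.10.0 255.255.255.248
EOF
# config200: keeps the 255.255.255.255 server mask from the thread (a /32).
cat > "$WORK/config200.conf" <<'EOF'
dev tun1
port 1195
proto udp
local 200.200.200.200
server 10.10.20.0 255.255.255.255
EOF
# config300: mask corrected to /29, but dev tun1 copy-pasted (constructed
# mistake to exercise the collision check; the thread's copy used tun2).
cat > "$WORK/config300.conf" <<'EOF'
dev tun1
port 1195
proto udp
local 300.300.300.300
server 10.10.30.0 255.255.255.248
EOF

# cfg_get FILE DIRECTIVE: print the arguments of the first matching directive.
cfg_get() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# mask_to_prefix DOTTED_MASK: print the prefix length, or return 1 when the
# mask is malformed or non-contiguous (e.g. 255.0.255.0).
mask_to_prefix() {
    prefix=0; partial=0
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            255) bits=8 ;; 254) bits=7 ;; 252) bits=6 ;; 248) bits=5 ;;
            240) bits=4 ;; 224) bits=3 ;; 192) bits=2 ;; 128) bits=1 ;;
            0)   bits=0 ;; *) return 1 ;;
        esac
        # after the first non-255 octet every later octet must be 0
        if [ "$partial" -eq 1 ] && [ "$bits" -ne 0 ]; then return 1; fi
        [ "$bits" -eq 8 ] || partial=1
        prefix=$((prefix + bits))
    done
    echo "$prefix"
}

# check_config FILE: report the static mistakes that stop an instance from
# starting or leave it unusable; returns 1 if anything was found.
check_config() {
    cfg=$1; problems=0
    dev=$(cfg_get "$cfg" dev); localip=$(cfg_get "$cfg" local); srv=$(cfg_get "$cfg" server)
    if [ -z "$dev" ]; then
        echo "$cfg: missing 'dev tunN'; each instance needs its own device"; problems=$((problems + 1))
    fi
    if [ -z "$localip" ]; then
        echo "$cfg: missing 'local'; the instance would bind every address"; problems=$((problems + 1))
    fi
    if [ -z "$srv" ]; then
        echo "$cfg: missing 'server' line"; problems=$((problems + 1))
    else
        set -- $srv
        if ! prefix=$(mask_to_prefix "${2:-}"); then
            echo "$cfg: server netmask '${2:-}' is not a valid mask"; problems=$((problems + 1))
        elif [ "$prefix" -gt 29 ]; then   # net30 topology needs /29 or shorter
            echo "$cfg: server $1/$prefix leaves no room for a client pool"; problems=$((problems + 1))
        fi
    fi
    [ "$problems" -eq 0 ]
}

# check_collisions FILE...: no two instances may share a tun device or local:port.
check_collisions() {
    for f in "$@"; do
        printf '%s %s %s\n' "$(cfg_get "$f" dev)" \
            "$(cfg_get "$f" local):$(cfg_get "$f" port)" "$f"
    done | awk 'BEGIN { bad = 0 }
        { if (d[$1]++) { print "dev " $1 " already used by another instance: " $3; bad = 1 }
          if (b[$2]++) { print "bind " $2 " already used by another instance: " $3; bad = 1 } }
        END { exit bad }'
}

# snat_rules FILE [WAN_IF]: rules that send this instance's tunnel subnet out
# through its own public address. Alias addresses sit on eth0, so the source
# subnet (-s), not an interface name, selects the traffic.
snat_rules() {
    cfg=$1; wan=${2:-eth0}
    dev=$(cfg_get "$cfg" dev); localip=$(cfg_get "$cfg" local)
    set -- $(cfg_get "$cfg" server)
    prefix=$(mask_to_prefix "${2:-}") || return 1
    printf 'iptables -t nat -A POSTROUTING -s %s/%s -o %s -j SNAT --to-source %s\n' "$1" "$prefix" "$wan" "$localip"
    printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$dev" "$wan"
    printf 'iptables -A FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$wan" "$dev"
}

echo "== per-instance checks"
for f in "$WORK"/config*.conf; do check_config "$f" || :; done
echo "== cross-instance checks"
check_collisions "$WORK"/config*.conf || :
echo "== NAT rules for the instance that passes"
snat_rules "$WORK/config100.conf"
```

The script only catches what is visible in the files; to see the actual refusal, start the instance in the foreground (the posted `openvpn /etc/openvpn/config200.conf` with the `daemon` line removed), because with `daemon` set and no `log` directive OpenVPN writes its messages to syslog (/var/log/messages on CentOS 5), not to openvpn-status.log, which only lists connected clients.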


Re: Multiple instances on a server with multiple IPs

Post by syltrell » Sat Jun 21, 2014 11:51 am

debbie10t wrote:
syltrell wrote:when I try to restart the OpenVPN service it gives me FAILED
Indeed, unfortunately your operating system does not release port 1195 quickly enough for the restarted service to bind to it as the port is still bound to the previous (now dead) instance of OpenVPN. Try Stop/(pause)/Start ..
Didn't work:


service openvpn stop
OK

(60 sec pause)

service openvpn start
FAILED

Other suggestion? Thank you


Re: Multiple instances on a server with multiple IPs

Post by syltrell » Sat Jun 21, 2014 1:57 pm

debbie10t wrote:
syltrell wrote:service openvpn start
FAILED

Other suggestion? Thank you
Check your log file for errors ...
I tried to find the openvpn log, but I only found openvpn-status.log, which is empty...
