On Mon, 24 Jul 2023 05:45:47 +0000 (UTC), Jason Long via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:
PLEASE STOP TOP-POSTING (corrected below)!

>>On Sunday, July 23, 2023 at 06:29:20 PM GMT+3:30, Gert Doering
>><g...@greenie.muc.de> wrote:
>>
>>Hi,
>>
>>>On Sun, Jul 23, 2023 at 01:32:19PM +0000, Jason Long wrote:
>>> 1- If the port number is different, then "server" IP can be the same? For
>>> example, the first server use:
>>
>>No. That is inside IPs (and something else again), they must be distinct.
>>
>>[..]
>>> 2- You said, "A "NIC" can have multiple IP addresses", so, a server does
>>> not need to have multiple NAT NICs ?
>>> For example, A VPN provider can have a VPN server with a NIC that use
>>> three or four public IP addresses.
>>
>>Sure.
>>
>>There's some practical limits - like, some OSes start getting funny when
>>you exceed something like 500 IP addresses on one interface - but besides
>>that it's just a matter of setting up routing/interface config properly.
>>
>>
>>gert
>Hi Gert,
>Thanks again for your reply.
>But, I tested my OpenVPN server. As I understand, the Port number is important
>for the OpenVPN server,
>because with the same IP address and Different Port, The OpenVPN worked.
>
>Server 1:
>
>port 1194
>proto udp
>dev tun
>ca ca.crt
>cert server.crt
>key server.key
>dh dh.pem
>server 10.8.0.0 255.255.255.0
>...
>
>Server 2:
>
>port 1195
>proto udp
>dev tun
>topology "subnet"
>push "topology subnet"
>ca /etc/openvpn/server2/ca.crt
>cert /etc/openvpn/server2/server2.crt
>key /etc/openvpn/server2/server2.key
>dh /etc/openvpn/server2/dh.pem
>server 10.8.0.0 255.255.255.0
>
>
>Isn't that strange?
>

I assume you are showing part of the conf files on the server for the two
OpenVPN instances.

What is it you consider "strange"??

To me the strange thing is your use of different paths to the crypto files,
especially that on one server you seem to have placed them inside the default
directory; you should use full paths on both.
And you are using different crypto for each, that might be what you want but
not what I am doing when setting up multiple services on my installations.
I keep those in a protected, root-only accessible directory.

But the most blatant problem I see here is that both servers use the *same*
tunnel IP address ranges 10.8.0.x, which is what the examples use and therefore
should *not* be used in a live environment.

You must have a *different* range for the two servers, otherwise routing will be
screwed up!
And use something *unique* to your installation!
Like 10.11.233.0 and 10.12.234.0 so it will not collide with anything else (at
least with a minimal chance of).

I use the *same* crypto files for my installations of two services, one with a
gateway to the server side Internet connection and one only operating on the
local network while the client uses his own gateway to the internet.
Has been working fine for over 10 years now.

But you also have to set up IPTABLES correctly for the wanted routing to
happen....

--
Bo Berglund
Developer in Sweden
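
The two points raised in this reply (both instances sharing the 10.8.0.0/24 tunnel range, and crypto files referenced by relative path) can be checked mechanically before starting a second instance. The following is an added example, not part of the original message and not OpenVPN project code; the function names and the finding strings are assumptions, and the configs are the ones quoted above, trimmed to the directives the check reads.

```python
import ipaddress
from itertools import combinations

CRYPTO_DIRECTIVES = {"ca", "cert", "key", "dh"}

# Configs as quoted in the thread, trimmed to port, crypto files and tunnel range.
SERVER1 = """\
port 1194
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
"""
SERVER2 = """\
port 1195
ca /etc/openvpn/server2/ca.crt
cert /etc/openvpn/server2/server2.crt
key /etc/openvpn/server2/server2.key
dh /etc/openvpn/server2/dh.pem
server 10.8.0.0 255.255.255.0
"""

def parse_conf(text):
    """Return (tunnel network or None, crypto directives using relative paths)."""
    net, relative = None, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#;":  # skip blanks and comments
            continue
        if parts[0] == "server" and len(parts) >= 3:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        elif parts[0] in CRYPTO_DIRECTIVES and len(parts) >= 2 and not parts[1].startswith("/"):
            relative.append(f"{parts[0]} {parts[1]}")
    return net, relative

def audit(configs):
    """configs maps instance name -> config text; returns a list of findings."""
    parsed = {name: parse_conf(text) for name, text in configs.items()}
    findings = [f"{name}: relative path in '{item}'"
                for name, (_, rel) in parsed.items() for item in rel]
    for (a, (na, _)), (b, (nb, _)) in combinations(parsed.items(), 2):
        if na is not None and nb is not None and na.overlaps(nb):
            findings.append(f"{a} and {b}: tunnel ranges overlap ({na} vs {nb})")
    return findings

if __name__ == "__main__":
    for finding in audit({"server1": SERVER1, "server2": SERVER2}):
        print(finding)
```

Because the comparison uses network overlap rather than string equality, it also catches a range that is a subnet of another instance's range.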