Posted: Sun Nov 09, 2008 3:48 Post subject: Running Two Instances of OpenVPN for UDP & TCP
I edited this post to include my solution. The original message with my problem is at the bottom of this. I *think* I got this figured out and running now. This was done on a Buffalo WHR-G125 running DD-WRT v24-sp2 (10/29/08) vpn - build 10690. This was the goal: to have OpenVPN running and capable of accepting connections via either UDP or TCP depending on where I was connecting from. To do so would require separate instances of OpenVPN. If I connect to the VPN from work, it requires I go through a Squid proxy, which needs to run over TCP. Most other places I can get away with using it over UDP, which I prefer. Originally, I needed to run it on port 443 because at school, the only thing open is 80 & 443. At work, if I go through 80 or 443, it needs to pass through the Squid proxy. I haven't confirmed yet, but I may be able to pass it through 1194 from work without the need for the proxy -- I'll test it Monday. If that works, then what it comes down to is me needing to have OpenVPN listen on both 443 and 1194 with separate instances.
I am using a routed setup for both instances. I wanted to redirect everything through the VPN when it was in use. I can access my Windows files at home by adding a hosts entry to my client machine (for convenience -- I could also access via its LAN IP), and I have Internet access through the VPN.
Server config (TCP)
port 443
proto tcp-server
dev tun0
cipher AES-256-CBC
comp-lzo
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth /tmp/openvpn/ta.key 0
server 10.32.71.0 255.255.255.0
client-to-client
keepalive 10 120
push "route 192.168.32.0 255.255.255.0"
push "redirect-gateway"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
persist-key
persist-tun
verb 5
client1.ovpn (TCP)
remote my.server.address 443
client
proto tcp-client
dev tun0
comp-lzo
resolv-retry infinite
nobind
float
persist-key
persist-tun
ns-cert-type server
verb 3
cipher AES-256-CBC
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
ping 10
ping-restart 60
Then, I entered the following in my Startup command window to create the 2nd instance. The sleep commands I had to play around with to account for the openvpn directory being created and populated with my keys from the GUI:
Startup
openvpn --mktun --dev tun1
sleep 10
# Quoted 'EOF' delimiter: the shell leaves the inner double quotes on the
# push lines alone (inside echo "..." they would be stripped and the push
# arguments split apart).
cat > /tmp/openvpn-udp.conf <<'EOF'
port 1194
proto udp
dev tun1
cipher AES-256-CBC
comp-lzo
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth /tmp/openvpn/ta.key 0
server 10.71.71.0 255.255.255.0
client-to-client
keepalive 10 120
push "route 192.168.32.0 255.255.255.0"
push "redirect-gateway"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
persist-key
persist-tun
verb 5
EOF
# Launch the second instance in the background; writing the config file
# alone starts nothing.
openvpn --daemon --config /tmp/openvpn-udp.conf
Everything seems to be working OK. Does anyone see anything here that may be a problem?
Hope it helps anyone that was thinking of doing the same.
Rick
My original message was:
I have DD-WRT set up on my gateway WHR-G125. I have a second WRT54G also with DD-WRT that sits on the LAN as a switch. My gateway router is set up to handle OpenVPN via TCP for when I am accessing wireless networks that require a proxy. I would like to know if it is possible to somehow set up the 2nd WRT54G to run its own instance of OpenVPN to handle UDP connections when I don't need to go through a proxy server.
If that's not possible, is it possible to run 2 instances of OpenVPN on the gateway? I suspect not.
Thanks,
Rick
Last edited by RickNY on Tue Nov 18, 2008 21:31; edited 2 times in total
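A consolidated version of the two-instance startup from this post, added here as an example and not Rick's own script: it writes the UDP instance's config through a heredoc, refuses to start it if it would collide with the GUI's TCP instance (same tun device, same proto/port socket, or same `server` pool), and then launches it under its own process name. The path of the GUI instance's config (/tmp/openvpn/openvpn.conf) and of the certificates under /tmp/openvpn are assumptions; the subnets and ports are the ones from the post.

```shell
#!/bin/sh
# Added example, not Rick's script: build the second (UDP, routed) server
# config with a heredoc, refuse to start it if it would collide with the
# GUI's TCP instance, then launch it under its own process name.
# Assumptions not stated in the thread: the GUI instance's config is
# /tmp/openvpn/openvpn.conf and its certificates sit in /tmp/openvpn.

# write_server_conf FILE PROTO DEV PORT VPN_NET LAN_NET
# Routed server config. The heredoc is unquoted so the arguments expand, but
# the double quotes on the push lines are still passed through verbatim
# (an echo "..." with embedded quotes would strip them).
write_server_conf() {
    cat > "$1" <<EOF
proto $2
port $4
dev $3
cipher AES-256-CBC
comp-lzo
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth /tmp/openvpn/ta.key 0
server $5 255.255.255.0
client-to-client
keepalive 10 120
push "route $6 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
persist-key
persist-tun
daemon
verb 3
EOF
}

# conf_value FILE DIRECTIVE: first argument of DIRECTIVE, empty if absent.
conf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_no_conflict CONF_A CONF_B: 0 if the two server configs can run side
# by side, 1 if they share a tun device, a proto/port socket, or a pool.
# Sharing the certificates and the tls-auth key is fine and is not checked.
check_no_conflict() {
    a_dev=$(conf_value "$1" dev);    b_dev=$(conf_value "$2" dev)
    a_net=$(conf_value "$1" server); b_net=$(conf_value "$2" server)
    a_l4=$(conf_value "$1" proto);   b_l4=$(conf_value "$2" proto)
    a_l4=${a_l4%-server};            b_l4=${b_l4%-server}    # tcp-server -> tcp
    a_port=$(conf_value "$1" port);  b_port=$(conf_value "$2" port)
    a_sock="$a_l4/${a_port:-1194}";  b_sock="$b_l4/${b_port:-1194}"  # 1194 is OpenVPN's default
    rc=0
    if [ "$a_dev" = "$b_dev" ]; then
        echo "conflict: both instances use device $a_dev" >&2; rc=1
    fi
    if [ "$a_sock" = "$b_sock" ]; then
        echo "conflict: both instances listen on $a_sock" >&2; rc=1
    fi
    if [ -n "$a_net" ] && [ "$a_net" = "$b_net" ]; then
        echo "conflict: both instances hand out $a_net" >&2; rc=1
    fi
    return $rc
}

# Body for the DD-WRT startup box. The GUI brings up tun0 on tcp/443; this
# adds tun1 on udp/1194 with a different pool. The symlink gives the second
# process a distinct name so it is not mistaken for the GUI's openvpn.
dd_wrt_startup() {
    sleep 10   # let the GUI populate /tmp/openvpn first
    write_server_conf /tmp/openvpn-udp.conf udp tun1 1194 10.71.71.0 192.168.32.0
    check_no_conflict /tmp/openvpn/openvpn.conf /tmp/openvpn-udp.conf || return 1
    ln -sf /usr/sbin/openvpn /tmp/openvpn-udp
    /tmp/openvpn-udp --mktun --dev tun1
    /tmp/openvpn-udp --config /tmp/openvpn-udp.conf   # 'daemon' is in the config
}
```

On the router the startup box would hold these functions followed by a single `dd_wrt_startup` call; the check is also handy by hand after editing either config. A TCP and a UDP instance may share a port number, since they are different sockets, but they must never share a tun device or a `server` pool.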
Did you get just one working first? I got the first one set up via the GUI and actually working before I moved on to the other one. Also, at one point in the very beginning, I realized I needed to do a 30-30-30 reset on the device because it just was not working at all.
Joined: 27 Sep 2008 Posts: 446 Location: Port Of Spain
Posted: Sat Nov 15, 2008 22:58 Post subject:
I did a 30/30/30 reset. The first openvpn is running and I can connect with it (this is the one on tcp 443 in the GUI); however the second one does not connect, I get an error saying: read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054).
Looking at it I don't think you can run 2 instances of openvpn; also, why does the startup have tun1 and the client config for it has tun0? That really doesn't make any sense to me, even though I don't know much about openvpn.
Posted: Mon Nov 17, 2008 21:46 Post subject:
I changed my startup script to this and now it works great. Maybe you can try it and see if it works for you also. Then maybe the gurus can have a look at it to see if everything is OK with the setup, then they can make it a sticky for those who want to run openvpn on 2 ports. Can you change the subject of this topic to (OPENVPN ON 2 SEPARATE PORTS 1194 & 443) or something like that so people can come in and view it?
my startup
# Move to writable directory and create scripts
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn
# Config
# Quoted 'EOF' delimiter: keeps the double quotes on the push lines intact
# (echo "..." would strip them and split the push arguments).
cat > openvpn-udp.conf <<'EOF'
proto udp
port 1194
dev tun1
cipher AES-256-CBC
comp-lzo
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth /tmp/openvpn/ta.key 0
server 10.71.71.0 255.255.255.0
client-to-client
keepalive 10 120
push "route 192.168.32.0 255.255.255.0"
push "redirect-gateway"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
persist-key
persist-tun
verb 5
daemon
EOF
# Create interfaces
/tmp/myvpn --mktun --dev tun1
# Initiate the tunnel
sleep 5
/tmp/myvpn --config openvpn-udp.conf
Posted: Sat Jun 13, 2009 7:58 Post subject: I succeeded in setting my server up and it worked but...
First of all thanks for sharing your ideas with others. This is what I have been looking for!
I succeeded in setting up my server just like Rick's initial configuration. The edited startup script was not able to bring up the udp-client, so I switched back to Rick's startup script and both worked but...
This was ONLY for a while. Though the udp-client still works very fine, the tcp-client doesn't. Initially both were working very fine with slow pace on the tcp-client. When I checked the processes then, there were two processes registered for openvpn.
Now that only one is working, the server does not start the tcp-client process. I can only see the udp-client process. I have rebooted the router (WRT54GL v1.1) several times to no avail.
After two years, I can see that nobody posted any reply to my request above. So, I've decided to post the final solution to my problem here. Below is my startup script to setup the UDP protocol for the second instance of OpenVPN I run on my network router.
====================== BEGIN STARTUP =======================
# Move to writable directory and create scripts
cd /tmp
ln -s /usr/sbin/openvpn /tmp/openvpn-udp
# Config
# Quoted 'EOF' delimiter: keeps the double quotes on the push lines intact
# (echo "..." would strip them and split the push arguments).
cat > openvpn-udp.conf <<'EOF'
proto udp
port 1194
dev tun1
cipher AES-256-CBC
comp-lzo
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth /tmp/openvpn/ta.key 0
server 10.71.71.0 255.255.255.0
client-to-client
keepalive 10 120
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
persist-key
persist-tun
verb 5
daemon
EOF
# Create interfaces (the symlink above is /tmp/openvpn-udp, so use that name
# here rather than /tmp/myvpn, which does not exist in this script)
/tmp/openvpn-udp --mktun --dev tun1
# Initiate the tunnel
sleep 5
/tmp/openvpn-udp --daemon --config openvpn-udp.conf
Posted: Wed Nov 25, 2015 7:29 Post subject: bumping this...
I'm trying to set up a separate instance of OpenVPN on my DD-WRT router but am having problems getting the second instance/interface running. Any ideas?
I have 2 routers, both w/ DD-WRT. One is the server. The other is the client, and both routers are bridged using tap0 on port 1194. The LAN is 192.168.2.x with 192.168.2.1 being the router itself.
Unfortunately, my iPhone will NOT dial into the OpenVPN server on my router since it's configured in TAP mode. I am apparently forced to use TUN.
I tried to just create a new instance linked to the openvpn binary ("myvpn2") with a corresponding new configuration file. However, when I run ifconfig after sshing into the router, I don't see the tun1 interface appearing at all. I do see the tap0 interface, and it's running fine.
Here's a copy of my STARTUP commands. Please note that I am not using the VPN GUI. I was hoping to just have everything running from the startup commands.
I'm guessing that it's okay for the tap0 interface to be on the 192.168.2.x network, but I'm guessing that tun1 needs to be on its own separate network which would then be routed. I'm not sure how to do this, though.
===BEGIN STARTUP COMMANDS===
cd /tmp
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
# Quoted 'EOF' delimiter: the shell copies the text verbatim, so trailing
# comments and any double-quoted push lines reach OpenVPN unchanged.
cat > openvpn.conf <<'EOF'
# Tunnel options
mode server # Set OpenVPN major mode
proto udp # Setup the protocol (server)
port 1194 # TCP/UDP port number
dev tap0 # TUN/TAP virtual network device
keepalive 15 60 # Simplify the expression of --ping
daemon # Become a daemon after all initialization
verb 3 # Set output verbosity to n
comp-lzo # Use fast LZO compression
# OpenVPN server mode options
client-to-client # tells OpenVPN to internally route client-to-client traffic
duplicate-cn # Allow multiple clients with the same common name
# TLS Mode Options
tls-server # Enable TLS and assume server role during TLS handshake
ca ca.crt # Certificate authority (CA) file
dh dh1024.pem # File containing Diffie Hellman parameters
cert server.crt # Local peer's signed certificate
key server.key # Local peer's private key
EOF
# Second instance: a routed TUN server. Note that nothing in this script
# creates tun1 or starts either instance, and without a 'server' (or
# ifconfig-pool) line this instance has no address pool to give clients.
cat > openvpn2.conf <<'EOF'
# Tunnel options
mode server # Set OpenVPN major mode
proto udp # Setup the protocol (server)
port 21194 # TCP/UDP port number
dev tun1 # TUN/TAP virtual network device
keepalive 15 60 # Simplify the expression of --ping
daemon # Become a daemon after all initialization
verb 3 # Set output verbosity to n
comp-lzo # Use fast LZO compression
# OpenVPN server mode options
client-to-client # tells OpenVPN to internally route client-to-client traffic
duplicate-cn # Allow multiple clients with the same common name
# TLS Mode Options
tls-server # Enable TLS and assume server role during TLS handshake
ca ca.crt # Certificate authority (CA) file
dh dh1024.pem # File containing Diffie Hellman parameters
cert server.crt # Local peer's signed certificate
key server.key # Local peer's private key
EOF
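For the TAP-plus-TUN case in the post above, here is an added example (not the poster's startup commands) that completes the picture: both configs written via quoted heredocs, tun1 created and given its own pool with a `server` line, a pushed route back to the 192.168.2.0/24 LAN, and both instances launched under distinct names from the startup box with no GUI involved. The certificate paths under /tmp/openvpn, the 10.8.0.0/24 pool and br0 as the LAN bridge are assumptions; firewall rules for tun1 are not shown.

```shell
#!/bin/sh
# Added example, not the poster's script: run a bridged TAP server for the
# router-to-router link and a routed TUN server for the iPhone, both from
# the DD-WRT startup box. Assumptions beyond the post: certificates live in
# /tmp/openvpn, the LAN is 192.168.2.0/24 behind br0, and 10.8.0.0/24 is a
# free subnet for the TUN pool. Firewall rules for tun1 are not shown.

CONF_DIR=${CONF_DIR:-/tmp}
OPENVPN=${OPENVPN:-/usr/sbin/openvpn}

# Both configs via quoted heredocs: with <<'EOF' the shell copies the text
# verbatim, so the double quotes on push lines survive (echo "..." drops them).
write_configs() {
    # TAP: bridged into br0, so clients get LAN addresses from the LAN's DHCP.
    # No 'server' line on purpose; OpenVPN assigns nothing itself.
    cat > "$CONF_DIR/openvpn-tap.conf" <<'EOF'
mode server
tls-server
proto udp
port 1194
dev tap0
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/server.crt
key /tmp/openvpn/server.key
dh /tmp/openvpn/dh1024.pem
keepalive 15 60
comp-lzo
client-to-client
duplicate-cn
daemon
verb 3
EOF
    # TUN: its own /24. 'server' hands out addresses and the pushed route
    # sends LAN traffic back through the tunnel. Port and device differ from
    # the TAP instance so the two can coexist.
    cat > "$CONF_DIR/openvpn-tun.conf" <<'EOF'
mode server
tls-server
proto udp
port 21194
dev tun1
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/server.crt
key /tmp/openvpn/server.key
dh /tmp/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
keepalive 15 60
comp-lzo
client-to-client
daemon
verb 3
EOF
}

# tun_pool: the pool the TUN instance hands out (for a quick sanity check).
tun_pool() {
    awk '$1 == "server" { print $2 "/" $3; exit }' "$CONF_DIR/openvpn-tun.conf"
}

# listen_sockets: "proto/port" of each instance, one per line; a repeated
# line means the two would fight over the same socket.
listen_sockets() {
    for f in "$CONF_DIR/openvpn-tap.conf" "$CONF_DIR/openvpn-tun.conf"; do
        awk '$1 == "proto" { p = $2 } $1 == "port" { n = $2 } END { print p "/" n }' "$f"
    done
}

# Startup-box body: run this once at boot on the router.
startup() {
    write_configs
    # TAP side: create the device, put it in the LAN bridge, bring it up.
    "$OPENVPN" --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    # TUN side: only the device; its address comes from the 'server' line.
    "$OPENVPN" --mktun --dev tun1
    # Distinct names so each instance shows up separately in ps.
    ln -sf "$OPENVPN" /tmp/openvpn-tap
    ln -sf "$OPENVPN" /tmp/openvpn-tun
    /tmp/openvpn-tap --config "$CONF_DIR/openvpn-tap.conf"
    /tmp/openvpn-tun --config "$CONF_DIR/openvpn-tun.conf"
    listen_sockets
}
```

After `startup` runs, `ifconfig` on the router should list both tap0 (in the bridge, no address of its own) and tun1 (with the 10.8.0.1 side of the pool); a TUN client needs `dev tun` and `remote <router> 21194` in its profile.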