I'm currently running OpenVPN on my VPS, listening on port 1194 via TCP. I need to use TCP since I sometimes need to tunnel traffic over an HTTP proxy. However, I'd also like to be able to use UDP, which should be faster. However, I don't want to create two subnets, as I also have my machines connect to one another, and I'd like to have them all on one subnet.

Is there any way I have two instances share one IP pool?

Here's my server config, for reference:

dev tun
proto tcp
persist-key
persist-tun
log-append /var/log/openvpn
comp-lzo

port 1194
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server 192.168.192.0 255.255.255.0
topology subnet
client-to-client
push "dhcp-option DNS 192.168.192.1"
push "dhcp-option DOMAIN my.example.com"

# Daemon settings
user nobody
group nogroup
Mikeage

2 Answers

Ok, I solved this.

First, I switched to a bridged network. I created one bridge device, and two tap devices which are attached (I don't have an ethernet device on the bridge). The UDP server listens on 192.168.192.1 [and on tap0], the TCP on 192.168.192.2 [and on tap1]. The bridge itself gets 192.168.192.1, but I don't think this is that important. Both have the same ifconfig-pool-persist file.

This worked, but I couldn't connect from clients connected via UDP to clients connected via TCP or vice versa (clients with the same method could talk to each other). I added a firewall rule:

iptables -A FORWARD -i br0 -o br0 -j ACCEPT

and now everything works.

Mikeage
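The procedure described in this answer (one bridge, one tap device per transport, two server instances sharing a pool file, plus the FORWARD rule), written out as a shell script. This is an added example, not the poster's actual files: the device names br0, tap0 and tap1, the two config file names, the /etc/openvpn/ipp.txt path and the two pool ranges are assumptions, while the subnet, certificate paths and daemon settings are taken from the question's config. It goes one step beyond the answer by giving each instance its own non-overlapping pool range, so that sharing the ifconfig-pool-persist file between two daemons cannot hand the same address to two clients.

```bash
#!/bin/sh
# Two OpenVPN server instances (UDP and TCP) on one bridged subnet.
# Added example, not the answer's real files. Assumed names: br0, tap0, tap1,
# /etc/openvpn/ipp.txt, server-udp.conf / server-tcp.conf and the pool ranges.
set -eu

BR=br0
BR_ADDR=192.168.192.1                    # address of the bridge itself (as in the answer)
NETMASK=255.255.255.0
KEYDIR=/etc/openvpn/easy-rsa/2.0/keys    # certificate paths from the question's config
POOL_FILE=/etc/openvpn/ipp.txt           # one pool-persist file shared by both instances

# Print a server config for one transport.
#   $1 = proto (udp or tcp)   $2 = tap device
#   $3 = gateway address this instance announces (.1 for UDP, .2 for TCP, per the answer)
#   $4 = first pool address   $5 = last pool address
gen_server_conf() {
    proto=$1 tapdev=$2 gw=$3 pool_start=$4 pool_end=$5
    cat <<EOF
dev $tapdev
proto $proto
port 1194
ca $KEYDIR/ca.crt
cert $KEYDIR/server.crt
key $KEYDIR/server.key
dh $KEYDIR/dh1024.pem
# bridged mode: no "server" line; the bridge owns the subnet and this
# instance only hands out addresses from its own slice of it
server-bridge $gw $NETMASK $pool_start $pool_end
ifconfig-pool-persist $POOL_FILE
client-to-client
push "dhcp-option DNS 192.168.192.1"
push "dhcp-option DOMAIN my.example.com"
persist-key
persist-tun
comp-lzo
log-append /var/log/openvpn-$proto
user nobody
group nogroup
EOF
}

# Write both configs into $1. The pool ranges are disjoint (assumption going
# beyond the answer) so the shared persist file never records one address twice.
write_configs() {
    outdir=$1
    gen_server_conf udp tap0 192.168.192.1 192.168.192.50  192.168.192.100 > "$outdir/server-udp.conf"
    gen_server_conf tcp tap1 192.168.192.2 192.168.192.101 192.168.192.150 > "$outdir/server-tcp.conf"
}

# Create the bridge and both tap devices (needs root), then add the FORWARD
# rule from the answer so UDP clients and TCP clients can reach each other.
setup_bridge() {
    ip link add name "$BR" type bridge
    for dev in tap0 tap1; do
        ip tuntap add dev "$dev" mode tap user nobody   # owned by the user the daemon drops to
        ip link set "$dev" master "$BR"
        ip link set "$dev" up
    done
    ip addr add "$BR_ADDR/24" dev "$BR"
    ip link set "$BR" up
    # Frames only hit iptables FORWARD on a bridge when br_netfilter is active;
    # that is why the answer needed this rule, and on a kernel without it the
    # rule is simply never consulted.
    iptables -A FORWARD -i "$BR" -o "$BR" -j ACCEPT
}

# Only touch the system when explicitly asked; otherwise the functions are just defined.
case "${1:-}" in
    apply) setup_bridge; write_configs /etc/openvpn ;;
esac
```

Run it as `sh bridge-two-instances.sh apply` as root, then start one openvpn process per config. The FORWARD rule, as in the answer, allows every client to talk to every other client across both transports; if that is more than needed, narrow it to specific source and destination addresses rather than accepting everything that crosses the bridge.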

The traffic you put into the VPN is independent from the protocol used for the tunnel. In an OpenVPN tunnel, you can put AFAIK any traffic (TCP, UDP, ICMP,...).

EDIT: I really really don't think you can have two OpenVPN instances with the same subnet, as that would give you an impossible routing table. What you can do is have two separate subnets or route between them. I have never done it, but I think it's reasonable to think that it will work.

Antoine Benkemoun
  • ummm.. yeah. But the OpenVPN connection can be created over a TCP connection (good for tunneling via HTTP) or a UDP connection (better performance) – Mikeage Aug 23 '10 at 03:16
  • answered in edit. – Antoine Benkemoun Aug 23 '10 at 11:12
  • It makes sense that it'd be a problem, but perhaps there's some trick out there. It seems like listening on both UDP and TCP is a fairly common requirement, and if the client's IP changed depending on where it would connect, it would be rather hard to find (DNS is a problem since if I use OpenVPN-based DNS, I lose local network DNS). – Mikeage Aug 23 '10 at 13:43
  • For DNS, you could always use some bogus TLD such as .vpn and use that. You could then use both local and OpenVPN DNS... – Antoine Benkemoun Aug 23 '10 at 14:44