Discussion:
[Openvpn-users] How to configure openvpn to listen on more than one, but not all interfaces
Torsten Krah
2008-03-18 13:07:19 UTC
documentation tells this:

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

If I don't set this parameter it will listen on all interfaces.
But how to configure stuff to listen on "a.b.c.d AND e.f.g.h".

Doing

local a.b.c.d e.f.g.h

does not work. Is it possible to do such things?
I don't want to split out configuration in "2" openvpn server processes, it
must be one.

thx for help.

Torsten
--
Please do not send me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.de.html

"Really, I'm not out to destroy Microsoft. That will just be a
completely unintentional side effect."
-- Linus Torvalds
Prasanna Krishnamoorthy
2008-03-18 13:31:48 UTC
On Tue, Mar 18, 2008 at 6:37 PM, Torsten Krah
Post by Torsten Krah
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
If I don't set this parameter it will listen on all interfaces.
But how to configure stuff to listen on "a.b.c.d AND e.f.g.h".
You can't do this as of now AFAIK. Use a firewall, let it listen on
all interfaces, and block on unwanted interfaces.

Prasanna.
--
www.elinanetworks.com
Seamless, secure delivery of applications.
Torsten Krah
2008-03-18 16:06:08 UTC
Post by Prasanna Krishnamoorthy
On Tue, Mar 18, 2008 at 6:37 PM, Torsten Krah
Post by Torsten Krah
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
If I don't set this parameter it will listen on all interfaces.
But how to configure stuff to listen on "a.b.c.d AND e.f.g.h".
You can't do this as of now AFAIK. Use a firewall, let it listen on
all interfaces, and block on unwanted interfaces.
Prasanna.
That's not really a solution because on another interface (I've got 4 of them),
another server is already listening on the port I need.
Hm this should be really possible to do, sadly it does not work yet :-(.
thx you anyway for your reply.

Torsten
Jan Just Keijser
2008-03-18 16:09:45 UTC
Hi Torsten,

This is currently not possible. OpenVPN is single-threaded. In
Unix/Linux you can either bind to all interfaces or to a single
interface. If a program wishes to bind to multiple interfaces you need
to have multiple instances/threads. This is currently not
possible/implemented in OpenVPN. A stop-gap solution is to bind OpenVPN
to a single interface and set up NAT'ting on the other desired interface
to redirect traffic to the openvpn interface.

HTH,

JJK
Post by Torsten Krah
Post by Prasanna Krishnamoorthy
On Tue, Mar 18, 2008 at 6:37 PM, Torsten Krah
Post by Torsten Krah
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
If I don't set this parameter it will listen on all interfaces.
But how to configure stuff to listen on "a.b.c.d AND e.f.g.h".
You can't do this as of now AFAIK. Use a firewall, let it listen on
all interfaces, and block on unwanted interfaces.
Prasanna.
That's not really a solution because on another interface (I've got 4 of them),
another server is already listening on the port I need.
Hm this should be really possible to do, sadly it does not work yet :-(.
thx you anyway for your reply.
Torsten
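
The stop-gap described in the reply above (bind OpenVPN to one address with "local", NAT the other wanted addresses to it), as an added example that is not part of the original thread. The function name gen_dnat_rules is hypothetical and the addresses are constructed placeholders from the documentation ranges; the script only prints the rules for review, it does not apply them.

```shell
#!/bin/sh
# Added example, not from the thread: emit (do not apply) the DNAT rules for
# "bind OpenVPN to one address, redirect the other wanted addresses to it".

# gen_dnat_rules PROTO PORT BIND_ADDR EXTRA_ADDR...
#   BIND_ADDR  : the address given to OpenVPN as "local BIND_ADDR"
#   EXTRA_ADDR : further local addresses that should also reach OpenVPN
gen_dnat_rules() {
    [ "$#" -ge 4 ] || {
        echo "usage: gen_dnat_rules proto port bind_addr extra_addr..." >&2
        return 2
    }
    proto=$1; port=$2; bind_addr=$3
    shift 3
    case "$proto" in
        udp|tcp) ;;
        *) echo "proto must be udp or tcp" >&2; return 2 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 2 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "port out of range" >&2
        return 2
    }
    for addr in "$@"; do
        # Match on destination address only: addresses that are not listed
        # are left alone, so another server can keep the same port there.
        printf 'iptables -t nat -A PREROUTING -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$addr" "$proto" "$port" "$bind_addr" "$port"
    done
}

# Constructed sample: OpenVPN bound with "local 192.0.2.10" on UDP 1194,
# 198.51.100.20 should reach it too (use tcp if the server runs "proto tcp").
gen_dnat_rules udp 1194 192.0.2.10 198.51.100.20
```
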
Paul Waring
2008-03-18 16:22:21 UTC
Post by Torsten Krah
That's not really a solution because on another interface (I've got 4 of them),
another server is already listening on the port I need.
Why not just run OpenVPN on another port on all interfaces then? That
way you don't need to fiddle about with multiple configurations, nor
do you clash with the existing server. There's no real reason why you
need to run OpenVPN on the default port - it's not like Apache where
people might get confused if they have to type
http://www.example.org:8080 instead of http://www.example.org.

Paul
--
Paul Waring
http://www.pwaring.com
Erich Titl
2008-03-18 16:31:33 UTC
Torsten
Post by Torsten Krah
Post by Prasanna Krishnamoorthy
On Tue, Mar 18, 2008 at 6:37 PM, Torsten Krah
...
Post by Torsten Krah
That's not really a solution because on another interface (I've got 4 of them),
another server is already listening on the port I need.
Hm this should be really possible to do, sadly it does not work yet :-(.
thx you anyway for your reply.
It depends on your server. If you run a *X then you could block the
unwanted interfaces locally.

cheers

Erich
Drew Gibson
2008-03-18 16:49:15 UTC
Post by Torsten Krah
Post by Prasanna Krishnamoorthy
On Tue, Mar 18, 2008 at 6:37 PM, Torsten Krah
Post by Torsten Krah
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
If I don't set this parameter it will listen on all interfaces.
But how to configure stuff to listen on "a.b.c.d AND e.f.g.h".
You can't do this as of now AFAIK. Use a firewall, let it listen on
all interfaces, and block on unwanted interfaces.
Prasanna.
That's not really a solution because on another interface (I've got 4 of them),
another server is already listening on the port I need.
Hm this should be really possible to do, sadly it does not work yet :-(.
thx you anyway for your reply.
Torsten
Hi Torsten,

another workaround might be to run OVPN listening on all interfaces with
your other server listening on the appropriate i/f on a different port.
Use iptables to redirect the original (1194) address/port to the new
port (eg 8194) for the other server.

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 1194 -j REDIRECT --to-ports 8194


regards,

Drew
--
Drew Gibson

Systems Administrator
OANDA Corporation
www.oanda.com