One of the lesser-known possibilities when using configuration files is the ability to include other configuration files. This can be especially handy when setting up a complex OpenVPN server, where multiple OpenVPN instances are offered simultaneously. The common configuration directives can be stored in a single file, whereas the connection-specific parts can be stored in a file for each instance. In this recipe, we will set up two OpenVPN instances, one using UDP and the other using TCP as the transport protocol.
Note that this option does not allow for the sharing of VPN IP address ranges between instances: each instance is a separate OpenVPN process with its own tun device, so each still needs its own server subnet and its own protocol/port combination.
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11.
First, create the common part of the server configuration:

dev tun
ca /etc/openvpn/cookbook/ca.crt
cert /etc/openvpn/cookbook/server.crt
key /etc/openvpn/cookbook/server.key
dh /etc/openvpn/cookbook/dh2048.pem
tls-auth /etc/openvpn/cookbook/ta.key 0
persist-key
persist-tun
keepalive 10 60
push "route 10.198.0.0 255.255.0.0"
topology subnet
user nobody
group nobody
daemon

Save it as example10-1-common.conf. Note that this configuration file does not include a protocol specification, a port, or a server line. Also, note that we will be using the same server certificate for both OpenVPN instances.
Next, create the first instance-specific file, which pulls in the common file with the config directive and adds only the UDP-specific settings:

config example10-1-common.conf
proto udp
port 1194
server 10.200.0.0 255.255.255.0
log-append /var/log/openvpn-udp.log

Save it as example10-1-server1.conf.
Then create the second instance-specific file, this time for TCP and with a different VPN subnet:

config example10-1-common.conf
proto tcp
port 443
server 10.201.0.0 255.255.255.0
log-append /var/log/openvpn-tcp.log

Save it as example10-1-server2.conf. This instance listens on the HTTPS port 443, which is an often-used trick to get through very strict firewalls, or to work around a badly configured firewall.
Start both instances from the directory that holds the three files (a relative path on the config line is resolved against the current working directory unless --cd is used):

[root@server]# openvpn --config example10-1-server1.conf
[root@server]# openvpn --config example10-1-server2.conf

Check the two log files to verify that both servers have started successfully.
OpenVPN configuration files are treated very similarly to command-line options: each line of a configuration file is one option with the leading -- removed. As --config is itself an ordinary option, it can also be used inside a configuration file. This allows for a split in the configuration options, where directives that are common to all OpenVPN instances can be stored in a single file for easy maintenance. The instance-specific directives (such as the server directive) can then be stored in much smaller configuration files, which are also less likely to change over time. This again eases maintenance of a large-scale OpenVPN server setup.
OpenVPN has a built-in protection mechanism against runaway includes: the nesting depth of config directives is limited, so a file that includes itself, directly or via another file, makes OpenVPN abort with a recursion error instead of looping forever.
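To make the include mechanism and the caveats of this recipe concrete, the following added example (not OpenVPN's own code, and not from the book) inlines config includes the way OpenVPN reads them and then checks a set of instance files for the mistakes a split setup invites: an instance that forgets proto, port or server, two instances sharing a VPN subnet or the same protocol/port, and a file that includes itself. The sample files are constructed to mirror the recipe; the include-depth cap of 10 is an assumption, and the file names are illustrative.

```python
"""Inline OpenVPN 'config' includes and sanity-check a multi-instance layout.

Added example; not OpenVPN's own code. Sample files are constructed to
mirror the recipe, and the include-depth cap is an assumption.
"""
import ipaddress
import os
import tempfile

# Constructed sample files modelled on the recipe (paths are illustrative).
SAMPLE_FILES = {
    "common.conf": (
        "dev tun\n"
        "ca /etc/openvpn/cookbook/ca.crt\n"
        "cert /etc/openvpn/cookbook/server.crt\n"
        "key /etc/openvpn/cookbook/server.key\n"
        "dh /etc/openvpn/cookbook/dh2048.pem\n"
        "tls-auth /etc/openvpn/cookbook/ta.key 0\n"
        "persist-key\npersist-tun\nkeepalive 10 60\n"
        'push "route 10.198.0.0 255.255.0.0"\n'
        "topology subnet\nuser nobody\ngroup nobody\ndaemon\n"
    ),
    "server1.conf": "config common.conf\nproto udp\nport 1194\n"
                    "server 10.200.0.0 255.255.255.0\nlog-append /var/log/openvpn-udp.log\n",
    "server2.conf": "config common.conf\nproto tcp\nport 443\n"
                    "server 10.201.0.0 255.255.255.0\nlog-append /var/log/openvpn-tcp.log\n",
    # Deliberately broken instances: one reuses server1's VPN subnet, one includes itself.
    "dup.conf": "config common.conf\nproto tcp\nport 1194\nserver 10.200.0.0 255.255.255.0\n",
    "loop.conf": "config loop.conf\nproto udp\nport 1195\nserver 10.202.0.0 255.255.255.0\n",
}

MAX_DEPTH = 10  # assumed cap; OpenVPN aborts on runaway include nesting


def expand_config(path, depth=0):
    """Return (directive, argument) pairs of `path` with nested `config` lines inlined.

    Relative paths resolve against the current working directory, as OpenVPN
    does unless --cd is given. Nesting past MAX_DEPTH raises RecursionError.
    """
    if depth > MAX_DEPTH:
        raise RecursionError(f"config include nesting exceeds {MAX_DEPTH} at {path}")
    directives = []
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            name, _, arg = line.partition(" ")
            if name == "config":
                directives.extend(expand_config(arg.strip(), depth + 1))
            else:
                directives.append((name, arg.strip()))
    return directives


def check_instances(instance_paths):
    """Return a list of problems found across a set of instance files."""
    problems, subnets, endpoints = [], {}, {}
    for path in instance_paths:
        try:
            opts = dict(expand_config(path))
        except RecursionError as exc:
            problems.append(f"{path}: {exc}")
            continue
        for required in ("proto", "port", "server"):
            if required not in opts:
                problems.append(f"{path}: missing '{required}'")
        if "server" in opts:
            addr, mask = opts["server"].split()[:2]
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            for other, other_net in subnets.items():
                if net.overlaps(other_net):
                    problems.append(f"{path}: server subnet {net} overlaps {other_net} in {other}")
            subnets[path] = net
        if "proto" in opts and "port" in opts:
            ep = (opts["proto"], opts["port"])
            if ep in endpoints:
                problems.append(f"{path}: {ep[0]}/{ep[1]} already bound by {endpoints[ep]}")
            endpoints[ep] = path
    return problems


def demo():
    """Write the sample files to a scratch directory and run the checks from there."""
    with tempfile.TemporaryDirectory() as workdir:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(workdir, name), "w") as fh:
                fh.write(body)
        previous = os.getcwd()
        os.chdir(workdir)  # mimic running openvpn from the config directory
        try:
            good = check_instances(["server1.conf", "server2.conf"])
            expanded = expand_config("server2.conf")
            bad = check_instances(["server1.conf", "dup.conf", "loop.conf"])
        finally:
            os.chdir(previous)
    return good, expanded, bad


if __name__ == "__main__":
    ok, merged, errs = demo()
    print("valid layout problems:", ok)
    print("server2 effective directives:", len(merged))
    print("broken layout problems:", *errs, sep="\n  ")
```

Running the script reports no problems for the server1/server2 pair, 18 effective directives for the TCP instance (14 from the common file plus its own 4), and two problems for the broken set: dup.conf overlapping server1's 10.200.0.0/24 and loop.conf exceeding the include depth. Note that the check works on the expanded directive list, so a server or proto line placed in the common file by mistake would also be caught as a collision between instances.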