  1. #1
    Newbie
    Join Date
    Jan 2020
    Posts
    4

    Multiple OpenVPN Server instances?

    I am looking into a new firewall for a home lab setup and evaluating the options. Untangle looks promising so far, but I also see some limitations. Is it possible to host two instances of the OpenVPN server, i.e. by adding multiple instances of the OpenVPN app? I just want to have both the TCP and UDP protocol options supported, but I don't see a way to get this working on Untangle (or on pretty much any Linux-based firewall distro out there).

    Btw, this option is available on the OPNSense/pfSense FreeBSD-based firewalls out of the box, but I would really like to stay in the Linux world if possible. So far, it looks like I am going to join the dark (BSD) side.

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,263


    It's not possible to have two OpenVPN instances. What is the use case?

    You can pick UDP or TCP but not both at the same time.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Newbie
    Join Date
    Jan 2020
    Posts
    4


    I know that a single OpenVPN server instance can listen on either TCP or UDP; this is why I asked about the ability to run several instances with different configurations.
    The use case is simple: I need to be able to connect to the server from networks that block UDP traffic. OpenVPN recommends UDP, that is where OpenVPN shows its best performance, and that is what I want to use by default. But in situations where I can't use UDP I want to connect to a TCP instance and get at least some connectivity (I know about the downsides of TCP over TCP, but it works at least to some extent).
    So, I am trying to find a reason to prefer Untangle over OPNSense/pfSense. I prefer a Linux-based solution over BSD and don't mind paying a reasonable license fee if it is worth it, but here I see that Untangle is clearly losing. Any suggestions for addressing my issue before I go to the BSD side?

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,909


    In situations like this, I use the IPSec module. All remote users have OpenVPN, and L2TP available. Though to be honest in recent years this is not working out so well due to a ton of factors. Most of the time OpenVPN UDP works, and when it doesn't alternatives aren't much better.

    I had an executive in a conference center in Dallas last year, she couldn't use OpenVPN, L2TP, RDP, OR ScreenConnect to connect to her office... all due to filtration happening at the hotel. You'd think such a place would know better, but in the end I just told her to use her phone's hot spot. BOOM online.

    But, the bottom line, it doesn't matter what you do it's going to not work at some point. And additional complexity is just more security problems.

    But honestly, if you don't see the obvious benefits of Untangle vs OPNSense, no one here is going to be able to help you. The two products are apples and oranges. I use both heavily, but I never use OPNSense on an edge device anymore.

    Heck, for that matter ever considered abandoning the VPN idea entirely? It's going the way of the dodo in favor of all sorts of things. O365 / Teams has file sync and storage built in. And if you want remote file access while doing the above from all open source, that's what nextcloud / owncloud is for.
    Last edited by sky-knight; 01-13-2020 at 05:08 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Newbie
    Join Date
    Jan 2020
    Posts
    4


    In situations like this, I use the IPSec module.
    Yes, this is what I am doing now with my IPFire setup (I am using clean IPsec/IKEv2). There are a few problems with this:
    1. It is UDP-only.
    2. It requires opening multiple ports on the firewall (500/4500 in the case of IKEv2 and 500/1701 in the case of IPsec/L2TP). With OpenVPN I can open a single port (and host two instances with a TCP/UDP setup on the same port - the ideal solution for me, which I was trying to get on Untangle).
    3. IKEv2 is not supported by all the hardware I am using (there are workarounds though).
    4. L2 tunneling is redundant for my use case.

    Since this is UDP-based, I have to configure OpenVPN for a TCP port (to get separation working and to have a working VPN on UDP-blocking networks). I would really like to have OpenVPN in UDP mode as well, but can't, since another instance would be needed.

    All remote users have OpenVPN, and L2TP available. Though to be honest in recent years this is not working out so well due to a ton of factors. Most of the time OpenVPN UDP works, and when it doesn't alternatives aren't much better.
    Not sure if I get your setup properly. L2TP is UDP-based, and later you are mentioning that your OpenVPN is also configured for UDP? Then it is no surprise you have issues, since UDP-blocking public/hotel wifi networks are pretty frequent. Switch your OpenVPN to TCP and put it on port 443 and it will work everywhere (except on DPI-configured networks which can differentiate OpenVPN from HTTPS traffic). The only caveat is performance in this scenario - TCP-over-TCP is not the best thing, so I would use this only if no other option is working.

    But honestly, if you don't see the obvious benefits of Untangle vs OPNSense, no one here is going to be able to help you. The two products are apples and oranges. I use both heavily, but I never use OPNSense on an edge device anymore.
    Well, this sounds like something new to me. I consider them very close to Untangle in functionality and do not agree with "apples and oranges" here. Also, what is wrong with putting OPNSense on an edge device? Do you have some real cases or an explanation of what is wrong with this?

    for that matter ever considered abandoning the VPN idea entirely?
    This is not an option, since I need the VPN exactly to have remote access to my internal network. I can expose some services to the outside separately, but that is a separate story.

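    Added example (not from any post in this thread, and not an Untangle feature): the two-instance layout described in #5, as it would be set up on a plain Linux host running stock OpenVPN 2.4 or newer. TCP 443 and UDP 443 are distinct sockets, so two server processes can both be configured with "port 443" without conflicting; each instance needs its own tun device, its own address pool and its own status/ipp files, while the CA and server certificate can be shared. The hostname vpn.example.com, the file paths, the subnets and the certificate file names are assumptions.

```conf
# /etc/openvpn/server/udp443.conf  (assumed path; preferred instance)
port 443
proto udp
dev tun0
server 10.8.0.0 255.255.255.0          # assumed pool, must differ from the TCP instance
ca /etc/openvpn/server/ca.crt          # assumed file names, shared by both instances
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
tls-crypt /etc/openvpn/server/tc.key   # hides the control channel from casual DPI
remote-cert-tls client
cipher AES-256-GCM
user nobody
group nogroup
persist-key
persist-tun
status /run/openvpn-server/udp443.status
ifconfig-pool-persist /var/lib/openvpn/udp443-ipp.txt
verb 3

# /etc/openvpn/server/tcp443.conf  (assumed path; fallback instance)
port 443
proto tcp
dev tun1
server 10.8.1.0 255.255.255.0
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
tls-crypt /etc/openvpn/server/tc.key
remote-cert-tls client
cipher AES-256-GCM
user nobody
group nogroup
persist-key
persist-tun
status /run/openvpn-server/tcp443.status
ifconfig-pool-persist /var/lib/openvpn/tcp443-ipp.txt
verb 3

# client.ovpn  (one profile for both; remotes are tried in order)
client
dev tun
nobind
remote vpn.example.com 443 udp       # assumed hostname; tried first
remote vpn.example.com 443 tcp       # used only when the UDP attempt gets no reply
connect-timeout 10                   # seconds to wait per remote before moving on
resolv-retry infinite
remote-cert-tls server
cipher AES-256-GCM
persist-key
persist-tun
verb 3
<ca>
# ... CA certificate ...
</ca>
<cert>
# ... client certificate ...
</cert>
<key>
# ... client key ...
</key>
<tls-crypt>
# ... same tc.key as the servers ...
</tls-crypt>
```

    On distributions that ship OpenVPN's openvpn-server@.service template, the two instances are started as openvpn-server@udp443 and openvpn-server@tcp443; the firewall then needs exactly one port number open for both protocols. Because the per-remote "udp"/"tcp" arguments override the global proto, the client falls back to TCP only after the UDP remote has timed out, so the TCP-over-TCP cost is paid only on networks that actually block UDP.
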
  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,909


    OPNSense / PFSense is a layer 2/3 device with some layer 7 features bolted on. Untangle is a layer 7 device, with some layer 2/3 features bolted on.

    The nature of the work they do, and how they do it is drastically different. Untangle is a UTM, OPNSense/PFSense pretend to be a UTM, there's a huge gulf of difference there. And again, I use both, they're terrific for what they are good at. But they are light years from any sort of functional equivalence. It's kind of sad that this fact is so overlooked, because there are tons of products out there in that pretend category. You know who they are by their performance scaling usually.

    But if all you're using Untangle for is the free stuff, I can see how you think they're the same... they however very much are not. Just the visibility differences alone, comparing Untangle reports to xSense logs?!? YUCK!

    As for UDP blocking hotels, that's why we have cell phones. Blocking UDP isn't a reasonable tactic to take, as it breaks all sorts of things, not the least of which is DNS resolution. Yes, I know it can fail back to TCP but it's nowhere near fast enough for a modern network that way.

    If you must have a TCP VPN option it's possible to reconfigure OpenVPN to work that way, but as you indicated this is far less than ideal. TCP over TCP is just a bad idea... If UDP isn't available, I swap to my hotspot. If I'm at a convention center, or professional class hotel, I find the manager and scream at him/her in public. That's an utterly unacceptable technical reality, and they need to be called out for it, I then loudly and firmly inform them I'll never be staying here again until they fix it. I usually get a few people that ask why, we have a friendly chat, and now that manager has 3-5 angry paying customers in their face. Hopefully, that makes things better for someone else later. I despise taking this out on the managers, but as a customer that's the only surface I have for issues like this. Fortunately, my exposure to this insanity has been minimal. Most places have working networks, because solid wifi is a rather large selling point these days. And blocking UDP breaks YouTube... so... it's rather visible.

    There are just certain technical problems that aren't solved by jumping through flaming hoops. But, if you need something further, and you're willing to dump in this much complexity, I'd suggest deploying a dedicated OpenVPN server in a VM on your LAN, or using SSTP via Windows Server, both can be the emergency TCP connectivity you want.

    You also could use the Command Center to remotely reconfigure OpenVPN into TCP mode as needed, if your TCP requirement is that intermittent.
    Last edited by sky-knight; 01-13-2020 at 11:30 AM.

  7. #7
    Newbie
    Join Date
    Jan 2020
    Posts
    4


    Thanks, it all makes sense. I really didn't think about the layer 7 stuff a lot, but in the light in which it is presented I may start doing this. Thanks for your input - very valuable.
