It is possible to add additional "profiles" to a VPN service. This is useful when you for example have two categories of users using the same VPN server, e.g. "employees" and "administrators".
Each profile needs to either use different ports, or different IP addresses
to listen on. Furthermore, each profile MUST have its own unique
profileNumber and profileId. A maximum of 16 profiles is supported.
Below, we will end up with two profiles:
| profileId | profileNumber | displayName |
|---|---|---|
| office | 1 | Office |
| admin | 2 | Administrators |
You may also need to take a look at the SELinux instructions.
The configuration file /etc/vpn-server-api/default/config.php needs to be
modified, you can remove the internet profile that was there by default:
'vpnProfiles' => [
// Office Employees
'office' => [
'profileNumber' => 1,
'displayName' => 'Office',
...
...
'extIf' => 'eth0',
'hostName' => 'office.vpn.example',
range: 10.0.5.0/24
range6: 'fd10:0:5::/48'
routes: ['192.168.0.0/24', '192.168.1.0/24']
vpnProtoPorts: ['udp/1194', 'tcp/1194']
],
// Administrators
'admin' => [
'profileNumber' => 2,
'displayName' => 'Administrators',
...
...
'extIf' => 'eth0',
'hostName' => 'admin.vpn.example',
range: 10.0.10.0/24
range6: 'fd10:0:10::/48'
routes: ['192.168.0.0/24', '192.168.1.0/24', '192.168.5.0/24']
vpnProtoPorts: ['udp/1195', 'tcp/1195']
],
],
In this scenario, extIf is actually the interface where the traffic needs
to go, so the "LAN" interface of the VPN server. It is best to use different
hostName values for the profiles as this gives more flexibility to move to
a setup with multiple machines in the future.
If you have multiple IP addresses at your disposal for the VPN server, you
can use the listen key to specify them. This will make you loose the IPv4 and
IPv6 support though, but you can use the same port numbers for both
profiles.
It is e.g. possible to activate Two-factor Authentication for the
admin profile, or see Profile Configuration for more
configuration options.
If you had an old profile, e.g. the default internet, as is the default when
deploying using deploy.sh it needs to be stopped first, and can be removed:
$ sudo systemctl disable --now openvpn-server@default-internet-{0,1}
$ sudo rm /etc/openvpn/server/default-internet-{0,1}.conf
$ sudo rm -rf /etc/openvpn/server/tls/default/internet
Now the new configurations can be generated:
$ sudo vpn-server-node-server-config --profile office --generate
$ sudo vpn-server-node-server-config --profile admin --generate
Enable and start them:
$ sudo systemctl enable --now openvpn-server@default-office-{0,1}
$ sudo systemctl enable --now openvpn-server@default-admin-{0,1}
If you changed UDP/TCP ports, you also need to update the firewall
configuration in /etc/vpn-server-node/firewall.php.
Regenerate and restart the firewall:
$ sudo vpn-server-node-generate-firewall --install
$ sudo systemctl restart iptables
$ sudo systemctl restart ip6tables