Multiple OpenVPN instances

I'm trying to setup two instances of OpenVPN, but I guess I'm missing something.

If I've a single /etc/config/openvpn

It works fine.

If I copy this file to /etc/openvpn/openvpn1.conf

And create an /etc/config/openvpn as

config openvpn 'vpn1'
    option enabled 1
    option config '/etc/openvpn/openvpn1.conf'

It doesn't work

I'm also guessing that to have the multiple instances I should have (once this works)

config openvpn 'vpn1'
    option enabled 1
    option config '/etc/openvpn/openvpn1.conf'
config openvpn 'vpn1'
    option enabled 2
    option config '/etc/openvpn/openvpn2.conf'

What I'm missing ?

Thanks !

UCI syntax does not match OpenVPN syntax:
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/

As vgaetera pointed out, you are copying a UCI file and telling OpenVPN to read it, but OpenVPN expects a file in its native format.

Instead of using option config to point to an external file you can just write all the options directly in /etc/config/openvpn. Here is an excerpt of mine, where I do exactly this:

config openvpn 5678udp_server
        option enabled 1
        option port 5678
        option proto udp
        option dev tun
        option ca /etc/openvpn/cavpn.crt
        option cert /etc/openvpn/_VPN.crt
        option key /etc/openvpn/_VPN.key
        option tls_server
        option dh /etc/openvpn/dhvpn.pem
        option server "192.168.199.0 255.255.255.0"
        list push "redirect-gateway def1 bypass-dhcp"
        option keepalive "10 60"
        option tls_crypt "/etc/openvpn/ta.key"
        option persist_key 1
        option persist_tun 1
        option user nobody
        option verb 3
        option tls_version_min "1.2"

config openvpn 1234udp_server
        option enabled 1
        option port 1234
        option proto udp
        option dev tun
        option ca /etc/openvpn/cavpn.crt
        option cert /etc/openvpn/_VPN.crt
        option key /etc/openvpn/_VPN.key
        option tls_server
        option dh /etc/openvpn/dhvpn.pem
        option server "192.168.237.0 255.255.255.0"
        list push "redirect-gateway def1 bypass-dhcp"
        option keepalive "10 60"
        option tls_crypt "/etc/openvpn/ta.key"
        option persist_key 1
        option persist_tun 1
        option user nobody
        option verb 3
        option tls_version_min "1.2"

Note that my instances share the keyfiles. Some options can be shared, some cannot (e.g. server), and some should not depending on your needs (shared CA/keyfiles is bad if not all clients are allowed access to all VPN instances).

Most options are named the same as in OpenVPN, but you'll need to replace dashes (-) in OpenVPN names with underscores (_). So tls-version-min in OpenVPN documentation is tls_version_min in UCI. You can find all the options UCI can handle in openvpn.options, on your OpenWrt device it will be at /usr/share/openvpn/openvpn.options.

In addition, in your example you have named both config sections vpn1. This may cause issues, so give them unique names.

1 Like

Tried that already, but didn't worked ... I will give another try.

The vpn1 duplication it was a mistake just in the example here, it was ok in my testing.

Thanks !

It should work, check syslog for errors.