It is possible to add additional “profiles” to a VPN service. This is useful when you for example have two categories of users using the same VPN server, e.g. “employees” and “administrators”.
Each profile needs to either use different ports, or different IP addresses
to listen on. Furthermore, each profile MUST have its own unique
profileId. A maximum of 64 profiles is supported.
Below, we will end up with two profiles:
You may also need to take a look at the SELinux instructions when running on CentOS or Fedora.
The configuration file
/etc/vpn-server-api/config.php needs to be
modified, you can remove the
internet profile that was there by default:
'vpnProfiles' => [ // Office Employees 'office' => [ 'profileNumber' => 1, 'displayName' => 'Office', ... ... 'hostName' => 'office.vpn.example', 'range' => '10.0.5.0/24', 'range6' => 'fd10:0:5::/48', 'routes' => ['192.168.0.0/24', '192.168.1.0/24'], 'vpnProtoPorts' => ['udp/1194', 'tcp/1194'], ], // Administrators 'admin' => [ 'profileNumber' => 2, 'displayName' => 'Administrators', ... ... 'hostName' => 'admin.vpn.example', 'range' => '10.0.10.0/24', 'range6' => 'fd10:0:10::/48', 'routes' => ['192.168.0.0/24', '192.168.1.0/24', '192.168.5.0/24'], 'vpnProtoPorts' => ['udp/1195', 'tcp/1195'], ], ],
Look here for all supported configuration options.
It is best to use different
hostName values for the profiles as this gives
more flexibility to move to a setup with multiple machines in the future.
If you have multiple (public) IP addresses at your disposal for the VPN server,
you can use the
listen key to specify them. This will make you loose the IPv4
and IPv6 support though, but you can use the same port numbers for both
profiles. In most cases you will want to keep
:: as the value of
just use different ports.
NOTE: if you add/modify UDP and TCP ports you may also need to update the firewall!
To apply the configuration changes:
$ sudo vpn-maint-apply-changes
If the command is not available, install the
vpn-maint-scripts package first.