Hi,
I have two Internet connections with several static IPs.
Is it possible to configure the SSL VPN so that it listens on two specific IP addresses on different interfaces?
Hi Marco Hald,
Thank you for reaching out to the Community!
You should be able to override the hostname under the SSL VPN setting, but it will only allow you to add one IP address.
However, you could use the FQDN to override the hostname and use an A record to map that domain to the required IP address.
Thanks,
Hi H_Patel,
When I do it with A records, it is just round robin. So when one of our providers fails, 50% of the connects will also fail if I have two different IPs for the A record vpn.example.com.
And the firewall would still listen on port XXX on all available IPs.
So it is not possible to use Webserver Protection and SSL VPN both on port 443 when the VPN binds the port on all IPs.
Or am I wrong with this?
Hi Marco Hald,
You would have to override the hostname with the domain and download the new configuration, but this does not mean that you can configure the same port for SSL VPN and WAF.
It is not possible to use the same port for both SSL VPN and WAF at the same time, but it might become possible in future releases.
Thanks,
If you don't select an interface but "any interface" you can establish SSL-VPN to every interface-IP.
To configure more than one IP (or a special one) open the .ovpn Config-file and change the line containing IP or FQDN.
To allow more than one destination (for example with multiple ISP connections at the SG), copy the line containing IP or FQDN and change the settings within the second. The client tries the second entry if the first fails / times out.
Dirk
Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Hello Marco,
as Dirk already suggested, you can have more than one "remote ...." line in your Client OpenVPN config file.
So if you use:
remote "first FQDN or IP" 443
remote "second FQDN or IP" 443
the client will try each gateway and use the first that works.
Hope this helps.
Mit freundlichem Gruß, best regards from Germany,
Philipp Rusch
New Vision GmbH, Germany
Sophos Silver-Partner
If a post solves your question please use the 'Verify Answer' button.
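An added example (not code from any poster in this thread or from Sophos) that audits a client .ovpn file for the multi-`remote` failover described above. The sample profile and its hostnames are constructed placeholders; `remote-random` is a standard OpenVPN option that changes the try order.

```python
import shlex

# Constructed sample client profile; hosts are placeholders, not from the thread.
SAMPLE_OVPN = """\
client
dev tun
proto tcp
# one entry per ISP uplink
remote "vpn1.example.com" 443
remote 203.0.113.10 443
;remote old.example.com 443
resolv-retry infinite
"""

def parse_remotes(text):
    """Return (host, port, proto) tuples in the order the client tries them."""
    default_proto = "udp"          # OpenVPN default when no proto line exists
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # both characters start a comment
            continue
        parts = shlex.split(line, comments=True)  # strips quotes around hosts
        if not parts:
            continue
        if parts[0] == "proto" and len(parts) > 1:
            default_proto = parts[1]
        elif parts[0] == "remote" and len(parts) > 1:
            port = int(parts[2]) if len(parts) > 2 else 1194  # default port
            proto = parts[3] if len(parts) > 3 else None
            entries.append((parts[1], port, proto))
    # A per-remote proto wins; otherwise the global proto directive applies.
    return [(h, p, pr or default_proto) for h, p, pr in entries]

def audit(text):
    """Return (remotes, findings) for a client profile."""
    remotes = parse_remotes(text)
    findings = []
    if len({host for host, _, _ in remotes}) < 2:
        findings.append("single remote: no failover if that uplink is down")
    if any(l.split()[:1] == ["remote-random"] for l in text.splitlines()):
        findings.append("remote-random set: entries are not tried in listed order")
    return remotes, findings

if __name__ == "__main__":
    for item in audit(SAMPLE_OVPN):
        print(item)
```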
Hallo Marco and welcome to the UTM Community!
Dirk and Philipp gave you the answer - the issue is not with the UTM settings in WebAdmin, but the content of the OpenVPN Config File (.ovpn) distributed to the clients.
Cheers - Bob
PS It's easier to help if you say what you're trying to accomplish instead of just asking about how to implement a solution you've posited.
Hi dirkkotte,
When I don't select an interface and any interface is used, the port will be bound to all available IPs, or am I wrong with this?
When I use port 443 for SSL VPN, then I cannot use port 443 because it is already bound on all interfaces with the SSL VPN.
I would like to use one IP from each Provider for SSL VPN on Port 443 and still be able to use one other IP of each Provider for Webserver Protection on Port 443.
The configuration on the client side makes perfect sense.
Thanks for explaining.
1. "When I don't select an interface and any interface is used, the port will be bound to all available IPs, or am I wrong with this?" - correct
2. That's the reason why I use port 1194 (TCP or UDP) ... the default OpenVPN port.
Dirk