Linux – Multiple TAP devices on OpenVPN Server

Tags: iptables, linux, openvpn, tap, vpn

So we have a number of clients that have their own VPS instances which we host via Proxmox. The clients' servers are all behind a NAT firewall and we forward ports per client request to our various public IP addresses. I know this isn't quite like most VPS hosting services, as usually you get your own dedicated public IP, but we do this for security reasons and in most cases we end up managing the clients' VPSs anyway as they don't usually have an IT staff (small / medium sized business).

We have a need to set up OpenVPN to allow some of our clients to directly connect to some of their services that aren't public facing. We want to set this up on our Linux gateway servers, which provide NAT, DHCP, etc. to our various clients' servers. Each client has their own dedicated VLAN with a unique /20 subnet. So what we want to do is have OpenVPN connect each user to their correct VLAN/subnet. For this we will need a different TAP bridge for each VLAN, which is fine as each client already has their own interface on the gateway that provides the NAT, DHCP, etc. to their servers.

What I want to know is how to get each client routed to their correct TAP device. Does OpenVPN support this functionality, or will I have to run multiple instances of OpenVPN, one for each TAP device, listening on different ports of course? If possible, I would love to pass the TAP device name over via LDAP and have OpenVPN use that device.

We would like the DHCP server to handle leases and iptables to handle NAT, not OpenVPN, which is why we want to use TAP devices.

Best Answer

After a lot of research, and trial and error, it turns out this is pretty easy to do. You do have to run multiple instances, one per bridge, in order to isolate all of the users to their respective networks. You just add a new .conf file for each instance and Debian will automatically create a new instance per .conf file. Just make sure you use different ports! Other mainstream distros seem to handle this similarly.
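One way to lay out the per-bridge instances the answer describes, as an added shell example that is not from the original post: a small POSIX sh generator that writes one OpenVPN server config per client, each with its own tap device, bridge and UDP port, and refuses to continue if two instances would share a port. The client table, certificate paths and the `bridge-up.sh` helper are hypothetical; `server-bridge` with no arguments is OpenVPN's DHCP-proxy mode, so leases stay with the VLAN's DHCP server as the question wants.

```shell
#!/bin/sh
# Constructed example: render one OpenVPN server config per client bridge.
# Each instance gets its own tap device, bridge and UDP port. DHCP on the
# bridged VLAN hands out leases and iptables does NAT, so there is no
# "server" directive and no OpenVPN-managed address pool.
# Hypothetical client table: name:bridge:tap:port (one client per line)
CLIENTS="acme:br-vlan10:tap10:1194
globex:br-vlan20:tap20:1195
initech:br-vlan30:tap30:1196"

# Write $5/$1.conf for one client: $1 name $2 bridge $3 tap $4 port $5 outdir
render_conf() {
    cat > "$5/$1.conf" <<EOF
# OpenVPN instance for client $1 (generated example, hypothetical paths)
port $4
proto udp
dev $3
dev-type tap
server-bridge
ca /etc/openvpn/ca.crt
cert /etc/openvpn/$1-server.crt
key /etc/openvpn/$1-server.key
dh /etc/openvpn/dh.pem
# bridge-up.sh is a hypothetical helper that adds the tap to its bridge
up "/etc/openvpn/bridge-up.sh $3 $2"
script-security 2
keepalive 10 120
persist-key
persist-tun
EOF
}

# Render every client into $1; return non-zero if two instances share a port,
# since each instance must listen on its own port (the answer's key point).
render_all() {
    mkdir -p "$1"
    printf '%s\n' "$CLIENTS" | while IFS=: read -r name bridge tap port; do
        render_conf "$name" "$bridge" "$tap" "$port" "$1"
    done
    total=$(printf '%s\n' "$CLIENTS" | grep -c .)
    unique=$(printf '%s\n' "$CLIENTS" | cut -d: -f4 | sort -u | grep -c .)
    [ "$total" -eq "$unique" ]
}

# Read the listening port back from a rendered config file.
conf_port() { awk '$1 == "port" { print $2 }' "$1"; }

render_all "${OUTDIR:-/tmp/ovpn-example}" && echo "configs written to ${OUTDIR:-/tmp/ovpn-example}"
```

On Debian the rendered files would go in /etc/openvpn/, where the packaged init integration starts one instance per .conf as the answer describes.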