Standard User Woolwich
(committed) Mon 23-Nov-20 10:27:18

Two VPN servers at one location

Can I run two VPN servers at one location?

Here are the ingredients; can I make a nice cake?

I have a FRITZ!Box router set up and working as good as it does for VPN both inbound and site to site. The router port forwards to my server.
I have a server on which I can set up another VPN service.
I have a fixed IP address as well as a block of eight (?)
I have a domain name and I can set up subdomains.

I'm thinking I can use one of my 'other' IP addresses to send traffic to the VPN on the server, so bypassing the router. Anyone who's set up a FRITZ!Box to use a second IP address, please give me a wave and say whether this is a good/bad idea.

The idea is user John can connect to vpn.mydomain.tld while user Janet uses vpn2.mydomain.tld. If vpn.mydomain.tld points to IP address 12.34.56.01, vpn2 points to 12.34.56.02. Both users need to end up in the same file server, viewing the same files.

Why? Because Janet has a Windows 10 PC and is locked down at home. FRITZ!Box doesn't do VPN for Windows 10. Unless you speak German. John's Mac speaks English and connects to the FRITZ!Box VPN just fine.

Or, I can let her use WebDAV. But that's over the public interwebs and far less secure than using VPN to access the server?
Standard User prlzx
(experienced) Mon 23-Nov-20 12:01:27

Re: Two VPN servers at one location

Out of interest, what type of remote access VPN is running on the Fritzbox if Windows 10 can't connect (natively or otherwise)?

Yes in principle if you have multiple IPs then port forwarding (destination NAT) can be specific to each external destination IP, in that it can have its own translations to internal IPs and port numbers.
This is also important for non TCP/UDP protocols like ESP and ICMP>Echo.

Not sure whether the Fritzbox can do it as I don't have an additional subnet, but it is a feature of more advanced routers.

Also - are you and your clients both on dual-stack networks - in which case you can simply permit the additional VPN traffic to the global IPv6 address of the new VPN server inside of your network.
(Fritz OS 07.21 > Internet > Permit Access > Port Sharing > Device > New Sharing > Internet Access via IPv6)

The bigger problem will be how the file server replies to clients, in that it won't know which VPN server to use as a gateway to reply via.
The Fritzbox is probably the default gateway for your network, which is why that currently works: it is automatically the next hop for replies from your file server.

Unless the second VPN server happens to run directly on the File server, you are likely to need some internal static routes to clarify the path back to the remote client's virtual IPs.

In larger organisations, user devices and servers usually don't have to know about multiple routers in their own subnet,
but whatever router is acting as their default gateway is set up to learn the routes to other parts of the intranet (including VPN IPs).



prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)

Edited by prlzx (Mon 23-Nov-20 13:01:02)
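To make the return-path problem prlzx describes concrete, here is an added example (not from the thread or any of its posters) that runs a longest-prefix-match lookup over a constructed routing table for the file server. The LAN, gateway, VPN host and client pool addresses are all assumptions chosen for illustration.

```python
import ipaddress

# Constructed addresses: a FRITZ!Box LAN with the router as default gateway,
# a separate host running the second VPN, and the virtual pool it hands out.
LAN = "192.168.178.0/24"
FRITZ_GW = "192.168.178.1"      # FRITZ!Box: default gateway for the LAN
VPN2_HOST = "192.168.178.20"    # host running the second VPN server
VPN2_POOL = "10.8.0.0/24"       # virtual IPs given to vpn2.mydomain.tld users

def next_hop(table, dst):
    """Return (prefix, gateway) of the most specific route matching dst.
    gateway is None for a directly connected (on-link) route."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return (str(best[0]), best[1]) if best else None

# 1. File server as it is today: LAN on-link, everything else via the FRITZ!Box.
#    Replies to VPN2 clients are handed to the router, which has no idea where
#    10.8.0.0/24 lives inside the LAN.
FILE_SERVER_DEFAULT = [(LAN, None), ("0.0.0.0/0", FRITZ_GW)]

# 2. The static route prlzx suggests: point the VPN2 pool at the VPN2 host.
FILE_SERVER_WITH_STATIC = FILE_SERVER_DEFAULT + [(VPN2_POOL, VPN2_HOST)]

# 3. Second VPN running on the file server itself (the Synology case): the pool
#    is a directly connected tunnel network, so no extra route is needed.
FILE_SERVER_HOSTING_VPN2 = FILE_SERVER_DEFAULT + [(VPN2_POOL, None)]

def reply_path(table, client_ip):
    """Human-readable description of where a reply to client_ip is sent."""
    prefix, gw = next_hop(table, client_ip)
    if gw is None:
        return f"{client_ip}: on-link ({prefix})"
    return f"{client_ip}: via {gw} (matched {prefix})"

if __name__ == "__main__":
    janet = "10.8.0.5"  # constructed virtual IP of a vpn2 client
    for name, table in [("default gateway only", FILE_SERVER_DEFAULT),
                        ("with static route", FILE_SERVER_WITH_STATIC),
                        ("vpn2 on file server", FILE_SERVER_HOSTING_VPN2)]:
        print(f"{name:22} {reply_path(table, janet)}")
```

Only in the first table does the reply leave for the FRITZ!Box, which is the asymmetric path that silently breaks the second VPN.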

Standard User Woolwich
(committed) Mon 23-Nov-20 14:17:06

Re: Two VPN servers at one location

In reply to a post by prlzx:
Out of interest, what type of remote access VPN is running on the Fritzbox if Windows 10 can't connect (natively or otherwise)?


The instructions for the settings it produces say use "IPSec or IPSec Xauth PSK". I'm sure this isn't the exact page I read before as it says 'use the German version or try this software meantime'. If I'd seen that earlier maybe I wouldn't have bothered bothering folk here...

Unless the second VPN server happens to run directly on the File server


I was going to run the VPN app on a Synology which has the files to share, so yes to the above?

So I need to see how the FRITZ!Box deals with another IP address, and if that's going to be easier than getting Jane to install Shrew Soft VPN.

Thanks prlzx!

Standard User prlzx
(experienced) Mon 23-Nov-20 15:38:27

Re: Two VPN servers at one location

By the way, WebDAV could be run on https,
but given that you'd either need to be running an internal CA to issue a signed cert (and distribute the internal CA root to the user) or just have the user click through self-signed certs,
in the time it takes to make that safe it is probably better to have a VPN established, seeing as you'd have more control over client and server (and mutual authentication if needed).

If Synology bring WireGuard to their platform it will help, including in situations where another VPN server is already operating on the network (or gateway).



prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)
Standard User Woolwich
(committed) Mon 23-Nov-20 16:14:55

Re: Two VPN servers at one location

In reply to a post by prlzx:
By the way, WebDAV could be run on https


Ahead of you there! Yes, the server already has a certificate. The only issue getting it working was a wetware one: the user reported a 404 error in their web browser.

But even on https, I'd be better using VPN? I'll feel - if not actually be - more secure.
If Synology bring WireGuard to their platform it will help, including in situations where another VPN server is already operating on the network (or gateway).


I haven't poked around, being as WebDAV works or I now have the other VPN client option, but I guess Synology have their own VPN so are unlikely to want to support WireGuard as well. Can it be run from a Docker container? Not that I really want to run the VPN on the server.
Standard User caffn8me
(eat-sleep-adslguide) Mon 23-Nov-20 16:22:34

Re: Two VPN servers at one location

You could run two different types of VPN (or more) on the same IP address if you wanted.

If your VPN server is WireGuard or OpenVPN you can choose a custom port on the router to forward to the internal server. The VPN you connect to then depends on which client you use. The Mac happily connects directly to the Fritz!Box as before, and the Windows 10 PC uses a WireGuard or OpenVPN client to the same IP address but with a different protocol and port, forwarded to the server inside.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Edited by caffn8me (Mon 23-Nov-20 18:25:29)
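An added example (not from any poster in this thread) modelling how the router's destination NAT table picks the internal VPN server, to contrast prlzx's per-external-IP forwarding with caffn8me's single-IP, different-port approach. It also shows why IPsec's ESP, which has no port numbers, can only be told apart by destination IP. Internal addresses and the WireGuard port are assumptions, and the external IPs are the example ones from the opening post.

```python
# Constructed values for illustration; 12.34.56.01/.02 are the thread's own examples.
FRITZ_INTERNAL = "192.168.178.1"    # FRITZ!Box terminates its own IPsec VPN locally
SERVER_INTERNAL = "192.168.178.20"  # internal server running the second VPN
WG_PORT = 51820                     # assumed custom WireGuard port on the server

# Rule shape: (external_ip, proto, external_port, internal_ip, internal_port).
# external_port is None for protocols that carry no port, such as ESP.

# prlzx's case: a second public IP gets its own translations, so two IPsec
# servers (IKE on udp/500, NAT-T on udp/4500, ESP) coexist, one per address.
MULTI_IP_RULES = [
    ("12.34.56.01", "udp", 500, FRITZ_INTERNAL, 500),
    ("12.34.56.01", "udp", 4500, FRITZ_INTERNAL, 4500),
    ("12.34.56.01", "esp", None, FRITZ_INTERNAL, None),
    ("12.34.56.02", "udp", 500, SERVER_INTERNAL, 500),
    ("12.34.56.02", "udp", 4500, SERVER_INTERNAL, 4500),
    ("12.34.56.02", "esp", None, SERVER_INTERNAL, None),
]

# caffn8me's case: one public IP, the FRITZ!Box keeps IPsec and a WireGuard
# server inside is reached on a different protocol/port combination.
SINGLE_IP_RULES = [
    ("12.34.56.01", "udp", 500, FRITZ_INTERNAL, 500),
    ("12.34.56.01", "udp", 4500, FRITZ_INTERNAL, 4500),
    ("12.34.56.01", "esp", None, FRITZ_INTERNAL, None),
    ("12.34.56.01", "udp", WG_PORT, SERVER_INTERNAL, WG_PORT),
]

def dnat(rules, dst_ip, proto, dport=None):
    """First matching rule wins; returns (internal_ip, internal_port) or None."""
    for ext_ip, rproto, ext_port, int_ip, int_port in rules:
        if ext_ip == dst_ip and rproto == proto and ext_port == dport:
            return (int_ip, int_port)
    return None  # no forwarding rule: the router drops or handles it itself

def shadowed(rules):
    """Rules that can never match because an earlier rule has the same
    (external_ip, proto, external_port) key. Two IPsec servers on one IP
    always collide here, since ESP offers no port to distinguish them."""
    seen, dead = set(), []
    for rule in rules:
        key = rule[:3]
        dead.append(rule) if key in seen else seen.add(key)
    return dead

# A second IPsec server on the same single IP would be unreachable.
SECOND_IPSEC_ON_SAME_IP = ("12.34.56.01", "esp", None, SERVER_INTERNAL, None)
```

Running `shadowed(SINGLE_IP_RULES + [SECOND_IPSEC_ON_SAME_IP])` flags the extra ESP rule, while `shadowed(MULTI_IP_RULES)` is empty.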