VPN Gateway for multiple customers

Hello everyone,

I need some advice / recommendations on a mobile VPN gateway for multiple clients. Currently we have our clients connect using OpenVPN to their firewalls, and from their firewalls we have a site-to-site VPN tunnel from their equipment to our hosted environment.

We have had many clients start asking about disaster recovery situations where their office loses power or their firewall is otherwise unreachable. In the past, for those scenarios, we have configured access to the OpenVPN server running on our firewall and reconfigured it to be bridged to their VLAN on the fly.

I want to know if anyone has experience with a VPN server that can accept connections from multiple different organizations and then, using ACLs, determine what network their mobile VPN can have access to.

I have been reading the documentation for OpenVPN’s access server but it doesn’t explain whether my scenario is achievable.

I also understand that WireGuard can do this, since I can bind specific wg interfaces to specific VLANs and use iptables to drop other packets. But I am not sure if this will be simple for my tier 1s to work with.
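The WireGuard approach sketched above, as an added example that is not part of this thread: one wg interface per customer, each paired with that customer's VLAN interface, with a default-deny FORWARD chain so a wg interface can reach only its own customer's LAN, and per-peer AllowedIPs pinned to a /32 so a client cannot source another customer's address. Interface names, subnets and the key are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. One WireGuard interface per customer,
# each paired with that customer's VLAN interface; FORWARD rules let a wg
# interface reach only its own customer's LAN. Interface names, subnets and
# the key are constructed placeholders.
#   DRY_RUN=1 sh wg-isolate.sh apply   # print the commands instead of running them
set -eu

# Default deny for forwarded traffic: a new wg interface with no rules reaches nothing.
base_rules() {
  echo "sysctl -w net.ipv4.ip_forward=1"
  echo "iptables -P FORWARD DROP"
}

# iptables rules confining wg interface $2 to VLAN interface $3 / LAN prefix $4.
# $1 is the customer name, used only for the iptables comment match.
customer_rules() {
  name=$1 wg_if=$2 vlan_if=$3 lan=$4
  # Client -> this customer's VLAN and LAN prefix only.
  echo "iptables -A FORWARD -i $wg_if -o $vlan_if -d $lan -m comment --comment $name -j ACCEPT"
  # LAN -> client only for replies; the LAN cannot initiate connections to mobile users.
  echo "iptables -A FORWARD -i $vlan_if -o $wg_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Anything else leaving this wg interface (other VLANs, other wg interfaces) is dropped.
  echo "iptables -A FORWARD -i $wg_if -j DROP"
}

# [Peer] stanza for one mobile client: AllowedIPs pinned to a /32 so the client
# cannot send packets sourced from another client's or customer's address.
peer_stanza() {
  pubkey=$1 client_ip=$2
  printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$pubkey" "$client_ip"
}

# Execute each generated command line, or print it when DRY_RUN=1.
run_lines() {
  while read -r cmd; do
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else sh -c "$cmd"; fi
  done
}

apply() {
  base_rules | run_lines
  #              name    wg interface  VLAN interface  customer LAN
  customer_rules acme    wg-acme       vlan10          10.10.0.0/24 | run_lines
  customer_rules globex  wg-globex     vlan20          10.20.0.0/24 | run_lines
}

if [ "${1:-}" = "apply" ]; then apply; fi
```

The order matters: each customer's ACCEPT rules are appended before that interface's catch-all DROP, and the FORWARD policy is DROP so a wg interface with no rules yet reaches nothing.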

So you want a dial-up VPN hosted by your infrastructure that limits what subnets/IPs a given user can access?

I have been very impressed with the capability of the OpenVPN Access Server.

I have mine hosted in a cloud platform and from there you can very easily assign each VPN user to a group that you can grant/restrict access to/from resources.

If I were you I would spin up an OpenVPN Access Server for each of your clients and map a URL to it, so that the gateway is publicly accessible for your users to service themselves.

Something like vpn01.yourcustomersdomain.com

The OpenVPN Access Server support team have been very nice to work with, you describe your problem and they say “Let me test this in my lab” and then come back with a great answer.

I assume you are hosting some kind of SaaS application or something the users have to connect to?

Most commercial VPN concentrators can do what you’re talking about.

Talk to the big vendors (Palo Alto, Fortinet, SonicWall, etc.) and see what they offer and if it’s a good fit for what you are trying to accomplish.

They have the upside that their VPN clients are easy to set up and use.

We use Always On VPN (RRAS), IKEv2 with SSTP fallback; it works perfectly. It can be automatically deployed using group policy and groups, so minimal client config is required (none). But it requires PKI and multiple servers, so maybe not the best for small businesses.

One of the main benefits is that it connects automatically when out of the office and disconnects when connected to the office network.