Omada OpenVPN Server config oddities
I have a configuration with two sites, run off one OC200 controller, with an auto-VPN connection between the two sites. Both sites are fronted by TL-R605. I was a little hesitant, but was excited to see that once I plugged in the pre-configured controller at the second site, I was quickly able to get the VPN to come up, and the two sites to talk to one another.
I also wanted to add client-to-site OpenVPN access at both sites. That worked smoothly at my first site, but at the second site I was getting errors about not being able to run multiple OpenVPN servers on the same WAN port. This seemed odd, as there wasn't an OpenVPN server already running on the second gateway. I think this is just a bug in the Omada controller - it sees the WAN port server on the first gateway, and won't let you set up a WAN port OpenVPN server on the second gateway - even though I can't think of any reason not to.
The solution seems to be to move the Internet connection to WAN/LAN1 on the second gateway. Then when adding an OpenVPN connection to that site, it doesn't see a conflict between the WAN interface at the first site, and the WAN/LAN1 interface at the second site.
When configuring an OpenVPN Server in this way, it would be nice if one could specify other known LANs than just the ones on the local site as the applicable networks for the connection. For instance, if I could also add the network(s) at the other site(s), so that I can VPN in to the one site, and then tunnel traffic over the site-to-site connection to access resources on the remote network. However, there doesn't seem to be a way to configure that - only the immediately local networks are accessible.
I've also run into problems on macOS when setting up my laptop to access the OpenVPN servers at each site. It seems that the certificate used to identify the client always has the common name client_server0, rather than anything distinctive or related to the site in question. I seem to run into problems getting several of these certificates to coexist in my Mac's keychain, which my VPN client software uses. The CA certificates are also unique per gateway device but have the same name; having multiple of those doesn't seem to cause a problem, though. I presume that naming the certificates more dynamically would help solve this (and also make it easier to tell them apart on the client end).
It would be useful - possibly even essential - to be able to see when a VPN connection between clients or sites is actually active, and to get some stats on it. Currently there is no feedback to confirm that a connection is made, or to troubleshoot anything that goes wrong, as far as I can tell.
Being able to add some concept of username/password controls to client-to-site OpenVPN is also essential, as otherwise anyone with the magic config file can get access to your network, and there is no way to even know that they are doing it, as far as I can tell.
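The two client-side observations above (every gateway's profile carries a client certificate with CN client_server0 under a same-named but distinct CA, and the .ovpn file by itself is the whole credential) can be checked before a profile ever goes near the keychain. The script below is an added example written for this page; it is not code from the original post or from TP-Link/Omada. It constructs two stand-in profiles with throw-away keys so it runs offline, then extracts the inline blocks the way a practitioner would on a real exported profile. The key type, the remote addresses, and the file layout are assumptions; only openssl and POSIX sh are required.

```shell
#!/bin/sh
# Added example, not code from the original post or from TP-Link/Omada.
# Builds two constructed stand-ins for the per-gateway .ovpn profiles the post
# describes (same client CN "client_server0", same CA name, different CA keys),
# then runs the checks worth doing before importing such profiles: do the
# profiles share one client CN, are the CAs really distinct, and is the file
# alone enough to connect (inline private key and no auth-user-pass directive).
# Key type, remote addresses and file layout are assumptions for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build one profile: a self-signed CA named "Omada CA" plus a client cert it
# signs, wrapped in OpenVPN inline <ca>/<cert>/<key> blocks.
# $1 = output path, $2 = per-gateway scratch dir, $3 = client CN, $4 = remote
make_profile() {
    d="$WORK/$2"; mkdir -p "$d"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$d/ca.key" -out "$d/ca.crt" -days 1 -subj "/CN=Omada CA" 2>/dev/null
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$d/client.key" -out "$d/client.csr" -subj "/CN=$3" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/client.crt" -days 1 2>/dev/null
    {
        printf 'client\ndev tun\nproto udp\nremote %s 1194\n' "$4"
        printf '<ca>\n';   cat "$d/ca.crt";     printf '</ca>\n'
        printf '<cert>\n'; cat "$d/client.crt"; printf '</cert>\n'
        printf '<key>\n';  cat "$d/client.key"; printf '</key>\n'
    } > "$1"
}

# Print the body of an inline <tag>...</tag> block from a profile.
inline_block() {
    awk -v tag="$2" '$0 == ("<" tag ">") {f=1; next} $0 == ("</" tag ">") {f=0} f' "$1"
}

# CN of the client certificate (the name the keychain identity is keyed on).
client_cn() {
    inline_block "$1" cert | openssl x509 -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN *= *\([^,]*\).*/\1/p'
}

# SHA-256 fingerprint of the embedded CA: same name, different key shows up here.
ca_fingerprint() {
    inline_block "$1" ca | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# "yes" if possession of the file is the whole credential: an inline <key> and
# no auth-user-pass directive asking for a username/password as well.
file_is_sole_credential() {
    if inline_block "$1" key | grep -q 'BEGIN' && ! grep -q '^auth-user-pass' "$1"; then
        echo yes
    else
        echo no
    fi
}

# Client CNs that more than one of the given profiles share (empty if none).
duplicate_cns() {
    for p in "$@"; do client_cn "$p"; done | sort | uniq -d
}

SITE1="$WORK/site1.ovpn"; SITE2="$WORK/site2.ovpn"
make_profile "$SITE1" gw1 client_server0 203.0.113.10   # documentation addresses, not real sites
make_profile "$SITE2" gw2 client_server0 203.0.113.20

for p in "$SITE1" "$SITE2"; do
    printf '%s: CN=%s CA=%s sole-credential=%s\n' "$(basename "$p")" \
        "$(client_cn "$p")" "$(ca_fingerprint "$p")" "$(file_is_sole_credential "$p")"
done
dups=$(duplicate_cns "$SITE1" "$SITE2")
[ -z "$dups" ] || printf 'client CN shared across profiles: %s\n' "$dups"
```

On a real export, point `client_cn`, `ca_fingerprint` and `file_is_sole_credential` at the downloaded .ovpn files instead of the constructed ones. A shared CN with differing CA fingerprints is exactly the combination that trips up a keychain that identifies certificates by name; a `yes` from the last check is the reminder that whoever holds the file holds the access.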