Setting Up Site-to-Site VPN with OpenVPN

2018-06-29 21:58 ytyng

Server

OpenVPN + Bridge

This time, with TCP.

Installing OpenVPN on Ubuntu 16.04 LTS
https://gtrt7.com/blog/linux/ubuntu-openvpn

This was extremely helpful. If you follow this article, there should be no issues.

This is how my server.conf turned out (comments added):

port 1194

# TCP for this setup; tcp-nodelay turns off Nagle so small packets are not held back
proto tcp-server
tcp-nodelay

# Layer-2 tunnel. tap0 is created beforehand by the bridge script below, which is also
# what lets the daemon keep working after it drops to nobody/nogroup
dev tap0

ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# HMAC on the TLS control channel; key direction 0 on the server, 1 on the clients
tls-auth ta.key 0
# Worth adding: remote-cert-tls client, so a certificate issued for a server cannot be used to connect as a client

ifconfig-pool-persist /var/log/openvpn/ipp.txt

# Bridge gateway address and netmask, then the pool handed out to clients (192.168.1.20-49);
# the gateway must be the address the bridge script puts on br0
server-bridge 192.168.1.50 255.255.255.0 192.168.1.20 192.168.1.49

# Redundant on a bridge (clients already get an address in 192.168.1.0/24), but harmless
push "route 192.168.1.0 255.255.255.0"

# Optional for site-to-site: sends all of the client's traffic, not only 192.168.1.0/24, through the server
push "redirect-gateway def1 bypass-dhcp"

client-to-client

keepalive 10 120

cipher AES-256-CBC
auth SHA512

compress lz4-v2
push "compress lz4-v2"

user nobody
group nogroup

persist-key
persist-tun

status /var/log/openvpn/openvpn-status.log

# log-append on its own; with log as well the file is truncated at every start
log-append /var/log/openvpn/openvpn.log

verb 3

;mute 20

Starting

sudo systemctl start openvpn@server

By bridging the network on this server, you can communicate within the same segment.

OpenVPN 2.0 Ethernet Bridging Japanese Translation
https://www.gsais.kyoto-u.ac.jp/staff/liang/oss/ovpn2_ether_ja.html

Using this as a reference, I wrote the following script (used as-is, comments added):

#!/bin/bash

###########################################
# Start an Ethernet bridge on Linux
# Dependency: bridge-utils
#
# Run as root, before openvpn@server starts: it creates the persistent
# tap0 that server.conf refers to. eth_ip must be the gateway address
# given to server-bridge. Moving the address from $eth to $br drops any
# SSH session that came in on $eth, so run it from the console or at boot.
###########################################

# Bridge interface
br="br0"

# List of TAP interfaces to bridge
# For example tap="tap0 tap1 tap2"
tap="tap0"

# Physical Ethernet interface to bridge with the above TAP interfaces
eth="enp2s0"
eth_ip="192.168.1.50"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"
gw="192.168.1.1"


# Create persistent TAP devices (they outlive the openvpn process)
for t in $tap; do
openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
brctl addif $br $t
done

sleep 1

for t in $tap; do
ifconfig $t 0.0.0.0 promisc up
done

sleep 1

# The address leaves the physical interface and lands on the bridge
ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

# Zeroing $eth removed the default route; put it back via the bridge
route add default gw $gw
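The same bridge setup with iproute2, as an added example that is not the post's script (brctl and ifconfig come from the deprecated net-tools package). It keeps the post's interface names and addresses as assumptions, adds the guard a practitioner wants before the address leaves enp2s0 (it refuses to run from an SSH session that arrived on that address), and with DRY_RUN=1 prints the commands instead of executing them; a real run needs root.

```shell
#!/bin/sh
# Added example, not the original post's script: bridge tap0 and enp2s0 into br0
# with iproute2. Names and addresses below are the post's, taken as assumptions.
# DRY_RUN=1 prints the commands instead of running them; a real run needs root.

BR=${BR:-br0}
TAPS=${TAPS:-tap0}                       # space-separated list, e.g. "tap0 tap1"
ETH=${ETH:-enp2s0}
ETH_CIDR=${ETH_CIDR:-192.168.1.50/24}    # must equal server-bridge's gateway/netmask
GW=${GW:-192.168.1.1}

# run CMD...: execute CMD, or only echo it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# ssh_on_addr ADDR: true if this shell's SSH session arrived on ADDR
# (SSH_CONNECTION is "client_ip client_port server_ip server_port")
ssh_on_addr() {
    want=$1
    set -- ${SSH_CONNECTION:-}
    [ "$#" -eq 4 ] && [ "$3" = "$want" ]
}

# bridge_up: create persistent taps, enslave them and $ETH to $BR, move the address over
bridge_up() {
    # Flushing $ETH's address kills any SSH session that uses it.
    if ssh_on_addr "${ETH_CIDR%/*}"; then
        echo "refusing: this SSH session uses ${ETH_CIDR%/*}; run from the console or at boot" >&2
        return 1
    fi
    run ip link add "$BR" type bridge
    for t in $TAPS; do
        run ip tuntap add dev "$t" mode tap     # persistent tap, same effect as openvpn --mktun
        run ip link set "$t" master "$BR"
        run ip link set "$t" promisc on up
    done
    run ip addr flush dev "$ETH"
    run ip link set "$ETH" master "$BR"
    run ip link set "$ETH" promisc on up
    run ip addr add "$ETH_CIDR" brd + dev "$BR"
    run ip link set "$BR" up
    run ip route replace default via "$GW" dev "$BR"
}

# Show what would happen (no root needed); call bridge_up as root to do it for real.
(DRY_RUN=1; bridge_up)
```

Because `ip tuntap add` creates a persistent device, server.conf's `dev tap0` and the later drop to nobody/nogroup keep working exactly as with the brctl version.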

Once the server side is done, install the client on a Mac and check its operation.

Tunnelblick | Free open source OpenVPN VPN client server software for Mac OS X and macOS
https://tunnelblick.net/

Client Router

To let every host on the client-side segment reach the remote network, the OpenVPN client machine is set up as a NAT router.

Client configuration file

Save as /etc/openvpn/client.conf

client

dev tap0
proto tcp

remote openvpn.example.com 1194

resolv-retry infinite
nobind

persist-key
persist-tun

ca ca.crt
cert my-client.crt
key my-client.key
# key direction 1 on the client (0 on the server)
tls-auth ta.key 1
# Worth adding: remote-cert-tls server, so the client only accepts a certificate issued for a
# server; without it any client certificate from the same CA could impersonate the server
cipher AES-256-CBC
auth SHA512

# has to match the server's push "compress lz4-v2"; OpenVPN no longer recommends compression at all
compress lz4-v2

verb 3
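Both configs above cover what the post set out to do, but two points a reviewer would raise are missing from each: `remote-cert-tls` (the client must check that the server's certificate was issued for a server, otherwise any client certificate signed by the same CA can impersonate it) and compression (compressing traffic inside TLS leaks plaintext to VORACLE-style attacks). The checks below, an added example that is neither part of the post nor an OpenVPN tool, grep a server.conf or client.conf for those and a few related directives; the sample files it writes are constructed copies of the post's two configs plus a hardened client, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the post or the OpenVPN project: grep-based checks for the
# directives a reviewer looks for in server.conf / client.conf. The sample configs
# are constructed from the post's and written to a temp directory.

SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/server.conf" <<'EOF'
port 1194
proto tcp-server
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
server-bridge 192.168.1.50 255.255.255.0 192.168.1.20 192.168.1.49
client-to-client
cipher AES-256-CBC
auth SHA512
compress lz4-v2
push "compress lz4-v2"
user nobody
group nogroup
EOF

cat > "$SAMPLE_DIR/client.conf" <<'EOF'
client
dev tap0
proto tcp
remote openvpn.example.com 1194
ca ca.crt
cert my-client.crt
key my-client.key
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA512
compress lz4-v2
EOF

# The same client with the two fixes applied.
cat > "$SAMPLE_DIR/client-hardened.conf" <<'EOF'
client
dev tap0
proto tcp
remote openvpn.example.com 1194
ca ca.crt
cert my-client.crt
key my-client.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-GCM
auth SHA512
EOF

# has FILE REGEX: true if some line of FILE matches REGEX (extended syntax)
has() { grep -Eq "$2" "$1"; }

_note() { echo "$_f: $1"; _n=$((_n + 1)); }

# lint_ovpn FILE: print one finding per line; exit status 1 if there were any
lint_ovpn() {
    _f=$1; _n=0
    if has "$_f" '^(server|server-bridge)([[:space:]]|$)'; then role=server
    elif has "$_f" '^client[[:space:]]*$'; then role=client
    else role=unknown; _note "neither a server nor a client config"
    fi

    # Control-channel HMAC: without it anyone can start a TLS handshake with the daemon
    has "$_f" '^(tls-auth|tls-crypt)[[:space:]]' \
        || _note "no tls-auth/tls-crypt on the control channel"

    # Certificate role check: a cert issued for a client must not pass as the server, and vice versa
    case $role in
        client) has "$_f" '^remote-cert-tls[[:space:]]+server' \
                    || _note "missing 'remote-cert-tls server' (any CA-issued client cert could pose as the server)" ;;
        server) has "$_f" '^remote-cert-tls[[:space:]]+client' \
                    || _note "missing 'remote-cert-tls client'" ;;
    esac

    # Data-channel cipher and HMAC: anything but an explicit modern choice is flagged
    has "$_f" '^cipher[[:space:]]+(AES-(128|192|256)-(CBC|GCM)|CHACHA20-POLY1305)[[:space:]]*$' \
        || _note "cipher unset or weak"
    has "$_f" '^auth[[:space:]]+SHA(256|384|512)[[:space:]]*$' \
        || _note "auth unset or weak (OpenVPN's default is SHA1)"

    # Compressing TLS-protected traffic leaks plaintext (VORACLE-style attacks)
    has "$_f" '^(compress[[:space:]]+[[:alpha:]]|comp-lzo)' \
        && _note "compression enabled; remove compress/comp-lzo"

    # The server should drop root once its sockets and the tap are set up
    if [ "$role" = server ]; then
        { has "$_f" '^user[[:space:]]' && has "$_f" '^group[[:space:]]'; } \
            || _note "server keeps root (no user/group)"
    fi

    [ "$_n" -eq 0 ]
}

# Walk the samples: the post's two configs each get findings, the hardened one is clean.
for c in server client client-hardened; do
    lint_ovpn "$SAMPLE_DIR/$c.conf" && echo "$SAMPLE_DIR/$c.conf: clean"
done
```

Point it at /etc/openvpn/server.conf on the server and /etc/openvpn/client.conf on the router; each line it prints names one directive to add or remove.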

Starting

sudo systemctl start openvpn@client

Once started, check connectivity on the running machine.

Then enable forwarding and set up NAT with iptables.

Creating a router on Ubuntu 16.04 - Qiita
https://qiita.com/nanbuwks/items/fe8145fc8b989be9d427

This article was helpful.

Enable IP forwarding by setting this in /etc/sysctl.conf (applied with sysctl -p, or with sysctl -w for the running kernel):

net.ipv4.ip_forward=1

After that (as root; note that the first two commands flush every existing nat and filter rule, so any firewall already on the machine is gone):

sudo iptables -t nat -F
sudo iptables -F
sudo iptables -L
# everything leaving through the tunnel is masqueraded behind this client's VPN address
sudo iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE
# replies to connections opened from the LAN
sudo iptables -A FORWARD -i tap0 -o enp0s1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# anything from the LAN (enp0s1 is this router's LAN-side interface) towards the tunnel
sudo iptables -A FORWARD -i enp0s1 -o tap0 -j ACCEPT

These rules do not survive a reboot by themselves (iptables-persistent or a boot-time script takes care of that), and since Ubuntu's FORWARD chain defaults to ACCEPT, the two FORWARD rules only restrict anything once that policy is set to DROP.

With this, the router to the OpenVPN server is complete.

Then, at the client site, add a static route on the site's default gateway (or on each host that needs the VPN):

send everything destined for 192.168.1.0/24 to the LAN address of the router machine.

This way everyone at the site can use the VPN without touching their own settings. The one precondition is that the site's own LAN must not use 192.168.1.0/24 itself; with overlapping subnets hosts would treat those addresses as local and never hand them to the router.
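The rules above work, but they are not what a reviewer would sign off on: the FORWARD chain stays at Ubuntu's default ACCEPT policy, nothing limits what gets masqueraded, and nothing checks that the site's LAN and the remote 192.168.1.0/24 actually differ. As an added example that is not part of the post, the script below emits an iptables-restore ruleset with a default-deny FORWARD chain scoped to the two prefixes and refuses to produce one when they overlap; tap0, enp0s1 and the LAN prefix 10.10.0.0/24 are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: generate an iptables-restore ruleset for the
# client-side router with a default-deny FORWARD chain, and refuse if the local LAN
# overlaps the remote prefix. tap0, enp0s1 and 10.10.0.0/24 are assumptions; only
# apply_router_rules needs root.

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( a * 16777216 + b * 65536 + c * 256 + d )); }
}

# cidr_overlap A/n B/m: true if the two prefixes share at least one address
cidr_overlap() {
    a_ip=${1%/*}; a_len=${1#*/}; b_ip=${2%/*}; b_len=${2#*/}
    len=$a_len                       # compare both networks at the shorter prefix length
    if [ "$b_len" -lt "$len" ]; then len=$b_len; fi
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip2int "$a_ip") & mask )) -eq $(( $(ip2int "$b_ip") & mask )) ]
}

# gen_router_rules TAP LAN_IF LAN_CIDR REMOTE_CIDR: print an iptables-restore ruleset
gen_router_rules() {
    tap=$1; lan=$2; lan_net=$3; remote_net=$4
    if cidr_overlap "$lan_net" "$remote_net"; then
        echo "refusing: LAN $lan_net overlaps remote $remote_net; renumber one side" >&2
        return 1
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# only LAN traffic bound for the remote site is hidden behind the VPN client's address
-A POSTROUTING -s $lan_net -d $remote_net -o $tap -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# the LAN may open connections to the remote site; the remote site may not open any here
-A FORWARD -i $lan -o $tap -s $lan_net -d $remote_net -j ACCEPT
COMMIT
EOF
}

# apply_router_rules ARGS...: load the ruleset atomically and turn on forwarding (root)
apply_router_rules() {
    rules=$(gen_router_rules "$@") || return 1
    printf '%s\n' "$rules" | iptables-restore && sysctl -w net.ipv4.ip_forward=1
}

# Print the ruleset for the post's layout (no root needed for this part).
gen_router_rules tap0 enp0s1 10.10.0.0/24 192.168.1.0/24
```

Loading through `iptables-restore` replaces the tables in one step instead of flushing and re-adding, and the same text can be saved as /etc/iptables/rules.v4 for iptables-persistent. With this ruleset only the site LAN can initiate connections; anything the 192.168.1.0/24 side should be able to open needs its own explicit FORWARD rule.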

OpenVPN hands out one address per client certificate (keyed by its common name, remembered in ipp.txt) and, unless duplicate-cn is set, rejects a second simultaneous connection with the same certificate,

so the same client key cannot be shared between devices.
