Site-to-site doc critical omissions

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Post Reply
gwideman
OpenVpn Newbie
Posts: 7
Joined: Tue Oct 16, 2018 2:24 am

Site-to-site doc critical omissions

Post by gwideman » Wed Oct 24, 2018 4:59 am

As part of my continuing quest to make sense of OpenVPN docs relating to gateway configuration, I have now studied "Site-to-site routing explained in detail", https://docs.openvpn.net/connecting/sit ... in-detail/ , which tries to explain how such a setup operates, and how to configure the OpenVPN AS server and OpenVPN clients accordingly

I have created a diagram that consolidates all the technical details mentioned (instead of scattered over 8 pages and 8 miniscule diagrams):

Image

I have added several annotations in red, which are not present in the article, but needed for a full discussion.

Having done so, it's clear that there a few crucial pieces missing, absent which the setup won't work, is less than robust, or just remains mysterious.

Critical omissions

1. Configuring the clients to know IP address of server.
The article mentions in passing that the Headquarters router must be configured for "port forwarding". However, the article does NOT tell how or where to configure the clients so they can reach the OpenVPN AS server, using the port forwarding of the router.

Presumably, both the Subsidiary's OpenVPN client/gateway, and also external WAN OpenVPN clients, will need to be told the externally-visible WAN address of HQ's router. Where is this config performed?

In OVPN AS Server Network Settings there is a setting for Hostname or IP Address. But it is not clear what that setting does. Is this where to set the IP address that is handed over in the ovpn file to clients so they know how to contact the server, or does this setting do something else?

2. Still on the topic of port forwarding: What ports will need to be forwarded for purposes of the OVPN AS? (And presumably some additional ones for the OVPN AS web server).

3. The point of the 172.16.x.x network? The article makes much of the 172.16.0.0/20 network. But what is the purpose of this network? Is there any reason why any of the clients would actually want to talk to an address on that network? Or is it just for the internal workings of the OVPN AS server? Do machines on the LAN subnets map to IPs on the 172.16 network, and if so, should any be set to static IP addresses?

4. New user provisos. The section on creating a new user does not make it clear whether this user will need to be dedicated to just running the Subsidiary site gateway machine. I am pretty sure that, for practical purposes, that is the case, but that is in contrast to the article https://openvpn.net/vpn-server-resource ... e-subnets/ , which seems to imply that it can be the account of a user ("fred") who might want to also do other things with the account.

5. Robustness A scenario like site-to-site connectivity will surely want robustness of that connectivity -- reconnecting if there's a network outage or other temporary problem. How is that addressed?

It would be a great help if these holes in the discussion could be filled in. Thanks.

Post Reply