NET-TO-NET example

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
the_rale
OpenVpn Newbie
Posts: 5
Joined: Wed Mar 16, 2011 10:33 pm

NET-TO-NET example

Post by the_rale » Wed Mar 16, 2011 10:35 pm

Can't seem to find working openvpn net-to-net manual. Anyone knows where to find it?

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: NET-TO-NET example

Post by Bebop » Thu Mar 17, 2011 2:06 am

the_rale wrote: Can't seem to find working openvpn net-to-net manual
By net-to-net do you mean lan-to-lan?

There's a brief overview here: topic98.html

You need a firm understanding of the iroute command.
The cure for boredom is curiosity

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: NET-TO-NET example

Post by janjust » Thu Mar 17, 2011 8:21 am

net-to-net (or lan-to-lan) can be configured using both static keys and certificates; using static keys is easier if you wish to hook up two sites, and two sites only. If you wish road-warrior access or more clients then a cert/key setup is easier to use.

For a cert/key client/server setup the 'iroute' command is quite useful, as is explained in the HOWTO page:
http://openvpn.net/index.php/open-sourc ... html#scope

the_rale
OpenVpn Newbie
Posts: 5
Joined: Wed Mar 16, 2011 10:33 pm

Re: NET-TO-NET example

Post by the_rale » Sun Mar 20, 2011 11:37 pm

Thanks guys, got it working. Still have to figure how to add more tunnels but looks promising so far.

Douglas
Forum Team
Posts: 285
Joined: Wed Aug 27, 2008 2:41 am

Re: NET-TO-NET example

Post by Douglas » Mon Mar 21, 2011 1:18 am

the_rale wrote: Thanks guys, got it working. Still have to figure how to add more tunnels but looks promising so far.
How far have you gotten with that? We can help.

the_rale
OpenVpn Newbie
Posts: 5
Joined: Wed Mar 16, 2011 10:33 pm

Re: NET-TO-NET example

Post by the_rale » Mon Mar 21, 2011 2:38 am

Douglas wrote: How far have you gotten with that? We can help.
This is what I got so far; below are all changes I made to the original server.conf. The tunnel is working fine and, compared to ipsec, firewalling is a joke, great stuff, I love it!!
Not sure how to add a second tunnel. If I just add additional remote, ifconfig and route lines, how will openvpn figure out what is what? Must be something like a tunnel definition similar to ipsec.conf. This server is the center of my 7 point star network.

local 42.x.x.x
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
auth SHA512
tls-auth /etc/openvpn/ta.key 0 # This file is secret
tls-server
tls-cipher DHE-RSA-AES256-SHA
tls-remote "WHOLE/THING/FOR/MY/REMOTE/SERVER"
cipher AES-256-CBC
user nobody
group nobody

float
remote remote_site1.mydomain.com
ifconfig 10.3.0.100 10.3.0.2 255.255.255.0
route 10.65.10.0 255.255.255.0 10.3.0.2

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: NET-TO-NET example

Post by janjust » Mon Mar 21, 2011 7:27 am

if the server is the center of your 7 point star setup then you should consider switching to an OpenVPN client/server setup - that way you need only a single openvpn instance running on the centre and each "spoke" connects as a client. Your server config would look something like


local 42.x.x.x
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
auth SHA512
tls-auth /etc/openvpn/ta.key 0 # This file is secret
tls-server
tls-cipher DHE-RSA-AES256-SHA
tls-remote "WHOLE/THING/FOR/MY/REMOTE/SERVER"
cipher AES-256-CBC
user nobody
group nobody

client-config-dir /etc/openvpn/clients
server 10.3.0.0 255.255.255.0
route 10.65.10.0 255.255.255.0
dev tun
(I was missing the mandatory 'dev tun' in your setup, or are you using 'dev tap' ?)

create a 'client-config-dir' file:

$ echo "iroute 10.65.10.0 255.255.255.0" > /etc/openvpn/clients/clientN
The client configs would look something like


ca /etc/openvpn/ca.crt
cert /etc/openvpn/clientN.crt
key /etc/openvpn/clientN.key
auth SHA512
tls-auth /etc/openvpn/ta.key 1 # This file is secret
tls-cipher DHE-RSA-AES256-SHA
tls-remote "WHOLE/THING/FOR/MY/REMOTE/SERVER"
cipher AES-256-CBC
user nobody
group nobody

client-to-client
remote 42.xx.xx.xx

first try to get the VPN running without additional routing, make sure all VPN endpoints can see each other, then hook up the LANs behind each client

the_rale
OpenVpn Newbie
Posts: 5
Joined: Wed Mar 16, 2011 10:33 pm

Re: NET-TO-NET example

Post by the_rale » Fri Mar 25, 2011 6:34 am

janjust,

Can you add another client into the picture above just to get better idea where to put what?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: NET-TO-NET example

Post by janjust » Fri Mar 25, 2011 4:37 pm

let's say there are 2 clients, with certificates client1.crt and client2.crt
client1.crt has network 10.65.10.0/24 behind it.
client2.crt has network 10.65.20.0/24 behind it.

with some ASCII art:


10.65.10.0/24 - client1 --VPN-- server --VPN-- client2 - 10.65.20.0/24
In the server config you'd need to add the 'client-config-dir' option, as well as a route to both networks:

route 10.65.0.0 255.255.0.0
(this will cover all 10.65 nets)

Next, create two client-config files:

echo "iroute 10.65.10.0 255.255.255.0" > /etc/openvpn/clients/client1
echo "iroute 10.65.20.0 255.255.255.0" > /etc/openvpn/clients/client2
The client config file for each client differs only in the name of the certificate+key.

Does this clarify things?

the_rale
OpenVpn Newbie
Posts: 5
Joined: Wed Mar 16, 2011 10:33 pm

Re: NET-TO-NET example

Post by the_rale » Fri Mar 25, 2011 5:12 pm

janjust wrote: In the server config you'd need to add the 'client-config-dir' option, as well as a route to both networks:

route 10.65.0.0 255.255.0.0
(this will cover all 10.65 nets)
Can I have more than one route line? My networks don't relate as much. Some of them are in 10.65. and some in 172.16.

Douglas
Forum Team
Posts: 285
Joined: Wed Aug 27, 2008 2:41 am

Re: NET-TO-NET example

Post by Douglas » Sat Mar 26, 2011 8:51 pm

the_rale wrote:
janjust wrote: In the server config you'd need to add the 'client-config-dir' option, as well as a route to both networks:

route 10.65.0.0 255.255.0.0
(this will cover all 10.65 nets)
Can I have more than one route line? My networks don't relate as much. Some of them are in 10.65. and some in 172.16.
Yes, you can have multiple route lines.
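As an added example (not from this thread and not OpenVPN's own code), the script below writes the client-config-dir files the way the `echo` lines in janjust's post do, then checks the two things that most often break this kind of hub-and-spoke setup once several `route` lines are in play: an `iroute` LAN that no server-side `route` statement covers (the kernel never hands those packets to the tun interface), and two clients whose `iroute`s overlap (the server cannot tell which spoke owns the subnet). The server config, client names and subnets are constructed for the example, and a temporary directory stands in for /etc/openvpn/clients; note that each ccd file name must equal the common name in that client's certificate, which is how the server picks the file.

```python
"""Write client-config-dir (ccd) files and check route/iroute consistency.

OpenVPN needs both statements: 'route' installs a kernel route towards the tun
interface, 'iroute' tells the OpenVPN server process which connected client
owns that subnet. An iroute with no covering route never receives traffic.
"""
import os
import tempfile
from ipaddress import IPv4Network

# Constructed sample server config (hypothetical addresses, not from the thread).
SERVER_CONF = """\
client-config-dir /etc/openvpn/clients
server 10.3.0.0 255.255.255.0
route 10.65.0.0 255.255.0.0        # covers every 10.65.x.0/24 spoke
route 172.16.5.0 255.255.255.0     # one spoke in 172.16
dev tun
"""

# Constructed ccd contents, keyed by the client certificate's common name.
CCD_FILES = {
    "client1": "iroute 10.65.10.0 255.255.255.0\n",
    "client2": "iroute 10.65.20.0 255.255.255.0\n",
    "client3": "iroute 172.16.5.0 255.255.255.0\n",
    "client4": "iroute 172.16.9.0 255.255.255.0\n",  # deliberately uncovered
}


def parse_networks(text, keyword):
    """Return IPv4Network objects for every '<keyword> <network> [<netmask>]' line.

    Comments after '#' are ignored; a missing netmask means a host route (/32),
    which is OpenVPN's default for 'route' and 'iroute'.
    """
    nets = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == keyword:
            mask = parts[2] if len(parts) >= 3 else "255.255.255.255"
            nets.append(IPv4Network(f"{parts[1]}/{mask}", strict=False))
    return nets


def write_ccd(ccd_dir, ccd_files):
    """Create one ccd file per client, mirroring 'echo "iroute ..." > clients/clientN'."""
    os.makedirs(ccd_dir, exist_ok=True)
    paths = {}
    for client, text in ccd_files.items():
        path = os.path.join(ccd_dir, client)
        with open(path, "w") as fh:
            fh.write(text)
        paths[client] = path
    return paths


def check_coverage(server_conf, ccd_files):
    """Map (client, iroute subnet) to the server 'route' covering it, or None."""
    routes = parse_networks(server_conf, "route")
    result = {}
    for client, text in ccd_files.items():
        for net in parse_networks(text, "iroute"):
            covering = next((r for r in routes if net.subnet_of(r)), None)
            result[(client, str(net))] = str(covering) if covering else None
    return result


def find_conflicts(ccd_files):
    """Return (client_a, client_b, net_a, net_b) for iroutes that overlap across clients."""
    owned = [(c, n) for c, t in ccd_files.items() for n in parse_networks(t, "iroute")]
    conflicts = []
    for i, (ca, na) in enumerate(owned):
        for cb, nb in owned[i + 1:]:
            if ca != cb and na.overlaps(nb):
                conflicts.append((ca, cb, str(na), str(nb)))
    return conflicts


if __name__ == "__main__":
    ccd_dir = tempfile.mkdtemp(prefix="ccd-")  # stand-in for /etc/openvpn/clients
    for client, path in write_ccd(ccd_dir, CCD_FILES).items():
        print(f"wrote {path}")
    for (client, net), route in check_coverage(SERVER_CONF, CCD_FILES).items():
        status = f"covered by route {route}" if route else "NOT covered by any server route"
        print(f"{client}: iroute {net} {status}")
    for ca, cb, na, nb in find_conflicts(CCD_FILES):
        print(f"conflict: {ca} ({na}) overlaps {cb} ({nb})")
```

Run it once after editing the server config or adding a spoke: client4 is reported as uncovered, which is exactly the case where a second `route 172.16.9.0 255.255.255.0` line (or a wider `route 172.16.0.0 255.255.0.0`) has to be added on the server alongside the 10.65 one.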
