NET-TO-NET example
Posted: Wed Mar 16, 2011 10:35 pm
by the_rale
Can't seem to find working openvpn net-to-net manual. Anyone knows where to find it?
Re: NET-TO-NET example
Posted: Thu Mar 17, 2011 2:06 am
by Bebop
the_rale wrote: Can't seem to find working openvpn net-to-net manual
By net-to-net do you mean lan-to-lan?
There's a brief overview here:
topic98.html
You need a firm understanding of the iroute command.
Re: NET-TO-NET example
Posted: Thu Mar 17, 2011 8:21 am
by janjust
net-to-net (or lan-to-lan) can be configured using both static keys and certificates; using static keys is easier if you wish to hook up two sites, and two sites only. If you wish road-warrior access or more clients then a cert/key setup is easier to use.
For a cert/key client/server setup the 'iroute' command is quite useful, as is explained in the HOWTO page:
http://openvpn.net/index.php/open-sourc ... html#scope
Re: NET-TO-NET example
Posted: Sun Mar 20, 2011 11:37 pm
by the_rale
Thanks guys, got it working. Still have to figure how to add more tunnels but looks promising so far.
Re: NET-TO-NET example
Posted: Mon Mar 21, 2011 1:18 am
by Douglas
the_rale wrote: Thanks guys, got it working. Still have to figure how to add more tunnels but looks promising so far.
How far have you gotten with that? We can help.
Re: NET-TO-NET example
Posted: Mon Mar 21, 2011 2:38 am
by the_rale
Douglas wrote: How far have you gotten with that? We can help.
This is what I got so far; below are all the changes I made to the original server.conf. The tunnel is working fine, and compared to IPsec, firewalling is a joke. Great stuff, I love it!!
Not sure how to add a second tunnel. If I just add additional remote, ifconfig and route lines, how will openvpn figure out what is what? There must be something like a tunnel definition, similar to ipsec.conf. This server is the center of my 7-point star network.
local 42.x.x.x
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
auth SHA512
tls-auth /etc/openvpn/ta.key 0 # This file is secret
tls-server
tls-cipher DHE-RSA-AES256-SHA
tls-remote "WHOLE/THING/FOR/MY/REMOTE/SERVER"
cipher AES-256-CBC
user nobody
group nobody
float
remote remote_site1.mydomain.com
ifconfig 10.3.0.100 10.3.0.2 255.255.255.0
route 10.65.10.0 255.255.255.0 10.3.0.2
Re: NET-TO-NET example
Posted: Mon Mar 21, 2011 7:27 am
by janjust
if the server is the center of your 7 point star setup then you should consider switching to an OpenVPN client/server setup - that way you need only a single openvpn instance running on the centre and each "spoke" connects as a client. Your server config would look something like
local 42.x.x.x
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
auth SHA512
tls-auth /etc/openvpn/ta.key 0 # This file is secret
tls-server
tls-cipher DHE-RSA-AES256-SHA
tls-remote "WHOLE/THING/FOR/MY/REMOTE/SERVER"
cipher AES-256-CBC
user nobody
group nobody
client-config-dir /etc/openvpn/clients
server 10.3.0.0 255.255.255.0
route 10.65.10.0 255.255.255.0
dev tun
(I was missing the mandatory 'dev tun' in your setup, or are you using 'dev tap' ?)
Create a 'client-config-dir' file:
$ echo "iroute 10.65.10.0 255.255.255.0 " > /etc/openvpn/clients/clientN
The client configs would look something like
ca /etc/openvpn/ca.crt
cert /etc/openvpn/clientN.crt
key /etc/openvpn/clientN.key
auth SHA512
tls-auth /etc/openvpn/ta.key 1 # This file is secret
tls-cipher DHE-RSA-AES256-SHA
tls-remote "WHOLE/THING/FOR/MY/REMOTE/SERVER"
cipher AES-256-CBC
user nobody
group nobody
client-to-client
remote 42.xx.xx.xx
First try to get the VPN running without additional routing; make sure all VPN endpoints can see each other, then hook up the LANs behind each client.
Re: NET-TO-NET example
Posted: Fri Mar 25, 2011 6:34 am
by the_rale
janjust,
Can you add another client into the picture above, just to get a better idea of where to put what?
Re: NET-TO-NET example
Posted: Fri Mar 25, 2011 4:37 pm
by janjust
let's say there are 2 clients, with certificates client1.crt and client2.crt
client1.crt has network 10.65.10.0/24 behind it.
client2.crt has network 10.65.20.0/24 behind it.
With some ASCII art:
10.65.10.0/24 - client1 --VPN-- server --VPN-- client2 - 10.65.20.0/24
In the server config you'd need to add the 'client-config-dir' option, as well as a route to both networks:
(this will cover all 10.65 nets)
Next, create two client-config files:
echo "iroute 10.65.10.0 255.255.255.0 " > /etc/openvpn/clients/client1
echo "iroute 10.65.20.0 255.255.255.0 " > /etc/openvpn/clients/client2
The client config file for each client differs only in the name of the certificate+key.
Does this clarify things?
Re: NET-TO-NET example
Posted: Fri Mar 25, 2011 5:12 pm
by the_rale
janjust wrote:
In the server config you'd need to add the 'client-config-dir' option , as well as a route to both networks:
(this will cover all 10.65 nets)
Can I have more than one route line? My networks don't relate as much. Some of them are in 10.65. and some in 172.16.
Re: NET-TO-NET example
Posted: Sat Mar 26, 2011 8:51 pm
by Douglas
the_rale wrote:
janjust wrote:
In the server config you'd need to add the 'client-config-dir' option, as well as a route to both networks:
(this will cover all 10.65 nets)
Can I have more than one route line? My networks don't relate as much. Some of them are in 10.65. and some in 172.16.
Yes, you can have multiple route lines.
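The hub layout janjust describes (one server 'route' per LAN range, plus one ccd file per client carrying the matching 'iroute') and the follow-up that several 'route' lines are fine both hinge on the same consistency rule: every iroute must fall inside some server route, or the kernel never hands that LAN's traffic to the tun device, and no two clients may claim overlapping LANs, or the server cannot tell which client to forward to. The script below is an added example, not code from the thread or from the OpenVPN project; it checks those two rules over a constructed server.conf fragment and a constructed set of client-config-dir files (names, addresses and the 172.16 range for a third client are all made up to go beyond the two-client picture above).

```python
"""Consistency check for an OpenVPN hub's 'route' lines vs. its ccd 'iroute' files.

Added example, not from the forum thread. The server.conf text and the ccd
contents below are constructed sample data; load_ccd_dir() shows how the same
check would be fed from a real client-config-dir.
"""
import ipaddress
import pathlib
import re

# Constructed server.conf fragment: more than one 'route' line, as the
# thread confirms is allowed; one for the 10.65 nets, one for the 172.16 nets.
SERVER_CONF = """\
server 10.3.0.0 255.255.255.0
client-config-dir /etc/openvpn/clients
route 10.65.0.0 255.255.0.0
route 172.16.0.0 255.255.0.0
dev tun
"""

# Constructed client-config-dir contents; each file name must equal the
# certificate CN, as the thread's client1/client2 example shows.
CCD_FILES = {
    "client1": "iroute 10.65.10.0 255.255.255.0\n",
    "client2": "iroute 10.65.20.0 255.255.255.0\n",
    "client3": "iroute 172.16.5.0 255.255.255.0\n",
    "client4": "iroute 192.168.7.0 255.255.255.0\n",     # no server route covers it
    "client5": "iroute 10.65.20.128 255.255.255.128\n",  # overlaps client2's LAN
}

_ROUTE_RE = re.compile(r"^\s*(route|iroute)\s+(\S+)\s+(\S+)")


def parse_networks(text, keyword):
    """Return the networks named by every '<keyword> <net> <mask>' line in text."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = _ROUTE_RE.match(line)
        if m and m.group(1) == keyword:
            # ipaddress accepts dotted-quad masks after the slash
            nets.append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
    return nets


def load_ccd_dir(path):
    """Read a real client-config-dir into the {cn: text} shape check_ccd() expects."""
    return {p.name: p.read_text() for p in pathlib.Path(path).iterdir() if p.is_file()}


def check_ccd(server_conf, ccd_files):
    """Return a list of problem strings; an empty list means the layout is consistent."""
    problems = []
    if "client-config-dir" not in server_conf:
        problems.append("server config has no client-config-dir; iroute files are ignored")
    routes = parse_networks(server_conf, "route")
    claimed = []                              # (client, network) already seen
    for client, text in ccd_files.items():
        for net in parse_networks(text, "iroute"):
            if not any(net.subnet_of(r) for r in routes):
                problems.append(f"{client}: iroute {net} not covered by any server route")
            for other, onet in claimed:
                if net.overlaps(onet):
                    problems.append(f"{client}: iroute {net} overlaps {other}'s {onet}")
            claimed.append((client, net))
    return problems


if __name__ == "__main__":
    for problem in check_ccd(SERVER_CONF, CCD_FILES) or ["ok: routes and iroutes agree"]:
        print(problem)
```

Run against the sample data it reports two problems, client4 (no covering route) and client5 (overlapping client2); drop those two entries and it reports none. Against a live hub, pass the text of server.conf and `load_ccd_dir("/etc/openvpn/clients")` instead.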