OpenVPN Site to Site Setup
I’ve had a big fight to get my OpenVPN setup working to properly connect my remote office to my home network, with a Mac Mini serving as the gateway on one side. I’m going to leave all the security/certificate issues out of this, as they are very well covered elsewhere.
The desired network topology is a fully bidirectional site to site link and looks like this:
Home LAN (192.168.160.0/24) -> VPN transit (10.8.0.0/24) / Internet -> Remote Office LAN (192.168.163.0/24)

Home Clients <-> VPN Server (192.168.160.21) <-> Home Router (192.168.160.1) <-> Internet <-> Remote Router (192.168.163.1) <-> Office VPN Gateway (192.168.163.21) <-> Office Clients
To achieve this, the server configuration needs to contain:
local 192.168.160.21                        # the LAN address to listen on
proto udp                                   # we're using UDP
port 1194                                   # this UDP port must be forwarded to the local address by the home router
dev tun                                     # we're routing, so we need the tun device
server 10.8.0.0 255.255.255.0               # the transit network pool; the server itself takes 10.8.0.1
ifconfig-pool-persist ipp.txt               # persist the address assignments
topology subnet                             # more on this later
push "route 192.168.160.0 255.255.255.0"    # make clients send packets for the home network into the VPN
route 192.168.163.0 255.255.255.0 10.8.0.2  # route packets for the remote office into the tunnel
client-config-dir ccd                       # next to the config file, create a directory "ccd" that holds client-specific settings
push "dhcp-option DNS 192.168.0.20"         # announce the home office DNS server to the connected clients; we only want a single DNS for Active Directory to work
keepalive 10 120                            # ping every ten seconds, drop the link after two minutes of silence
comp-lzo                                    # compression to improve bandwidth, see the note below
status openvpn-status.log

Two caveats on the above. The pushed DNS server must lie inside a network the clients are routed to (i.e. be covered by the pushed route), otherwise DNS queries never enter the tunnel. And compression over a VPN is deprecated by the OpenVPN project because it enables plaintext-recovery attacks (VORACLE, 2018): on current versions leave comp-lzo out entirely rather than keeping it for the bandwidth.
In the ccd directory, we create a file for each client that should receive client-specific settings from OpenVPN. The file name is the Common Name of the certificate the remote office gateway uses to authenticate itself to the server (I looked it up in the ipp.txt pool file after the client had connected; it is also listed in openvpn-status.log). The name has to match the certificate's CN exactly, otherwise the file is simply not found and the client connects without these settings. If the server should refuse clients that have no ccd entry, add ccd-exclusive to the server config.
That file needs to contain a single setting:
iroute 192.168.163.0 255.255.255.0 # tell OpenVPN's internal routing that the 192.168.163.0/24 network sits behind this client: the route line in the server config gets the packets into the tun device, this line tells the server which client's tunnel to deliver them to
Note that because ifconfig-pool-persist records the assignments in ipp.txt, the remote gateway will keep being assigned 10.8.0.2 in our example, the first address after the server's own 10.8.0.1 (you can change this by editing ipp.txt and restarting the OpenVPN server service). Since the route line above hard-codes that address as the gateway, it is safer to pin it explicitly with ifconfig-push 10.8.0.2 255.255.255.0 in the same ccd file than to rely on the pool file surviving.
Additionally, both gateway hosts must forward packets between their LAN and the tun interface (net.inet.ip.forwarding=1 on the Mac Mini, net.ipv4.ip_forward=1 on Linux), and we need to set up a couple of routes in our routers:
- Home Router:
- 10.8.0.0 to OpenVPN Server (192.168.160.21)
- 192.168.163.0 to OpenVPN Server (192.168.160.21)
- Open up UDP port 1194 on the firewall and forward it to 192.168.160.21
- Remote Router:
- 192.168.160.0 to OpenVPN Gateway (192.168.163.21)
The topology subnet setting caused some issues for me, but I finally got them resolved. Without an explicit gateway on the route line, the server refused to bring up the route:

OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
OpenVPN ROUTE: failed to parse/resolve route for host/network

The solution was to add the remote office gateway's VPN address to the route setting:

route 192.168.163.0 255.255.255.0 10.8.0.2 # route packets for the remote office into the tunnel, using the remote office gateway's VPN address as the next hop for this traffic
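The pieces above only work when they agree with each other: the route gateway has to be the address the ccd client actually gets, every route into the tunnel needs a matching iroute, and the pushed DNS server has to sit inside a pushed network. Here is a small consistency checker for exactly those relationships, added as an example and not part of the original post. It assumes the office gateway's certificate CN is office-gw and, for the corrected variant, a DNS server at 192.168.160.20; neither value is given above. It takes file contents as strings so it runs offline, and the sample server config is constructed from the settings in this post.

```python
# Consistency checker for an OpenVPN site-to-site server config and its ccd files.
import ipaddress
import shlex

GATEWAY_KEYWORDS = {"vpn_gateway", "net_gateway", "remote_host"}  # OpenVPN route keywords


def parse_directives(text):
    """Return [(directive, [args])], dropping blank lines and '#' comments;
    quoted arguments such as push "..." stay intact."""
    directives = []
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if parts:
            directives.append((parts[0], parts[1:]))
    return directives


def to_network(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_site_to_site(server_conf, ccd_files):
    """Cross-check a server config against its ccd files. ccd_files maps a
    certificate Common Name (the ccd file name) to that file's text.
    Returns a list of findings; an empty list means the pieces agree."""
    findings, transit, routes, pushed_nets, pushed_dns = [], None, [], [], []
    for name, args in parse_directives(server_conf):
        if name == "server":
            transit = to_network(args[0], args[1])
        elif name == "route":
            routes.append((to_network(args[0], args[1]), args[2] if len(args) > 2 else None))
        elif name == "push":
            opt = args[0].split()
            if opt[0] == "route":
                pushed_nets.append(to_network(opt[1], opt[2]))
            elif opt[0] == "dhcp-option" and opt[1].upper() == "DNS":
                pushed_dns.append(ipaddress.ip_address(opt[2]))
    if transit is None:
        return ["no 'server' line: there is no transit network for the tunnel"]

    iroutes, pinned = {}, {}  # network -> owning CN, CN -> ifconfig-push address
    for cn, text in ccd_files.items():
        for name, args in parse_directives(text):
            if name == "iroute":
                iroutes[to_network(args[0], args[1])] = cn
            elif name == "ifconfig-push":
                pinned[cn] = ipaddress.ip_address(args[0])

    for network, gateway in routes:
        # The kernel route only gets packets into the tun device; OpenVPN's
        # internal router needs an iroute to pick the client that owns them.
        cn = iroutes.get(network)
        if cn is None:
            findings.append(f"route {network}: no ccd file carries a matching iroute")
            continue
        if gateway is None or gateway in GATEWAY_KEYWORDS:
            continue
        gw = ipaddress.ip_address(gateway)
        if gw not in transit:
            findings.append(f"route {network}: gateway {gw} is not in transit net {transit}")
        elif cn not in pinned:
            findings.append(f"route {network}: gateway {gw} relies on ipp.txt; pin it with "
                            f"'ifconfig-push {gw} {transit.netmask}' in ccd/{cn}")
        elif pinned[cn] != gw:
            findings.append(f"route {network}: gateway {gw} but ccd/{cn} pins {pinned[cn]}")
    for dns in pushed_dns:
        # Clients only send into the tunnel what a pushed route covers, so a
        # DNS server outside every pushed network is unreachable via the VPN.
        if not any(dns in n for n in pushed_nets + [transit]):
            findings.append(f"pushed DNS {dns} lies outside every pushed route")
    return findings


# Constructed sample: the routing-relevant lines of the server config above, and
# a ccd file for an office gateway whose certificate CN is assumed to be "office-gw".
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
topology subnet
push "route 192.168.160.0 255.255.255.0"
route 192.168.163.0 255.255.255.0 10.8.0.2
client-config-dir ccd
push "dhcp-option DNS 192.168.0.20"
"""
CCD_AS_POSTED = {"office-gw": "iroute 192.168.163.0 255.255.255.0  # we are the remote network\n"}
CCD_PINNED = {"office-gw": "iroute 192.168.163.0 255.255.255.0\n"
                           "ifconfig-push 10.8.0.2 255.255.255.0\n"}


def run_checks():
    """Findings for the config as posted, and for a variant that pins the gateway
    address and points DNS at an assumed address inside the home network."""
    as_posted = check_site_to_site(SERVER_CONF, CCD_AS_POSTED)
    fixed_conf = SERVER_CONF.replace("DNS 192.168.0.20", "DNS 192.168.160.20")
    corrected = check_site_to_site(fixed_conf, CCD_PINNED)
    return as_posted, corrected
```

For a real deployment, pass open("server.conf").read() and a dict built from the files in the ccd directory to check_site_to_site; the as-posted sample yields two findings (the unpinned 10.8.0.2 gateway and the DNS server outside the pushed route), the corrected variant none.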