
OpenVPN Site to Site Setup

I’ve had a big fight to get my OpenVPN setup working to properly connect my remote office to my home network via a Mac Mini serving as a gateway on one side. I’m going to leave all the security/certificate issues out of this, as this is very well covered elsewhere.

The desired network topology is a fully bidirectional site-to-site link and looks like this:

Home (192.168.160.0/24) <-> VPN transit network (10.8.0.0/24) over the Internet <-> Remote Office (192.168.163.0/24)
Home Clients <-> VPN Server (192.168.160.21) <-> Home Router (192.168.160.1) <-> Internet <-> Remote Router (192.168.163.1) <-> Office VPN Gateway (192.168.163.21) <-> Office Clients

The OpenVPN server lives on the home side; the office gateway is an ordinary OpenVPN client that dials out to it and then forwards traffic for its own LAN.

To achieve this, the server configuration needs to contain:

local 192.168.160.21 	# bind to the LAN address of the VPN server (an address, not an interface name)
proto udp				# we're using UDP
port 1194				# the home router must forward this UDP port to 192.168.160.21
dev tun					# we're routing (layer 3), so we need the tun device

server 10.8.0.0 255.255.255.0 # this is the transit network pool
ifconfig-pool-persist ipp.txt # persist the pool assignments across restarts
topology subnet				  # more on this later

push "route 192.168.160.0 255.255.255.0" 	# make clients send packets for the home network into the VPN
route 192.168.163.0 255.255.255.0 10.8.0.2 	# route packets for the remote office into the tunnel (the gateway matters, see below)

client-config-dir ccd				# next to the config file, create a directory "ccd" which will contain client-specific settings
push "dhcp-option DNS 192.168.160.20" # announce the home office DNS server to the connected clients; we only want a single DNS server for Active Directory to work, and it has to lie inside a pushed route or clients cannot reach it

keepalive 10 120 # ping every ten seconds, restart the link after two minutes without an answer

comp-lzo	# compression, see the caveat below
status openvpn-status.log # lists Common Name and addresses of every connected client

A caveat on comp-lzo: compression inside the tunnel is deprecated in current OpenVPN releases because an attacker who can inject traffic into the VPN can use it to recover plaintext (the VORACLE class of attacks). Leave it out unless an old peer forces you to keep it; the bandwidth gain on a modern link is small. The status file is also the easiest place to read the Common Name a client authenticated with, which we need in the next step.

In the ccd directory, we can create a file for each client that connects, and OpenVPN applies the settings in it to that client only. The file name is the Common Name of the certificate the remote office gateway uses to authenticate itself to the server (I looked it up in the ipp.txt pool file after the client had connected; it also appears in openvpn-status.log). Because the file is matched on the Common Name alone, every certificate the CA issues must be under your control: whoever holds a certificate with this name is treated as the office gateway and receives all traffic for the office network.
That file needs to contain a single setting:

iroute 192.168.163.0 255.255.255.0 # tell OpenVPN that this client is the gateway for the remote network: the kernel route above gets packets into the tun device, iroute decides which client they are handed to

Note that because we persist the pool assignments in ipp.txt, the remote gateway will keep 10.8.0.2 in our example (you can change this by editing ipp.txt and restarting the OpenVPN server service). The entries in ipp.txt are only suggestions, not guarantees, so if the gateway ever receives a different address the route above silently stops working; pinning the address with an ifconfig-push line in the same ccd file is the more robust option.

Additionally, we need to set up a couple of static routes in our routers, so that hosts which use the routers as their default gateway know where the other site lives:

  • Home Router:
    • 10.8.0.0/24 via the OpenVPN server (192.168.160.21)
    • 192.168.163.0/24 via the OpenVPN server (192.168.160.21)
    • Obviously open up UDP port 1194 on the firewall and forward it to 192.168.160.21 (the remote router needs no inbound rule; the office gateway only makes an outbound connection)
  • Remote Router:
    • 192.168.160.0/24 via the OpenVPN gateway (192.168.163.21)

Both the VPN server and the office gateway must also have IP forwarding enabled in the kernel (net.ipv4.ip_forward on Linux, net.inet.ip.forwarding on the Mac Mini), otherwise they accept the packets and drop them instead of passing them between the LAN and the tun device.
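The routes above are easiest to understand by following a packet hop by hop. The following added example (not code from the post) models the routing table of every device in the topology with longest-prefix matching and traces a packet in each direction, once without and once with the static routes on the two routers. The client hosts .50 and .40 and the "internet" sink standing for the routers' default route are assumptions.

```python
"""Hop-by-hop trace through the two-site topology (added example, not code
from the post). Each device gets a routing table of (prefix, next hop) and a
packet is followed by longest-prefix match until it is delivered on-link,
leaks to a router's default route ("internet") or is dropped. Addresses are
the post's; the client hosts .50 and .40 and the "internet" sink are assumed.
"""
import ipaddress

DIRECT = "direct"        # destination is on-link at this device
INTERNET = "internet"    # the routers' default route, i.e. the ISP

# which device answers for a given next-hop address
ADDRESSES = {
    "192.168.160.1": "home-router", "192.168.160.21": "vpn-server",
    "10.8.0.1": "vpn-server", "10.8.0.2": "office-gw",
    "192.168.163.21": "office-gw", "192.168.163.1": "office-router",
}


def tables(home_router_fixed, office_router_fixed):
    """Routing tables of every hop; the flags add the static routes the post asks for."""
    home_router = [("192.168.160.0/24", DIRECT), ("0.0.0.0/0", INTERNET)]
    if home_router_fixed:
        home_router += [("10.8.0.0/24", "192.168.160.21"),
                        ("192.168.163.0/24", "192.168.160.21")]
    office_router = [("192.168.163.0/24", DIRECT), ("0.0.0.0/0", INTERNET)]
    if office_router_fixed:
        office_router.append(("192.168.160.0/24", "192.168.163.21"))
    return {
        "home-client": [("192.168.160.0/24", DIRECT), ("0.0.0.0/0", "192.168.160.1")],
        "home-router": home_router,
        "vpn-server": [("192.168.160.0/24", DIRECT), ("10.8.0.0/24", DIRECT),
                       ("192.168.163.0/24", "10.8.0.2"),   # the server's 'route ... 10.8.0.2'
                       ("0.0.0.0/0", "192.168.160.1")],
        "office-gw": [("192.168.163.0/24", DIRECT), ("10.8.0.0/24", DIRECT),
                      ("192.168.160.0/24", "10.8.0.1"),    # the pushed 'route 192.168.160.0 ...'
                      ("0.0.0.0/0", "192.168.163.1")],
        "office-router": office_router,
        "office-client": [("192.168.163.0/24", DIRECT), ("0.0.0.0/0", "192.168.163.1")],
    }


def next_hop(table, dst):
    """Longest-prefix match: returns DIRECT, INTERNET, a next-hop address, or None."""
    dst = ipaddress.IPv4Address(dst)
    best = None
    for prefix, hop in table:
        n = ipaddress.IPv4Network(prefix)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, hop)
    return best[1] if best else None


def trace(tabs, src, dst):
    """Devices a packet from src to dst passes; ends in 'delivered', 'internet', 'dropped' or 'loop'."""
    path, here = [src], src
    while True:
        hop = next_hop(tabs[here], dst)
        if hop == DIRECT:
            return path + ["delivered"]
        if hop is None or hop == INTERNET:
            return path + [hop or "dropped"]
        here = ADDRESSES[hop]
        if here in path:                 # guard against routing loops
            return path + ["loop"]
        path.append(here)


if __name__ == "__main__":
    for fixed in (False, True):
        t = tables(fixed, fixed)
        print(f"static routes on the routers: {fixed}")
        print("  home -> office:", " -> ".join(trace(t, "home-client", "192.168.163.40")))
        print("  office -> home:", " -> ".join(trace(t, "office-client", "192.168.160.50")))
```

Without the static routes both directions end at the ISP: the home router has never heard of the office network and hands the packet to its default route, and the reply suffers the same fate on the office side. This is also why a trace that works from the VPN server itself (which has the route) can still fail from an ordinary client on either LAN.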

The topology subnet setting caused some issues for me, but I finally got them resolved. The solution was to add the remote office's gateway address to the route setting:

route 192.168.163.0 255.255.255.0 10.8.0.2 	# route packets for the remote office into the tunnel, using the remote office's VPN address as the gateway for this traffic

The reason: with the old default, topology net30, the server's tun interface has a point-to-point peer address, which OpenVPN uses as the implicit gateway for route lines. With topology subnet the interface only has an address and a netmask, so every route needs an explicit gateway, either on the line itself as above or as a global route-gateway directive. If you don't do this, you'll get an error like this in the server log:

OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
OpenVPN ROUTE: failed to parse/resolve route for host/network

It's a shame this isn't mentioned in the official OpenVPN HowTo; the otherwise sparse but sufficient documentation could be a bit more precise here.
Using the tracert tool was an invaluable help in checking that my packets were routed correctly, one lesson learned.
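The rules this post arrives at by trial and error (a server-side route needs a gateway under topology subnet, every route needs an owning iroute in a ccd file and vice versa, the pushed DNS server must be reachable through a pushed route, and the assigned address the route relies on should be pinned) can be checked before restarting the daemon. The following added example is not code from the post or from the OpenVPN project; the server config and the ccd entry are constructed samples using the post's addresses, and the Common Name office-gw is an assumption.

```python
"""Consistency checks for a site-to-site OpenVPN server config (added example,
not code from the post or the OpenVPN project). Encodes the rules the post finds
by trial and error: a server 'route' needs a gateway under 'topology subnet',
every 'route' needs an owning 'iroute' in a ccd file and vice versa, a pushed DNS
server must lie inside a pushed route. Config and ccd are constructed samples
with the post's addresses; the Common Name 'office-gw' is assumed."""
import ipaddress
import shlex

SERVER_CONF = """\
local 192.168.160.21
proto udp
port 1194
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
topology subnet
push "route 192.168.160.0 255.255.255.0"
route 192.168.163.0 255.255.255.0 10.8.0.2
client-config-dir ccd
push "dhcp-option DNS 192.168.160.20"
keepalive 10 120
comp-lzo
status openvpn-status.log
"""
CCD = {"office-gw": "iroute 192.168.163.0 255.255.255.0\n"}  # ccd/<CN>; the CN is assumed


def parse(text):
    """Yield (directive, args); '#' comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            words = shlex.split(line)
            yield words[0], words[1:]


def net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def lint(server_conf, ccd_files):
    """Return 'ERROR: ...' / 'WARN: ...' findings for the server config and its ccd files."""
    findings, directives = [], list(parse(server_conf))
    names = [d for d, _ in directives]
    pushed = [tuple(shlex.split(a[0])) for d, a in directives if d == "push" and a]
    tun_net = next((net(a[0], a[1]) for d, a in directives if d == "server" and len(a) >= 2), None)

    # 1. kernel routes on the server: under 'topology subnet' the tun device has no
    #    point-to-point peer, so the gateway must be given explicitly
    server_routes = {}
    for d, a in directives:
        if d != "route" or len(a) < 2:
            continue
        target = net(a[0], a[1])
        gw = a[2] if len(a) > 2 and a[2] != "default" else None
        server_routes[target] = gw
        if gw is None and ("topology", ["subnet"]) in directives and "route-gateway" not in names:
            findings.append(f"ERROR: route {target} has no gateway; 'topology subnet' needs one "
                            "on the line or a 'route-gateway' directive")
        elif gw and tun_net and ipaddress.IPv4Address(gw) not in tun_net:
            findings.append(f"ERROR: route {target} gateway {gw} is outside the transit net {tun_net}")

    # 2. ccd: the kernel route moves packets into tun, the iroute names the owning client
    iroutes, pinned = {}, {}
    for cn, text in ccd_files.items():
        for d, a in parse(text):
            if d == "iroute" and len(a) >= 2:
                iroutes[net(a[0], a[1])] = cn
            elif d == "ifconfig-push" and a:
                pinned[cn] = a[0]
    for target, gw in server_routes.items():
        owner = iroutes.get(target)
        if owner is None:
            findings.append(f"ERROR: route {target} has no matching iroute in any ccd file")
        elif gw and owner in pinned and pinned[owner] != gw:
            findings.append(f"ERROR: route {target} uses gateway {gw} but ccd/{owner} pins {pinned[owner]}")
        elif gw and owner not in pinned:
            mask = tun_net.netmask if tun_net else "<tun netmask>"
            findings.append(f"WARN: route {target} relies on ipp.txt keeping {gw} for {owner}; "
                            f"add 'ifconfig-push {gw} {mask}' to ccd/{owner}")
    for target, cn in iroutes.items():
        if target not in server_routes:
            findings.append(f"ERROR: ccd/{cn} has iroute {target} but the server has no kernel route for it")

    # 3. a pushed DNS server must be inside a pushed route (or the transit network)
    reachable = ([tun_net] if tun_net else []) + [net(p[1], p[2]) for p in pushed
                                                  if p[0] == "route" and len(p) >= 3]
    for p in pushed:
        if p[0] == "dhcp-option" and len(p) >= 3 and p[1] == "DNS":
            if not any(ipaddress.IPv4Address(p[2]) in r for r in reachable):
                findings.append(f"WARN: pushed DNS {p[2]} is not inside any pushed route")

    # 4. settings a security reviewer would flag
    if "comp-lzo" in names or "compress" in names:
        findings.append("WARN: compression is deprecated (OpenVPN 2.4+); it enables VORACLE-style attacks")
    if "client-cert-not-required" in names:
        findings.append("WARN: client-cert-not-required disables mutual TLS authentication")
    return findings
```

Run against the sample config it reports no errors, one warning that the route depends on ipp.txt handing out 10.8.0.2 and one about comp-lzo; drop the gateway from the route line or delete the ccd file and the two errors described above appear instead.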
Categories: General
  1. Dujan
    June 20, 2012 at 03:46

    Hi jorudolph

    Thanks for the additional help, will try this myself. I have one question though. Where should this route be placed, on the OpenVPN server or the OpenVPN client?

    route 192.168.163.0 255.255.255.0 10.8.0.2 # route packets for the remote off

    About the topology subnet: I realize it's in the OpenVPN server config at first, then further down you talked about placing it elsewhere. Can you clarify for me please? Does it have to be on both the OpenVPN server and OpenVPN client?

  2. June 20, 2012 at 08:14

    This line needs to be in the server config (it’s already in there in the first snippet).

    • Dujan
      June 20, 2012 at 17:28

      Thanks jorudolph

      I am having some major problems. I cannot get OpenVPN to route at all. I will send you a copy of the config

      local 192.168.2.7 #- your_server_ip goes here
      port 1194 #- port
      proto udp #- protocol
      dev tun
      topology subnet
      tun-mtu 1500
      tun-mtu-extra 32
      mssfix 1450
      ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
      cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
      key /etc/openvpn/easy-rsa/2.0/keys/server.key
      dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
      plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
      client-cert-not-required
      #username-as-common-name
      server 10.10.10.0 255.255.255.0
      ifconfig-pool-persist ipp.txt
      push "dhcp-option DNS 8.8.8.8"
      push "dhcp-option DNS 8.8.4.4"
      push "route 192.168.2.0 255.255.255.0"
      #push "route 192.168.1.0 255.255.255.0"
      route 192.168.1.0 255.255.255.0 10.10.10.6
      client-to-client
      client-config-dir /etc/openvpn/ccd/client
      keepalive 5 30
      comp-lzo
      persist-key
      persist-tun
      status 1194.log
      verb 3

      I am using dynamic public IPs on both networks. I already have dynamic hosting working, so I am able to connect both boxes over the internet. My remote network is the 192.168.1.0/24 network (192.158.1.8 client IP), my local network is 192.168.2.0/24 (192.168.2.7 OpenVPN server IP). I know I have to open port 1194 on both boxes to point to the OpenVPN server and client respectively. Can you please assist in my endeavor. Thanks in advance.

      Also do i need to put any static routes in the modem/routers on both sides?

  3. December 4, 2014 at 06:47

    Thanks man!!! You saved my day!!

  4. Dijk
    February 25, 2016 at 17:30

    Thanks for your article. This helped me out on solving the routing issue I spent too many days on.

January 16, 2011 at 16:13
