- 02-03-2008 #1 Just Joined!
- Join Date
- Jul 2007
- Posts
- 9
VPN Site to Site
Hi
I am trying to set up site-to-site VPNs.
I have 3 networks:
192.168.1.0
192.168.2.0
192.168.3.0
I have been looking for help on using any type of VPN software such as OpenVPN.
The machines in each network must be able to talk to machines in other networks.
Please, any help or leads will be helpful.
Thanks
zak
- 02-03-2008 #2 Linux Enthusiast
- Join Date
- Apr 2004
- Location
- UK
- Posts
- 658
In theory it's reasonably straightforward. Pick one computer at each site to be the VPN gateway, then set up OpenVPN on each of them so they can talk to each other directly.
Once that is done you need to configure them as gateways so they will forward packets from their own network over the VPN to the other networks. Finally, every computer at each site needs to have routes set up so they will use those machines as gateways to the other networks.
The important point is not to configure masquerading on the gateway computers or they will all only be able to see each VPN endpoint rather than the whole network behind it. IIRC this just means iptables has to accept the packets and IP forwarding has to be activated. Google for /proc/sys/net/ipv4/ip_forward.
I set something like this up with only two networks. To make things simple I made my Internet gateway the VPN endpoint too, then everything gets sent to the router which does all of the heavy lifting. It's completely transparent to the other computers on the network. (OpenWrt on my wireless router is frankly amazing.)
In practice, you may have problems, but if you come back to us with error messages and relevant details we should be able to help you out.
Let us know how you get on,
Chris... To be good, you must first be bad. "Newbie" is a rank, not a slight.
- 02-04-2008 #3 Just Joined!
- Join Date
- Jul 2007
- Posts
- 9
Thanks for the help Chris.
If I run into any problems I will let you know.
zak
- 03-20-2008 #4 Just Joined!
- Join Date
- Jul 2007
- Posts
- 9
RE: SITE to SITE VPN
Hi, I got my VPN set up between my two sites; however, I can't seem to get the subnets to talk to each other.
Here are the settings for the local networks:
Network A
IP 192.168.1.0/24
GW 192.168.1.1
VPN IP 10.8.0.1
VPN BOX IP 192.168.1.110
Network B
IP 192.168.5.0/24
GW 192.168.5.1
VPN IP 10.8.0.2
VPN BOX IP 192.168.5.111
Here are the server.conf and client.conf settings that I am using.
On both machines the firewalls are turned off.
The two VPN boxes are not the Gateways for the local networks.
I got the route code from the openvpn.net man pages however I think it assumes the gateways to be the boxes as well. How do I fix this?
server.conf
dev tun
ifconfig 10.8.0.1 10.8.0.2
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user nobody
group nobody
# NB: this is route(8) command syntax; OpenVPN's own directive form is
# "route 192.168.5.0 255.255.255.0 10.8.0.2"
route add -net 192.168.5.0 netmask 255.255.255.0 gw 10.8.0.2
#daemon
client.conf file
proto udp
remote "MYPUBLICIP"
dev tun
ifconfig 10.8.0.2 10.8.0.1
resolv-retry infinite
persist-tun
persist-key
comp-lzo
user nobody
group nogroup
# NB: this is route(8) command syntax; OpenVPN's own directive form is
# "route 192.168.1.0 255.255.255.0 10.8.0.1"
route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.8.0.1
#daemon
thanks
zak
- 03-22-2008 #5 Linux Enthusiast
- Join Date
- Apr 2004
- Location
- UK
- Posts
- 658
I think we'll need more information before we can sort this out.
Can you ping from one of your VPN endpoints to the other?
Then on one of the other computers:
Code:
route -n
Also try and ping both VPN endpoints from this other computer. Finally, on one of the computers on the other network, run the route command again and try to ping both VPN endpoints and the other computer you ran route on.
Try all of that and post the output here and we might be able to help.
Let us know how you get on,
Chris... To be good, you must first be bad. "Newbie" is a rank, not a slight.
- 03-23-2008 #6 Just Joined!
- Join Date
- Jul 2007
- Posts
- 9
Re VPN to VPN: Working
I managed to get it working. Silly mistakes on my part with the routing code in Linux. Thanks for the info.
What type of server application would I use to allow my subnet machines to access the file shares on either side? Would Samba work? I need to let my Windows PC access other Windows PCs on the different network.
- 03-23-2008 #7 Linux Enthusiast
- Join Date
- Apr 2004
- Location
- UK
- Posts
- 658
Excellent, I'm glad that worked.
In terms of the VPN, you can run any network protocol you like over it; it should be totally transparent.
For file sharing, if you require Windows integration, then Samba would be a good choice. On the other hand, IIRC Windows sharing works mostly via broadcast messages for finding hosts. These broadcasts are limited to the subnet you are on and will not travel over the VPN, so computers on each side will not be able to see each other automatically. Also I think SMB has a reasonably large overhead which will become more apparent if your VPN has a significantly lower bandwidth than your LAN.
You should still be able to find them by hostname/IP and I think you can set Samba to announce itself to other networks, but I'm not totally sure. I'd start another thread to get better help there.
Let us know how you get on,
Chris... To be good, you must first be bad. "Newbie" is a rank, not a slight.
- 03-23-2008 #8 Just Joined!
- Join Date
- Jul 2007
- Posts
- 9
re: openvpn tweaking server daemon
Hi,
I have now configured my VPN to use server settings instead of point-to-point.
Everything still works except for an odd problem.
I am using the following to customize my client connections:
"client-config-dir ccd"
Since I want to make my VPN connection route to other subnets, I decided to assign the client its own VPN IP instead of it coming from the pool.
Therefore, in the ccd/ directory I have the client file with the following code inside:
ifconfig-push 10.8.0.2 10.8.0.1
iroute 192.168.5.0 255.255.255.0
Everything works well except when I add the daemon command into the config file.
It seems to ignore the client-config-dir and assigns the VPN IP from the pool.
As soon as I remove the daemon command everything works fine; however, now OpenVPN is running in the shell, which is undesirable.
Did I miss something?
server conf file:
port 1194
proto udp
dev tun
#encryption
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
#server will get 10.8.0.1
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
client-config-dir ccd
route 192.168.5.0 255.255.255.0
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
comp-lzo
#status openvpn-status.log
#log openvpn.log
#verb 4
#mute 10
#daemon
Zak
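As an added example (not code from the thread or from the OpenVPN project), a small Python lint that checks an OpenVPN server config for the two problems hit in posts #4 and #8: a route line pasted in route(8) shell syntax instead of OpenVPN's "route network netmask gateway" directive form, and "daemon" combined with relative paths and no "cd" directive. OpenVPN's daemon step changes the working directory to / unless "cd" is set, so a relative ccd/ directory is no longer found when a client connects; this is assumed here to be the cause of the pool-address symptom in post #8. The sample configs are constructed from the thread's own settings, and the "cd /etc/openvpn" path in the finding text is an assumed location.

```python
# Directives whose first argument is a file or directory path (those used in this thread).
PATH_DIRECTIVES = {"ca", "cert", "key", "dh", "client-config-dir",
                   "ifconfig-pool-persist", "status", "log"}

def parse_config(text):
    """Split an OpenVPN config into (directive, args) pairs; drops '#' comments and blanks
    (simplification: assumes no '#' inside quoted arguments)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries

def lint_config(text):
    """Return findings for the two mistakes discussed in this thread (empty list = clean)."""
    entries = parse_config(text)
    names = {d for d, _ in entries}
    daemon_without_cd = "daemon" in names and "cd" not in names
    findings = []
    for directive, args in entries:
        # route(8) command syntax pasted into the config; OpenVPN's directive is
        # 'route <network> <netmask> [gateway]', so 'add'/'-net'/'gw' are not valid here.
        if directive == "route" and args[:1] == ["add"]:
            findings.append("route uses route(8) syntax: " + " ".join(args))
        # daemon(3) changes the working directory to / unless 'cd' is set, so relative
        # paths opened after daemonizing (e.g. ccd/ on each client connect) stop resolving.
        if daemon_without_cd and directive in PATH_DIRECTIVES \
                and args and not args[0].startswith("/"):
            findings.append(f"{directive} {args[0]} is relative under daemon; "
                            "add 'cd /etc/openvpn' (assumed path) or use an absolute path")
    return findings

# Constructed samples echoing the server configs from post #4 and post #8.
POST4_SERVER = """dev tun
ifconfig 10.8.0.1 10.8.0.2
route add -net 192.168.5.0 netmask 255.255.255.0 gw 10.8.0.2
#daemon
"""
POST8_SERVER = """port 1194
server 10.8.0.0 255.255.255.0
ca keys/ca.crt
client-config-dir ccd
route 192.168.5.0 255.255.255.0
daemon
"""
```

Calling lint_config(POST4_SERVER) reports the shell-syntax route line, and lint_config(POST8_SERVER) reports "ca keys/ca.crt" and "client-config-dir ccd" as relative paths under daemon; adding a "cd" line or absolute paths clears both.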