
Site-to-Site OpenVPN in Vyatta

Friday, September 24th, 2010
By: Andrew

A site-to-site VPN is a better choice than user-to-server when you want to bridge two locations over a public network. In a client-to-server setup the server cannot see the clients. To bridge two locations so that each location can see users on the other network, we want a site-to-site setup.

Most OpenVPN implementations will be similar, but here is the specific process for Vyatta. It takes about 10 minutes.

1. Generate preshared key.
2. Configure tunnel.
3. Set routing.

1. Generate Preshared Key.
On one end we need to generate the key:
vpn openvpn-key generate "keyname"
I like to use source and destination names like BRANCH1-BRANCH2 so I know what each key is for; that way you can make a unique key for each connection. This process is super fast. The file is created in your home directory (~/) if you don't specify a path. I create a /rsa/keys/ folder and restrict it:
chmod 700 /rsa/keys -R
Then copy the key to the other side. You can use a flash drive, scp or any other secure way to transfer this file. Don't send it over the public internet or by email.

2. Configure Tunnel.
configure
set interfaces openvpn vtun5 mode site-to-site
set interfaces openvpn vtun5 shared-secret-file /rsa/keys/(filename)
set interfaces openvpn vtun5 local-address 172.16.5.1 (I use the same class C number as the vtun# to keep everything straight.)
set interfaces openvpn vtun5 remote-address 172.16.5.2
set interfaces openvpn vtun5 remote-port 11180 (I choose a non-standard port.)
set interfaces openvpn vtun5 local-port 11180
set interfaces openvpn vtun5 remote-host (public static IP of the remote device)

Easy. Now do the other side: swap the local and remote addresses, and set the public IP of the first host as remote-host.

3. Routing.
One line:
set protocols static route (remote network/mask) next-hop 172.16.5.2 (the other end of the tunnel from the box you are on)

commit
save
exit

Once you have entered the commands on both ends, the tunnel should come up by itself. The site-to-site model allows either end to initiate, so as long as they can see each other you should already be set. To verify that it works, try this:
First, make sure you can ping the other end's public IP. Obviously, the other end has to be set to accept pings.
Second, try show interfaces openvpn. You should see "up up".
Third, ping the remote tunnel IP.
Last, ping a machine in the remote subnet.
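As an added example (not from the original post), here is a small POSIX shell script that produces the configure-mode commands from steps 2 and 3 for both ends of the tunnel from one set of parameters, so the local/remote swap described above is done consistently, and then checks that the two ends mirror each other. All addresses, the LAN prefixes and the key path are constructed placeholders.

```shell
# Added example (not from the post): emit the Vyatta configure-mode commands
# for BOTH ends of a site-to-site tunnel from one parameter set, so the
# local/remote swap between the two boxes is done consistently. Values are
# constructed placeholders (documentation IP ranges), not a real deployment.
VTUN="vtun5"                     # tunnel interface, same name on both ends
TUN_A="172.16.5.1"; TUN_B="172.16.5.2"        # tunnel endpoint addresses
PUB_A="198.51.100.10"; PUB_B="203.0.113.20"   # public static IPs of box A / box B
LAN_A="192.168.1.0/24"; LAN_B="192.168.2.0/24" # LANs behind box A / box B
PORT="11180"                     # non-standard port, used as local and remote port
KEY="/rsa/keys/BRANCH1-BRANCH2"  # shared secret, copied out-of-band to both ends

# side_config <local tunnel ip> <remote tunnel ip> <remote public ip> <remote lan>
# The static route covers the far LAN and uses the far tunnel address as next-hop.
side_config() {
    local_tun="$1"; remote_tun="$2"; remote_pub="$3"; remote_lan="$4"
    cat <<EOF
configure
set interfaces openvpn $VTUN mode site-to-site
set interfaces openvpn $VTUN shared-secret-file $KEY
set interfaces openvpn $VTUN local-address $local_tun
set interfaces openvpn $VTUN remote-address $remote_tun
set interfaces openvpn $VTUN remote-port $PORT
set interfaces openvpn $VTUN local-port $PORT
set interfaces openvpn $VTUN remote-host $remote_pub
set protocols static route $remote_lan next-hop $remote_tun
commit
save
exit
EOF
}

# Box A points at box B, and vice versa.
config_a() { side_config "$TUN_A" "$TUN_B" "$PUB_B" "$LAN_B"; }
config_b() { side_config "$TUN_B" "$TUN_A" "$PUB_A" "$LAN_A"; }

# Check before pasting: the ends must mirror each other (A's local-address
# is B's remote-address and A's remote-host is B's public IP).
mirror_ok() {
    a=$(config_a); b=$(config_b)
    [ "$(printf '%s\n' "$a" | awk '/ local-address /{print $NF}')" = \
      "$(printf '%s\n' "$b" | awk '/ remote-address /{print $NF}')" ] &&
    [ "$(printf '%s\n' "$a" | awk '/ remote-host /{print $NF}')" = "$PUB_B" ]
}

echo "=== Box A ==="; config_a; echo "=== Box B ==="; config_b
mirror_ok && echo "both ends mirror each other"
```

Paste each block into configure mode on the matching box; the shared-secret file must already be in place on both ends.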
