LAN to LAN OpenVPN

3

For a while a wanted to have a LAN to LAN vpn between my own server and the server somewhere else. This would be usefull for backups and other stuff. I wanted to create a situation that clientA on network A could connect to clientB on network B, see the image below.

Network drawing

So i had some experience with setting up a OpenVPN server for clients but never LAN-to-LAN, it requires some special options to work which i will explain below. The connection will be made from ServerA to ServerB, so ServerA is the client and ServerB is the Server.

The OpenVPN config of ServerB looks like this:

client-to-client
port 1194
proto tcp
dev tun
ca ./easy-rsa/2.0/keys/ca.crt
cert ./easy-rsa/2.0/keys/server.crt
key ./easy-rsa/2.0/keys/server.key 
dh ./easy-rsa/2.0/keys/dh1024.pem
client-config-dir /etc/openvpn/ccd/
server 192.168.93.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.94.0 255.255.255.0"
route 172.30.20.0 255.255.255.0
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append  /var/log/openvpn.log
verb 3

Notice the client-config-dir setting. This containts a file with the same name as the client. This is necessary for routing client to client, this site explains this option. The file looks like this:

iroute 172.30.20.0 255.255.255.0

The config name on the client and ccd filename must be the same. On serverB in the ccd dir i have a file ServerBtoServerA and the config on ServerA is named ServerBtoServerA.conf/crt/key.

We also need to enable ip4 forwarding and nat forwarding. I have added the following lines to my firewall script which runs at server boot:

VPNRANGE="192.168.93.0/24"
LANRANGE1="192.168.94.0/24"
IPTABLES="/sbin/iptables"
WAN_IF1="eth0"
WAN_IF2="tun1"
 
echo "checking if we need to enable IP forwarding"
IPFWDCHK="`cat /proc/sys/net/ipv4/ip_forward`"
if ( [ "$IPFWDCHK" != "1" ] ); then
  echo "IP forwarding not enabled yet enabling forwarding now"
  echo 1 > /proc/sys/net/ipv4/ip_forward
fi
 
echo "Setting NAT forwarding"
$IPTABLES -t nat -A POSTROUTING -s $VPNRANGE -o $WAN_IF1 -j MASQUERADE

That is all the config needed for ServerB. Below you can find the OpenVPN config for ServerA (the client):

client
dev tun
nobind
proto tcp
remote 223.11.124.22 1194
persist-key
persist-tun
ca ./config/ServerBtoServerA/ca.crt
cert ./config/ServerBtoServerA/ServerBtoServerA.crt
key ./config/ServerBtoServerA/ServerBtoServerA.key
comp-lzo
verb 3

This server only needs IP forwarding, also done in the firewall script at server boot.

echo "checking if we need to enable IP forwarding"
IPFWDCHK="`cat /proc/sys/net/ipv4/ip_forward`"
if ( [ "$IPFWDCHK" != "1" ] ); then
  echo "IP forwarding not enabled yet enabling forwarding now"
  echo 1 > /proc/sys/net/ipv4/ip_forward
fi

This is all the configuration that needs to be done on the servers. The only thing left to do is add routes on the client. On networkB the clients need the following routes

route add 192.168.93.0 MASK 255.255.255.0 172.30.20.1
route add 192.168.94.0 MASK 255.255.255.0 172.30.20.1

And the routes for networkA:

route add 192.168.93.0 MASK 255.255.255.0 192.168.94.15
route add 172.30.20.0 MASK 255.255.255.0 192.168.94.15

ServerA
Ubuntu server Ubuntu 9.04
OpenVPN 2.1_rc11 i486-pc-linux-gnu

ServerB:
Ubuntu server 10.04.1 LTS
OpenVPN 2.1.0 x86_64-pc-linux-gnu

References:
http://www.imped.net/oss/misc/openvpn-2.0-howto-edit.html
https://help.ubuntu.com/community/OpenVPN

  1. Tom D
    Tom D08-20-2011

    This looks really neat, i bet performance is really good.

  2. computer mouses
    computer mouses01-31-2012

    Good site, youve gotta tell us your secrets 😉 haha

  3. penumbuh rambut kumis
    penumbuh rambut kumis06-06-2016

    After I initially commented I appear to have clicked the
    -Notify me when new comments are added- checkbox and from now on whenever a comment is added I
    recieve 4 emails with the same comment. There has to be a way you can remove
    me from that service? Thanks!

Leave a Reply