LAN to LAN OpenVPN
For a while a wanted to have a LAN to LAN vpn between my own server and the server somewhere else. This would be usefull for backups and other stuff. I wanted to create a situation that clientA on network A could connect to clientB on network B, see the image below.
So i had some experience with setting up a OpenVPN server for clients but never LAN-to-LAN, it requires some special options to work which i will explain below. The connection will be made from ServerA to ServerB, so ServerA is the client and ServerB is the Server.
The OpenVPN config of ServerB looks like this:
client-to-client port 1194 proto tcp dev tun ca ./easy-rsa/2.0/keys/ca.crt cert ./easy-rsa/2.0/keys/server.crt key ./easy-rsa/2.0/keys/server.key dh ./easy-rsa/2.0/keys/dh1024.pem client-config-dir /etc/openvpn/ccd/ server 192.168.93.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "route 192.168.94.0 255.255.255.0" route 172.30.20.0 255.255.255.0 keepalive 10 120 comp-lzo persist-key persist-tun status openvpn-status.log log-append /var/log/openvpn.log verb 3
Notice the client-config-dir setting. This containts a file with the same name as the client. This is necessary for routing client to client, this site explains this option. The file looks like this:
iroute 172.30.20.0 255.255.255.0
The config name on the client and ccd filename must be the same. On serverB in the ccd dir i have a file ServerBtoServerA and the config on ServerA is named ServerBtoServerA.conf/crt/key.
We also need to enable ip4 forwarding and nat forwarding. I have added the following lines to my firewall script which runs at server boot:
VPNRANGE="192.168.93.0/24" LANRANGE1="192.168.94.0/24" IPTABLES="/sbin/iptables" WAN_IF1="eth0" WAN_IF2="tun1" echo "checking if we need to enable IP forwarding" IPFWDCHK="`cat /proc/sys/net/ipv4/ip_forward`" if ( [ "$IPFWDCHK" != "1" ] ); then echo "IP forwarding not enabled yet enabling forwarding now" echo 1 > /proc/sys/net/ipv4/ip_forward fi echo "Setting NAT forwarding" $IPTABLES -t nat -A POSTROUTING -s $VPNRANGE -o $WAN_IF1 -j MASQUERADE
That is all the config needed for ServerB. Below you can find the OpenVPN config for ServerA (the client):
client dev tun nobind proto tcp remote 18.104.22.168 1194 persist-key persist-tun ca ./config/ServerBtoServerA/ca.crt cert ./config/ServerBtoServerA/ServerBtoServerA.crt key ./config/ServerBtoServerA/ServerBtoServerA.key comp-lzo verb 3
This server only needs IP forwarding, also done in the firewall script at server boot.
echo "checking if we need to enable IP forwarding" IPFWDCHK="`cat /proc/sys/net/ipv4/ip_forward`" if ( [ "$IPFWDCHK" != "1" ] ); then echo "IP forwarding not enabled yet enabling forwarding now" echo 1 > /proc/sys/net/ipv4/ip_forward fi
This is all the configuration that needs to be done on the servers. The only thing left to do is add routes on the client. On networkB the clients need the following routes
route add 192.168.93.0 MASK 255.255.255.0 172.30.20.1 route add 192.168.94.0 MASK 255.255.255.0 172.30.20.1
And the routes for networkA:
route add 192.168.93.0 MASK 255.255.255.0 192.168.94.15 route add 172.30.20.0 MASK 255.255.255.0 192.168.94.15
Ubuntu server Ubuntu 9.04
OpenVPN 2.1_rc11 i486-pc-linux-gnu
Ubuntu server 10.04.1 LTS
OpenVPN 2.1.0 x86_64-pc-linux-gnu