Site to Site OpenVPN IPSEC Tunnel
I've accomplished the following using 2 Raspberry Pis at different locations. Even though the following uses Raspbian, there is no reason why it should not work with any Linux flavour.
Installation
Debian
apt-get install openvpn
CentOS
yum install openvpn
chkconfig openvpn on
Enable Routing
Temporary
By default the file /proc/sys/net/ipv4/ip_forward contains the number 0. This means that the system will not allow routing. To temporarily enable routing, change the 0 to a 1. The reason I say temporary is because this file does not allow permanent routing. On a reboot the system will turn routing off.
echo 1 > /proc/sys/net/ipv4/ip_forward
NOTE: I could not get the above command to work unless I was logged in as root. Even using the command with sudo would not work.
Permanent
vi /etc/sysctl.conf
Remove the # from the line
#net.ipv4.ip_forward=1
Reboot to enable IP forwarding if you have not already applied the temporary setting.
Security Key
Create a security key so the 2 servers can establish a tunnel.
openvpn --genkey --secret /etc/openvpn/syd-per.key
The contents of this new file /etc/openvpn/syd-per.key need to be copied to the other server that the tunnel will be established with.
If you would rather use a certificate than a key, I would suggest referring to Sébastien Wains' site.
Tunnel Configuration
Site A
vi /etc/openvpn/sydney-perth.conf
remote connection.dyndns.org
float
port 8000
dev tun
ifconfig 172.30.30.1 172.30.30.2
persist-tun
persist-local-ip
persist-remote-ip
comp-lzo
ping 15
secret /etc/openvpn/syd-per.key
route 192.168.10.0 255.255.255.0
chroot /var/empty
user nobody
group nogroup
# If using RedHat replace with
# group nobody
log sydney-perth.log
verb 1
Site B
vi /etc/openvpn/sydney-perth.conf
remote 136.15.3.121
float
port 8000
dev tun
ifconfig 172.30.30.2 172.30.30.1
persist-tun
persist-local-ip
persist-remote-ip
comp-lzo
ping 15
secret /etc/openvpn/syd-per.key
route 192.168.5.0 255.255.255.0
chroot /var/empty
user nobody
group nogroup
# If using RedHat replace with
# group nobody
log sydney-perth.log
verb 1
Create Folder
mkdir /var/empty
Start Tunnel
Automatic
vi /etc/default/openvpn
AUTOSTART="all"
service openvpn start
Manually
While the openvpn service is stopped:
openvpn --config /etc/openvpn/sydney-perth.conf
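Before starting the tunnel it is worth checking the pieces this page has you set up: the shared key (anyone who can read it can join or decrypt the tunnel, so it should be mode 600), the chroot directory, IP forwarding, and that the route line names the peer LAN rather than the tunnel subnet. The script below is an added example, not part of the original page; it assumes GNU or BSD find and awk and a config written one directive per line, and the key and config it creates are constructed throwaway files.

```shell
#!/bin/sh
# Added sanity checks for the static-key tunnel set up above (not from the page).
# Assumes GNU/BSD find and awk and a config written one directive per line.
set -e

# 0 if the static key is readable by its owner only (mode 600 or 400):
# anyone who can read syd-per.key can join or decrypt the tunnel.
key_is_private() {
    [ -f "$1" ] && [ -n "$(find "$1" -prune \( -perm 600 -o -perm 400 \) -print)" ]
}

# 0 if the given ip_forward file (normally /proc/sys/net/ipv4/ip_forward) holds 1.
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Print the first argument of a directive (e.g. secret, chroot) from a config file.
conf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Validate one site's config: secret present and private, chroot dir exists, and
# the route line points at the peer LAN rather than at the tunnel subnet itself.
check_site_config() {
    conf=$1; ok=0
    key=$(conf_value "$conf" secret)
    key_is_private "$key" || { echo "FAIL: key '$key' missing or not mode 600"; ok=1; }
    jail=$(conf_value "$conf" chroot)
    [ -d "$jail" ] || { echo "FAIL: chroot dir '$jail' missing (mkdir it)"; ok=1; }
    tun=$(conf_value "$conf" ifconfig | cut -d. -f1-3)
    net=$(conf_value "$conf" route | cut -d. -f1-3)
    [ "$tun" != "$net" ] || { echo "FAIL: route $net.0 overlaps tunnel subnet"; ok=1; }
    [ "$ok" -eq 0 ] && echo "OK: $conf passes all checks"
    return "$ok"
}

# Constructed demo: a throwaway key and a Site A style config in a temp directory.
demo=$(mktemp -d)
mkdir "$demo/empty"
printf 'constructed-placeholder-key\n' > "$demo/syd-per.key"
chmod 600 "$demo/syd-per.key"
cat > "$demo/sydney-perth.conf" <<EOF
remote connection.dyndns.org
ifconfig 172.30.30.1 172.30.30.2
secret $demo/syd-per.key
route 192.168.10.0 255.255.255.0
chroot $demo/empty
EOF
check_site_config "$demo/sydney-perth.conf"
rm -rf "$demo"
```

Run it against the real /etc/openvpn/sydney-perth.conf on each site with check_site_config, and forwarding_enabled /proc/sys/net/ipv4/ip_forward, before starting the service.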
Network Map
Site | Subnet | Tunnel IP |
A | 192.168.5.0/24 | 172.30.30.1 |
B | 192.168.10.0/24 | 172.30.30.2 |