Installing and Configuring OpenVPN on Debian Jessie
What's up folks, here I will show you how to install and configure the OpenVPN server and its clients. The process is not hard, but there is a lot of information that can be misinterpreted, so pay close attention.
Prepare your system with the following shell script: http://wiki.douglasqsantos.com.br/doku.php/confinicialjessie_en. If you do not use this script, be aware that you may run into problems during the process.
Let's define some values that I will assume in this how to:
- External IP of HQ: 200.200.200.1
- External IP of Branch: 200.200.200.2
- HQ LAN Network: 192.168.10.0/24
- Branch LAN Network: 192.168.11.0/24
- OpenVPN Network: 10.254.0.0/24
- OpenVPN interface: tun0
- We will need to enable IP forwarding: echo 1 > /proc/sys/net/ipv4/ip_forward
- We will need to masquerade the networks behind the OpenVPN Network: iptables -t nat -A POSTROUTING -s 10.254.0.0/24 -j MASQUERADE
HQ
Now we need to update the repositories and upgrade the whole system before we start installing the new packages.
aptitude update && aptitude dist-upgrade -y
Let's install the OpenVPN service.
aptitude install openvpn -y
Now we need to copy the easy-rsa directory into the openvpn directory
cp -Rfa /usr/share/easy-rsa /etc/openvpn/easy-rsa
Now let's define some variables in the vars file, which set the key size, the expiry time and other settings.
vim /etc/openvpn/easy-rsa/vars
[...]
export KEY_SIZE=2048

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="BR"
export KEY_PROVINCE="PR"
export KEY_CITY="Curitiba"
export KEY_ORG="Douglas"
export KEY_EMAIL="douglas.q.santos@gmail.com"
export KEY_OU="HQ"
Now we need to load the variables to the environment.
cd /etc/openvpn/easy-rsa
. ./vars
The following command line is dangerous, because it removes all existing OpenVPN keys, so use it with care.
./clean-all
Now we need to generate the CA certificate, which will be used to sign the certificates that follow.
./build-ca
Generating a 2048 bit RSA private key
...................................+++
..............................................................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BR]: #ENTER
State or Province Name (full name) [PR]: #ENTER
Locality Name (eg, city) [Curitiba]: #ENTER
Organization Name (eg, company) [Douglas]: #ENTER
Organizational Unit Name (eg, section) [HQ]: #ENTER
Common Name (eg, your name or your server's hostname) [Douglas CA]: #ENTER
Name [EasyRSA]: #ENTER
Email Address [douglas.q.santos@gmail.com]: #ENTER
Now we need to generate the server's certificate.
./build-key-server server
Generating a 2048 bit RSA private key
..................+++
..........................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BR]: #ENTER
State or Province Name (full name) [PR]: #ENTER
Locality Name (eg, city) [Curitiba]: #ENTER
Organization Name (eg, company) [Douglas]: #ENTER
Organizational Unit Name (eg, section) [HQ]: #ENTER
Common Name (eg, your name or your server's hostname) [server]: #ENTER
Name [EasyRSA]: server
Email Address [douglas.q.santos@gmail.com]: #ENTER

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #ENTER
An optional company name []: Douglas
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'BR'
stateOrProvinceName   :PRINTABLE:'PR'
localityName          :PRINTABLE:'Curitiba'
organizationName      :PRINTABLE:'Douglas'
organizationalUnitName:PRINTABLE:'HQ'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'server'
emailAddress          :IA5STRING:'douglas.q.santos@gmail.com'
Certificate is to be certified until Aug 15 12:51:45 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Now we need to generate the Diffie-Hellman parameters, which are used for the encrypted key exchange and work together with shared.key.
./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
[...]
Now we need to create the shared key that will be used for tls-auth.
openvpn --genkey --secret keys/shared.key
Now we need to create the HQ configuration file /etc/openvpn/server.conf
vim /etc/openvpn/server.conf
# TCP/UDP port number or port name for both local and remote. The current default of 1194 represents the official IANA port number assignment for OpenVPN
port 1194
# Indicates the protocol to use when connecting with the remote, and may be "tcp" or "udp".
proto tcp
# Announce to TCP sessions running over the tunnel that they should limit their send packet sizes such that after OpenVPN has encapsulated them,
# the resulting UDP packet size that OpenVPN sends to its peer will not exceed max bytes. The default value is 1450.
mssfix 1450
# TUN/TAP virtual network device. You must use either tun devices on both ends of the connection or tap devices on both ends.
# You cannot mix them, as they represent different underlying network layers.
dev tun
# Enable TLS and assume server role during TLS handshake. Note that OpenVPN is designed as a peer-to-peer application.
# The designation of client or server is only for the purpose of negotiating the TLS control channel.
tls-server
# Add an additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks.
tls-auth keys/shared.key 0
# Certificate authority (CA) file in .pem format, also referred to as the root certificate.
# This file can have multiple certificates in .pem format, concatenated together.
ca certs/ca.crt
# Local peer's signed certificate in .pem format -- must be signed by a certificate authority whose certificate is in --ca file
# Each peer in an OpenVPN link running in TLS mode should have its own certificate and private key file.
# In addition, each certificate should have been signed by the key of a certificate authority whose public key resides in the --ca certificate authority file
cert certs/server.crt
# Local peer's private key in .pem format. Use the private key which was generated when you built your peer's certificate
key keys/server.key
# File containing Diffie Hellman parameters in .pem format (required for --tls-server only).
dh keys/dh2048.pem
# A helper directive designed to simplify the configuration of OpenVPN's server mode.
# This directive will set up an OpenVPN server which will allocate addresses to clients out of the given network/netmask.
server 10.254.0.0 255.255.255.0
# Persist/unpersist ifconfig-pool data to file, at seconds intervals (default=600), as well as on program startup and shutdown.
# The goal of this option is to provide a long-term association between clients (denoted by their common name)
# and the virtual IP address assigned to them from the ifconfig-pool.
ifconfig-pool-persist ipp.txt
# Specify a directory dir for custom client config files. After a connecting client has been authenticated,
# OpenVPN will look in this directory for a file having the same name as the client's X509 common name.
# If a matching file exists, it will be opened and parsed for client-specific configuration options.
client-config-dir ccd
# Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically
# torn down in reverse order prior to TUN/TAP device close.
# Here we are defining that the hq network can see the branch network
route 192.168.11.0 255.255.255.0
# Push a config file option back to the client for remote execution. Note that option must be enclosed in double quotes ("").
# The client must specify --pull in its config file. The set of options which can be pushed is limited by both feasibility and security.
# Here we are defining that the branch can see the hq network
# Delay n seconds (default=0) after connection establishment, before adding routes. If n is 0, routes will be added immediately upon connection establishment.
push "route-delay 2 600"
# Add route to routing table after connection is established. Multiple routes can be specified.
# Routes will be automatically torn down in reverse order prior to TUN/TAP device close.
push "route 192.168.10.0 255.255.255.0"
# Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN.
# def1 -- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0.
# This has the benefit of overriding but not wiping out the original default gateway.
#push "redirect-gateway def1"
# This option can be used to set additional TCP/IP properties on the TAP-Win32 adapter, and is particularly useful
# for configuring an OpenVPN client to access a Samba server across the VPN.
# DNS addr -- Set primary domain name server address. Repeat this option to set secondary DNS server addresses.
# WINS addr -- Set primary WINS server address (NetBIOS over TCP/IP Name Server). Repeat this option to set secondary WINS server addresses.
#push "dhcp-option DNS 192.168.10.248"
#push "dhcp-option DNS 192.168.10.249"
#push "dhcp-option WINS 192.168.10.248"
# Because the OpenVPN server mode handles multiple clients through a single tun or tap interface, it is effectively a router.
# The --client-to-client flag tells OpenVPN to internally route client-to-client traffic rather than pushing all
# client-originating traffic to the TUN/TAP interface. When this option is used, each client will "see" the other clients which are
# currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic
# using custom, per-client rules.
client-to-client
# Run the --ping-exit / --ping-restart timer only if we have a remote address. Use this option if you are starting
# the daemon in listen mode (i.e. without an explicit --remote peer), and you don't want to start clocking timeouts
# until a remote peer connects.
ping-timer-rem
# A helper directive designed to simplify the expression of --ping and --ping-restart in server mode configurations.
# The server timeout is set twice the value of the second argument. This ensures that a timeout is detected on
# client side before the server side drops the connection.
keepalive 10 120
# Encrypt data channel packets with cipher algorithm alg. The default is BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode.
# Blowfish has the advantages of being fast, very secure, and allowing key sizes of up to 448 bits.
# Blowfish is designed to be used in situations where keys are changed infrequently.
cipher BF-CBC
# Use fast LZO compression -- may add up to 1 byte per packet for incompressible data. mode may be "yes", "no", or "adaptive" (default).
comp-lzo adaptive
# Limit server to a maximum of n concurrent clients.
max-clients 10
# Optional user to be owner of this tunnel.
user nobody
# Optional group to be owner of this tunnel.
group nogroup
# Don't re-read key files across SIGUSR1 or --ping-restart. This option can be combined with --user nobody
# to allow restarts triggered by the SIGUSR1 signal. Normally if you drop root privileges in OpenVPN, the daemon cannot
# be restarted since it will now be unable to re-read protected key files.
persist-key
# Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts.
# SIGUSR1 is a restart signal similar to SIGHUP, but which offers finer-grained control over reset options.
persist-tun
# Write operational status to file every n seconds.
# Status can also be written to the syslog by sending a SIGUSR2 signal.
status /var/log/openvpn/status.log
# Output logging messages to file, including output to stdout/stderr which is generated by called scripts. If file already exists it will be
# truncated. This option takes effect immediately when it is parsed in the command line and will supersede syslog output if --daemon or --inetd
# is also specified. This option is persistent over the entire course of an OpenVPN instantiation and will not be reset by SIGHUP, SIGUSR1, or --ping-restart.
log /var/log/openvpn/openvpn.log
# Append logging messages to file. If file does not exist, it will be created. This option behaves exactly like --log except
# that it appends to rather than truncating the log file
log-append /var/log/openvpn/openvpn.log
# Set output verbosity to n (default=1). Each level shows all info from the previous levels. Level 3 is recommended if you want a good
# summary of what's happening without being swamped by output.
# 0 -- No output except fatal errors.
# 1 to 4 -- Normal usage range.
# 5 -- Output R and W characters to the console for each packet read and write, uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
# 6 to 11 -- Debug info range (see errlevel.h for additional information on debug levels).
verb 4
# Log at most n consecutive messages in the same category. This is useful to limit repetitive logging of similar message types.
mute 20
Now we need to generate the certificate that will be used by the branch.
cd /etc/openvpn/easy-rsa
./build-key branch1
Generating a 2048 bit RSA private key
.............................................................................+++
.....................+++
writing new private key to 'branch1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BR]: #ENTER
State or Province Name (full name) [PR]: #ENTER
Locality Name (eg, city) [Curitiba]: #ENTER
Organization Name (eg, company) [Douglas]: #ENTER
Organizational Unit Name (eg, section) [HQ]: Branches
Common Name (eg, your name or your server's hostname) [branch1]: #ENTER
Name [EasyRSA]: branch1
Email Address [douglas.q.santos@gmail.com]: #ENTER

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #ENTER
An optional company name []: branch1
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'BR'
stateOrProvinceName   :PRINTABLE:'PR'
localityName          :PRINTABLE:'Curitiba'
organizationName      :PRINTABLE:'Douglas'
organizationalUnitName:PRINTABLE:'Branches'
commonName            :PRINTABLE:'branch1'
name                  :PRINTABLE:'branch1'
emailAddress          :IA5STRING:'douglas.q.santos@gmail.com'
Certificate is to be certified until Aug 15 13:54:04 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Let's create the necessary directories and copy the certificates and keys into them.
mkdir /etc/openvpn/{certs,ccd,keys}
cp /etc/openvpn/easy-rsa/keys/*.crt /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa/keys/*.key /etc/openvpn/easy-rsa/keys/dh2048.pem /etc/openvpn/keys/
Now we need to create the route file.
The file /etc/openvpn/ccd/branch1 defines the individual routes for that client. Without it the server does not know that the machines on the LANs of both sides (HQ and Branch) want to communicate, and the communication is restricted to server-to-client, with no traffic between the HQ network and the Branch network. Note: the file name must match the client's certificate common name (branch1 above, where the Name [EasyRSA] field was set to the same value).
echo "iroute 192.168.11.0 255.255.255.0" > /etc/openvpn/ccd/branch1
Now we need to set the permissions of the files and directories in the OpenVPN root directory.
cd /etc/openvpn
chown -R nobody:nogroup keys certs ccd
chmod 0400 keys/* certs/* ccd/*
Now we need to create OpenVPN's log directory, which will store information about the connections, the status and other things.
mkdir /var/log/openvpn
Now we need to enable the OpenVPN service at boot.
systemctl -f enable openvpn@server.service
Now we need to start the OpenVPN service
systemctl start openvpn@server.service
Now we can take a look at the log file and make sure that OpenVPN started successfully.
tail -f /var/log/openvpn/openvpn.log
Tue Aug 18 11:05:38 2015 us=957004 GID set to nogroup
Tue Aug 18 11:05:38 2015 us=957203 UID set to nobody
Tue Aug 18 11:05:38 2015 us=957253 Listening for incoming TCP connection on [undef]
Tue Aug 18 11:05:38 2015 us=957287 TCPv4_SERVER link local (bound): [undef]
Tue Aug 18 11:05:38 2015 us=957305 TCPv4_SERVER link remote: [undef]
Tue Aug 18 11:05:38 2015 us=957328 MULTI: multi_init called, r=256 v=256
Tue Aug 18 11:05:38 2015 us=957598 IFCONFIG POOL: base=10.254.0.4 size=62, ipv6=0
Tue Aug 18 11:05:38 2015 us=957655 IFCONFIG POOL LIST
Tue Aug 18 11:05:38 2015 us=957683 MULTI: TCP INIT maxclients=10 maxevents=14
Tue Aug 18 11:05:38 2015 us=957728 Initialization Sequence Completed
Now we need to prepare the files that will be sent to the Branch.
Let's create a directory structure to hold the certificates and keys that the Branch side will need.
cd /etc/openvpn
mkdir -p branch1/{certs,keys}
cp certs/{ca.crt,branch1.crt} branch1/certs/
cp keys/{branch1.key,shared.key} branch1/keys/
Now we need to create the main configuration file /etc/openvpn/branch1/branch1.conf
vim /etc/openvpn/branch1/branch1.conf
# A helper directive designed to simplify the configuration of OpenVPN's client mode.
client
# Remote host name or IP address. On the client, multiple --remote options may be specified for redundancy, each referring to a different
# OpenVPN server. Specifying multiple --remote options for this purpose is a special case of the more general connection-profile feature.
remote 200.200.200.1
# TCP/UDP port number or port name for both local and remote. The current default of 1194 represents the official IANA port number assignment for OpenVPN
port 1194
# Indicates the protocol to use when connecting with the remote, and may be "tcp" or "udp".
proto tcp
# Announce to TCP sessions running over the tunnel that they should limit their send packet sizes such that after OpenVPN has encapsulated them,
# the resulting UDP packet size that OpenVPN sends to its peer will not exceed max bytes. The default value is 1450.
mssfix 1450
# TUN/TAP virtual network device. You must use either tun devices on both ends of the connection or tap devices on both ends.
# You cannot mix them, as they represent different underlying network layers.
dev tun
# Require that peer certificate was signed with an explicit nsCertType designation of "client" or "server".
# This is a useful security option for clients, to ensure that the host they connect with is a designated server.
ns-cert-type server
# Enable TLS and assume client role during TLS handshake.
tls-client
# Add an additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks.
tls-auth keys/shared.key 1
# Certificate authority (CA) file in .pem format, also referred to as the root certificate.
# This file can have multiple certificates in .pem format, concatenated together.
ca certs/ca.crt
# Local peer's signed certificate in .pem format -- must be signed by a certificate authority whose certificate is in --ca file
# Each peer in an OpenVPN link running in TLS mode should have its own certificate and private key file.
# In addition, each certificate should have been signed by the key of a certificate authority whose public key resides in the --ca certificate authority file
cert certs/branch1.crt
# Local peer's private key in .pem format. Use the private key which was generated when you built your peer's certificate
key keys/branch1.key
# Run the --ping-exit / --ping-restart timer only if we have a remote address. Use this option if you are starting
# the daemon in listen mode (i.e. without an explicit --remote peer), and you don't want to start clocking timeouts
# until a remote peer connects.
ping-timer-rem
# A helper directive designed to simplify the expression of --ping and --ping-restart in server mode configurations.
# The server timeout is set twice the value of the second argument. This ensures that a timeout is detected on
# client side before the server side drops the connection.
keepalive 10 120
# Encrypt data channel packets with cipher algorithm alg. The default is BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode.
# Blowfish has the advantages of being fast, very secure, and allowing key sizes of up to 448 bits.
# Blowfish is designed to be used in situations where keys are changed infrequently.
cipher BF-CBC
# Use fast LZO compression -- may add up to 1 byte per packet for incompressible data. mode may be "yes", "no", or "adaptive" (default).
comp-lzo adaptive
# If hostname resolve fails for --remote, retry resolve for n seconds before failing.
# Set n to "infinite" to retry indefinitely.
resolv-retry infinite
# Do not bind to local address and port. The IP stack will allocate a dynamic port for returning packets. Since the value of the dynamic
# port could not be known in advance by a peer, this option is only suitable for peers which will be initiating connections by using the --remote option.
nobind
# Optional user to be owner of this tunnel.
user nobody
# Optional group to be owner of this tunnel.
group nogroup
# Don't re-read key files across SIGUSR1 or --ping-restart. This option can be combined with --user nobody
# to allow restarts triggered by the SIGUSR1 signal. Normally if you drop root privileges in OpenVPN, the daemon cannot
# be restarted since it will now be unable to re-read protected key files.
persist-key
# Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts.
# SIGUSR1 is a restart signal similar to SIGHUP, but which offers finer-grained control over reset options.
persist-tun
# Write operational status to file every n seconds.
# Status can also be written to the syslog by sending a SIGUSR2 signal.
status /var/log/openvpn/openvpn-status.log
# Output logging messages to file, including output to stdout/stderr which is generated by called scripts. If file already exists it will be
# truncated. This option takes effect immediately when it is parsed in the command line and will supersede syslog output if --daemon or --inetd
# is also specified. This option is persistent over the entire course of an OpenVPN instantiation and will not be reset by SIGHUP, SIGUSR1, or --ping-restart.
log /var/log/openvpn/openvpn.log
# Append logging messages to file. If file does not exist, it will be created. This option behaves exactly like --log except
# that it appends to rather than truncating the log file
log-append /var/log/openvpn/openvpn.log
# Set output verbosity to n (default=1). Each level shows all info from the previous levels. Level 3 is recommended if you want a good
# summary of what's happening without being swamped by output.
# 0 -- No output except fatal errors.
# 1 to 4 -- Normal usage range.
# 5 -- Output R and W characters to the console for each packet read and write, uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
# 6 to 11 -- Debug info range (see errlevel.h for additional information on debug levels).
verb 4
# Log at most n consecutive messages in the same category. This is useful to limit repetitive logging of similar message types.
mute 20
Now we need to create a tarball with all the files we grouped together.
tar -czvf branch1.tar.gz branch1/
branch1/
branch1/branch1.conf
branch1/keys/
branch1/keys/branch1.key
branch1/keys/shared.key
branch1/certs/
branch1/certs/ca.crt
branch1/certs/branch1.crt
Now we need to send the tarball to the Branch
scp branch1.tar.gz 200.200.200.2:/tmp
Branch
Now we need to update the repositories and upgrade the whole system
aptitude update && aptitude dist-upgrade -y
Now we need to install the OpenVPN service.
aptitude install openvpn -y
Now we need to decompress the tarball and move it to the correct directory.
cd /tmp
tar -xzvf branch1.tar.gz
mv branch1/* /etc/openvpn/
rm -rf /tmp/branch1*
Now we need to create OpenVPN's log directory.
mkdir /var/log/openvpn
Now we need to enable the OpenVPN service at boot.
systemctl -f enable openvpn@branch1.service
Now we need to start the OpenVPN service.
systemctl start openvpn@branch1.service
Now we can take a look at OpenVPN's log file.
tail -f /var/log/openvpn/openvpn.log
Tue Aug 18 12:42:19 2015 OPTIONS IMPORT: route-related options modified
Tue Aug 18 12:42:19 2015 ROUTE default_gateway=10.0.0.254
Tue Aug 18 12:42:19 2015 TUN/TAP device tun0 opened
Tue Aug 18 12:42:19 2015 TUN/TAP TX queue length set to 100
Tue Aug 18 12:42:19 2015 /sbin/ifconfig tun0 10.254.0.6 pointopoint 10.254.0.5 mtu 1500
Tue Aug 18 12:42:22 2015 /sbin/route add -net 192.168.10.0 netmask 255.255.255.0 gw 10.254.0.5
Tue Aug 18 12:42:22 2015 /sbin/route add -net 10.254.0.0 netmask 255.255.255.0 gw 10.254.0.5
Tue Aug 18 12:42:22 2015 GID set to nogroup
Tue Aug 18 12:42:22 2015 UID set to nobody
Tue Aug 18 12:42:22 2015 Initialization Sequence Completed
Let's run some tests
Now from Branch1 we need to ping the internal IP of the HQ.
ping 192.168.10.1 -c 3
PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.
64 bytes from 192.168.10.1: icmp_req=1 ttl=64 time=1.42 ms
64 bytes from 192.168.10.1: icmp_req=2 ttl=64 time=1.01 ms
64 bytes from 192.168.10.1: icmp_req=3 ttl=64 time=1.05 ms

--- 192.168.10.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 1.015/1.166/1.428/0.187 ms
Let's check the routing table of Branch1.
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.254.0.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.254.0.0      10.254.0.5      255.255.255.0   UG    0      0        0 tun0
192.168.11.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.10.0    10.254.0.5      255.255.255.0   UG    0      0        0 tun0
10.0.0.0        0.0.0.0         255.255.254.0   U     0      0        0 eth0
0.0.0.0         10.0.0.254      0.0.0.0         UG    0      0        0 eth0
Now from the HQ we need to ping the internal IP of Branch1.
ping 192.168.11.1 -c 3
PING 192.168.11.1 (192.168.11.1) 56(84) bytes of data.
64 bytes from 192.168.11.1: icmp_req=1 ttl=64 time=0.454 ms
64 bytes from 192.168.11.1: icmp_req=2 ttl=64 time=0.853 ms
64 bytes from 192.168.11.1: icmp_req=3 ttl=64 time=0.804 ms

--- 192.168.11.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.454/0.703/0.853/0.180 ms
Let's check the routing table of the HQ.
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.254.0.2      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.254.0.0      10.254.0.2      255.255.255.0   UG    0      0        0 tun0
192.168.11.0    10.254.0.2      255.255.255.0   UG    0      0        0 tun0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.0.0.0        0.0.0.0         255.255.254.0   U     0      0        0 eth0
0.0.0.0         10.0.0.254      0.0.0.0         UG    0      0        0 eth0
Don't forget to enable forwarding on the servers; if you forget it you will only reach the HQ and Branch1 machines themselves, because we have a peer-to-peer connection.
Let's enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
Another very important step is to create a masquerade rule for the OpenVPN network
iptables -t nat -A POSTROUTING -s 10.254.0.0/24 -j MASQUERADE
Everything is working properly so far. Sometimes the OpenVPN server is behind a firewall or an IPS; in that case we need to allow the connection, and sometimes we also need to create a port redirect from the firewall to the OpenVPN server. The default port for OpenVPN is 1194 and it can use either TCP or UDP. Note also that OpenVPN sends and receives the tunnel traffic through tun0 or tap0.
If you need to configure another branch, follow the same process used to create branch1, not forgetting to change the branch name as shown below.
We need to add the new route entries to server.conf so that the server knows the networks behind the new clients.
Note: the "-> filial1" and "-> filial2" annotations only show which client each route belongs to; do not put them in your configuration file.
route 192.168.11.0 255.255.255.0 -> filial1
route 192.168.12.0 255.255.255.0 -> filial2
After that we need to create the ccd file for the new client, since the server checks this directory to know which route belongs to which client.
echo "iroute 192.168.12.0 255.255.255.0" > /etc/openvpn/ccd/filial2
If you need to push more routes to the branches, add lines such as the following.
push "route 192.168.10.0 255.255.255.0"
push "route 192.168.9.0 255.255.255.0"
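The two mistakes described above (a route in server.conf with no ccd file owning it via iroute, and a ccd file whose name does not match the certificate's common name) are easy to catch before restarting the server. The checker below is an added example, not part of the original how-to; it assumes the /etc/openvpn layout used on this page (server.conf, ccd/, easy-rsa/keys/index.txt) and runs against a constructed sample layout that contains both mistakes on purpose.

```python
#!/usr/bin/env python3
"""Consistency check for the route / iroute / ccd layout used in this how-to.

Added example, not part of the original post. Assumed layout (as built above):
<root>/server.conf, <root>/ccd/<common name> and, optionally,
<root>/easy-rsa/keys/index.txt as written by easy-rsa 2.
"""
import ipaddress
import os
import re
import tempfile


def directive_networks(text, directive):
    """Networks declared by plain `route`/`iroute` lines in an OpenVPN config.

    Comment lines, `push "route ..."` lines (they start with push) and options
    such as route-delay (no whitespace right after 'route') are ignored.
    """
    pattern = re.compile(r"^" + re.escape(directive) + r"\s+(\S+)\s+(\S+)(?:\s+\S+)*$")
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(";"):
            continue
        m = pattern.match(line)
        if m:
            nets.append(ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets


def issued_common_names(index_txt):
    """Common names of valid (status V) certificates in easy-rsa's index.txt."""
    cns = set()
    for line in index_txt.splitlines():
        fields = line.split("\t")
        if len(fields) >= 6 and fields[0] == "V":
            m = re.search(r"/CN=([^/]+)", fields[5])
            if m:
                cns.add(m.group(1))
    return cns


def check_layout(root):
    """Return a list of findings; an empty list means the layout is consistent."""
    findings = []
    with open(os.path.join(root, "server.conf")) as fh:
        routes = set(directive_networks(fh.read(), "route"))

    owners = {}  # network -> common name whose ccd file claims it via iroute
    ccd_dir = os.path.join(root, "ccd")
    for cn in (sorted(os.listdir(ccd_dir)) if os.path.isdir(ccd_dir) else []):
        with open(os.path.join(ccd_dir, cn)) as fh:
            for net in directive_networks(fh.read(), "iroute"):
                if net in owners:
                    findings.append(f"{net}: iroute claimed by both ccd/{owners[net]} and ccd/{cn}")
                owners[net] = cn

    # route without iroute: the kernel hands the packets to tun, but OpenVPN has
    # no client to deliver them to.  iroute without route: HQ never sends them.
    for net in sorted(routes, key=str):
        if net not in owners:
            findings.append(f"{net}: routed into tun by server.conf but no ccd file owns it via iroute")
    for net, cn in sorted(owners.items(), key=lambda kv: str(kv[0])):
        if net not in routes:
            findings.append(f"{net}: ccd/{cn} declares iroute but server.conf has no matching route")

    # ccd files are looked up by the client's X.509 common name, so a file whose
    # name matches no issued certificate is never read.
    index_path = os.path.join(root, "easy-rsa", "keys", "index.txt")
    if os.path.exists(index_path):
        with open(index_path) as fh:
            cns = issued_common_names(fh.read())
        for cn in sorted(set(owners.values())):
            if cn not in cns:
                findings.append(f"ccd/{cn}: no valid certificate with CN={cn} in index.txt; it will never be used")
    return findings


# Constructed sample mirroring the HQ layout above, with two deliberate
# mistakes: a route for 192.168.13.0/24 that no ccd file owns, and a ccd file
# named filial2 although the certificate was issued with CN=branch2.
SAMPLE_SERVER_CONF = """\
port 1194
proto tcp
dev tun
server 10.254.0.0 255.255.255.0
client-config-dir ccd
route 192.168.11.0 255.255.255.0
route 192.168.12.0 255.255.255.0
route 192.168.13.0 255.255.255.0   # nobody owns this one
push "route-delay 2 600"
push "route 192.168.10.0 255.255.255.0"
client-to-client
"""
SAMPLE_CCD = {"branch1": "iroute 192.168.11.0 255.255.255.0\n",
              "filial2": "iroute 192.168.12.0 255.255.255.0\n"}
DN = "/C=BR/ST=PR/L=Curitiba/O=Douglas/OU=Branches/CN={cn}/name={cn}/emailAddress=douglas.q.santos@gmail.com"
SAMPLE_INDEX = "".join(f"V\t250815135404Z\t\t{serial:02X}\tunknown\t{DN.format(cn=cn)}\n"
                       for serial, cn in enumerate(["server", "branch1", "branch2"], start=1))


def write_sample_layout(root):
    os.makedirs(os.path.join(root, "ccd"))
    os.makedirs(os.path.join(root, "easy-rsa", "keys"))
    with open(os.path.join(root, "server.conf"), "w") as fh:
        fh.write(SAMPLE_SERVER_CONF)
    for cn, body in SAMPLE_CCD.items():
        with open(os.path.join(root, "ccd", cn), "w") as fh:
            fh.write(body)
    with open(os.path.join(root, "easy-rsa", "keys", "index.txt"), "w") as fh:
        fh.write(SAMPLE_INDEX)


def demo():
    """Run the check against the constructed sample and return its findings."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_layout(root)
        return check_layout(root)


if __name__ == "__main__":
    for finding in demo() or ["layout is consistent"]:
        print(finding)
```

To check a real server, call check_layout("/etc/openvpn") instead of demo(); it only reads the files and prints findings.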
Now, if one branch needs to reach another branch, we need to add the route in the branch's configuration file.
Let's assume the following configuration to the branches that need to exchange information.
- Branch 3 → 192.168.3.0/24
- Branch 4 → 192.168.4.0/24
Branch 3 needs to send information to Branch 4, but we need to set up how its packets reach the other side.
In the branch3.conf file we need to add the route as follows.
vim /etc/openvpn/branch3.conf
[...]
route 192.168.4.0 255.255.255.0
Now we need to do the same for Branch 4, changing the network as follows.
vim /etc/openvpn/branch4.conf
[...]
route 192.168.3.0 255.255.255.0
After that the branches will have routes to each other, because we are using the client-to-client parameter in server.conf.
Same story as before: if you need to reach other machines/servers in any branch, we need to enable forwarding in both branches, which we can do with the following command lines.
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
The last configuration needed for the branches to exchange information without problems is the masquerade rule in the firewall, as follows.
iptables -t nat -A POSTROUTING -s 10.254.0.0/24 -j MASQUERADE