I'm trying to set up a site-to-site VPN connection between 2 of our offices. The VPN servers I'm using are 2 "EdgeRouter Lite" units, and the tunnelling software I'm using is OpenVPN.
This is how the setup is at the moment:
-
R1:
LAN subnet: 192.168.2.0/24
LAN port: 192.168.2.1
WAN port: X.X.X.X
-
R2:
LAN subnet: 10.10.0.0/24
LAN port: 10.10.0.34
WAN port: Y.Y.Y.Y
-
R1 OpenVPN config:
openvpn vtun0 {
local-address 192.168.2.1 {
}
local-port 1194
mode site-to-site
openvpn-option --comp-lzo
openvpn-option --float
openvpn-option "--ping 10"
openvpn-option "--ping-restart 20"
openvpn-option --ping-timer-rem
openvpn-option --persist-tun
openvpn-option --persist-key
openvpn-option "--user nobody"
openvpn-option "--group nogroup"
remote-address 10.10.0.39
remote-host X.X.X.X
remote-port 1194
shared-secret-key-file /config/auth/secret
}
-
R2 OpenVPN config:
openvpn vtun0 {
local-address 10.10.0.39 {
}
local-port 1194
mode site-to-site
openvpn-option --comp-lzo
openvpn-option --float
openvpn-option "--ping 10"
openvpn-option "--ping-restart 20"
openvpn-option --ping-timer-rem
openvpn-option --persist-tun
openvpn-option --persist-key
openvpn-option "--user nobody"
openvpn-option "--group nogroup"
remote-address 192.168.2.1
remote-host Y.Y.Y.Y
remote-port 1194
shared-secret-key-file /config/auth/secret
}
-
show openvpn status site-to-site on R1
OpenVPN client status on vtun0 []
Remote CN Remote IP Tunnel IP TX byte RX byte Connected Since
--------------- --------------- --------------- ------- ------- ------------------------
None (PSK) Y.Y.Y.Y 10.10.0.39 51.6K 51.0K N/A
-
show openvpn status site-to-site on R2
OpenVPN client status on vtun0 []
Remote CN Remote IP Tunnel IP TX byte RX byte Connected Since
--------------- --------------- --------------- ------- ------- ------------------------
None (PSK) X.X.X.X 192.168.2.1 85.3K 84.5K N/A
-
Routing table R1:
IP Next hop INT TYPE
0.0.0.0/0 X.X.X.X GW eth1 static
127.0.0.0/8 lo connected
192.168.2.0/24 eth0 connected
X.X.X.X/X eth1 connected
10.10.0.0/24 vtun0 static
10.10.0.39/32 vtun0 connected
-
Routing table R2:
IP Next hop INT TYPE
0.0.0.0/0 Y.Y.Y.Y GW eth0 static
127.0.0.0/8 lo connected
10.10.0.0/24 eth1 connected
Y.Y.Y.Y/Y eth0 connected
192.168.2.0/24 vtun0 static
192.168.2.1/32 vtun0 connected
From a host on the 192.168.2.0 LAN (on R1) I can ping 10.10.0.34 (LAN port IP on R2) but I can't ping 10.10.0.4 (a host on the R2 LAN).
Is there anything wrong in my configuration?
This usually has to do with routing. If you can get from one OpenVPN endpoint to the other, you should be pretty close to a working setup - but:
Make sure IP forwarding is enabled if there is a LAN that needs to be accessible beyond a particular endpoint.
Clients on the remote side of a connection do not know how to get back to the other side of the connection. This is true both ways through the tunnel.
You can fix this by using the iroute and push statements in the openvpn.conf of your choice. If you are joining two networks x.x.x.x and y.y.y.y, then on the server side (say x.x.x.x), you can do this: push "route net mask" or push "route x.x.x.x 255.255.255.0" for instance. This hands the remote clients on y.y.y.y the correct route back to x.x.x.x through the tunnel.

If the server side (x.x.x.x) needs to be able to see stations beyond the OpenVPN gateway at y.y.y.y, you also need to use the iroute statement. Put iroute y.y.y.y 255.255.255.0 on the server side to make this happen. This basically lets OpenVPN know which client is responsible for a particular subnet. iroute statements need to go into the ccd (Client Config Directory I think). This would usually be in files named /etc/openvpn/ccd/<client name>.

This should get you going, I would think. Also, have a look at the excellent OpenVPN documentation - like this bit on LANs. Hope it works out for you!
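Added example, not part of the question or the answer above: a small Python model of the two routing tables posted in the question, used to show why a ping can reach R2's LAN address (10.10.0.34) yet get no reply from a host behind it. It reproduces the two conditions the answer names (IP forwarding switched off on the far router, and a LAN host with no return route to the other site). The router routes follow the question's tables; the source host 192.168.2.10 and the alternative gateway 10.10.0.1 are constructed for the example, and the page does not say which gateway 10.10.0.4 actually uses, so that is an assumption.

```python
"""Hop-by-hop forwarding model of the question's topology (added example).

Router routes follow the posted tables; host addresses/gateways are assumed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    addrs: set      # addresses this node answers for
    routes: list    # (network, next_hop or None for a connected route, iface)
    forwards: bool  # plays the role of /proc/sys/net/ipv4/ip_forward on a router

    def lookup(self, dst):
        """Longest-prefix match over this node's routing table."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net_, nh, iface in self.routes:
            if dst in net_ and (best is None or net_.prefixlen > best[0].prefixlen):
                best = (net_, nh, iface)
        return best


def net(s):
    return ipaddress.ip_network(s)


def deliver(nodes, src, dst, max_hops=8):
    """Forward one packet from src to dst; returns (delivered, path)."""
    owner = {a: n for n in nodes for a in n.addrs}
    cur, path = owner[src], []
    while len(path) < max_hops:
        path.append(cur.name)
        if dst in cur.addrs:
            return True, path
        if len(path) > 1 and not cur.forwards:   # transit node must forward
            return False, path + ["dropped: forwarding disabled"]
        r = cur.lookup(dst)
        if r is None:
            return False, path + ["dropped: no route"]
        _, nh, _ = r
        nxt = nh if nh is not None else dst      # connected route: hand to dst itself
        if nxt not in owner:
            return False, path + [f"dropped: {nxt} unreachable"]
        cur = owner[nxt]
    return False, path + ["dropped: hop limit"]


def ping(nodes, src, dst):
    """An echo only succeeds if both the request and the reply have a path."""
    ok_req, req = deliver(nodes, src, dst)
    if not ok_req:
        return False, req, []
    ok_rep, rep = deliver(nodes, dst, src)
    return ok_rep, req, rep


def build(h2_gateway="10.10.0.34", r2_forwards=True):
    """R1/R2 per the question's tables; H1/H2 and their gateways are assumed."""
    h1 = Node("H1 192.168.2.10", {"192.168.2.10"},
              [(net("192.168.2.0/24"), None, "eth0"),
               (net("0.0.0.0/0"), "192.168.2.1", "eth0")], forwards=False)
    r1 = Node("R1", {"192.168.2.1"},
              [(net("192.168.2.0/24"), None, "eth0"),
               (net("10.10.0.0/24"), "10.10.0.39", "vtun0"),  # static, via tunnel peer
               (net("10.10.0.39/32"), None, "vtun0")], forwards=True)
    r2 = Node("R2", {"10.10.0.34", "10.10.0.39"},
              [(net("10.10.0.0/24"), None, "eth1"),
               (net("192.168.2.0/24"), "192.168.2.1", "vtun0"),
               (net("192.168.2.1/32"), None, "vtun0")], forwards=r2_forwards)
    h2 = Node("H2 10.10.0.4", {"10.10.0.4"},
              [(net("10.10.0.0/24"), None, "eth0"),
               (net("0.0.0.0/0"), h2_gateway, "eth0")], forwards=False)
    return [h1, r1, r2, h2]


def scenarios():
    """Four cases; the first and last two reproduce the symptom in the question."""
    src = "192.168.2.10"
    return {
        "r2_lan_ip":          ping(build(), src, "10.10.0.34")[0],
        "r2_lan_ip_no_fwd":   ping(build(r2_forwards=False), src, "10.10.0.34")[0],
        "host_wrong_gateway": ping(build(h2_gateway="10.10.0.1"), src, "10.10.0.4")[0],
        "host_no_forwarding": ping(build(r2_forwards=False), src, "10.10.0.4")[0],
        "host_fixed":         ping(build(), src, "10.10.0.4")[0],
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:20s} {'reply received' if ok else 'no reply'}")
    _, req, rep = ping(build(h2_gateway="10.10.0.1"), "192.168.2.10", "10.10.0.4")
    print("request:", " -> ".join(req))
    print("reply:  ", " -> ".join(rep))
```

The model treats the tunnel as a point-to-point link whose next hop is the peer's tunnel address, which is what the vtun0 static routes in the question amount to. Both failure cases leave pings to 10.10.0.34 working, because R2 answers those itself before any forwarding or return route on the LAN host is involved; only traffic that has to transit R2 and come back from the host exposes the problem, which is why the two checks in the answer (ip_forward on the router, a route back through the tunnel on the far LAN) are the right places to look.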