# [SOLVED] How do I make a site to site VPN with OpenVPN?

## Uwe

Hello there,

I am currently experimenting with OpenVPN. I want to create a static tunnel (site-to-site) with another network; we both have DynDNS addresses. I got kind of a connection working with the two configs mentioned below, but I cannot do anything TCP/IP through the tunnel. First I thought that there was no connection at all, but yesterday I got an IP address from the other site's DHCP server :Smile: (that's maybe a reason why tun devices could be better for me??).

I perhaps should further explain my network's config:

Site A: (me)

192.168.74.64/26

Router: 192.168.74.65 (Lancom 1511)

Gentoo machine: 192.168.74.70

```
remote          [...]
port            1197
proto           udp
dev             tap3
float
ca              /etc/openvpn/uwe-kraft/ca.crt
cert            /etc/openvpn/uwe-kraft/uwe.crt
key             /etc/openvpn/uwe-kraft/uwe.key
dh              /etc/openvpn/uwe-kraft/dh1024.pem
ifconfig 192.168.73.9 255.255.255.252
# timeouts
ping            15
ping-restart    300 # 5 minutes
resolv-retry    300 # 5 minutes
persist-tun
persist-key
# compression (optional)
comp-lzo
tls-server
reneg-sec       60
verb            5
```

Site B: (remote site)

192.168.74.128/26

Router: 192.168.74.134 (Shorewall)

Gentoo Machine: 192.168.74.134

```
remote          [...]
port            1197
proto           udp
dev             tap1
float
ca              /etc/openvpn/kraft-uwe/ca.crt
cert            /etc/openvpn/kraft-uwe/kraft.crt
key             /etc/openvpn/kraft-uwe/kraft.key
ifconfig 192.168.73.10 255.255.255.252
# timeouts
ping            15
ping-restart    300 # 5 minutes
resolv-retry    300 # 5 minutes
persist-tun
persist-key
# compression (optional)
comp-lzo
tls-client
reneg-sec       60
verb            5
```

So the questions are:

what must I change in my configs and routes to:

 - let all machines inside both networks communicate with each other in the remote network

 - not get IP addresses from the remote DHCP server but from my own local one

Perhaps somebody can show me a sample config of a working tunnel. I read the OpenVPN manuals and howtos up and down but don't get it working... Thanks!!!

Last edited by Uwe on Sun May 21, 2006 2:53 pm; edited 1 time in total

----------

## jamapii

 *Uwe wrote:*   

> Site A: (me)
> 
> 192.168.74.64/26
> ...

 

I think the machine at site A can have in its config (to push its route to site B):

```
push "route 192.168.74.64  255.255.255.192"
```

Alternatively, machine at site B can have:

```
route 192.168.74.64  255.255.255.192
```

To connect the other site network, a corresponding option is required.

----------

## Uwe

Thank you, but it seems that more is required, as I also don't want to route DHCP traffic through the tunnel. Besides that (don't ask me why, I tried), the routes are not set properly.

----------

## xtlosx

hey! 

Did you ever get this working? I'm looking for some docs on how to set up a site-to-site VPN as well, the creation of keys and certs... where'd you find your information? Thanks!

----------

## PMcCauley

You could use iptables to only allow dhcp traffic to the wanted dhcp server as a workaround.

Patrick

----------

## magic919

 *xtlosx wrote:*   

> hey! 
> 
> did you ever get this working.. i'm looking for some docs on how to setup a site to site vpn as well, the creation of keys and certs... where'd you find your information at? Thanks!

 

www.openvpn.net covers all this stuff.

----------

## Uwe

Argh, it still does not work... But it seems that it has something to do with the routes.... I always get "Destination Host Unreachable" messages from the VPN IP...

What exactly should i route to each other? (That means, how should the routing table look?)

Or can there be another problem with the VPN itself?

I installed two fresh Gentoo virtual machines and put them into a LAN-LAN routing scenario; I get the exact same problem. A Windows guy with whom I set up a test VPN could access my network, but I again got stuck with the "Destination Host Unreachable" messages...

And why doesn't traceroute find my tap device?

----------

## thepustule

All you need to do is put your routes in properly.

For instance, on side A put 

```
route 192.168.74.128 255.255.255.192 192.168.73.10
```

And do the opposite for side B.

Just to verify, can you ping 192.168.73.9 from side B and 192.168.73.10 from Side A?  I mean, can you ping these addresses directly from the Linux machines running the tunnel?  Just to make sure the tunnel is actually passing traffic...

Traceroute probably doesn't find your tap device because there isn't any correct routing to tell it to go there.

----------

## Uwe

And this is exactly my problem.... The VPN tunnel does not route any IP traffic (but when using TAP devices, I can get an IP from the remote DHCP range and fully access his network, because I am virtually part of it)... so I cannot ping my VPN networks... strange.

----------

## thepustule

One thing you might try is commenting out the "comp-lzo" setting on both ends - to test.

I've had a situation where an OpenVPN between two different platforms wouldn't work with comp-lzo enabled.

----------

## Uwe

I'll try this with my two VMs.... But these are both inherited from the same image/installation, so they should be very identical...

----------

## Uwe

Okay, partly solved now. The problem was that I had to set the routes against the bridge interface and not against the tun/tap interfaces.

But now I have a new problem: when sending more than just a ping through the tunnel, the sessions die (no matter which port).

Imagine I want to make an SSH session to a machine on the other side of the VPN. Works fine until "too much" traffic goes through the interface. I cannot open any config files or run emerge --update world -p because that's too much... weird....

Fixed it! Using TCP now, and I had to make some MTU changes. Works like a charm, yee-ha!

----------

## thepustule

Is it completely essential for you to do bridging with this tunnel?

I have had tunnels work for weeks without any problems, carrying very heavy traffic.  But those were all routed tunnels, not bridged.

----------

## Uwe

Strange thing is: I am using tun devices now (at least I think that should make them tunnel devices :Wink: ), but I still sometimes get a DHCP address from the other range (damn!)... It shouldn't work, but it does...

----------

## thepustule

but you're bridging, no?  So you're likely sending the packets through...

----------

## Uwe

br0 = (eth0 && tun1), yes, if that's what you would call "bridging"... But the VPN goes through a tun interface, a tunnel, isn't it?

----------

## thepustule

Sure, but when you link the tun and eth devices into br0, any broadcast packet from the eth device gets copied and sent through the tunnel. If you are also running a br0 device at the other end, the packet gets copied again and sent out to that LAN. That is exactly what bridging does. This is why your DHCP server is still sending responses to clients on the other side of the tunnel.

If you don't want that to happen, you need to disable bridging, i.e. don't bind the interfaces into br0. Just route the traffic instead.

Last edited by thepustule on Wed May 24, 2006 7:44 pm; edited 1 time in total

----------

## Uwe

Thought about that, but I wasn't sure, as every howto begins with the bridging part :Smile: . And because leaving the bridge away did work in my test environment but not in my "real" one.... I must have forgotten something :Smile: . Thanks for the explanation about bridging.

----------

## Uwe

Okay, next step in progress (must make use of having a network guru answering my questions :Wink: ): I have now successfully created the routed environment. Suppose that I have not (yet) installed iptables on my machine. What must I do to route traffic from the network behind eth0 to the tun device? (So including the whole network instead of only one machine. This worked automatically with the bridge config)...

----------

## thepustule

Yes.  

Well, there are two things you need to do:

1.  Make sure routing is enabled.

```
echo 1 > /proc/sys/net/ipv4/ip_forward
```

Also, edit /etc/sysctl.conf to make sure the

```
net.ipv4.ip_forward = 1
```

line is set properly.

2.  Add the proper routes to your openvpn configs.

Once you have this set up, check the output of the route command.  You should see routes indicating how to send packets to the other LAN.

----------

## Uwe

I did, but something is still missing... The servers can communicate with each other, but not the networks behind them.

Routing table side A

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.73.0    0.0.0.0         255.255.255.252 U     0      0        0 tun1
192.168.74.64   0.0.0.0         255.255.255.192 U     0      0        0 eth0
192.168.74.128  0.0.0.0         255.255.255.192 U     0      0        0 tun1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.74.65   0.0.0.0         UG    0      0        0 eth0
```

Routing table side B

```
84.58.128.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.73.0    0.0.0.0         255.255.255.252 U     0      0        0 tun1
192.168.74.64   0.0.0.0         255.255.255.192 U     0      0        0 tun1
192.168.74.128  0.0.0.0         255.255.255.192 U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         84.58.128.1     0.0.0.0         UG    0      0        0 ppp0
```

Side B has a Shorewall with the following policy:

```
net             all             DROP
loc             loc             ACCEPT
$FW             loc             ACCEPT
loc             $FW             ACCEPT
$FW             net             ACCEPT
loc             net             ACCEPT
# Rules for VPN
loc             vpn             ACCEPT
vpn             loc             ACCEPT
$FW             vpn             ACCEPT
vpn             $FW             ACCEPT
# Deny-all rule at the end
all             all             REJECT
```

Traceroute from a Windows machine on side A to server B:

```
C:\Dokumente und Einstellungen\uwe>tracert 192.168.74.134

Tracing route to 192.168.74.134 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  RT-UWE.immer-lan.lan [192.168.74.65]
  2    <1 ms     1 ms    <1 ms  dw.serveblog.net [192.168.74.70]
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
```

192.168.74.65 is my router, 192.168.74.70 is my openvpn server on side a, 192.168.74.134 is openvpn server on side b. Netmask 255.255.255.192

```
Chain tun1_fwd (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW    <--------?????
all2all    all  --  anywhere             anywhere
vpn2loc    all  --  anywhere             anywhere

Chain tun1_in (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW    <--------?????
vpn2fw     all  --  anywhere             anywhere

Chain vpn2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain vpn2loc (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
```
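An added example, not code from anyone in this thread: a small model of the site-to-site path that applies thepustule's two checks (routes on both ends, ip_forward on the transit boxes) to the two `route -n` tables Uwe posted. It parses the tables, performs the kernel's longest-prefix lookup at every hop, refuses to forward on a hop whose ip_forward is off, and reports where a packet dies. The tables for the Windows client (assumed 192.168.74.100), the Lancom router (its route to site B via .70 is inferred from hop 2 of the tracert) and a host at site B (assumed 192.168.74.140) are constructed assumptions; the node names are invented labels.

```python
# Added example (not from the thread): a model of the site-to-site path built
# from the `route -n` tables posted above, plus ASSUMED tables for one LAN host
# per site and the Lancom router. It does the kernel's longest-prefix lookup at
# every hop, honours ip_forward on transit hops and reports where a packet dies.
import ipaddress

SIDE_A = """\
192.168.73.0    0.0.0.0         255.255.255.252 U     0      0        0 tun1
192.168.74.64   0.0.0.0         255.255.255.192 U     0      0        0 eth0
192.168.74.128  0.0.0.0         255.255.255.192 U     0      0        0 tun1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.74.65   0.0.0.0         UG    0      0        0 eth0
"""
SIDE_B = """\
84.58.128.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.73.0    0.0.0.0         255.255.255.252 U     0      0        0 tun1
192.168.74.64   0.0.0.0         255.255.255.192 U     0      0        0 tun1
192.168.74.128  0.0.0.0         255.255.255.192 U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         84.58.128.1     0.0.0.0         UG    0      0        0 ppp0
"""
# Constructed, not from the thread: a client at site A, the Lancom router (its
# route to site B via .70 is inferred from hop 2 of the tracert), and a host at
# site B whose default gateway is the Shorewall box.
WIN_A = ("192.168.74.64 0.0.0.0 255.255.255.192 U 0 0 0 eth0\n"
         "0.0.0.0 192.168.74.65 0.0.0.0 UG 0 0 0 eth0\n")
LANCOM = ("192.168.74.64 0.0.0.0 255.255.255.192 U 0 0 0 eth0\n"
          "192.168.74.128 192.168.74.70 255.255.255.192 UG 0 0 0 eth0\n")
HOST_B = ("192.168.74.128 0.0.0.0 255.255.255.192 U 0 0 0 eth0\n"
          "0.0.0.0 192.168.74.134 0.0.0.0 UG 0 0 0 eth0\n")

def parse_route_n(text):
    """[(network, gateway-or-None, iface)] from `route -n` lines; skips headers."""
    routes = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 8 and f[0][0].isdigit():
            net = ipaddress.IPv4Network(f"{f[0]}/{f[2]}", strict=False)
            gw = None if f[1] == "0.0.0.0" else ipaddress.IPv4Address(f[1])
            routes.append((net, gw, f[7]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; None when nothing (not even a default) matches."""
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

class Node:
    def __init__(self, name, addrs, table, links, forward=False):
        self.name, self.forward = name, forward      # forward = ip_forward
        self.addrs = {ipaddress.IPv4Address(a) for a in addrs}
        self.routes, self.links = parse_route_n(table), links
        # links: iface -> ("lan", segment name) or ("p2p", peer node name)

def build_topology(a_forward=True, b_return_route=True):
    """The thread's setup; the two flags reproduce common site-to-site mistakes."""
    side_b = SIDE_B if b_return_route else "\n".join(
        l for l in SIDE_B.splitlines() if not l.startswith("192.168.74.64"))
    nodes = [
        Node("win-a", ["192.168.74.100"], WIN_A, {"eth0": ("lan", "A")}),
        Node("lancom", ["192.168.74.65"], LANCOM, {"eth0": ("lan", "A")}, True),
        Node("gentoo-a", ["192.168.74.70", "192.168.73.9"], SIDE_A,
             {"eth0": ("lan", "A"), "tun1": ("p2p", "gentoo-b")}, a_forward),
        Node("gentoo-b", ["192.168.74.134", "192.168.73.10"], side_b,
             {"eth0": ("lan", "B"), "tun1": ("p2p", "gentoo-a"),
              "ppp0": ("p2p", "isp")}, True),
        Node("host-b", ["192.168.74.140"], HOST_B, {"eth0": ("lan", "B")}),
    ]
    return {n.name: n for n in nodes}

def trace(nodes, src, dst, max_hops=16):
    """Follow one packet from node `src` to address `dst`: (path, verdict)."""
    dst = ipaddress.IPv4Address(dst)
    node, path = nodes[src], [src]
    for _ in range(max_hops):
        if dst in node.addrs:
            return path, "delivered"
        if node.name != src and not node.forward:
            return path, f"dropped at {node.name}: ip_forward=0"
        hit = lookup(node.routes, dst)
        if hit is None:
            return path, f"dropped at {node.name}: no route to {dst}"
        _net, gw, iface = hit
        kind, target = node.links.get(iface, ("p2p", "?"))
        if kind == "p2p":   # tun/ppp: the peer is fixed, no ARP involved
            nxt, why = nodes.get(target), f"{iface} leads to {target}, outside the model"
        else:               # broadcast LAN: the next hop must own the address
            next_ip = dst if gw is None else gw
            nxt = next((n for n in nodes.values() if n is not node
                        and ("lan", target) in n.links.values()
                        and next_ip in n.addrs), None)
            why = f"nobody answers for {next_ip} on LAN {target} (host unreachable)"
        if nxt is None:
            return path, f"dropped at {node.name}: {why}"
        node, path = nxt, path + [nxt.name]
    return path, "hop limit exceeded"
```

Run `trace(build_topology(), "win-a", "192.168.74.134")` and the reverse `trace(build_topology(), "host-b", "192.168.74.100")`: with the posted tables both directions are delivered, so the tables themselves are not what kills the tracert after hop 2; the model cannot say more than that, and the remaining suspects it can demonstrate are ip_forward on the site A box (`a_forward=False` drops the packet there) and a missing return route on side B (`b_return_route=False` sends replies out ppp0 to the ISP instead of back through tun1). A third case worth trying is `trace(build_topology(), "win-a", "192.168.73.10")`: the Lancom router has no route for the 192.168.73.8/30 tunnel network, so a LAN host cannot ping the far tunnel endpoint even when the LAN-to-LAN path works. Two editorial caveats on the posted configs, unrelated to routing: dh1024.pem is a 1024-bit DH group, which is below current minimums, and comp-lzo is compression of encrypted traffic, which is better left off.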

----------

