The recipes in this chapter will provide an introduction to configuring OpenVPN. They are based on a point-to-point type of network, meaning that only a single client can connect at a given time.
A point-to-point network is very useful when connecting to a small number of sites or clients. It is easier to set up, as no certificates or public key infrastructure (PKI) is required. Also, routing is slightly easier to configure as no client-specific configuration files containing --iroute statements are required.
The drawbacks of a point-to-point network are as follows:
The lack of having perfect forward secrecy-a key compromise may result in a total disclosure of previous sessions
The secret key must exist in plaintext form on each VPN peer
This recipe will explain the shortest setup possible when using OpenVPN. For this setup, you require two computers that are connected over a network (LAN or Internet). We will use both a TUN-style network and a TAP-style network and will focus on the differences between them. A TUN device is used mostly for VPN tunnels where only IP traffic is used. A TAP device allows all the Ethernet frames to be passed over the OpenVPN tunnel, hence providing support for non-IP based protocols, such as IPX and AppleTalk.
While this may seem useless at first glance, it can be very useful to quickly test whether OpenVPN can connect to a remote system.
Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Windows 7 Pro 64bit and OpenVPN 2.3.10.
Here are the steps that you need to follow:
Launch the server-side (listening) OpenVPN process for the TUN-style network:
[root@server]# openvpn --ifconfig 10.200.0.1 10.200.0.2 \ --dev tun
Then, launch the client-side OpenVPN process:
[WinClient] C:\>"\Program Files\OpenVPN\bin\openvpn.exe" \ --ifconfig 10.200.0.2 10.200.0.1 --dev tun \ --remote openvpnserver.example.com
The following screenshot shows how a connection is established:
As soon as the connection is established, we can ping the other end of the tunnel.
Next, stop the tunnel by pressing the F4 function key in the command window and restart both ends of the tunnel using the TAP device.
Launch the server-side (listening) OpenVPN process for the TAP-style network:
[root@server]# openvpn --ifconfig 10.200.0.1 255.255.255.0 \ --dev tap
Then launch the client-side OpenVPN process:
[WinClient] C:\>" \Program Files\OpenVPN\bin\openvpn.exe" \ --ifconfig 10.200.0.2 255.255.255.0 --dev tap \ --remote openvpnserver.example.com
The connection will now be established and we can again ping the other end of the tunnel.
The server listens on UDP port 1194, which is the OpenVPN default port for incoming connections. The client connects to the server on this port. After the initial handshake, the server configures the first available TUN device with the IP address 10.200.0.1 and it expects the remote end (the Peer address) to be 10.200.0.2.
The client does the opposite: after the initial handshake, the first TUN or TAP-Win32 device is configured with the IP address 10.200.0.2. It expects the remote end (the Peer address) to be 10.200.0.1. After this, the VPN is established.
Let's look at a couple of different scenarios and check whether they would modify the process.
In the previous example, we chose the UDP protocol. It would not have made any difference if we had chosen the TCP protocol, provided that we had done that on the server side (the side without --remote) as well as the client side. The following is the code for doing this on the server side:
[root@server]# openvpn --ifconfig 10.200.0.1 10.200.0.2 \ --dev tun --proto tcp-server
Here's the code for the client side:
[root@client]# openvpn --ifconfig 10.200.0.2 10.200.0.1 \ --dev tun --proto tcp-client --remote openvpnserver.example.com
With the TAP-style interface, it is possible to run non-IP traffic over the tunnel. For example, if AppleTalk is configured correctly on both sides, we can query a remote host using the aecho command:
aecho openvpnserver 22 bytes from 65280.1: aep_seq=0. time=26. ms 22 bytes from 65280.1: aep_seq=1. time=26. ms 22 bytes from 65280.1: aep_seq=2. time=27. ms
A tcpdump -nnel -i tap0 command shows that the type of traffic is indeed non-IP-based AppleTalk.
This recipe uses OpenVPN secret keys to secure the VPN tunnel. It is very similar to the previous recipe, but this time, we will use a shared secret key to encrypt the traffic between the client and the server.
Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Windows 7 64 bit and OpenVPN 2.3.10.
First, generate a secret key on the server (listener):
[root@server]# openvpn --genkey --secret secret.keyTransfer this key to the client side over a secure channel (for example, using
scp).Next, launch the server-side (listening) OpenVPN process:
[root@server]# openvpn --ifconfig 10.200.0.1 10.200.0.2 \ --dev tun --secret secret.key
Then, launch the client-side OpenVPN process:
[WinClient] C:\>"\Program Files\OpenVPN\bin\openvpn.exe" \ --ifconfig 10.200.0.2 10.200.0.1 \ --dev tun --secret secret.key \ --remote openvpnserver.example.com
The connection is now established, as shown in the following screenshot:
This example works exactly as the first one: the server listens to the incoming connections on UDP port 1194. The client connects to the server on this port. After the initial handshake, the server configures the first available TUN device with the IP address 10.200.0.1 and it expects the remote end (Peer address) to be 10.200.0.2. The client does the opposite.
By default, OpenVPN uses two symmetric keys when setting up a point-to-point connection:
A cipher key to encrypt the contents of the packets being exchanged.
An HMAC key to sign packets. When packets arrive that are not signed using the appropriate HMAC key, they are dropped immediately. This is the first line of defense against a "denial-of-service" attack.
The same set of keys are used on both ends and both keys are derived from the file specified using the
--secretparameter.
An OpenVPN secret key file is formatted as follows:
# # 2048 bit OpenVPN static key # -----BEGIN OpenVPN Static key V1----- <16 lines of random bytes> -----END OpenVPN Static key V1-----
From the random bytes, the OpenVPN Cipher and HMAC keys are derived. Note that these keys are the same for each session.
As stated in the previous recipe, OpenVPN uses two symmetric keys when setting up a point-to-point connection. However, it is also possible to use shared yet asymmetric keys in point-to-point mode. OpenVPN will use four keys in this case:
A cipher key on the client side
An HMAC key on the client side
A cipher key on the server side
An HMAC key on the server side
The same keying material is shared by both sides of the point-to-point connection, but the keys that are derived for encrypting and signing the data are different for each side. This recipe explains how to set up OpenVPN in this manner and how the keys can be made visible.
For this recipe, we use the secret.key file from the previous recipe. Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Windows 7 64 bit and OpenVPN 2.3.10. We'll use the secret.key file from the OpenVPN secret keys recipe here.
Launch the server-side (listening) OpenVPN process with an extra option to the
--secretparameter and with more verbose logging:[root@server]# openvpn \ --ifconfig 10.200.0.1 10.200.0.2 \ --dev tun --secret secret.key 0 \ --verb 7
Then launch the client-side OpenVPN process:
[WinClient] C:\>"\Program Files\OpenVPN\bin\openvpn.exe" \ --ifconfig 10.200.0.2 10.200.0.1 \ --dev tun --secret secret.key 1\ --remote openvpnserver \ --verb 7
The connection will be established with a lot of debugging messages.
If we look through the server-side messages (searching for crypt), we can find the negotiated keys on the server side. Note that the output has been reformatted for clarity:
... Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key ... Static Encrypt: CIPHER KEY: 80797ddc 547fbdef 79eb353f 2a1f3d1f ... Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication ... Static Encrypt: HMAC KEY: c752f254 cc4ac230 83bd8daf 6141e73d 844764d8 ... Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key ... Static Decrypt: CIPHER KEY: 8cf9abdd 371392b1 14b51523 25302c99 ... Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication ... Static Decrypt: HMAC KEY: 39e06d8e 20c0d3c6 0f63b3e7 d94f35af bd744b27
On the client side, we will find the same keys but the "Encrypt" and "Decrypt" keys would have been reversed:
... Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key ... Static Encrypt: CIPHER KEY: 8cf9abdd 371392b1 14b51523 25302c99 ... Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication ... Static Encrypt: HMAC KEY: 39e06d8e 20c0d3c6 0f63b3e7 d94f35af bd744b27 ... Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key ... Static Decrypt: CIPHER KEY: 80797ddc 547fbdef 79eb353f 2a1f3d1f ... Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication ... Static Decrypt: HMAC KEY: c752f254 cc4ac230 83bd8daf 6141e73d 844764d8
If you look at the keys carefully, you will see that each one of them is mirrored on the client and the server side.
OpenVPN derives all the keys from the static.key file, provided there is enough entropy (randomness) in the file to reliably generate four keys. All the keys generated using the following will have enough entropy:
$ openvpn --genkey --secret secret.key
An OpenVPN static key file is 2,048 bits in size. The cipher keys are each 128 bits, whereas the HMAC keys are 160 bits each, for a total of 776 bits. This allows OpenVPN to easily generate four random keys from the static key file, even if a cipher is chosen that requires a larger initialization key.
The same secret key files are used in a client/server setup when the tls-auth ta.key parameter is used.
The Setting up the public and private keys recipe from Chapter 2, Client-server IP-only Networks, in which the
tls-authkey is generated in a very similar manner
In the very first recipe, we created a tunnel in which the data traffic was not encrypted. To create a completely plain text tunnel, we also disable the HMAC authentication. This can be useful when debugging a bad connection, as all traffic over the tunnel can now easily be monitored. In this recipe, we will look at how to do this. This type of tunnel is also useful when doing performance measurements, as it is the least CPU-intensive tunnel that can be established.
Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Fedora 22 Linux and OpenVPN 2.3.10.
As we are not using any encryption, no secret keys are needed.
Launch the server-side (listening) OpenVPN process:
[root@server]# openvpn \ --ifconfig 10.200.0.1 10.200.0.2 \ --dev tun --auth none
Then launch the client-side OpenVPN process:
[root@client]# openvpn \ --ifconfig 10.200.0.2 10.200.0.1 \ --dev tun --auth none\ --remote openvpnserver.example.com
The connection will be established with the following two warning messages as the output:
... ******* WARNING *******: null cipher specified, no encryption will be used ... ******* WARNING *******: null MAC specified, no authentication will be used
With this setup, absolutely no encryption is performed. All of the traffic that is sent over the tunnel is encapsulated in an OpenVPN packet and then sent as is.
To actually view the traffic, we can use tcpdump; follow these steps:
Set up the connection as outlined.
Start
tcpdumpand listen on the network interface, not the tunnel interface itself:[root@client]# tcpdump -l -w - -i eth0 -s 0 host openvpnserver | stringsNow, send some text across the tunnel, using something like
nc(Netcat). First, launchncon the server side:[server]$ nc -l 31000On the client side, launch the
nccommand in client mode and typehelloandgoodbye:[client]$ nc 10.200.0.1 3100 hello goodbye
In the
tcpdumpwindow, you should now see the following:
Press Ctrl + C to terminate
tcpdumpas well asnc.
The point-to-point type of networks are great if you want to connect two networks together over a static, encrypted tunnel. If you only have a small number of endpoints (fewer than four), then routing is far easier than using a client/server setup as described in Chapter 2, Client-server IP-only Networks.
For this recipe, we will use the following network layout:
Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Windows 7 64 bit and OpenVPN 2.3.10. We'll use the secret.key file from the OpenVPN secret keys recipe here.
First, establish the connection, but also make sure OpenVPN has daemonized itself:
[root@server]# openvpn \ --ifconfig 10.200.0.1 10.200.0.2 \ --dev tun --secret secret.key \ --daemon --log /tmp/openvpnserver.log
Then, launch the client-side OpenVPN process:
[client]$ openvpn \ --ifconfig 10.200.0.2 10.200.0.1 \ --dev tun --secret secret.key \ --remote openvpnserver \ --daemon --log /tmp/openvpnclient.log
The connection is established:
[server]$ tail -1 /tmp/openvpnserver.log Initialization Sequence Completed
Now we add routing:
On the server side, we add a static route:
[root@server]# route add -net 192.168.4.0/24 gw 10.200.0.2On the client side, we need to do two things:
Make sure that you have the IP traffic forwarding enabled. On Linux, this can be achieved using the following:
[root@client]# sysctl -w net.ipv4.ip_forward=1On the Windows client on the client-side LAN, make sure there is a route back to the OpenVPN server:
C:> route add 10.200.0.0 mask 255.255.255.0 192.168.4.5From the server, we can now ping machines on the client LAN. First, ping the LAN IP of the OpenVPN client:
[root@server]# ping -c 2 192.168.4.5 PING 192.168.4.5 (192.168.4.5) 56(84) bytes of data. 64 bytes from 192.168.4.5: icmp_seq=0 ttl=64 time=31.7 ms 64 bytes from 192.168.4.5: icmp_seq=1 ttl=64 time=31.3 ms --- 192.168.4.5 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1000ms rtt min/avg/max/mdev = 31.359/31.537/31.716/0.251 ms, pipe 2
Then, ping the LAN IP of a machine on the OpenVPN client LAN:
[root@server]# ping -c 2 192.168.4.164 [server]$ ping -c 2 192.168.4.164 PING 192.168.4.164 (192.168.4.164) 56(84) bytes of data. 64 bytes from 192.168.4.164: icmp_seq=0 ttl=63 time=31.9 ms 64 bytes from 192.168.4.164: icmp_seq=1 ttl=63 time=31.4 ms --- 192.168.4.164 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 31.486/31.737/31.989/0.308 ms, pipe 2
In our network setup, the LAN we want to reach is behind the OpenVPN client, so we have to add a route to the server:
[server]$ route add -net 192.168.4.0/24 gw 10.200.0.2
On the client side, we need to do two things:
Make sure that the routing is enabled. If you want routing to remain enabled after a reboot, edit the
/etc/sysctl.cnffile:net.ipv4.ip_forward = 1
We also need to make sure that there is a route back to the OpenVPN server on the client LAN. This can be done by adding a route to the LAN gateway or by adding a static route to each of the machines on the client LAN. In this recipe, we added a route to a Windows client that is in the same LAN as the OpenVPN client:
C:> route add 10.200.0.0 mask 255.255.255.0 192.168.4.5
Here, 192.168.4.5 is the LAN IP address of the OpenVPN client.
Let's discuss a bit about routing issues and how to automate the setup.
On the OpenVPN users mailing list, a large number of the problems that are reported have something to do with routing issues. Most of them have little to do with OpenVPN itself, but more with understanding the routing and the flow of packets over the network. Chapter 7, Troubleshooting OpenVPN - Routing, provides some recipes to diagnose and fix the most common routing problems.
It is also possible to add the appropriate routes when the tunnel first comes up. This can be done using the --route statement:
[server]$ openvpn \ --ifconfig 10.200.0.1 10.200.0.2 \ --dev tun --secret secret.key \ --daemon --log /var/log/openvpnserver-1.5.log \ --route 192.168.4.0 255.255.255.0
Note that on the client LAN, the route back to the server still has to be set manually.
The Three-way routing recipe, later on in this chapter, where a more complicated setup using three remote sites is explained
Chapter 7, Troubleshooting OpenVPN - Routing
Most recipes in this book can be carried out without using configuration files. However, in most real-life cases, a configuration file is much easier to use than a lengthy command line. It is important to know that OpenVPN actually treats configuration file entries and command-line parameters identically. The only difference is that all command-line parameters start with a double dash (--) whereas the configuration file entries do not. This makes it very easy to overrule the configuration file entries using an extra command-line parameter.
Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Windows 7 64 bit and OpenVPN 2.3.10. In this recipe, we'll use the secret.key file from the OpenVPN secret keys recipe.
Create a configuration file based on an earlier recipe:
dev tun port 1194 ifconfig 10.200.0.1 10.200.0.2 secret secret.key remote openvpnserver.example.com verb 3
Save this file as
example1-6-client.conf.Launch the server-side (listening) OpenVPN process on a non-standard port:
[root@server]# openvpn \ --ifconfig 10.200.0.1 10.200.0.2 \ --dev tun --secret secret.key \ --port 11000
Then launch the client-side OpenVPN process and add an extra command-line parameter:
[WinClient] C:\>"\Program Files\OpenVPN\bin\openvpn.exe" \ --config client.conf \ --port 11000
The connection is established:
Jan 11 16:14:04 2016 UDPv4 link local (bound): [undef] Jan 11 16:14:04 2016 UDPv4 link remote: [AF_INET]172.16.8.1:11000 Jan 11 16:14:06 2016 Peer Connection Initiated with [AF_INET]172.16.8.1:11000 Jan 11 16:14:12 2016 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up Jan 11 16:14:12 2016 Initialization Sequence Completed
The command line and the configuration file are read and parsed from left to right and top to bottom. This means that most options that are specified before the configuration file can be overruled by the entries in that file. Similarly, the options specified after the following directive overrule the entries in that file:
--config client.conf
Hence, the following option overruled the line "port 1194" from the configuration file:
--port 11000
However, some options can be specified multiple times, in which case, the first occurrence "wins." In such a case, it is also possible to specify the option before specifying the --config directive.
Here is another example that shows the importance of the ordering of the command-line parameters:
C:\>"\Program Files\OpenVPN\bin\openvpn.exe" \ --verb 0 \ --config client.conf \ --port 11000
This produces the exact same connection log as shown before. The verb 3 command from the client.conf configuration file overruled --verb 0, as specified on the command line. However, refer to the following command line:
C:\>"\Program Files\OpenVPN\bin\openvpn.exe" \ --config client.conf \ --port 11000 \ --verb 0
Using this command line, the connection log will remain entirely empty, yet the VPN connection will be in functioning mode.
Some of the newer features of OpenVPN deviate slightly from this principle, most notably the <connection> blocks and the inline certificates. Some people prefer to write the following command:
remote openvpnserver.example.com 1194
They prefer this instead of the following command:
port 1194 remote openvpnserver.example.com
The downside of this notation is that this is translated as a connection block by OpenVPN. For connection blocks, it is not possible to overrule the port using --port 11000.
In this recipe, we set up a complete site-to-site network, using most of the built-in security features that OpenVPN offers. It is intended as a "one-stop-shop" example of how to set up a point-to-point network.
Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Fedora 22 Linux and OpenVPN 2.3.10. We'll use the secret.key file from the OpenVPN secret keys recipe here.
We will use the following network layout:
Make sure routing (IP forwarding) is configured on both the server and client.
Create the server configuration file:
dev tun proto udp local openvpnserver.example.com lport 1194 remote openvpnclient.example.com rport 1194 secret secret.key 0 ifconfig 10.200.0.1 10.200.0.2 route 192.168.4.0 255.255.255.0 user nobody group nobody # use "group nogroup" on some distros persist-tun persist-key keepalive 10 60 ping-timer-rem verb 3 daemon log-append /tmp/openvpn.logSave it as
example1-7-server.conf.On the client side, create the configuration file:
dev tun proto udp local openvpnclient.example.com lport 1194 remote openvpnserver.example.com rport 1194 secret secret.key 1 ifconfig 10.200.0.2 10.200.0.1 route 172.31.32.0 255.255.255.0 user nobody group nobody # use "group nogroup" on some distros persist-tun persist-key keepalive 10 60 ping-timer-rem verb 3 daemon log-append /tmp/openvpn.log
Save it as
example1-7-client.conf.Then start the tunnel on both ends. The following is for the server end:
[root@server]# openvpn --config example1-7-server.confHere's the code for the client end:
[root@client]# openvpn --config example1-7-client.confNow our site-to-site tunnel is established.
Check the log files on both the client and server to verify that the connection has been established.
After the connection comes up, the machines on the LANs behind both the end points can be reached over the OpenVPN tunnel. For example, when we ping a machine on the client-side LAN from the server, we will see the following:
The client and server configuration files are very similar:
The server listens only on one interface and one UDP port
The server accepts connections only from a single IP address and port
The client has these options mirrored
Here is the set of configuration options:
user nobody group nobody persist-tun persist-key keepalive 10 60 ping-timer-rem
These options are used to make the connection more robust and secure, as follows:
The OpenVPN process runs as user nobody and group nobody after the initial connection is established. Even if somebody is able to take control of the OpenVPN process itself, he or she would still only be nobody and not root. Note that on some Linux distributions, nogroup is used instead.
The persist-tun and persist-key options are used to ensure that the connection comes back automatically if the underlying network is disrupted. These options are necessary when using user nobody and group nobody (or group nogroup).
The keepalive and ping-timer-rem options cause OpenVPN to send a periodic "ping" message over the tunnel to ensure that both ends of the tunnel remain up and running.
This point-to-point setup can also be used to evade restrictive firewalls. The data stream between the two endpoints is not recognizable and very hard to decipher. When OpenVPN is run in client/server (see Chapter 2, Client-server IP-only Networks), the traffic is recognizable as OpenVPN traffic due to the initial TLS handshake.
The last recipe in this chapter, Using IPv6, which builds upon this recipe by adding support for IPv6 traffic
Chapter 7, Troubleshooting OpenVPN - Routing, in which the most common routing issues are explained
For a small number (less than four) of fixed endpoints, a point-to-point setup is very flexible. In this recipe, we set up three OpenVPN tunnels between three sites, including routing between the endpoints. By setting up three tunnels, we create redundant routing so that all the sites are connected even if one of the tunnels is disrupted.
Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Fedora 22 Linux and OpenVPN 2.3.10.
We will use the following network layout:
Make sure that the routing (IP forwarding) is configured on all the OpenVPN endpoints.
We generate three static keys:
[root@siteA]# openvpn --genkey --secret AtoB.key [root@siteA]# openvpn --genkey --secret AtoC.key [root@siteA]# openvpn --genkey --secret BtoC.key
Transfer these keys to all the endpoints over a secure channel (for example, using
scp).Create the server (listener) configuration file named
example1-8-serverBtoA.conf:dev tun proto udp port 1194 secret AtoB.key 0 ifconfig 10.200.0.1 10.200.0.2 route 192.168.4.0 255.255.255.0 vpn_gateway 5 route 192.168.6.0 255.255.255.0 vpn_gateway 10 route-delay keepalive 10 60 verb 3
Next, create an
example1-8-serverCtoA.conffile:dev tun proto udp port 1195 secret AtoC.key 0 ifconfig 10.200.0.5 10.200.0.6 route 192.168.4.0 255.255.255.0 vpn_gateway 5 route 192.168.5.0 255.255.255.0 vpn_gateway 10 route-delay keepalive 10 60 verb 3
Also, create an
example1-8-serverBtoC.conffile:dev tun proto udp port 1196 secret BtoC.key 0 ifconfig 10.200.0.9 10.200.0.10 route 192.168.4.0 255.255.255.0 vpn_gateway 10 route 192.168.6.0 255.255.255.0 vpn_gateway 5 route-delay keepalive 10 60 verb 3
Now, create the client (connector) configuration files,
example1-8-clientAtoB.conf:dev tun proto udp remote siteB port 1194 secret AtoB.key 1 ifconfig 10.200.0.2 10.200.0.1 route 192.168.5.0 255.255.255.0 vpn_gateway 5 route 192.168.6.0 255.255.255.0 vpn_gateway 10 route-delay keepalive 10 60 verb 3
Also, create an
example1-8-clientAtoC.conffile:dev tun proto udp remote siteC port 1195 secret AtoC.key 1 ifconfig 10.200.0.6 10.200.0.5 route 192.168.5.0 255.255.255.0 vpn_gateway 10 route 192.168.6.0 255.255.255.0 vpn_gateway 5 route-delay verb 3
And finally, create
example1-8-clientCtoB.conf:dev tun proto udp remote siteB port 1196 secret BtoC.key 1 ifconfig 10.200.0.10 10.200.0.9 route 192.168.4.0 255.255.255.0 vpn_gateway 10 route 192.168.5.0 255.255.255.0 vpn_gateway 5 route-delay keepalive 10 60 verb 3
First, we start all the listener tunnels:
[root@siteB]# openvpn --config example1-8-serverBtoA.conf [root@siteB]# openvpn --config example1-8-serverBtoC.conf [root@siteC]# openvpn --config example1-8-serverCtoA.conf
These are followed by the connector tunnels:
[root@siteA]# openvpn --config example1-8-clientAtoB.conf [root@siteA]# openvpn --config example1-8-clientAtoC.conf [root@siteC]# openvpn --config example1-8-clientCtoB.conf
And with that, our three-way site-to-site network is established.
It can be clearly seen that the number of configuration files gets out of hand too quickly. In principle, two tunnels would have been sufficient to connect three remote sites, but then there would have been no redundancy.
With the third tunnel and with the configuration options, there are always two routes available for each remote network:
route 192.168.5.0 255.255.255.0 vpn_gateway 5 route 192.168.6.0 255.255.255.0 vpn_gateway 10 route-delay keepalive 10 60
For example, site A has two routes to site B (LAN 192.168.5.0/24), as seen from the following routing table:
[siteA]$ ip route show [...] 192.168.5.0/24 via 10.200.0.1 dev tun0 metric 5 192.168.5.0/24 via 10.200.0.5 dev tun1 metric 10 [...]
These are the two routes to site A:
Via the "direct" tunnel to site B; this route has the lowest metric
Via an indirect tunnel: first to site C and then to site B; this route has a higher metric and is not chosen until the first route is down
This setup has the advantage that if one tunnel fails, then after 60 seconds, the connection and its corresponding routes are dropped and restarted. The backup route to the other network then automatically takes over and all three sites can reach each other again.
When the direct tunnel is restored, the direct routes are also restored and the network traffic will automatically choose the best path to the remote site.
Let's discuss a bit about scalability and routing protocols.
In this recipe, we connect three remote sites. This results in six different configuration files that provide the limitations of the point-to-point setup. In general, to connect n number of possible sites with full redundancy, you will have n * ( n - 1 ) configuration files. This is manageable for up to four sites, but after that, a server/multiple-client setup, as described in the next chapters, is much easier.
Chapter 7, Troubleshooting OpenVPN - Routing, in which the most common routing issues are explained
In this recipe, we extend the complete site-to-site network recipe to include support for IPv6.
Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Fedora 22 Linux and OpenVPN 2.3.10. We'll use the secret.key file from the OpenVPN secret keys recipe here.
We will use the following network layout:
Create the server configuration file:
dev tun proto udp local openvpnserver.example.com lport 1194 remote openvpnclient.example.com rport 1194 secret secret.key 0 ifconfig 10.200.0.1 10.200.0.2 route 192.168.4.0 255.255.255.0 tun-ipv6 ifconfig-ipv6 2001:db8:100::1 2001:db8:100::2 user nobody group nobody # use "group nogroup" on some distros persist-tun persist-key keepalive 10 60 ping-timer-rem verb 3 daemon log-append /tmp/openvpn.log
Save it as
example1-9-server.conf.On the client side, create the configuration file:
dev tun proto udp local openvpnclient.example.com lport 1194 remote openvpnserver.example.com rport 1194 secret secret.key 1 ifconfig 10.200.0.2 10.200.0.1 route 172.31.32.0 255.255.255.0 tun-ipv6 ifconfig-ipv6 2001:db8:100::2 2001:db8:100::1 user nobody group nobody # use "group nogroup" on some distros persist-tun persist-key keepalive 10 60 ping-timer-rem verb 3
Save it as
example1-9-client.conf.Then start the tunnel on both ends The following is for the server end:
[root@server]# openvpn --config example1-9-server.confThis is the code for the client end:
[root@client]# openvpn --config example1-9-client.confNow our site-to-site tunnel is established.
After the connection comes up, the machines on the LANs behind both end points can be reached over the OpenVPN tunnel. Notice that the client OpenVPN session is running in the foreground.
Next, ping the IPv6 address of the server endpoint to verify that IPv6 traffic over the tunnel is working:
[client]$ ping6 -c 4 2001:db8:100::1 PING 2001:db8:100::1(2001:db8:100::1) 56 data bytes 64 bytes from 2001:db8:100::1: icmp_seq=1 ttl=64 time=7.43 ms 64 bytes from 2001:db8:100::1: icmp_seq=2 ttl=64 time=7.54 ms 64 bytes from 2001:db8:100::1: icmp_seq=3 ttl=64 time=7.77 ms 64 bytes from 2001:db8:100::1: icmp_seq=4 ttl=64 time=7.42 ms --- 2001:db8:100::1 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3005ms rtt min/avg/max/mdev = 7.425/7.546/7.778/0.177 ms
Finally, abort the client-side session by pressing Ctrl + C. The following screenshot lists the full client-side log:
Both client and server configuration files are very similar to the ones from the Complete site-to-site setup recipe, with the addition of the following two lines:
tun-ipv6 ifconfig-ipv6 2001:db8:100::2 2001:db8:100::1
This enables IPv6 support, next to the default IPv4 support.
Also, in the client configuration, the options daemon and log-append are not present, hence all of the OpenVPN output is sent to the screen and the process continues running in the foreground.
Let's talk a bit about log file errors and the IPv6-only tunnel.
If we take a closer look at the client-side connection output, we will see a few error messages after pressing Ctrl + C , most notably the following:
RTNETLINK answers: operation not permitted
This is a side-effect when you use the user nobody option to protect an OpenVPN setup, and it often confuses new users. What happens is this:
OpenVPN starts as root, opens the appropriate tun device, and sets the right IPv4 and IPv6 addresses on this tun interface.
For extra security, OpenVPN then switches to nobody, dropping all the privileges associated with root.
When OpenVPN terminates (in our case, by pressing
Ctrl
+
C
), it closes the access to the tun device and tries to remove the IPv4 and IPv6 addresses assigned to that device. At this point, the error messages appear, as nobody is not allowed to perform these operations.
Upon termination of the OpenVPN process, the Linux kernel closes the tun device and all the configuration settings are removed.
In this case, these error messages are harmless, but in general, one should pay close attention to the warning and error messages that are printed by OpenVPN.
The recipe Complete site-to-site setup, earlier in this chapter, in which an IPv4-only site-to-site setup is explained in detail.
The last recipe of Chapter 6, Troubleshooting OpenVPN - Configurations, which explains how to interpret the OpenVPN log files in detail.
![SSL Complete Guide 2021: HTTP to HTTPS [Video]](https://static.packt-cdn.com/products/9781839211508/cover/9781839211508-original.jpeg)
