exomic
Resolved
0 votes
Hi,

I tried to follow this tutorial to connect 2 LANs with OpenVPN (https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_o_connecting_networks_with_openvpn#) but I have a problem.

Basically I have 2 servers connected directly to the internet, running ClearOS 6.7 and running the OpenVPN server, so I can connect from my home to the LAN using the VPN. Since I have 2 LANs on 2 different VPN servers I thought it would be easier and better to connect those 2 LANs together so I can have access to both LANs at the same time from the same VPN.

Server A:
Internet IP: dev.abc.com
Lan IP: 10.0.1.1
tun0: 10.8.0.2 ? (Default configuration of ClearOS clients.conf ?)
tun1: 10.8.1.2 (Default configuration of ClearOS clients-tcp.conf ?)
tun2: 10.8.2.2 (My attempt to connect to the other VPN server, connect_to_b.conf)
Route:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
x.x.x.x * 255.255.255.255 UH 0 0 0 eth0
10.8.2.2 * 255.255.255.255 UH 0 0 0 tun2
10.8.0.2 * 255.255.255.255 UH 0 0 0 tun0
10.8.1.2 * 255.255.255.255 UH 0 0 0 tun1
y.y.y.y * 255.255.255.0 U 0 0 0 eth0
10.0.1.0 * 255.255.255.0 U 0 0 0 eth1
10.0.2.0 10.8.2.2 255.255.255.0 UG 0 0 0 tun2
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.1.0 10.8.1.2 255.255.255.0 UG 0 0 0 tun1
default x.x.x.x 0.0.0.0 UG 0 0 0 eth0

connect_to_b.conf:
port 1195
proto udp
dev tun
remote dev1.abc.com
local dev.abc.com
secret static.key
comp-lzo
verb 2
ifconfig 10.8.2.1 10.8.2.2
route 10.0.1.0 255.255.255.0

Server B:
Internet IP: dev1.abc.com
Lan IP: 10.0.2.1
tun0: 10.8.0.2 ? (Default configuration of ClearOS clients.conf ?)
tun1: 10.8.1.2 (Default configuration of ClearOS clients-tcp.conf ?)
tun2: 10.8.2.1 (My attempt to connect to the other VPN server, connect_to_a.conf)
Route:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
z.z.z.z * 255.255.255.255 UH 0 0 0 eth0
10.8.2.1 * 255.255.255.255 UH 0 0 0 tun2
10.8.0.2 * 255.255.255.255 UH 0 0 0 tun0
10.8.1.2 * 255.255.255.255 UH 0 0 0 tun1
w.w.w.w * 255.255.255.0 U 0 0 0 eth0
10.0.1.0 10.8.2.1 255.255.255.0 UG 0 0 0 tun2
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.0.2.0 * 255.255.255.0 U 0 0 0 eth1
10.8.1.0 10.8.1.2 255.255.255.0 UG 0 0 0 tun1
default z.z.z.z 0.0.0.0 UG 0 0 0 eth0

connect_to_a.conf:
port 1195
proto udp
dev tun
remote dev.abc.com
local dev1.abc.com
secret static.key
comp-lzo
verb 2
ifconfig 10.8.2.2 10.8.2.1
route 10.0.2.0 255.255.255.0

On both servers I can ping the other one fine (10.0.1.1 to 10.0.2.1) but they don't seem to be able to speak through eth1 (the LAN).

What should I do to have both LANs speak to each other using the tunnel, and also make sure that I can speak to both of them when I connect to the VPN from home?
In OpenVPN
Wednesday, December 14 2016, 09:22 PM
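As an added consistency check (not part of the question or of ClearOS), the script below parses a pair of static-key point-to-point configs like the two quoted above and verifies the three things that must agree between the ends: mirrored ifconfig addresses, matching remote/local endpoints, and a route directive that names the peer's LAN rather than the host's own. Run over the files as pasted, with LAN A = 10.0.1.0/24 and LAN B = 10.0.2.0/24, it flags both route lines, which does not match the kernel routing tables shown (10.0.2.0 via tun2 on A), so the two files are worth re-checking against the server each really lives on.

```python
import ipaddress
# Constructed copies of the two static-key configs quoted in the question,
# reduced to the directives this check reads.
CONNECT_TO_B = """remote dev1.abc.com
local dev.abc.com
ifconfig 10.8.2.1 10.8.2.2
route 10.0.1.0 255.255.255.0
"""
CONNECT_TO_A = """remote dev.abc.com
local dev1.abc.com
ifconfig 10.8.2.2 10.8.2.1
route 10.0.2.0 255.255.255.0
"""

def parse_conf(text):
    """Map each OpenVPN directive to its argument list ('#' and ';' start comments)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            key, *args = line.split()
            conf[key] = args
    return conf

def check_pair(conf_a, lan_a, conf_b, lan_b):
    """Return the inconsistencies in a point-to-point pair (empty list = consistent)."""
    lan_a, lan_b = ipaddress.ip_network(lan_a), ipaddress.ip_network(lan_b)
    problems = []
    # 'ifconfig LOCAL REMOTE' on one side must be the mirror image of the other's.
    if conf_a.get("ifconfig") != list(reversed(conf_b.get("ifconfig", []))):
        problems.append("ifconfig addresses are not mirrored")
    # Each side's 'remote' must name the other side's 'local' endpoint.
    if conf_a.get("remote") != conf_b.get("local") or conf_b.get("remote") != conf_a.get("local"):
        problems.append("remote/local endpoints do not match")
    # The 'route' sent over the tunnel must be the peer's LAN, never the host's own.
    for name, conf, own, peer in (("A", conf_a, lan_a, lan_b), ("B", conf_b, lan_b, lan_a)):
        net = ipaddress.ip_network("/".join(conf["route"][:2]))  # 'addr/netmask' form is accepted
        if net == own:
            problems.append(f"{name}: route {net} is this server's own LAN")
        elif net != peer:
            problems.append(f"{name}: route {net} is not the peer LAN {peer}")
    return problems

def check_posted_configs():
    """Check the configs as pasted, taking LAN A = 10.0.1.0/24 and LAN B = 10.0.2.0/24."""
    return check_pair(parse_conf(CONNECT_TO_B), "10.0.1.0/24", parse_conf(CONNECT_TO_A), "10.0.2.0/24")

if __name__ == "__main__":
    print("\n".join(check_posted_configs()) or "consistent")
```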
Accepted Answer

Thursday, December 15 2016, 07:19 PM
1 vote
This is a bit more involved.
1 - Change one end's default OpenVPN subnets (perhaps the end you are not accessing directly but it does not matter). You would have to do this whichever LAN-LAN tunnel type you had. To do this, edit /etc/openvpn/clients.conf and /etc/openvpn/clients-tcp.conf and change the "server" line, perhaps changing the 8 to a 9. Restart that instance of OpenVPN for the change to take effect.
2 - The IPsec set up you need to do is more complicated if you are using the webconfig compared to editing the underlying files by hand (but that would break the webconfig). Set up an identical connection to the LAN-LAN connection except at the end where you'll be connecting to by openvpn, change the "Local LAN Subnet (CIDR Form)" to the OpenVPN subnet. At the other end change the "Remote LAN Subnet (CIDR Form)" to the same OpenVPN subnet. The Pre Shared Key must be the same for both tunnels.
3 - At the OpenVPN end, try adding the remote LAN subnet as the EXTRALANS parameter in /etc/clearos/network.conf and restarting OpenVPN. This should add a "push route" line to clients.conf. If it does not, you'll need to add it manually.

You should now be up and running.

As a couple of tips with IPsec, at both ends set "Local LAN IP (Optional)", and don't set "Local Gateway IP (Optional)" and "Remote Gateway IP (Optional)".

It is possible to use IPsec on your roadwarrior, but I suggest it is not the easiest thing to set up. It is better with libreswan (ClearOS7) than in Openswan (ClearOS6), but it is still not easy.
Responses (10)
  • Monday, December 19 2016, 05:58 PM
    0 votes
    I am afraid you are beyond my knowledge. You may need transport mode for IPsec and not tunnel mode but then you need other stuff as well (a GRE tunnel?). I also have no idea how to implement the sort of failover you are talking about (or really any failover).
  • exomic
    Monday, December 19 2016, 05:15 PM
    0 votes
    I have another question: would it be possible to merge both subnets together? I mean my goal would be to use the IPsec tunnel to connect 2 sites together, allowing a MySQL server failover to a remote MySQL server using an IP alias (virtual IP). Both my master and slave SQL servers would have the eth0:0 IP abc.abc.abc.200 and only the active master will have the eth0:0 interface up. In case of failure the slave will bring its eth0:0 up so all SQL requests will be caught by the slave server (now running as a master). To do so I think I must be in the same subnet, right? Will it be possible using the IPsec tunnel since it has 2 subnets?

    Looking forward to your great ideas.
  • Friday, December 16 2016, 12:12 PM
    0 votes
    exomic wrote:
    Will this be a good idea or should I stick with my 3 tunnels setup?
    Lan A 10.1.0.0/24 + VPN A 10.1.1.0/24 <--> Lan B 10.2.0.0/24 + VPN B 10.2.1.0/24 (10.1.0.0/23 <--> 10.2.0.0/23)

    That would work OK. I like the single IPsec tunnel approach especially with the ClearOS webconfig interface the way it is. If manually configuring openswan/libreswan it can all be done with a single "conn" which would get round this.

    If you do go down this route, I think you have to be careful not to connect to both OpenVPN instances at the same time or you may end up in a routing loop.
  • exomic
    Thursday, December 15 2016, 10:12 PM
    0 votes
    Nick Howitt wrote:

    exomic wrote:
    Based on your idea, could I merge all 3 tunnels into one using the subnet 10.1.0.0/22?
    Lan A 10.1.0.0/24 + VPN A 10.1.2.0/24 <--> Lan B 10.1.1.0/24 + VPN B 10.1.3.0/24 (10.1.0.0/22 <--> 10.1.0.0/22)
    No you can't. You need different subnets at each end of the tunnel or no traffic will pass through the VPN


    Will this be a good idea or should I stick with my 3 tunnels setup?
    Lan A 10.1.0.0/24 + VPN A 10.1.1.0/24 <--> Lan B 10.2.0.0/24 + VPN B 10.2.1.0/24 (10.1.0.0/23 <--> 10.2.0.0/23)
  • Thursday, December 15 2016, 10:06 PM
    0 votes
    exomic wrote:
    Based on your idea, could I merge all 3 tunnels into one using the subnet 10.1.0.0/22?
    Lan A 10.1.0.0/24 + VPN A 10.1.2.0/24 <--> Lan B 10.1.1.0/24 + VPN B 10.1.3.0/24 (10.1.0.0/22 <--> 10.1.0.0/22)
    No you can't. You need different subnets at each end of the tunnel or no traffic will pass through the VPN
  • exomic
    Thursday, December 15 2016, 09:55 PM
    0 votes
    Nick Howitt wrote:

    Thinking about it, and seeing what I've done on my system, you can be more cute and do it with a single tunnel. To do that, if you are connecting to Server A by OpenVPN, set its OpenVPN subnet to 10.0.0.0/24, then use for the IPsec local subnet 10.0.0.0/23 and at the other end set the IPsec remote subnet as 10.0.0.0/23. Similarly if you are connecting by OpenVPN to Server B, make its OpenVPN subnet 10.0.3.0 and use the local IPsec subnet of 10.0.2.0/23 and at the other end set the IPsec remote subnet to the same 10.0.2.0/23.


    That's a good idea, but what I did was create 3 tunnels:
    Lan A <--> Lan B (10.0.1.0/24 <--> 10.0.2.0/24)
    VPN A <--> Lan B (10.8.0.0/24 <--> 10.0.2.0/24)
    VPN B <--> Lan A (10.9.0.0/24 <--> 10.0.1.0/24)

    Based on your idea, could I merge all 3 tunnels into one using the subnet 10.1.0.0/22?
    Lan A 10.1.0.0/24 + VPN A 10.1.2.0/24 <--> Lan B 10.1.1.0/24 + VPN B 10.1.3.0/24 (10.1.0.0/22 <--> 10.1.0.0/22)
  • Thursday, December 15 2016, 08:12 PM
    1 vote
    Thinking about it, and seeing what I've done on my system, you can be more cute and do it with a single tunnel. To do that, if you are connecting to Server A by OpenVPN, set its OpenVPN subnet to 10.0.0.0/24, then use for the IPsec local subnet 10.0.0.0/23 and at the other end set the IPsec remote subnet as 10.0.0.0/23. Similarly if you are connecting by OpenVPN to Server B, make its OpenVPN subnet 10.0.3.0 and use the local IPsec subnet of 10.0.2.0/23 and at the other end set the IPsec remote subnet to the same 10.0.2.0/23.
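The single-tunnel idea above, and the rejected 10.1.0.0/22 variant, come down to one rule: each site's LAN and OpenVPN subnets must aggregate into a prefix that does not overlap the other site's aggregate. The Python below is added here (it is not from the thread or from ClearOS) and uses the standard ipaddress module (3.7+) to compute that aggregate for each of the layouts discussed, reporting overlap between the ends and address space that the aggregate pulls in without any listed subnet using it.

```python
import ipaddress

def aggregate(*subnets):
    """Smallest single prefix that covers every listed subnet (one IPsec 'LAN subnet' per site)."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    agg = nets[0]
    while not all(n.subnet_of(agg) for n in nets):
        agg = agg.supernet()  # widen by one bit until everything fits
    return agg

def plan_single_tunnel(site_a, site_b):
    """Derive the local/remote IPsec subnets for one tunnel carrying both the LAN and the
    OpenVPN traffic of each site. site_a and site_b are lists of subnet strings.
    Returns (local, remote, problems); an empty problems list means the plan is usable."""
    local, remote = aggregate(*site_a), aggregate(*site_b)
    problems = []
    # The two ends must not overlap, or neither side can tell local from remote traffic.
    if local.overlaps(remote):
        problems.append(f"{local} and {remote} overlap: no traffic will be steered into the tunnel")
    # Warn when widening pulled in address space the site does not actually use.
    for name, agg, subs in (("A", local, site_a), ("B", remote, site_b)):
        used = sum(ipaddress.ip_network(s).num_addresses for s in subs)
        if used < agg.num_addresses:
            problems.append(f"{name}: {agg} covers {agg.num_addresses - used} addresses outside the listed subnets")
    return local, remote, problems

if __name__ == "__main__":
    plans = {
        # suggested layout: OpenVPN 10.0.0.0/24 + LAN 10.0.1.0/24 <-> LAN 10.0.2.0/24 + OpenVPN 10.0.3.0/24
        "suggested": (["10.0.0.0/24", "10.0.1.0/24"], ["10.0.2.0/24", "10.0.3.0/24"]),
        # the interleaved 10.1.0.0/22 idea, which cannot work because both ends aggregate to the same /22
        "interleaved": (["10.1.0.0/24", "10.1.2.0/24"], ["10.1.1.0/24", "10.1.3.0/24"]),
        # the 10.1.0.0/23 <-> 10.2.0.0/23 layout
        "separate": (["10.1.0.0/24", "10.1.1.0/24"], ["10.2.0.0/24", "10.2.1.0/24"]),
        # the original addressing: a LAN in 10.0.x with OpenVPN in 10.8.x/10.9.x aggregates to a huge /12
        "original": (["10.0.1.0/24", "10.8.0.0/24"], ["10.0.2.0/24", "10.9.0.0/24"]),
    }
    for name, (a, b) in plans.items():
        local, remote, problems = plan_single_tunnel(a, b)
        print(f"{name}: {local} <-> {remote}", *problems, sep="\n  ")
```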
  • exomic
    Thursday, December 15 2016, 05:52 PM
    0 votes
    Nick Howitt wrote:

    BTW, Have you considered a Basic IPsec VPN between the two sites? It should work out of the box for LAN-LAN connections, but will require an extra more specific setup to allow an OpenVPN roadwarrior connection through the VPN.


    I just installed it and it seems to work out of the box; I can access both LANs from any host in the LAN. Now how can I forward OpenVPN traffic into that, or can I use IPsec for my road warrior (home connection)?
  • Thursday, December 15 2016, 12:44 PM
    0 votes
    BTW, Have you considered a Basic IPsec VPN between the two sites? It should work out of the box for LAN-LAN connections, but will require an extra more specific setup to allow an OpenVPN roadwarrior connection through the VPN.
  • Wednesday, December 14 2016, 10:06 PM
    0 votes
    You've got a few different issues. Firstly you need to get LAN to talk to LAN. You may need something in the firewall. The docs don't mention it but someone posted recently. I am not sure why you need another rule but it is worth looking - perhaps search the forum for "openvpn iptables". You could also dump your firewall with:
    iptables -nvL
    iptables -nvL -t nat
    but please put your answer between code tags.

    To connect from a roadwarrior, it is probably better not to connect into one server then through the vpn to the other, but it can be done. You need to push an extra route in your clients.conf to the remote subnet. You can do this by adding the remote subnet to the EXTRALANS parameter in /etc/clearos/network.conf, but I don't know if it will have other side-effects. There is also another parameter you may need in your configuration file, but you'll need to research the docs. The parameter allows routing between two openvpn connected devices. It may just be for connections between two roadwarriors in which case you don't need it, but you can try it. If you want to remote in to both sides together, you can, but I'd suggest you change the default subnets on one server so they don't clash.

    I can't absorb the rest of your post tonight.