Kiki Gak2
Environment
ClearOS Ver : ClearOS Community 6.9.0
Application : WAN Site to Multi-Site Connection
VPN Type : OpenVPN
VPN Mode : Shared Key
Net Type : Star Topology
Net Route : HQ-to-BR1 and HQ-to-BR2 only / no BR1-to-BR2 route

Headquarters info
WAN IP : 172.16.0.102 (External,Static from ISP)
LAN IP : 192.168.50.254/24 (LAN,Static)

Branch1 info
WAN IP : 172.16.0.188 (External,Dynamic from ISP)
LAN IP : 192.168.51.254/24 (LAN,Static)

Branch2 info
WAN IP : 172.16.0.189 (External,Dynamic from ISP)
LAN IP : 192.168.52.254/24 (LAN,Static)

Instructions
1) For all Sites
a) Install OpenVPN, Incoming Firewall and Certificates apps
b) Configure certificates

2) Headquarters (HQ)
a) Allow Incoming Firewall rules

Name : oVPN HQ-BR1
Proto: UDP
Port : 1195

Name : oVPN HQ-BR2
Proto: UDP
Port : 1196

b) Create key certificates for BR1 and BR2

openvpn --genkey --secret /etc/openvpn/HQ-BR1.key
openvpn --genkey --secret /etc/openvpn/HQ-BR2.key

c) Copy "HQ-BR1.key" to Branch1 "/etc/openvpn/HQ-BR1.key"
Copy "HQ-BR2.key" to Branch2 "/etc/openvpn/HQ-BR2.key"

d) Create conf file in Headquarters "/etc/openvpn/con_HQ-BR1.conf" (the key name must match step 2-b exactly; Linux file names are case-sensitive)

dev tun
port 1195
proto udp
ifconfig 10.8.144.50 10.8.144.51
route 192.168.51.0 255.255.255.0
comp-lzo
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
secret /etc/openvpn/HQ-BR1.key
log /etc/openvpn/con_hq-br1.log
status /etc/openvpn/con_hq-br1-stat.log
verb 2

e) Create conf file in Headquarters "/etc/openvpn/con_HQ-BR2.conf"

dev tun
port 1196
proto udp
ifconfig 10.8.145.50 10.8.145.51
route 192.168.52.0 255.255.255.0
comp-lzo
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
secret /etc/openvpn/HQ-BR2.key
log /etc/openvpn/con_hq-br2.log
status /etc/openvpn/con_hq-br2-stat.log
verb 2

2) Branch1 (BR1)
a) Allow Incoming Firewall rule

Name : oVPN HQ-BR1
Proto: UDP
Port : 1195

b) Create conf file in Branch1 "/etc/openvpn/con_BR1-HQ.conf" (the "ifconfig" addresses are the HQ pair in reverse order)

dev tun
port 1195
proto udp
remote 172.16.0.102 1195
ifconfig 10.8.144.51 10.8.144.50
route 192.168.50.0 255.255.255.0
comp-lzo
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
secret /etc/openvpn/HQ-BR1.key
log /etc/openvpn/con_br1-hq.log
status /etc/openvpn/con_br1-hq-stat.log
verb 2

3) Branch2 (BR2)
a) Allow Incoming Firewall rule

Name : oVPN HQ-BR2
Proto: UDP
Port : 1196

b) Create conf file in Branch2 "/etc/openvpn/con_BR2-HQ.conf"

dev tun
port 1196
proto udp
remote 172.16.0.102 1196
ifconfig 10.8.145.51 10.8.145.50
route 192.168.50.0 255.255.255.0
comp-lzo
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
secret /etc/openvpn/HQ-BR2.key
log /etc/openvpn/con_br2-hq.log
status /etc/openvpn/con_br2-hq-stat.log
verb 2
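As an added example (not part of the original post, and not ClearOS or OpenVPN code), the Python script below checks the HQ-side and branch-side configs of one tunnel against each other before anything is restarted: the client's "remote" port must equal the server's "port", the "ifconfig" addresses must be mirrored, each side must route the peer's LAN, and both sides must name the same key file that "openvpn --genkey --secret" wrote (Linux file names are case-sensitive, so "secret hq-br1.key" would not find "HQ-BR1.key"). The embedded config text is constructed from the HQ-BR1 pair above; the LAN/netmask tuples and the generated key path are assumptions passed in by the caller.

```python
# Consistency checker for an OpenVPN static-key site-to-site pair.
# Added example for this post; not ClearOS or OpenVPN code.
import posixpath


def parse_conf(text):
    """Parse OpenVPN config text into {directive: [[arg, ...], ...]}."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def first(conf, directive):
    """Argument list of the first occurrence of a directive, or None."""
    entries = conf.get(directive)
    return entries[0] if entries else None


def check_pair(server_text, client_text, server_lan, client_lan, generated_key):
    """Return a list of problems; an empty list means the pair is consistent.

    server_lan / client_lan: (network, netmask) tuples such as
    ("192.168.50.0", "255.255.255.0"). generated_key: the path given to
    'openvpn --genkey --secret' on HQ.
    """
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems = []

    # 1. The client's 'remote' must target the server's listening port.
    s_port, remote = first(s, "port"), first(c, "remote")
    if not s_port:
        problems.append("server: missing 'port'")
    if not remote:
        problems.append("client: missing 'remote'")
    elif s_port and len(remote) >= 2 and remote[1] != s_port[0]:
        problems.append(f"client 'remote' port {remote[1]} != server port {s_port[0]}")
    elif s_port and len(remote) == 1 and (first(c, "port") or [None])[0] != s_port[0]:
        problems.append("client: no remote port given and 'port' differs from server's")

    # 2. 'ifconfig LOCAL REMOTE' on one side is 'ifconfig REMOTE LOCAL' on the other.
    s_if, c_if = first(s, "ifconfig"), first(c, "ifconfig")
    if not s_if or not c_if or len(s_if) != 2 or len(c_if) != 2:
        problems.append("both sides need 'ifconfig LOCAL REMOTE'")
    elif [s_if[1], s_if[0]] != c_if:
        problems.append(f"ifconfig not mirrored: server {s_if}, client {c_if}")

    # 3. Each side must route the *peer's* LAN over the tunnel.
    for name, conf, peer_lan in (("server", s, client_lan), ("client", c, server_lan)):
        routes = [tuple(r[:2]) for r in conf.get("route", [])]
        if tuple(peer_lan) not in routes:
            problems.append(f"{name}: no 'route {peer_lan[0]} {peer_lan[1]}' for the peer LAN")

    # 4. Same shared-key file name on both sides, matching what --genkey wrote.
    #    File names are case-sensitive on Linux: 'hq-br1.key' is not 'HQ-BR1.key'.
    wanted = posixpath.basename(generated_key)
    for name, conf in (("server", s), ("client", c)):
        secret = first(conf, "secret")
        if not secret:
            problems.append(f"{name}: missing 'secret'")
        elif posixpath.basename(secret[0]) != wanted:
            problems.append(f"{name}: secret '{secret[0]}' != generated key '{wanted}'")
    return problems


# Constructed sample configs, trimmed to the directives the checker inspects.
HQ_BR1 = """\
dev tun
port 1195
proto udp
ifconfig 10.8.144.50 10.8.144.51
route 192.168.51.0 255.255.255.0
secret /etc/openvpn/HQ-BR1.key
"""
BR1_HQ = """\
dev tun
port 1195
proto udp
remote 172.16.0.102 1195
ifconfig 10.8.144.51 10.8.144.50
route 192.168.50.0 255.255.255.0
secret /etc/openvpn/HQ-BR1.key
"""
# Deliberately broken branch config: key name in the wrong case, ifconfig copied
# verbatim from HQ instead of reversed.
BR1_HQ_BAD = (BR1_HQ.replace("HQ-BR1.key", "hq-br1.key")
              .replace("ifconfig 10.8.144.51 10.8.144.50", "ifconfig 10.8.144.50 10.8.144.51"))

HQ_LAN = ("192.168.50.0", "255.255.255.0")   # assumption: HQ LAN from the post
BR1_LAN = ("192.168.51.0", "255.255.255.0")  # assumption: Branch1 LAN from the post

if __name__ == "__main__":
    for label, client in (("good", BR1_HQ), ("bad", BR1_HQ_BAD)):
        issues = check_pair(HQ_BR1, client, HQ_LAN, BR1_LAN, "/etc/openvpn/HQ-BR1.key")
        print(label, "->", issues or "consistent")
```

Run it once per tunnel (HQ-BR1 with BR1-HQ, HQ-BR2 with BR2-HQ) before step 4; fixing what it reports is usually faster than reading the logs after a failed restart.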

4) Checklist/Troubleshoot
a) Restart OpenVPN on Headquarters, Branch1 and Branch2
b) From Headquarters
ping 10.8.144.50
ping 10.8.144.51
ping 10.8.145.50
ping 10.8.145.51
ping 192.168.51.254
ping 192.168.52.254
c) From Branch1
ping 10.8.144.50
ping 10.8.144.51
ping 192.168.50.254
d) From Branch2
ping 10.8.145.50
ping 10.8.145.51
ping 192.168.50.254
e) Check the following log files for errors
Headquarters /etc/openvpn/con_hq-br1.log
Headquarters /etc/openvpn/con_hq-br2.log
Branch1 /etc/openvpn/con_br1-hq.log
Branch2 /etc/openvpn/con_br2-hq.log
f) Check the following log files for status
Headquarters /etc/openvpn/con_hq-br1-stat.log
Headquarters /etc/openvpn/con_hq-br2-stat.log
Branch1 /etc/openvpn/con_br1-hq-stat.log
Branch2 /etc/openvpn/con_br2-hq-stat.log

5) Notes and remarks
a) In the "remote" line of steps 2-b and 3-b, use the HQ's ClearOS FQDN instead of the IP if HQ gets a dynamic IP from its ISP
b) OpenVPN auto config can be disabled, but do not change any of OpenVPN's default conf files
c) No route is configured between Branch1 and Branch2; as per requirements, neither branch needs to reach the other's resources
Posted in OpenVPN, Friday, August 25 2017, 08:01 AM