OpenVPN site to site VPN

I could not work this out from the OpenVPN manual, so I have a question.
The environment is as follows.

・ OpenWrt router x 3
Base A Global IP 111.111.111.111 (Dummy)
Private IP 192.168.1.0/24
OpenVPN IP 192.168.8.1/24

Base B Global IP 222.222.222.222 (Dummy)
Private IP 192.168.2.0/24
OpenVPN IP 192.168.8.2/24

Base C Global IP 333.333.333.333 (Dummy)
Private IP 192.168.3.0/24
OpenVPN IP 192.168.8.3/24

The requirements are:
I would like to access the private IPs of bases A and B and bases C and C.
In addition, I want to access the private IP of base A from base B and base C.
To achieve this, we are evaluating OpenVPN.

For now, we are working with the following configuration files.

[Base A]
verb 3
user nobody
group nogroup
dev tun0
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
fragment 1280
mssfix 1280
link-mtu 1400

-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----


-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----


-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----


-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----


-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

[Base B]
[Base C]
verb 3
dev tun
nobind
client
remote 111.111.111.111 1194 udp
auth-nocache
remote-cert-tls server
fragment 1280
mssfix 1280
link-mtu 1400

-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----


-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----


-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----


-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

With the above settings, all Internet access from sites B and C goes through site A, which makes it slow.
I think the cause is the "redirect-gateway def1" pushed from the server configuration file, but I do not know how to set up the routing and iptables rules, or how to write them.

How can I use OpenVPN to communicate only with the private LAN between sites?

Thank you for the information.
I did not realize that such a page existed.
I will use it as a reference and experiment.

If you have control of all nodes you probably want to look at Wireguard at this point.

Is it a shell script like the one below?

VPN_CCD="/etc/openvpn/ccd"
mkdir -p "${VPN_CCD}"

# per-client files, named after each client's certificate CN
# (vpnclient1 = base B, vpnclient2 = base C): fixed tunnel IP plus
# the LAN behind that client
cat << EOF > "${VPN_CCD}/vpnclient1"
ifconfig-push 192.168.8.2 255.255.255.0
iroute 192.168.2.0 255.255.255.0
EOF

cat << EOF > "${VPN_CCD}/vpnclient2"
ifconfig-push 192.168.8.3 255.255.255.0
iroute 192.168.3.0 255.255.255.0
EOF

# server side: enable the ccd directory, add kernel routes on A for the
# two remote LANs, and push A's LAN to every client
cat << EOF >> /etc/openvpn/vpnserver.conf
client-config-dir ${VPN_CCD}
route 192.168.2.0 255.255.255.0 192.168.8.2
route 192.168.3.0 255.255.255.0 192.168.8.3
push "route 192.168.1.0 255.255.255.0"
EOF
service openvpn restart
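As an added example (not code from the original posts), the site-A configuration the question and the script above are heading toward, written out in full: the redirect-gateway and DNS pushes are gone, the route/iroute pairs stay, and each client's ccd file also pushes the other site's LAN so B and C can reach each other via client-to-client. The directory argument, the file names and the client CNs vpnclient1/vpnclient2 are assumptions; the inline key material and MTU lines from the original config are left out.

```shell
#!/bin/sh
# Added example, not from the thread: writes a corrected site-A server config and
# per-client ccd files into the directory given as $1, then checks them.
# Client CNs vpnclient1/vpnclient2 and the file names are assumptions.
set -eu
write_site_a_config() {   # $1 = target directory (a scratch dir when testing)
    mkdir -p "$1/ccd"
    # original options minus the pushes that sent all client traffic and DNS
    # through A (redirect-gateway def1, dhcp-option DNS/DOMAIN); keys omitted
    cat > "$1/vpnserver.conf" <<EOF
verb 3
user nobody
group nogroup
dev tun0
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
client-config-dir $1/ccd
# kernel routes on A for the remote LANs; the ccd iroute names the owning client
route 192.168.2.0 255.255.255.0
route 192.168.3.0 255.255.255.0
# every client learns A's LAN; the other site's LAN is pushed per client
push "route 192.168.1.0 255.255.255.0"
EOF
    # B: fixed tunnel IP, owns 192.168.2.0/24, learns C's LAN (C mirrors this)
    printf '%s\n' 'ifconfig-push 192.168.8.2 255.255.255.0' \
        'iroute 192.168.2.0 255.255.255.0' \
        'push "route 192.168.3.0 255.255.255.0"' > "$1/ccd/vpnclient1"
    printf '%s\n' 'ifconfig-push 192.168.8.3 255.255.255.0' \
        'iroute 192.168.3.0 255.255.255.0' \
        'push "route 192.168.2.0 255.255.255.0"' > "$1/ccd/vpnclient2"
}
# 0 if the config pushes no default route, so Internet traffic stays local
pushes_no_default_route() {
    ! grep -Eq '^[[:space:]]*push[[:space:]]+"?redirect-gateway' "$1"
}
# 0 if every "route" network in the server config has an iroute in some ccd
# file; otherwise OpenVPN cannot tell which client owns the LAN and drops it
iroutes_cover_routes() {
    for net in $(awk '/^route /{print $2}' "$1/vpnserver.conf"); do
        grep -qs "^iroute $net " "$1"/ccd/* || return 1
    done
}
```

Each OpenWrt router must still be allowed to forward between its LAN and tun0 (add the tunnel interface to the lan zone or a forwarding rule in /etc/config/firewall), otherwise the routes exist but the firewall drops the traffic.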

+1 to wireguard.
Simpler to configure, and faster.