In this recipe, we set up a complete site-to-site network, using most of the built-in security features that OpenVPN offers. It is intended as a "one-stop-shop" example of how to set up a point-to-point network.
We use the following network layout:
Install OpenVPN 2.0 or higher on two computers. Make sure that the computers are connected over a network. For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1 and the client was running Fedora 13 Linux and OpenVPN 2.1.1. We'll use the secret.key file from the OpenVPN Secret keys recipe here.
Make sure routing (IP forwarding) is configured on both the server and client.
- Create the server configuration file:
dev tun proto udp local openvpnserver.example.com lport 1194 remote openvpnclient.example.com rport 1194 secret secret.key 0 ifconfig 10.200.0.1 10.200.0.2 route 192.168.4.0 255.255.255.0 user nobody group nobody persist-tun persist-key keepalive 10 60 ping-timer-rem verb 3 daemon log-append /tmp/openvpn.log
Save it as
example1-7-server.conf. - On the client side, we create the configuration file:
dev tun proto udp local openvpnclient.example.com lport 1194 remote openvpnserver.example.com rport 1194 secret secret.key 1 ifconfig 10.200.0.2 10.200.0.1 route 172.31.32.0 255.255.255.0 user nobody group nobody persist-tun persist-key keepalive 10 60 ping-timer-rem verb 3 daemon log-append /tmp/openvpn.log
Save it as
example1-7-client.conf. - We start the tunnel on both ends:
[root@server]# openvpn --config example1-7-server.confAnd:
[root@client]# openvpn --config client.confNow our site-to-site tunnel is established.
- Check the log files on both the client and server, to verify that the connection has been established.
After the connection comes up, the machines on the LANs behind both end points can be reached over the OpenVPN tunnel.
- For example, when we ping a machine on the client-side LAN from the server, we see the following:
The client and server configuration files are very similar:
- The server listens only on one interface and one UDP port
- The server accepts connections only from a single IP address and port
- The client has these options mirrored
Here is the set of configuration options:
user nobody group nobody persist-tun persist-key keepalive 10 60 ping-timer-rem
They are used to make the connection more robust and secure, as follows:
- The OpenVPN process runs as user
nobody, groupnobody, after the initial connection is established. Even if somebody is able to take control of the OpenVPN process itself he would still only be usernobodyand notroot. Note that on some Linux distributions the groupnogroupis used instead. - The
persist-tunandpersist-keyoptions are used to ensure that the connection comes back up automatically if the underlying network is disrupted. These options are necessary when usinguser nobodyandgroup nobody(orgroup nogroup). - The
keepaliveandping-timer-remoptions cause OpenVPN to send a periodic 'ping' message over the tunnel to ensure that both ends of the tunnel remain up and running.
This point-to-point setup can also be used to evade restrictive firewalls. The data stream between the two endpoints is not recognizable and very hard to decipher. When OpenVPN is run in client/server (see Chapter 2, Multi-client TUN-style Networks), the traffic is recognizable as OpenVPN traffic due to the initial TLS handshake.
- Chapter 8, Troubleshooting OpenVPN: Routing Issues, in which the most common routing issues are explained.