Help Center Help Articles Community RMA & Warranty Downloads Tech Specs

EdgeRouter - OpenVPN Site-to-Site

Translated by AI

Overview

Readers will learn how to configure a Site-to-Site VPN between two EdgeRouters using OpenVPN.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information.

OpenVPN Site-to-Site Setup

Back to Top

topology.png

The 192.168.1.0/24 and 172.16.1.0/24 networks will be allowed to communicate with each other over the VPN.

Follow the steps below to add the OpenVPN Site-to-Site configuration to both EdgeRouters:

CLI: Access the Command Line Interface on the Site 1 EdgeRouter.

1. Generate the 2048 bit shared secret.

generate vpn openvpn-key /config/auth/secret

2. Display the shared secret and copy the output to a text file.

sudo cat /config/auth/secret
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
48fc8ac5b96655a08e041de6263a4e7b
<output shortened>
-----END OpenVPN Static key V1-----

3. Enter configuration mode.

configure

4. Add a firewall rule for the OpenVPN traffic to the local firewall policy.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description openvpn
set firewall name WAN_LOCAL rule 30 destination port 1194
set firewall name WAN_LOCAL rule 30 protocol udp

5. Create the OpenVPN virtual tunnel interface and link the shared secret.

set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret

6. Define the tunnel mode and local and remote ports.

set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 remote-port 1194

7. Define the local and remote endpoints of the tunnel.

set interfaces openvpn vtun0 remote-host 192.0.2.1
set interfaces openvpn vtun0 local-host 203.0.113.1

8. Define the local and remote tunnel IP addresses.

set interfaces openvpn vtun0 local-address 10.255.12.1
set interfaces openvpn vtun0 remote-address 10.255.12.2  

9. Create a routing entry for the remote subnet.

set protocols static interface-route 172.16.1.0/24 next-hop-interface vtun0

10.  Tweak the OpenVPN options (see the OpenVPN manual for more information).

11. Commit the changes and save the configuration.

commit ; save
CLI: Access the Command Line Interface on the Site 2 EdgeRouter.

1. Copy the contents of the shared secret generated on Site 1 earlier to a new file in the /config/auth directory.

sudo cat > /config/auth/secret
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
48fc8ac5b96655a08e041de6263a4e7b
<output shortened>
-----END OpenVPN Static key V1-----

2. Use CTRL-D to save the file.

3. Change the file permissions and set the owner to the root user.

sudo chmod 600 /config/auth/secret
sudo chown root /config/auth/secret

4. Verify that the file is in the correct location and that it has the correct permissions.

ls -l /config/auth/
-rw------- 1 root vyattacf 636 Jan 1 13:00 secret

5. Enter configuration mode.

configure

6. Add a firewall rule for the OpenVPN traffic to the local firewall policy.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description openvpn
set firewall name WAN_LOCAL rule 30 destination port 1194
set firewall name WAN_LOCAL rule 30 protocol udp

7. Create the OpenVPN virtual tunnel interface and link the shared secret.

set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret

8.  Define the tunnel mode and local and remote ports.

set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 remote-port 1194

9. Define the local and remote endpoints of the tunnel.

set interfaces openvpn vtun0 remote-host 203.0.113.1
set interfaces openvpn vtun0 local-host 192.0.2.1

10. Define the local and remote tunnel IP addresses.

set interfaces openvpn vtun0 local-address 10.255.12.2
set interfaces openvpn vtun0 remote-address 10.255.12.1  

11. Create a routing entry for the remote subnet.

set protocols static interface-route 192.168.1.0/24 next-hop-interface vtun0

12.  Tweak the OpenVPN options (see the OpenVPN manual for more information).

13. Commit the changes and save the configuration.

commit ; save  

You can verify the OpenVPN settings using the following commands:

show firewall name WAN_LOCAL statistics 
show interfaces
show interfaces openvpn detail       
show openvpn status site-to-site

Related Articles

Back to Top

EdgeRouter - OpenVPN Server

EdgeRouter - OpenVPN Layer 2 Tunnel

Intro to Networking - How to Establish a Connection Using SSH

Was this article helpful?
0 out of 0 found this helpful