EdgeRouter - OpenVPN Site-to-Site
Overview
Readers will learn how to configure a Site-to-Site VPN between two EdgeRouters using OpenVPN.
OpenVPN Site-to-Site Setup
The 192.168.1.0/24 network behind Site 1 (WAN address 203.0.113.1) and the 172.16.1.0/24 network behind Site 2 (WAN address 192.0.2.1) will be allowed to communicate with each other over the VPN.
Follow the steps below to add the OpenVPN Site-to-Site configuration to both EdgeRouters, starting with Site 1:
Site 1
1. Generate the 2048-bit shared secret (on Site 1 only; Site 2 receives a copy of the same key later).
generate vpn openvpn-key /config/auth/secret
2. Display the shared secret and copy the output to a text file. This key is the only thing that authenticates the two routers to each other, so transfer it to Site 2 over a secure channel (for example SSH) and delete the temporary copy afterwards.
sudo cat /config/auth/secret
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
48fc8ac5b96655a08e041de6263a4e7b
<output shortened>
-----END OpenVPN Static key V1-----
3. Enter configuration mode.
configure
4. Add a rule to the WAN_LOCAL firewall policy (traffic addressed to the router itself) that accepts the OpenVPN traffic on UDP port 1194.
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description openvpn
set firewall name WAN_LOCAL rule 30 destination port 1194
set firewall name WAN_LOCAL rule 30 protocol udp
5. Create the OpenVPN virtual tunnel interface and link the shared secret.
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
6. Define the tunnel mode and local and remote ports.
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 remote-port 1194
7. Define the local and remote endpoints of the tunnel.
set interfaces openvpn vtun0 remote-host 192.0.2.1
set interfaces openvpn vtun0 local-host 203.0.113.1
8. Define the local and remote tunnel IP addresses.
set interfaces openvpn vtun0 local-address 10.255.12.1
set interfaces openvpn vtun0 remote-address 10.255.12.2
9. Create a routing entry for the remote subnet.
set protocols static interface-route 172.16.1.0/24 next-hop-interface vtun0
10. Tweak the OpenVPN options (see the OpenVPN manual for more information).
11. Commit the changes and save the configuration.
commit ; save
Site 2
1. Copy the contents of the shared secret generated on Site 1 earlier to a new file in the /config/auth directory.
sudo cat > /config/auth/secret
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
48fc8ac5b96655a08e041de6263a4e7b
<output shortened>
-----END OpenVPN Static key V1-----
2. Press CTRL-D to end the input and save the file.
3. Change the file permissions and set the owner to the root user.
sudo chmod 600 /config/auth/secret
sudo chown root /config/auth/secret
4. Verify that the file is in the correct location and that it has the correct permissions.
ls -l /config/auth/
-rw------- 1 root vyattacf 636 Jan 1 13:00 secret
5. Enter configuration mode.
configure
6. Add a rule to the WAN_LOCAL firewall policy (traffic addressed to the router itself) that accepts the OpenVPN traffic on UDP port 1194.
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description openvpn
set firewall name WAN_LOCAL rule 30 destination port 1194
set firewall name WAN_LOCAL rule 30 protocol udp
7. Create the OpenVPN virtual tunnel interface and link the shared secret.
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
8. Define the tunnel mode and local and remote ports.
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 remote-port 1194
9. Define the local and remote endpoints of the tunnel.
set interfaces openvpn vtun0 remote-host 203.0.113.1
set interfaces openvpn vtun0 local-host 192.0.2.1
10. Define the local and remote tunnel IP addresses.
set interfaces openvpn vtun0 local-address 10.255.12.2
set interfaces openvpn vtun0 remote-address 10.255.12.1
11. Create a routing entry for the remote subnet.
set protocols static interface-route 192.168.1.0/24 next-hop-interface vtun0
12. Tweak the OpenVPN options (see the OpenVPN manual for more information).
13. Commit the changes and save the configuration.
commit ; save
You can verify the OpenVPN settings using the following commands:
show firewall name WAN_LOCAL statistics
show interfaces
show interfaces openvpn detail
show openvpn status site-to-site
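Because the static key is the only credential protecting the tunnel, it is worth checking the copy pasted on Site 2 (steps 1 to 4 above) before committing it. The script below is an added example and is not part of the Ubiquiti article: the check_openvpn_secret and make_sample_secret functions, the constructed sample key and the use of GNU stat are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the Ubiquiti article: sanity-check the static key copied
# to Site 2 before committing "shared-secret-key-file". A key that was truncated or
# garbled while pasting, or that is readable by other users, is a common reason the
# tunnel never comes up. Assumes GNU stat (-c), as on the Debian-based EdgeOS.
BEGIN_MARK='-----BEGIN OpenVPN Static key V1-----'
END_MARK='-----END OpenVPN Static key V1-----'

# check_openvpn_secret FILE [OWNER]: returns 0 when FILE is mode 600, owned by OWNER
# (default root) and holds exactly 2048 bits (512 hex digits) between the markers.
# Each failing check has its own non-zero return code and prints the reason.
check_openvpn_secret() {
    f=$1; want_owner=${2:-root}
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    perm=$(stat -c '%a' "$f"); owner=$(stat -c '%U' "$f")
    [ "$perm" = "600" ] || { echo "mode $perm, want 600 (run chmod 600)"; return 2; }
    [ "$owner" = "$want_owner" ] || { echo "owner $owner, want $want_owner"; return 3; }
    grep -qxF -- "$BEGIN_MARK" "$f" && grep -qxF -- "$END_MARK" "$f" \
        || { echo "BEGIN/END markers not found (not a V1 key, or CRLF line endings)"; return 4; }
    # Concatenate every line strictly between the two markers into one hex string.
    body=$(awk -v b="$BEGIN_MARK" -v e="$END_MARK" '$0==e{p=0} p{printf "%s",$0} $0==b{p=1}' "$f")
    printf '%s\n' "$body" | grep -Eiq '^[0-9a-f]+$' \
        || { echo "non-hex characters in key body (paste garbled?)"; return 5; }
    [ "${#body}" -eq 512 ] || { echo "key body is ${#body} hex digits, want 512 (2048 bits)"; return 6; }
    echo "ok: $f is a 2048-bit static key, mode 600, owner $owner"
}

# make_sample_secret FILE: write a constructed key in the layout shown in the article
# (3 comment lines, BEGIN marker, 16 lines of 32 hex digits, END marker; 636 bytes),
# repeating the article's sample line, so the check can be exercised offline.
make_sample_secret() {
    {
        printf '#\n# 2048 bit OpenVPN static key\n#\n%s\n' "$BEGIN_MARK"
        i=0
        while [ "$i" -lt 16 ]; do printf '48fc8ac5b96655a08e041de6263a4e7b\n'; i=$((i+1)); done
        printf '%s\n' "$END_MARK"
    } > "$1"
    chmod 600 "$1"
}

# Stand-alone demonstration on a constructed key; on the router you would run
# check_openvpn_secret /config/auth/secret instead (the default owner check is root).
tmp=$(mktemp) && make_sample_secret "$tmp" && check_openvpn_secret "$tmp" "$(id -un)"
rm -f "$tmp"
```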