EdgeRouter: OpenVPN site-to-site VPN

March 20, 2016

I have two sites hosting my home servers, so I wanted a solution that gives me a permanent link between the sites.

On site one I have an EdgeRouter POE and on the other site an EdgeRouter Lite, so the obvious solution is a permanent site-to-site VPN between the two routers.

There is a great tutorial on the UBNT forum that I followed; see here.

Here is my setup derived from the tutorial with some extra steps.

Router 1:
External IP/Name: site1.mooo.com (can also use an external IP address)
Internal IP: 192.168.2.1

Router 2:
External IP/Name: site2.mooo.com (can also use an external IP address)
Internal IP: 192.168.9.1

Steps


Step 1: On Router 1, access the command line and create a pre-shared key (NOT in Configure mode, but in Operational Mode).

Step 2: Transfer the pre-shared key to the other router.

View the pre-shared key on Router 1:

Copy the contents onto your clipboard.

Log in to Router 2 using ssh and create the file:

Paste the text from your clipboard.

Hit CTRL-D to save the file.

Change permissions on the file you just created:

Step 3: Configure Router 1

# Enter configuration mode

# Configure the OpenVPN to use vtun0

# Assign ports for use by OpenVPN

# Assign a local address for use by OpenVPN

# Assign a remote address for use by OpenVPN

# Tell OpenVPN the public address of the remote system

# Tell OpenVPN where to find the secret file

# Enable Compression (optional: must be done on both sides or neither)

# Enable Float, Ping, and Other Security Options (optional: see the OpenVPN man page for details)

# Tell EdgeRouter the remote subnet

# Commit, Save, and Exit Configuration Mode

Step 4: Configure Router 2

# Enter configuration mode

# Configure the OpenVPN

# Assign ports for use by OpenVPN

# Assign a local address for use by OpenVPN

# Assign a remote address for use by OpenVPN

# Tell OpenVPN the public address of the remote system

# Tell OpenVPN where to find the secret file

# Enable Compression (optional: must be done on both sides or neither)

# Enable Float, Ping, and Other Security Options (optional: see the OpenVPN man page for details)

# Tell EdgeRouter the remote subnet

# Commit, Save, and Exit Configuration Mode
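As an added example (not the tutorial's own commands), a small Python helper for two of the steps above: it checks that a pasted pre-shared key survived the clipboard intact, and it derives both routers' mirrored "set" commands from a single site definition, so the ports, tunnel addresses and compression option cannot disagree between Router 1 and Router 2. The EdgeOS option names are assumed from the EdgeOS CLI, and the tunnel IPs, port and /24 LAN prefixes are constructed sample values.

```python
import re

# Added example, not the tutorial's own commands: EdgeOS option names are assumed
# from the EdgeOS CLI; tunnel IPs, ports and /24 LAN prefixes are constructed.
BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"

def validate_static_key(text):
    """Return problems with a pasted OpenVPN static key (empty list = OK).
    A real key is 16 lines of 32 hex chars (2048 bits) between the markers;
    '#' comment lines written by 'openvpn --genkey' are ignored."""
    lines = [l.strip() for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    problems = []
    if not lines or lines[0] != BEGIN:
        problems.append("missing BEGIN marker")
    if not lines or lines[-1] != END:
        problems.append("missing END marker")
    body = lines[1:-1]
    if len(body) != 16:
        problems.append(f"expected 16 key lines, found {len(body)}")
    for i, line in enumerate(body, 1):
        if not re.fullmatch(r"[0-9a-fA-F]{32}", line):
            problems.append(f"key line {i} is not 32 hex characters")
    return problems

def site_to_site_commands(local, remote, secret="/config/auth/secret", compress=False):
    """EdgeOS 'set' commands for one router; call it twice with the sites swapped
    so ports and tunnel addresses mirror by construction and one 'compress'
    flag drives both sides (compression must be on both or neither)."""
    vtun = "set interfaces openvpn vtun0"
    cmds = [
        f"{vtun} mode site-to-site",
        f"{vtun} local-port {local['port']}",
        f"{vtun} remote-port {remote['port']}",
        f"{vtun} local-address {local['tunnel_ip']}",
        f"{vtun} remote-address {remote['tunnel_ip']}",
        f"{vtun} remote-host {remote['host']}",
        f"{vtun} shared-secret-key-file {secret}",
        f"set protocols static interface-route {remote['lan']} next-hop-interface vtun0",
    ]
    if compress:
        cmds.append(f'{vtun} openvpn-option "--comp-lzo"')
    return cmds

SITE1 = {"host": "site1.mooo.com", "port": 1194,
         "tunnel_ip": "10.255.255.1", "lan": "192.168.2.0/24"}
SITE2 = {"host": "site2.mooo.com", "port": 1194,
         "tunnel_ip": "10.255.255.2", "lan": "192.168.9.0/24"}
```

Run site_to_site_commands(SITE1, SITE2) for Router 1 and site_to_site_commands(SITE2, SITE1) for Router 2, and paste the output into configure mode on each router.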


At this point I am able to ping from one router to the other, but the servers on the two sides still do not see each other directly.

Check the status of the tunnel on Router 2:

If you need to restart the tunnel because of changes to the configuration, do the following on both routers:

Finally, list the final configuration of Router 1:

Finally, list the final configuration of Router 2:

Step 5: Configure Routers Hair-Pin
At this point:

1. I am able to ping from Router1
– the internal IP of Router2 192.168.9.1

2. I am able to ping from Router2
– the internal IP of Router1 192.168.2.1

Note that I am still not able to ping anything else from one site to the other. This is the same old story of the router trying to send everything through the WAN.
To solve this issue one last configuration step must be done: enable Hairpin NAT on both sites.

From the Router1 GUI go to Firewall/NAT -> Port Forwarding:
– Check “Hairpin NAT” check-box
– add “LAN interface” switch0 (all my servers I want to be visible on the other site are on this interface)
– Apply to save the new config

From the Router2 GUI go to Firewall/NAT -> Port Forwarding:
– Check “Hairpin NAT” check-box
– add “LAN interface” eth1 (all my servers I want to be visible on the other site are on this interface)
– Apply to save the new config.

After this step I can view all my servers from my desktop as if they were on the same site. Also, all the servers see each other, no matter on which site they actually reside.

Update: I was asked about the speed of the connection between the sites. It is not the best connection, but it is OK for management. There is no limitation due to the upload/download speeds of the two sites.
