OpenVPN Site-to-Site
This is a small how-to for connecting two OpenWrt routers running OpenVPN with a site-to-site VPN tunnel.
- We assign 2 IPs, one for the tun0 interface on each router.
- This guide assumes that you have already installed the openvpn packages on both devices.
- In this guide, router A has the 192.168.10.x network and IP 192.168.251.1 on its tun0 interface, and router B has the 192.168.22.x network and IP 192.168.251.2 on its tun0 interface.
- You will need the file /etc/openvpn/static.key, or generate a new one on one router and copy it to the other.
- Ports 1195 and 1194 can be changed.
- You can have multiple blocks of configuration in OpenVPN: one for Road Warriors (see here) and the one documented here.
- Follow the guide here for installing OpenVPN and configuring the interfaces tun0/tun1 etc.
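The static key mentioned in the list above is the only secret protecting this tunnel, so it is worth checking on both routers before OpenVPN is started. The script below is an added example, not part of the original how-to; its function names are hypothetical, and it assumes the 2048-bit key file format written by openvpn --genkey.

```shell
#!/bin/sh
# Added example: sanity checks for an OpenVPN static key file.
# Function names are hypothetical. Run check_key on each router and
# compare the printed fingerprints instead of comparing the keys themselves.

# Fall back to shasum where sha256sum is not installed.
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

# Print only the hex body between the BEGIN/END markers, whitespace removed.
key_body() {
    sed -n '/^-----BEGIN OpenVPN Static key V1-----/,/^-----END OpenVPN Static key V1-----/p' "$1" \
        | grep -v '^-----' | tr -d ' \t\r\n'
}

# A 2048-bit static key is 512 hex characters (16 lines of 32).
key_is_wellformed() {
    body=$(key_body "$1")
    [ "${#body}" -eq 512 ] || return 1
    case "$body" in *[!0-9a-fA-F]*) return 1 ;; esac
    return 0
}

# The key is a shared secret: only the owner may read (or write) it.
key_is_private() {
    mode=$(ls -ln "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || [ "$mode" = "-r--------" ]
}

# SHA-256 of the normalized body; unlike the key, this is safe to paste.
key_fingerprint() {
    key_body "$1" | sha256sum | cut -d' ' -f1
}

# Returns 1 for a malformed key, 2 for loose permissions, 0 otherwise.
check_key() {
    key_is_wellformed "$1" || { echo "$1: not a 2048-bit static key" >&2; return 1; }
    key_is_private "$1"    || { echo "$1: fix with chmod 600" >&2; return 2; }
    echo "$1 sha256:$(key_fingerprint "$1")"
}

# Usage: check_key /etc/openvpn/static.key   (router A)
#        check_key /etc/openvpn/remote.key   (router B)
```

The two fingerprints must be identical; a mismatch means the key was altered or truncated while being copied.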
Router A
config 'openvpn' 'site-to-site'
	option 'enable' '1'
	option 'port' '1195'
	option 'proto' 'udp'
	option 'dev' 'tun'
	option 'secret' '/etc/openvpn/static.key'
	option 'ifconfig' '192.168.251.1 192.168.251.2' # this device tun0 / remote device tun0
	option 'keepalive' '10 120'
	option 'comp_lzo' '1'
	option 'verb' '10' # debug-level logging; very verbose
	option 'float' '1'
	option 'local' '192.168.10.1' # bind address only; the port is set by 'port' above
	option 'remote' 'remote.host.name 1194'
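Add to /etc/firewall.user (the tun+ rules match every tun interface, so they also apply to any Road Warrior tunnel on the same router):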
iptables -t nat -A prerouting_wan -p udp --dport 1195 -j ACCEPT
iptables -A input_wan -p udp --dport 1195 -j ACCEPT
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
Add a static route between the 2 LANs (on router A, towards router B's 192.168.22.x network):
route add -net 192.168.22.0 netmask 255.255.255.0 gw 192.168.251.2
Router B
config 'openvpn' 'Site-to-site2'
	# no 'port' option: OpenVPN listens on its default UDP port 1194
	option 'enabled' '1'
	option 'dev' 'tun'
	option 'ifconfig' '192.168.251.2 192.168.251.1' # this device tun0 / remote device tun0
	option 'secret' '/etc/openvpn/remote.key'
	option 'keepalive' '10 120'
	option 'comp_lzo' '1'
	option 'persist_key' '1'
	option 'persist_tun' '1'
	option 'verb' '3'
Add to /etc/firewall.user
iptables -t nat -A prerouting_wan -p udp --dport 1194 -j ACCEPT
iptables -A input_wan -p udp --dport 1194 -j ACCEPT
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
Add a static route between the 2 LANs (on router B, towards router A's 192.168.10.x network):
route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.251.1