February 18

OpenVPN Site-to-Site

This is a small how-to for connecting two OpenWRT routers running OpenVPN with a site-to-site VPN tunnel.

- We assign two IPs, one to the tun0 interface on each router.

- This guide assumes you have already installed the OpenVPN packages on both devices.

- In this guide router A has the 192.168.10.x network and 192.168.251.1 on its tun0 interface; router B has the 192.168.22.x network and 192.168.251.2 on its tun0 interface.

- You will need the static key file /etc/openvpn/static.key: generate a new one on one router and copy it to the other, so both ends use the same key.

- The ports 1195 and 1194 can be changed.

- You can have multiple configuration blocks in OpenVPN, one for road warriors (see here) and the one documented here.

- Follow the guide here for installing OpenVPN and configuring the interfaces tun0/tun1 etc.

Router A


config 'openvpn' 'site-to-site'
        option 'enabled' '1'
        option 'port' '1195'
        option 'proto' 'udp'
        option 'dev' 'tun'
        option 'secret' '/etc/openvpn/static.key'       # pre-shared static key, identical on both routers
        option 'ifconfig' '192.168.251.1 192.168.251.2' # this device tun0 / remote device tun0
        option 'keepalive' '10 120'
        option 'comp_lzo' '1'
        option 'verb' '10'                              # debug-level logging; lower it once the tunnel is up
        option 'float' '1'
        option 'local' '192.168.10.1 1195'
        option 'remote' 'remote.host.name 1194'         # router B's public host name and listening port

Add to /etc/firewall.user


# let the tunnel's UDP packets in from the WAN
iptables -t nat -A prerouting_wan -p udp --dport 1195 -j ACCEPT
iptables -A input_wan -p udp --dport 1195 -j ACCEPT

# accept everything entering, leaving or crossing a tun interface
# (this is wide open between the two LANs; restrict to the two subnets if you need finer control)
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT

Add a static route between the two LANs


# -net takes the remote LAN network (router B's 192.168.22.x subnet from the introduction) via B's tun0 address;
# the route is not persistent, so also add it to a startup script if it must survive a reboot
route add -net  netmask 255.255.255.0 gw 192.168.251.2

Router B


# no 'remote' here: router B waits for router A to connect on the OpenVPN default, 1194/udp (the port opened below)
config 'openvpn' 'Site-to-site2'
        option 'enabled' '1'
        option 'dev' 'tun'
        option 'ifconfig' '192.168.251.2 192.168.251.1' # this device tun0 / remote device tun0
        option 'secret' '/etc/openvpn/remote.key'       # copy of router A's static.key
        option 'keepalive' '10 120'
        option 'comp_lzo' '1'
        option 'persist_key' '1'
        option 'persist_tun' '1'
        option 'verb' '3'

Add to /etc/firewall.user


# let the tunnel's UDP packets in from the WAN
iptables -t nat -A prerouting_wan -p udp --dport 1194 -j ACCEPT
iptables -A input_wan -p udp --dport 1194 -j ACCEPT

# accept everything entering, leaving or crossing a tun interface
# (this is wide open between the two LANs; restrict to the two subnets if you need finer control)
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT

Add a static route between the two LANs


# -net takes the remote LAN network (router A's 192.168.10.x subnet from the introduction) via A's tun0 address;
# the route is not persistent, so also add it to a startup script if it must survive a reboot
route add -net  netmask 255.255.255.0 gw 192.168.251.1
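A consistency check for the two router blocks above, added here as an example and not part of the original how-to: it parses UCI openvpn blocks and verifies the pairing rules a static-key point-to-point tunnel relies on (both ends enabled under the correct 'enabled' key, a secret on each side, mirrored ifconfig addresses, and A's remote port equal to the port B listens on). The sample blocks are constructed from the guide; remote.host.name is the guide's own placeholder.

```python
import re

# Matches the UCI option lines the guide uses: option 'name' 'value'
OPT_RE = re.compile(r"^\s*option\s+'?(\w+)'?\s+'([^']*)'")

def parse_uci_openvpn(text):
    """Return {option: value} for the first 'config openvpn' block in text."""
    opts, in_block = {}, False
    for line in text.splitlines():
        line = line.split('#', 1)[0]          # UCI ignores text after '#'
        if line.strip().startswith('config'):
            if in_block:
                break                         # next section: first block is done
            in_block = 'openvpn' in line
            continue
        m = OPT_RE.match(line)
        if in_block and m:
            opts[m.group(1)] = m.group(2)
    return opts

def check_pair(a, b):
    """Problems between peer configs a (dials out) and b (listens); empty list = consistent."""
    problems = []
    for name, cfg in (('A', a), ('B', b)):
        if cfg.get('enabled') != '1':
            problems.append(f"{name}: not enabled (UCI key is 'enabled', not 'enable')")
        if not cfg.get('secret'):
            problems.append(f"{name}: no 'secret' static key configured")
    ia, ib = a.get('ifconfig', '').split(), b.get('ifconfig', '').split()
    if len(ia) != 2 or ia != ib[::-1]:        # each side's local/remote is the other's remote/local
        problems.append(f"ifconfig not mirrored: A={ia} B={ib}")
    remote, listen = a.get('remote', '').split(), b.get('port', '1194')   # 1194: OpenVPN default
    if len(remote) == 2 and remote[1] != listen:
        problems.append(f"A dials port {remote[1]} but B listens on {listen}")
    return problems

# Constructed samples following the guide's two blocks; remote.host.name is the guide's placeholder.
ROUTER_A = """config 'openvpn' 'site-to-site'
        option 'enabled' '1'
        option 'secret' '/etc/openvpn/static.key'
        option 'ifconfig' '192.168.251.1 192.168.251.2' #this device tun0 / remote device tun0
        option 'remote' 'remote.host.name 1194'
"""
ROUTER_B = """config 'openvpn' 'Site-to-site2'
        option 'enabled' '1'
        option 'ifconfig' '192.168.251.2 192.168.251.1'
        option 'secret' '/etc/openvpn/remote.key'
"""
# The same block with two slips the checker is meant to catch: 'enable' misspelt and a wrong peer address.
BROKEN_B = ROUTER_B.replace("'enabled'", "'enable'").replace("192.168.251.1'", "192.168.251.3'")
```

Feed check_pair the two blocks of the routers you are pairing: an empty list means addresses and ports line up, anything else names the mismatch.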