Installing and Configuring OpenVPN on Debian Jessie

What's up folks, here I will show you how to install and configure the OpenVPN server and the clients. The process is not hard, but there is a lot of information that can be misinterpreted, so pay close attention.

Prepare your system with the following shell script http://wiki.douglasqsantos.com.br/doku.php/confinicialjessie_en. If you do not use this script, be aware that you may hit some problems during the process.

Let's define some values that I will assume in this how-to:

  1. External IP of HQ: 200.200.200.1
  2. External IP of Branch: 200.200.200.2
  3. HQ LAN Network: 192.168.10.0/24
  4. Branch LAN Network: 192.168.11.0/24
  5. OpenVPN Network: 10.254.0.0/24
  6. OpenVPN interface: tun0
  7. We will need to enable IP forwarding: echo 1 > /proc/sys/net/ipv4/ip_forward
  8. We will need to masquerade the networks behind the OpenVPN network: iptables -t nat -A POSTROUTING -s 10.254.0.0/24 -j MASQUERADE

HQ

Now we need to update the repositories and upgrade the whole system before we start installing the new packages

aptitude update && aptitude dist-upgrade -y

Let's install the Openvpn service.

aptitude install openvpn -y

Now we need to copy the easy-rsa directory into the openvpn directory

cp -Rfa /usr/share/easy-rsa /etc/openvpn/easy-rsa

Now let's define some variables in the vars file, which set the key size, expiry time and other details.

vim /etc/openvpn/easy-rsa/vars
[...]
export KEY_SIZE=2048

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="BR"
export KEY_PROVINCE="PR"
export KEY_CITY="Curitiba"
export KEY_ORG="Douglas"
export KEY_EMAIL="douglas.q.santos@gmail.com"
export KEY_OU="HQ"

Now we need to load the variables to the environment.

cd /etc/openvpn/easy-rsa
. ./vars

The following command is dangerous because it removes all existing OpenVPN keys, so use it carefully

./clean-all

Now we need to generate the CA certificate that will be used to sign the other certificates.

./build-ca
Generating a 2048 bit RSA private key
...................................+++
..............................................................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BR]: #ENTER
State or Province Name (full name) [PR]: #ENTER
Locality Name (eg, city) [Curitiba]: #ENTER
Organization Name (eg, company) [Douglas]: #ENTER
Organizational Unit Name (eg, section) [HQ]: #ENTER
Common Name (eg, your name or your server's hostname) [Douglas CA]: #ENTER
Name [EasyRSA]: #ENTER
Email Address [douglas.q.santos@gmail.com]: #ENTER

Now we need to generate the server's certificates

./build-key-server server
Generating a 2048 bit RSA private key
..................+++
..........................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BR]: #ENTER
State or Province Name (full name) [PR]: #ENTER
Locality Name (eg, city) [Curitiba]: #ENTER
Organization Name (eg, company) [Douglas]: #ENTER
Organizational Unit Name (eg, section) [HQ]: #ENTER
Common Name (eg, your name or your server's hostname) [server]: #ENTER
Name [EasyRSA]: server
Email Address [douglas.q.santos@gmail.com]: #ENTER

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #ENTER
An optional company name []:Douglas
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'BR'
stateOrProvinceName   :PRINTABLE:'PR'
localityName          :PRINTABLE:'Curitiba'
organizationName      :PRINTABLE:'Douglas'
organizationalUnitName:PRINTABLE:'HQ'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'server'
emailAddress          :IA5STRING:'douglas.q.santos@gmail.com'
Certificate is to be certified until Aug 15 12:51:45 2025 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Now we need to generate the Diffie-Hellman parameters, which are used for the key exchange and work together with shared.key

./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time

Now we need to create the shared key that will be used by tls-auth

openvpn --genkey --secret keys/shared.key

Now we need to create the hq configuration file /etc/openvpn/server.conf

vim /etc/openvpn/server.conf
# TCP/UDP port number or port name for both local and remote. The current default of 1194 represents the official IANA port number assignment for OpenVPN
port    1194

# Indicates the protocol to use when connecting with the remote, and may be "tcp" or "udp". 
proto   tcp

# Announce to TCP sessions running over the tunnel that they should limit their send packet sizes such that after OpenVPN has encapsulated them,
# the resulting UDP packet size that OpenVPN sends to its peer will not exceed max bytes. The default value is 1450.
mssfix 1450

# TUN/TAP virtual network device.  You must use either tun devices on both ends of the connection or tap devices on both ends.
#  You cannot mix them, as they represent different underlying network layers. 
dev tun

# Enable TLS and assume server role during TLS handshake. Note that OpenVPN is designed as a peer-to-peer application.
# The designation of client or server is only for the purpose of negotiating the TLS control channel. 
tls-server

# Add an additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks. 
tls-auth    keys/shared.key 0

# Certificate authority (CA) file in .pem format, also referred to as the root certificate. 
# This file can have multiple certificates in .pem format, concatenated together. 
ca  certs/ca.crt

# Local peer's signed certificate in .pem format -- must be signed by a certificate authority whose certificate is in --ca file
# Each peer in an OpenVPN link running in TLS mode should have its own certificate and private key file. 
# In addition, each certificate should have been signed by the key of a certificate authority whose public key resides in the --ca certificate authority file
cert    certs/server.crt

# Local peer's private key in .pem format. Use the private key which was generated when you built your peer's certificate 
key keys/server.key

# File containing Diffie Hellman parameters in .pem format (required for --tls-server only).
dh  keys/dh2048.pem

# A helper directive designed to simplify the configuration of OpenVPN's server mode. 
# This directive will set up an OpenVPN server which will allocate addresses to clients out of the given network/netmask. 
server  10.254.0.0 255.255.255.0

# Persist/unpersist ifconfig-pool data to file, at seconds intervals (default=600), as well as on program startup and shutdown. 
# The goal of this option is to provide a long-term association between clients (denoted by their common name)
# and the virtual IP address assigned to them from the ifconfig-pool.
ifconfig-pool-persist   ipp.txt

# Specify a directory dir for custom client config files. After a connecting client has been authenticated,
# OpenVPN will look in this directory for a file having the same name as the client's X509 common name.
#  If a matching file exists, it will be opened and parsed for client-specific configuration options.
client-config-dir   ccd

# Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically
# torn down in reverse order prior to TUN/TAP device close. 
# Here we are defining that the hq network can see the branch network
route 192.168.11.0 255.255.255.0

# Push a config file option back to the client for remote execution. Note that option must be enclosed in double quotes ("").
# The client must specify --pull in its config file. The set of options which can be pushed is limited by both feasibility and security. 
# Here we are defining that the branch can see the hq network
# Delay n seconds (default=0) after connection establishment, before adding routes. If n is 0, routes will be added immediately upon connection establishment.
push "route-delay 2 600"
# Add route to routing table after connection is established. Multiple routes can be specified.
# Routes will be automatically torn down in reverse order prior to TUN/TAP device close. 
push "route 192.168.10.0 255.255.255.0"

# Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN. 
# def1 -- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. 
# This has the benefit of overriding but not wiping out the original default gateway. 
#push "redirect-gateway def1"

# This option can be used to set additional TCP/IP properties on the TAP-Win32 adapter, and is particularly useful
# for configuring an OpenVPN client to access a Samba server across the VPN. 
# DNS addr -- Set primary domain name server address. Repeat this option to set secondary DNS server addresses. 
# WINS addr -- Set primary WINS server address (NetBIOS over TCP/IP Name Server). Repeat this option to set secondary WINS server addresses. 
#push "dhcp-option DNS 192.168.10.248"
#push "dhcp-option DNS 192.168.10.249"
#push "dhcp-option WINS 192.168.10.248"

# Because the OpenVPN server mode handles multiple clients through a single tun or tap interface, it is effectively a router. 
# The --client-to-client flag tells OpenVPN to internally route client-to-client traffic rather than pushing all
# client-originating traffic to the TUN/TAP interface. When this option is used, each client will "see" the other clients which are
# currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic
# using custom, per-client rules. 
client-to-client

# Run the --ping-exit / --ping-restart timer only if we have a remote address. Use this option if you are starting 
# the daemon in listen mode (i.e. without an explicit --remote peer), and you don't want to start clocking timeouts 
# until a remote peer connects. 
ping-timer-rem

# A helper directive designed to simplify the expression of --ping and --ping-restart in server mode configurations. 
# The server timeout is set twice the value of the second argument. This ensures that a timeout is detected on
# client side before the server side drops the connection. 
keepalive 10 120

# Encrypt data channel packets with cipher algorithm alg. The default is BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode.
# Blowfish has the advantages of being fast, very secure, and allowing key sizes of up to 448 bits.
# Blowfish is designed to be used in situations where keys are changed infrequently. 
# Note: Blowfish has a 64-bit block size; when both ends support it, AES-256-CBC is the better choice today. Whatever you pick must match on server and client.
cipher  BF-CBC

# Use fast LZO compression -- may add up to 1 byte per packet for incompressible data. mode may be "yes", "no", or "adaptive" (default). 
comp-lzo adaptive

# Limit server to a maximum of n concurrent clients. 
max-clients 10

# Optional user to be owner of this tunnel. 
user    nobody

# Optional group to be owner of this tunnel. 
group   nogroup

# Don't re-read key files across SIGUSR1 or --ping-restart. This option can be combined with --user nobody
# to allow restarts triggered by the SIGUSR1 signal. Normally if you drop root privileges in OpenVPN, the daemon cannot 
# be restarted since it will now be unable to re-read protected key files.
persist-key

# Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts. 
# SIGUSR1 is a restart signal similar to SIGHUP, but which offers finer-grained control over reset options. 
persist-tun

# Write operational status to file every n seconds. 
# Status can also be written to the syslog by sending a SIGUSR2 signal. 
status  /var/log/openvpn/status.log

# Output logging messages to file, including output to stdout/stderr which is generated by called scripts. If file already exists it will be
# truncated. This option takes effect immediately when it is parsed in the command line and will supersede syslog output if --daemon or --inetd
# is also specified. This option is persistent over the entire course of an OpenVPN instantiation and will not be reset by SIGHUP, SIGUSR1, or --ping-restart.
log /var/log/openvpn/openvpn.log

# Append logging messages to file. If file does not exist, it will be created. This option behaves exactly like --log except
# that it appends to rather than truncating the log file
log-append  /var/log/openvpn/openvpn.log

# Set output verbosity to n (default=1). Each level shows all info from the previous levels. Level 3 is recommended if you want a good
# summary of what's happening without being swamped by output. 
# 0 -- No output except fatal errors.
# 1 to 4 -- Normal usage range.
# 5 -- Output R and W characters to the console for each packet read and write, uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
# 6 to 11 -- Debug info range (see errlevel.h for additional information on debug levels). 
verb    4

# Log at most n consecutive messages in the same category. This is useful to limit repetitive logging of similar message types. 
mute    20

Now we need to generate the certificates that will be used by the branch

cd /etc/openvpn/easy-rsa
./build-key branch1
Generating a 2048 bit RSA private key
.............................................................................+++
.....................+++
writing new private key to 'branch1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BR]: #ENTER
State or Province Name (full name) [PR]: #ENTER
Locality Name (eg, city) [Curitiba]: #ENTER
Organization Name (eg, company) [Douglas]: #ENTER
Organizational Unit Name (eg, section) [HQ]: Branches
Common Name (eg, your name or your server's hostname) [branch1]: #ENTER
Name [EasyRSA]:branch1
Email Address [douglas.q.santos@gmail.com]: #ENTER

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #ENTER
An optional company name []:branch1
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'BR'
stateOrProvinceName   :PRINTABLE:'PR'
localityName          :PRINTABLE:'Curitiba'
organizationName      :PRINTABLE:'Douglas'
organizationalUnitName:PRINTABLE:'Branches'
commonName            :PRINTABLE:'branch1'
name                  :PRINTABLE:'branch1'
emailAddress          :IA5STRING:'douglas.q.santos@gmail.com'
Certificate is to be certified until Aug 15 13:54:04 2025 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Let's create some directories that are necessary and let's copy some files.

mkdir /etc/openvpn/{certs,ccd,keys}
cp /etc/openvpn/easy-rsa/keys/*.crt /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa/keys/*.key /etc/openvpn/easy-rsa/keys/dh2048.pem /etc/openvpn/keys/

Now we need to create the routes file

The file /etc/openvpn/ccd/branch1 defines the individual routes for each client. Without it the server does not know that the machines on the LANs on both sides (HQ and Branch) want to talk to each other, and communication is restricted to server-to-client, with no HQ network to Branch network traffic. Note: the file name must match the Common Name (CN) set when the client certificate was generated (branch1 here), because that is the name the server looks up in the client-config-dir.

echo "iroute 192.168.11.0 255.255.255.0" > /etc/openvpn/ccd/branch1

Now we need to set the permissions of the files and directories in the OpenVPN root directory

cd /etc/openvpn
chown -R nobody:nogroup keys certs ccd
chmod 0400 keys/* certs/* ccd/*

Now we need to create OpenVPN's log directory, which will store information about the connections, status and other things.

mkdir /var/log/openvpn

Now we need to enable the OpenVPN service at boot time

systemctl -f enable openvpn@server.service

Now we need to start the OpenVPN service

systemctl start openvpn@server.service

Now we can take a look at the log file to make sure that OpenVPN started successfully

tail -f /var/log/openvpn/openvpn.log 
Tue Aug 18 11:05:38 2015 us=957004 GID set to nogroup
Tue Aug 18 11:05:38 2015 us=957203 UID set to nobody
Tue Aug 18 11:05:38 2015 us=957253 Listening for incoming TCP connection on [undef]
Tue Aug 18 11:05:38 2015 us=957287 TCPv4_SERVER link local (bound): [undef]
Tue Aug 18 11:05:38 2015 us=957305 TCPv4_SERVER link remote: [undef]
Tue Aug 18 11:05:38 2015 us=957328 MULTI: multi_init called, r=256 v=256
Tue Aug 18 11:05:38 2015 us=957598 IFCONFIG POOL: base=10.254.0.4 size=62, ipv6=0
Tue Aug 18 11:05:38 2015 us=957655 IFCONFIG POOL LIST
Tue Aug 18 11:05:38 2015 us=957683 MULTI: TCP INIT maxclients=10 maxevents=14
Tue Aug 18 11:05:38 2015 us=957728 Initialization Sequence Completed

Now we need to prepare the files that will be sent to the Branch.

Let's create a structure to store the certificates that we will need to use in the Branch side.

cd /etc/openvpn
mkdir -p branch1/{certs,keys}
cp certs/{ca.crt,branch1.crt} branch1/certs/
cp keys/{branch1.key,shared.key} branch1/keys/

Now we need to create the main configuration file /etc/openvpn/branch1/branch1.conf

vim /etc/openvpn/branch1/branch1.conf
# A helper directive designed to simplify the configuration of OpenVPN's client mode. 
client

# Remote host name or IP address. On the client, multiple --remote options may be specified for redundancy, each referring to a different 
# OpenVPN server. Specifying multiple --remote options for this purpose is a special case of the more general connection-profile feature.
remote  200.200.200.1

# TCP/UDP port number or port name for both local and remote. The current default of 1194 represents the official IANA port number assignment for OpenVPN
port    1194

# Indicates the protocol to use when connecting with the remote, and may be "tcp" or "udp".
proto   tcp

# Announce to TCP sessions running over the tunnel that they should limit their send packet sizes such that after OpenVPN has encapsulated them,
# the resulting UDP packet size that OpenVPN sends to its peer will not exceed max bytes. The default value is 1450.
mssfix 1450

# TUN/TAP virtual network device.  You must use either tun devices on both ends of the connection or tap devices on both ends.
# You cannot mix them, as they represent different underlying network layers.
dev tun

# Require that peer certificate was signed with an explicit nsCertType designation of "client" or "server". 
# This is a useful security option for clients, to ensure that the host they connect with is a designated server. 
ns-cert-type    server

# Enable TLS and assume client role during TLS handshake.
tls-client

# Add an additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks.
tls-auth    keys/shared.key 1

# Certificate authority (CA) file in .pem format, also referred to as the root certificate.
# This file can have multiple certificates in .pem format, concatenated together.
ca  certs/ca.crt

# Local peer's signed certificate in .pem format -- must be signed by a certificate authority whose certificate is in --ca file
# Each peer in an OpenVPN link running in TLS mode should have its own certificate and private key file.
# In addition, each certificate should have been signed by the key of a certificate authority whose public key resides in the --ca certificate authority file
cert    certs/branch1.crt

# Local peer's private key in .pem format. Use the private key which was generated when you built your peer's certificate
key keys/branch1.key

# Run the --ping-exit / --ping-restart timer only if we have a remote address. Use this option if you are starting
# the daemon in listen mode (i.e. without an explicit --remote peer), and you don't want to start clocking timeouts
# until a remote peer connects.
ping-timer-rem

# A helper directive designed to simplify the expression of --ping and --ping-restart in server mode configurations.
# The server timeout is set twice the value of the second argument. This ensures that a timeout is detected on
# client side before the server side drops the connection.
keepalive 10 120

# Encrypt data channel packets with cipher algorithm alg. The default is BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode.
# Blowfish has the advantages of being fast, very secure, and allowing key sizes of up to 448 bits.
# Blowfish is designed to be used in situations where keys are changed infrequently.
# Must match the cipher configured on the server.
cipher  BF-CBC

# Use fast LZO compression -- may add up to 1 byte per packet for incompressible data. mode may be "yes", "no", or "adaptive" (default).
comp-lzo adaptive

# If hostname resolve fails for --remote, retry resolve for n seconds before failing. 
# Set n to "infinite" to retry indefinitely. 
resolv-retry    infinite

# Do not bind to local address and port. The IP stack will allocate a dynamic port for returning packets. Since the value of the dynamic 
# port could not be known in advance by a peer, this option is only suitable for peers which will be initiating connections by using the --remote option. 
nobind

# Optional user to be owner of this tunnel.
user    nobody

# Optional group to be owner of this tunnel.
group   nogroup

# Don't re-read key files across SIGUSR1 or --ping-restart. This option can be combined with --user nobody
# to allow restarts triggered by the SIGUSR1 signal. Normally if you drop root privileges in OpenVPN, the daemon cannot
# be restarted since it will now be unable to re-read protected key files.
persist-key

# Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts.
# SIGUSR1 is a restart signal similar to SIGHUP, but which offers finer-grained control over reset options.
persist-tun

# Write operational status to file every n seconds.
# Status can also be written to the syslog by sending a SIGUSR2 signal.
status  /var/log/openvpn/openvpn-status.log

# Output logging messages to file, including output to stdout/stderr which is generated by called scripts. If file already exists it will be
# truncated. This option takes effect immediately when it is parsed in the command line and will supersede syslog output if --daemon or --inetd
# is also specified. This option is persistent over the entire course of an OpenVPN instantiation and will not be reset by SIGHUP, SIGUSR1, or --ping-restart.
log /var/log/openvpn/openvpn.log

# Append logging messages to file. If file does not exist, it will be created. This option behaves exactly like --log except
# that it appends to rather than truncating the log file
log-append  /var/log/openvpn/openvpn.log

# Set output verbosity to n (default=1). Each level shows all info from the previous levels. Level 3 is recommended if you want a good
# summary of what's happening without being swamped by output.
# 0 -- No output except fatal errors.
# 1 to 4 -- Normal usage range.
# 5 -- Output R and W characters to the console for each packet read and write, uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
# 6 to 11 -- Debug info range (see errlevel.h for additional information on debug levels).
verb    4

# Log at most n consecutive messages in the same category. This is useful to limit repetitive logging of similar message types.
mute    20

Now we need to create a tarball with all the files we gathered

tar -czvf branch1.tar.gz branch1/
branch1/
branch1/branch1.conf
branch1/keys/
branch1/keys/branch1.key
branch1/keys/shared.key
branch1/certs/
branch1/certs/ca.crt
branch1/certs/branch1.crt

Now we need to send the tarball to the Branch

scp branch1.tar.gz 200.200.200.2:/tmp

Branch

Now we need to update the repositories and upgrade the whole system

aptitude update && aptitude dist-upgrade -y 

Now we need to install the Openvpn service

aptitude install openvpn -y

Now we need to decompress the tarball and move it to the correct directory.

cd /tmp
tar -xzvf branch1.tar.gz
mv branch1/* /etc/openvpn/
rm -rf /tmp/branch1*

Now we need to create the Openvpn's log directory

mkdir /var/log/openvpn

Now we need to enable the OpenVPN service at boot time

systemctl -f enable openvpn@branch1.service

Now we need to start the Openvpn service.

systemctl start openvpn@branch1.service

Now we can take a look at the Openvpn's log file.

tail -f /var/log/openvpn/openvpn.log 
Tue Aug  18 12:42:19 2015 OPTIONS IMPORT: route-related options modified
Tue Aug  18 12:42:19 2015 ROUTE default_gateway=10.0.0.254
Tue Aug  18 12:42:19 2015 TUN/TAP device tun0 opened
Tue Aug  18 12:42:19 2015 TUN/TAP TX queue length set to 100
Tue Aug  18 12:42:19 2015 /sbin/ifconfig tun0 10.254.0.6 pointopoint 10.254.0.5 mtu 1500
Tue Aug  18 12:42:22 2015 /sbin/route add -net 192.168.10.0 netmask 255.255.255.0 gw 10.254.0.5
Tue Aug  18 12:42:22 2015 /sbin/route add -net 10.254.0.0 netmask 255.255.255.0 gw 10.254.0.5
Tue Aug  18 12:42:22 2015 GID set to nogroup
Tue Aug  18 12:42:22 2015 UID set to nobody
Tue Aug  18 12:42:22 2015 Initialization Sequence Completed

Let's run some tests

Now from the Branch1 we need to ping the internal ip from the HQ

ping 192.168.10.1 -c 3
PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.
64 bytes from 192.168.10.1: icmp_req=1 ttl=64 time=1.42 ms
64 bytes from 192.168.10.1: icmp_req=2 ttl=64 time=1.01 ms
64 bytes from 192.168.10.1: icmp_req=3 ttl=64 time=1.05 ms

--- 192.168.10.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 1.015/1.166/1.428/0.187 ms

Let's check the route table from the Branch1

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.254.0.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.254.0.0      10.254.0.5      255.255.255.0   UG    0      0        0 tun0
192.168.11.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.10.0    10.254.0.5      255.255.255.0   UG    0      0        0 tun0
10.0.0.0        0.0.0.0         255.255.254.0   U     0      0        0 eth0
0.0.0.0         10.0.0.254      0.0.0.0         UG    0      0        0 eth0

Now from the HQ we need to ping the internal ip from the Branch1

ping 192.168.11.1 -c 3
PING 192.168.11.1 (192.168.11.1) 56(84) bytes of data.
64 bytes from 192.168.11.1: icmp_req=1 ttl=64 time=0.454 ms
64 bytes from 192.168.11.1: icmp_req=2 ttl=64 time=0.853 ms
64 bytes from 192.168.11.1: icmp_req=3 ttl=64 time=0.804 ms

--- 192.168.11.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.454/0.703/0.853/0.180 ms

Let's check the routes tables from the HQ

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.254.0.2      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.254.0.0      10.254.0.2      255.255.255.0   UG    0      0        0 tun0
192.168.11.0    10.254.0.2      255.255.255.0   UG    0      0        0 tun0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.0.0.0        0.0.0.0         255.255.254.0   U     0      0        0 eth0
0.0.0.0         10.0.0.254      0.0.0.0         UG    0      0        0 eth0

Don't forget to enable forwarding on the servers, because if you forget it you will only reach the HQ and Branch1 machines themselves, since we have a point-to-point connection.

Let's enable forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

Another very important piece is a masquerade rule for the OpenVPN network

iptables -t nat -A POSTROUTING -s 10.254.0.0/24 -j MASQUERADE

Everything is working properly so far. Sometimes we do not have access to the OpenVPN server because it is behind a firewall or an IPS; then we need to allow the connection, and sometimes we need to create a redirect (port forward) from the firewall to the OpenVPN server. The default port for OpenVPN is 1194 and it can use either TCP or UDP. Another note: OpenVPN sends and receives its data through the tun0 or tap0 interface.

In case you need to configure another branch, follow the same process used to create branch1, not forgetting to change the branch name as shown below.

We need to add the new entries to the server.conf to load the new route to the new clients.

Note: the → filial1 and → filial2 markers only show which branch each line belongs to; do not put them in your configuration file.

route 192.168.11.0 255.255.255.0 → filial1
route 192.168.12.0 255.255.255.0 → filial2

After that we need to create the route for the new client in the ccd directory, because the server checks this directory to know which route belongs to which client.

echo "iroute 192.168.12.0 255.255.255.0" > /etc/openvpn/ccd/filial2

If you need to send more routes to the branches, use the following lines.

push "route 192.168.10.0 255.255.255.0"
push "route 192.168.9.0 255.255.255.0"
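The routes file section above and the per-branch steps here both rely on the same pairing: a "route" line in server.conf for every branch network and a ccd/<CN> file carrying the matching "iroute". The following helper script is an added example, not part of the original how-to; it assumes the /etc/openvpn/server.conf and /etc/openvpn/ccd layout used above, and the names OPENVPN_DIR, add_branch and check_branches are my own.

```shell
#!/bin/sh
# Added example: keep server.conf "route" lines and ccd/<CN> "iroute" files
# consistent as branches are added. OPENVPN_DIR is a hypothetical override so
# the functions can be exercised against a scratch directory instead of /etc.
OPENVPN_DIR="${OPENVPN_DIR:-/etc/openvpn}"

# add_branch NAME NETWORK NETMASK
#   NAME must equal the X509 Common Name of the branch certificate, because
#   the server opens ccd/<CN> after the client authenticates. Refuses a
#   network that another ccd file already claims (two clients cannot both
#   own one iroute), writes ccd/NAME, and appends the matching "route" line
#   to server.conf when it is missing.
add_branch() {
    name=$1; net=$2; mask=$3
    conf="$OPENVPN_DIR/server.conf"
    ccd="$OPENVPN_DIR/ccd"
    mkdir -p "$ccd"
    # -F -x: match the whole line literally, so "." in the address is not a wildcard
    owner=$(grep -Flx "iroute $net $mask" "$ccd"/* 2>/dev/null | head -n 1)
    if [ -n "$owner" ] && [ "$(basename "$owner")" != "$name" ]; then
        echo "error: $net $mask is already claimed by ccd/$(basename "$owner")" >&2
        return 1
    fi
    printf 'iroute %s %s\n' "$net" "$mask" > "$ccd/$name"
    if ! grep -Fqx "route $net $mask" "$conf" 2>/dev/null; then
        printf 'route %s %s\n' "$net" "$mask" >> "$conf"
    fi
    return 0
}

# check_branches
#   Reports every iroute in ccd/ without a matching route in server.conf
#   (the branch LAN would be unreachable from the HQ side) and every route
#   in server.conf that no ccd file claims (packets would enter the tunnel
#   with no client to deliver them to). Returns 0 only when both agree.
check_branches() {
    conf="$OPENVPN_DIR/server.conf"
    ccd="$OPENVPN_DIR/ccd"
    status=0
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        while read -r kw net mask || [ -n "$kw" ]; do
            [ "$kw" = "iroute" ] || continue
            if ! grep -Fqx "route $net $mask" "$conf"; then
                echo "missing in server.conf: route $net $mask (needed by ccd/$(basename "$f"))"
                status=1
            fi
        done < "$f"
    done
    # "push \"route ...\"" lines start with push, so only real route lines match here
    while read -r kw net mask || [ -n "$kw" ]; do
        [ "$kw" = "route" ] || continue
        if ! grep -Fqxs "iroute $net $mask" "$ccd"/*; then
            echo "no ccd file claims: route $net $mask"
            status=1
        fi
    done < "$conf"
    return $status
}

# Usage on the HQ (as root), e.g. for the second branch described above:
#   add_branch filial2 192.168.12.0 255.255.255.0 && check_branches
```

After adding a branch, reload the server so the new route and ccd entry take effect; check_branches is also a quick audit before restarting.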

Now, if one branch needs to access another branch, we need to add the route in the branch configuration file.

Let's assume the following configuration to the branches that need to exchange information.

  1. Branch 3 → 192.168.3.0/24
  2. Branch 4 → 192.168.4.0/24

Branch 3 needs to send information to Branch 4, but we need to set up the path they use to reach each other.

In the branch3.conf file we need to add the route as follows.

vim /etc/openvpn/branch3.conf
[...]
route 192.168.4.0 255.255.255.0

Now we need to do the same for Branch 4, changing the network as follows

vim /etc/openvpn/branch4.conf
[...]
route 192.168.3.0 255.255.255.0

After that the branches will have routes to each other, because we are using the client-to-client parameter in server.conf

The same story as before: if you need to access other machines/servers in any branch, we need to enable forwarding in both branches, which we can do with the following commands.

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p

The last configuration we need so that the branches can exchange information without problems is the masquerade rule in the firewall, as follows.

iptables -t nat -A POSTROUTING -s 10.254.0.0/24 -j MASQUERADE
