OpenVPN Site-to-Site


OpenVPN is a great way to set up secure site-to-site links between networks on different subnets.  I recommend pfSense; it’s an open source FreeBSD based firewall OS that can run on embedded hardware (ALIX boards from PC Engines) or x86 hardware.  In our current setup our OpenVPN server is an x86 install of pfSense running as a VMware Appliance under VMware ESXi 4.0.  You will need to use the free VMware Converter to put the appliance on ESXi.  If you used static routes to the other subnets on your main router, you would not have to replace your main router if you wanted to run pfSense on the side to make the OpenVPN link.  In our setup our client routers are ALIX boards in the various locations running as the main router.   To get started I would use this document on pfSense’s website, as I’m not going to go step by step but just point out a few problems I ran into.

Server Setup

Protocol: UDP
Dynamic IP: Checked
Local port: (1194 is the default)
Address pool: (Set this to a /24 subnet outside of the range of all your networks; this is used for the back end routing for OpenVPN)
Use static IPs: unchecked
Local network: (I leave this blank and use custom options)
Remote network: (I also leave this blank and use custom options)
Client-to-client VPN: Checked
Cryptography: BF-CBC (128-bit)
Auth method: PKI
Shared key: Grayed out
CA Cert, Server Cert, Server Key, DH Parameters: (All filled out with the certs generated by the steps in the pfSense document)
DHCP-Opt.: (These settings don’t do anything in Site-to-Site links; I did however disable NetBIOS)
LZO compression: checked

Now for the server’s custom options; this all depends on your setup and how many networks you are going to link.  Each one of these should be separated by a semicolon, and I will try to explain each one.

//This is so the OpenVPN server will configure the IP for the interface if you want to be able to filter VPN traffic.
dev tun0;

//This is the WAN IP the OpenVPN server will use on the router; make sure you have a rule added or have Auto-added VPN rules enabled under advanced.
local xxx.xxx.xxx.xxx;

//You need one of these for every subnet you have; this pushes the routes out to the client routers so they know how to get to the other networks.  When the VPN link goes down these routes are automatically removed.
push "route xxx.10.1.0 255.255.255.0";       //Server’s subnet
push "route xxx.0.1.0 255.255.255.0";         //Client subnet
push "route xxx.0.2.0 255.255.255.0";         //Client subnet
push "route xxx.0.3.0 255.255.255.0";         //Client subnet
push "route xxx.0.4.0 255.255.255.0";         //Client subnet
push "route xxx.168.0.0 255.255.255.0";     //Client subnet

//These are for the server to add the routes to the client networks.  Make sure not to have the server’s local subnet here.
route xxx.0.1.0 255.255.255.0;
route xxx.0.2.0 255.255.255.0;
route xxx.0.3.0 255.255.255.0;
route xxx.0.4.0 255.255.255.0;
route xxx.168.0.0 255.255.255.0;

Now you need to tell the server which subnet should go to which client.  This is done by using the Client-specific configuration.

Disabled: unchecked
Common name: (the name assigned to the client router in the cert.)
Blocked: unchecked
Push reset: unchecked
Interface IP: (Leave this blank)
Custom options:  iroute XXX.0.2.0 255.255.255.0
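The server custom options above and the per-client iroute entries have to agree with each other, and it is easy to get one of them wrong when you have several sites. The following script is an added example, not part of the original post or of pfSense; it encodes the rules stated here (address pool outside every site subnet, no site subnets overlapping, the server’s own LAN absent from the server’s route list, one push route per subnet, and one iroute per client that matches a server route) and then emits the lines for the Custom options boxes. All subnets, common names, the WAN address and the interface name are constructed sample values standing in for the post’s xxx.* placeholders.

```python
"""Consistency check and line generator for a pfSense/OpenVPN site-to-site plan.

Added example, not from the original post.  Every address below is a
constructed sample value, not the author's real topology.
"""
from ipaddress import IPv4Network

# Constructed sample topology (assumption: stand-ins for the post's xxx.* values)
POOL = "10.8.0.0/24"              # OpenVPN address pool (tunnel endpoints)
SERVER_LAN = "192.168.10.0/24"    # subnet behind the OpenVPN server
CLIENTS = {                       # client cert common name -> LAN behind that router
    "site-a": "192.168.1.0/24",
    "site-b": "192.168.2.0/24",
    "site-c": "192.168.3.0/24",
}


def _mask(net):
    """Render a network as OpenVPN's 'network netmask' form."""
    n = IPv4Network(net)
    return f"{n.network_address} {n.netmask}"


def check_plan(pool, server_lan, clients):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    pool_net = IPv4Network(pool)
    lans = {"server": IPv4Network(server_lan)}
    lans.update({cn: IPv4Network(lan) for cn, lan in clients.items()})
    # Rule from the post: the address pool must sit outside every site subnet.
    for name, lan in lans.items():
        if pool_net.overlaps(lan):
            problems.append(f"address pool {pool_net} overlaps {name} LAN {lan}")
    # Site subnets must not overlap each other, or routing is ambiguous.
    names = list(lans)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if lans[a].overlaps(lans[b]):
                problems.append(f"{a} LAN {lans[a]} overlaps {b} LAN {lans[b]}")
    return problems


def server_custom_options(dev, wan_ip, server_lan, clients):
    """Lines for the server's Custom options box."""
    lines = [f"dev {dev}", f"local {wan_ip}"]
    # Push every subnet, the server's own included, so each client learns all routes.
    lines.append(f'push "route {_mask(server_lan)}"')
    for lan in clients.values():
        lines.append(f'push "route {_mask(lan)}"')
    # Server-side routes for client LANs only; the server's own LAN must not appear.
    for lan in clients.values():
        lines.append(f"route {_mask(lan)}")
    return lines


def client_specific_options(clients):
    """Common name -> iroute line for that client's Client-specific configuration."""
    return {cn: f"iroute {_mask(lan)}" for cn, lan in clients.items()}


def check_iroutes(server_lines, csc):
    """Return (routes lacking an iroute, iroutes lacking a route); both empty is good."""
    routes = {l.split(" ", 1)[1] for l in server_lines if l.startswith("route ")}
    iroutes = {l.split(" ", 1)[1] for l in csc.values()}
    return sorted(routes - iroutes), sorted(iroutes - routes)


def render(lines):
    """Join lines the way the pfSense Custom options box expects: semicolon-separated."""
    return ";".join(lines)


if __name__ == "__main__":
    for p in check_plan(POOL, SERVER_LAN, CLIENTS):
        print("PROBLEM:", p)
    server = server_custom_options("tun0", "203.0.113.5", SERVER_LAN, CLIENTS)
    csc = client_specific_options(CLIENTS)
    missing_iroute, missing_route = check_iroutes(server, csc)
    print("server custom options:\n ", render(server))
    for cn, line in csc.items():
        print(f"client-specific config for {cn}:", line)
    print("routes without iroute:", missing_iroute, "iroutes without route:", missing_route)
```

Run it once with your real subnets substituted for the constructed ones; a non-empty problem list, or a non-empty result from check_iroutes, points at exactly the kind of mismatch that makes one site reachable and another not.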

Now for the client settings.

Protocol: UDP
Server address: (WAN IP of the server)
Server port: (whatever you set up on the server)
Cert Settings: (Same as the server but of course you use a custom client cert and key)
LZO compression: Checked
Dynamic sourceport: (You can enable this if you want)
Custom options: dev tun0

On the client routers you will want to set up a domain override in the DNS Forwarder to send all DNS requests for your internal domains to your Active Directory or DNS servers elsewhere on your network.  This will allow client computers on a client network to reach internal sites on your network.  Sending all DNS over the link in this setup is not recommended, because if the link goes down, no DNS means no internet.  Best to only redirect what you need.

In a later post I will explain how to send all traffic and DNS from a client site over the VPN connection and have it fail back to the local connection if the link goes down.
