Goal:
Connect two remote nodes with a tunnel so that traffic between them is "transparent" to the applications on either side. Channel stability, throughput and, of course, security all matter.
Imagine that there are 2 nodes:
- Server – IP 1.1.1.1
- Client – IP 2.2.2.2
Install OpenVPN on them
CentOS:
yum install -y epel-release
yum install -y openvpn easy-rsa
(easy-rsa is not needed for the static-key setup below; it is only useful if you later move to certificates.)
Ubuntu:
apt install -y openvpn
On the Server node, create a directory for storing keys:
mkdir -p /etc/openvpn/keys/ && cd /etc/openvpn/keys/
Generate a static (pre-shared) key. It is a symmetric secret that both ends share, so keep it readable by root only (give it the same 600 permissions as on the client below):
openvpn --genkey --secret vpn.key
Create a configuration file:
vim /etc/openvpn/server.conf
With the following contents (one directive per line):
dev tun
proto tcp-server
local 1.1.1.1
lport 1194
remote 2.2.2.2
rport 1194
secret /etc/openvpn/keys/vpn.key 0
ifconfig 192.168.1.1 192.168.1.2
route 192.168.1.2 255.255.255.255
user nobody
group nobody
persist-tun
persist-key
keepalive 10 60
ping-timer-rem
verb 0
daemon
tun-mtu 48000
fragment 0
mssfix 0
comp-lzo
cipher aes-256-cbc
tcp-nodelay
sndbuf 0
rcvbuf 0
push "sndbuf 524288"
push "rcvbuf 524288"
Add to startup and run:
systemctl enable openvpn@server
systemctl start openvpn@server
Verify that the client node can reach the server on TCP port 1194 (open it in the firewall, ideally only for 2.2.2.2). OpenVPN also needs a TUN/TAP device: on an OpenVZ virtual machine check with the hoster whether it is enabled, since cheap plans often do not provide TUN/TAP support.
A few caveats about the config above:
- verb 0 suppresses all logging, so a tunnel that comes up and passes no traffic tells you nothing; use verb 3 on both sides until the link is proven, then lower it.
- On Debian/Ubuntu the unprivileged group is nogroup, not nobody; "group nobody" is correct only on CentOS.
- comp-lzo compresses traffic before it is encrypted. OpenVPN upstream discourages compression on security grounds; leave it out unless you have measured a need for it.
- Static-key mode has no forward secrecy: anyone who obtains vpn.key can decrypt all traffic protected with it, past and future. Keep the key on the two hosts only, rotate it when anyone with access leaves, and for more than two sites use TLS mode with certificates instead.
Go to the Client node
Create a directory for storing keys:
mkdir -p /etc/openvpn/keys/ && cd /etc/openvpn/keys/
vim /etc/openvpn/keys/vpn.key
Put the contents of the key generated on the Server node into this file. Transfer it over an authenticated channel (scp over SSH), never by mail, chat or a shared clipboard, because anyone holding the key can join or decrypt the tunnel.
Change the key permission:
chmod 600 /etc/openvpn/keys/vpn.key
Create a configuration file:
vim /etc/openvpn/client.conf
With the following contents (one directive per line):
dev tun
proto tcp-client
local 2.2.2.2
lport 1194
remote 1.1.1.1
rport 1194
secret /etc/openvpn/keys/vpn.key 1
ifconfig 192.168.1.2 192.168.1.1
route 192.168.1.1 255.255.255.255
user nobody
group nobody
persist-tun
persist-key
keepalive 10 60
ping-timer-rem
verb 0
daemon
tun-mtu 48000
fragment 0
mssfix 0
comp-lzo
cipher aes-256-cbc
Add to startup and run:
systemctl enable openvpn@client
systemctl start openvpn@client
That's it, the site-to-site link is configured. Check it by pinging the peer's tunnel address (192.168.1.2 from the server, 192.168.1.1 from the client); if it fails, raise verb to 3 on both sides and read the OpenVPN log, since cipher, key-direction or ifconfig mismatches are not negotiated away in static-key mode.
Do not forget about the firewall: allow TCP 1194 on the server from the client's address only, and decide explicitly which traffic may cross the tun interface.