OpenVPN – Site-to-Site

Goal:

Link two remote nodes so that communication between them is "transparent". Channel stability, speed and, of course, security also matter.

Imagine that there are 2 nodes:

  • Server - IP 1.1.1.1
  • Client - IP 2.2.2.2

Install OpenVPN on both of them.

CentOS:

yum install -y epel-release
yum install -y openvpn easy-rsa

Ubuntu:

apt install -y openvpn

On the Server node, create a directory for storing keys:

mkdir -p /etc/openvpn/keys/ && cd /etc/openvpn/keys/

Generate a key:

openvpn --genkey --secret vpn.key

Create a configuration file:

vim /etc/openvpn/server.conf

With the following contents:

# point-to-point tunnel secured with a pre-shared static key (no TLS, no PKI)
dev tun
# this side listens on TCP 1194; the remote peer connects to it
proto tcp-server
local 1.1.1.1
lport 1194
remote 2.2.2.2
rport 1194
# static key; direction 0 here, 1 on the Client
secret /etc/openvpn/keys/vpn.key 0
# tunnel addresses: local end, then remote end
ifconfig 192.168.1.1 192.168.1.2
route 192.168.1.2 255.255.255.255
# drop privileges after startup (on Ubuntu the unprivileged group is "nogroup")
user nobody
group nobody
# keep the tun device and key in memory so the link can restart without root
persist-tun
persist-key
# ping every 10 s, restart the link after 60 s of silence
keepalive 10 60
ping-timer-rem
# verb 0 silences almost all logging; use verb 3 while testing or troubleshooting
verb 0
daemon
tun-mtu 48000
fragment 0
mssfix 0
# compression is deprecated in current OpenVPN releases; omit it on new deployments
comp-lzo
# HMAC defaults to SHA1 unless "auth" is set; add e.g. "auth SHA256" on both ends
cipher aes-256-cbc
tcp-nodelay
sndbuf 0
rcvbuf 0
push "sndbuf 524288"
push "rcvbuf 524288"

Add to startup and run:

systemctl enable openvpn@server
systemctl start openvpn@server

Verify that the Server node is reachable on TCP port 1194. Also note that OpenVPN requires TUN/TAP support: on an OpenVZ virtual machine, check with the hosting provider whether it is enabled, since cheaper plans often do not provide TUN/TAP support.

Go to the Client node.

Create a directory for storing keys:

mkdir -p /etc/openvpn/keys/ && cd /etc/openvpn/keys/
vim /etc/openvpn/keys/vpn.key

Here we paste the contents of the key that was generated on the Server node. Transfer it over a secure channel (for example scp); this file is the only secret protecting the tunnel.

Change the key permission:

chmod 600 /etc/openvpn/keys/vpn.key

Create a configuration file:

vim /etc/openvpn/client.conf

With the following contents:

dev tun
# this side initiates the TCP connection to the Server
proto tcp-client
local 2.2.2.2
lport 1194
remote 1.1.1.1
rport 1194
# same key as the Server, opposite direction (1)
secret /etc/openvpn/keys/vpn.key 1
# tunnel addresses mirrored: local end, then remote end
ifconfig 192.168.1.2 192.168.1.1
route 192.168.1.1 255.255.255.255
# on Ubuntu use "group nogroup"
user nobody
group nobody
persist-tun
persist-key
keepalive 10 60
ping-timer-rem
verb 0
daemon
tun-mtu 48000
fragment 0
mssfix 0
comp-lzo
cipher aes-256-cbc

Add to startup and run:

systemctl enable openvpn@client
systemctl start openvpn@client

That's it: site-to-site communication is configured. Check that it works, for example by pinging 192.168.1.2 from the Server node.

Do not forget about the firewall: TCP port 1194 must be allowed in on the Server node, and traffic on the tun interface must be permitted on both nodes.
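As an added example (not part of the original post), a small POSIX shell script that checks the finished setup on either node: key file permissions, a few settings in the config worth tightening before production, and whether the peer answers over the tunnel. It assumes the paths and tunnel addresses used above; pass your own as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: post-install checks for the
# static-key site-to-site tunnel described above.

# key_perms_ok FILE -> 0 when FILE exists and is mode 0600 (readable only by its owner)
key_perms_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# conf_findings CONF -> prints one line per setting worth changing before
# production; also checks the permissions of the file named by "secret".
conf_findings() {
    # verb 0 silences the log lines needed for troubleshooting and detection
    grep -Eq '^[[:space:]]*verb[[:space:]]+0([[:space:]]|$)' "$1" &&
        echo "verb 0: logging disabled, use verb 3"
    # compression on an encrypted link is deprecated in current OpenVPN
    grep -Eq '^[[:space:]]*comp-lzo' "$1" &&
        echo "comp-lzo: compression enabled on the encrypted link"
    # static-key mode still uses an HMAC; without "auth" it defaults to SHA1
    grep -Eq '^[[:space:]]*auth[[:space:]]+' "$1" ||
        echo "auth: not set, HMAC defaults to SHA1 (set e.g. auth SHA256 on both ends)"
    key=$(awk '$1 == "secret" { print $2; exit }' "$1")
    if [ -n "$key" ] && ! key_perms_ok "$key"; then
        echo "secret: $key missing or not mode 0600"
    fi
    return 0
}

# tunnel_ok LOCAL PEER -> 0 when a tun interface carries LOCAL and PEER answers ping
tunnel_ok() {
    ip -o addr show 2>/dev/null | grep -q "tun[0-9]*.* inet $1 " || return 1
    ping -c 3 -W 2 "$2" >/dev/null 2>&1
}

# run_checks CONF LOCAL PEER, e.g. on the Server node:
#   run_checks /etc/openvpn/server.conf 192.168.1.1 192.168.1.2
run_checks() {
    conf_findings "$1"
    if tunnel_ok "$2" "$3"; then
        echo "tunnel up: $2 -> $3"
    else
        echo "tunnel down: no tun interface with $2, or $3 not answering"; return 1
    fi
}

if [ $# -eq 3 ]; then run_checks "$@"; fi
```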
