Tuesday, June 19, 2012

Multi-Site OpenVPN Interconnect [Server-Client mode] + GRE tunnel over OpenVPN

Last time I connected two sites, one of which sat behind a NAT router with no direct public access. This time I extended that setup with another node: I set up Vyatta at another cousin's home and built a 3-site OpenVPN network in server-client (hub-and-spoke) fashion. The same design grows from 3 to N sites as needed.


Here's the network topology I worked on.
[Figure: Server-Client 3-Site OpenVPN network diagram]
Main-Site
Starting on the Main-Site Vyatta, create the CA, the server certificate and the client certificates and keys. Everything is done with the easy-rsa 2.0 scripts that ship with OpenVPN.

vyatta@Main-Vyatta:~$ sudo su -
root@Main-Vyatta:~# cd /usr/share/doc/openvpn/examples/easy-rsa/2.0
root@Main-Vyatta:~# cp * /etc/openvpn/
root@Main-Vyatta:~# cd /etc/openvpn/
root@Main-Vyatta:~# nano vars

Change KEY_DIR so that everything lands in Vyatta's persistent /config/auth directory instead of the default keys/ subdirectory:
export KEY_DIR="/config/auth"

Fill in the certificate identity fields as well (the values below are easy-rsa's placeholders):
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"

While in vars, also look at KEY_SIZE. easy-rsa 2.0 ships with 1024, which is what produces the dh1024.pem seen later; 1024-bit RSA and DH are considered too weak today, so set KEY_SIZE to 2048 or larger before building anything.

Save and exit.

Now load the variables into the shell and build the CA:

root@Main-Vyatta:~# source ./vars
root@Main-Vyatta:~# ./build-ca

Answer the prompts (the defaults come from vars).

When it finishes, the key directory should look like this:
root@Main-Vyatta:# ls /config/auth/
ca.crt  ca.key
Next, the server certificate, signed by the CA just built. The easy-rsa scripts expect the CA's database files to exist in KEY_DIR (./clean-all would create them, but it also wipes the directory), so create them by hand, then sign a server certificate whose CN is Main-Vyatta:

root@Main-Vyatta:~# touch /config/auth/index.txt
root@Main-Vyatta:~# echo 01 > /config/auth/serial

root@Main-Vyatta:# ./build-key-server Main-Vyatta

At the end it asks you to commit the new certificate to the CA database:

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Next, generate the DH parameters file (its size follows KEY_SIZE):
root@Main-Vyatta:# ./build-dh

That covers the server side. Now generate the files for the remote endpoints (the clients).

I generated the client files with build-key-pass, which encrypts each client's private key with a passphrase. OpenVPN asks for that passphrase whenever it loads the key, so the remote end cannot bring the tunnel up without it. Keep in mind that the same prompt appears every time OpenVPN starts, including after a reboot of an unattended router; check how your Vyatta release handles that before relying on it. Note also that the name given to build-key-pass becomes the certificate's Common Name (CN), and the server matches clients by CN below.

root@Main-Vyatta:# ./build-key-pass site1

The certificate fields are prompted for again, followed by the passphrase for the key.

Build another set of files for the second remote site:

root@Main-Vyatta:# ./build-key-pass site2

At this point these are the contents of my /config/auth directory

root@Main-Vyatta:# ls /config/auth/
01.pem  03.pem           Main-Vyatta.csr  ca.crt  dh1024.pem  index.txt.attr      index.txt.old  serial.old  site1.csr  site2.crt  site2.key
02.pem  Main-Vyatta.crt  Main-Vyatta.key  ca.key  index.txt   index.txt.attr.old  serial         site1.crt   site1.key  site2.csr
root@Main-Vyatta:# exit


Repeat the last step for as many sites as the network will have, i.e. "./build-key-pass siteN". I only had access to two distinct locations.

Now back to the Main-Vyatta console.

To explain the lines below before they get complicated: I declared a server-mode OpenVPN interface vtun0 on Main-Vyatta. Each client gets a fixed tunnel IP, so the addresses survive reboots and do not break the static routes at the end, and each client entry also lists the LAN subnet behind that site, so OpenVPN knows which client to hand packets for that subnet to (an internal route; the kernel still needs the static routes shown later). The client names site1 and site2 must match the CN of the certificate each site presents, because that is how OpenVPN ties a connecting client to its entry.
Finally vtun0 is pointed at the CA certificate, the Main-Vyatta certificate and key, and the DH parameters. That is the whole server.

vyatta@Main-Vyatta:~$ configure
vyatta@Main-Vyatta# set interfaces openvpn vtun0 mode server
vyatta@Main-Vyatta# set interfaces openvpn vtun0 server subnet 172.16.15.0/24
vyatta@Main-Vyatta# set interfaces openvpn vtun0 server topology point-to-point
vyatta@Main-Vyatta# set interfaces openvpn vtun0 server client site1 ip 172.16.15.2
vyatta@Main-Vyatta# set interfaces openvpn vtun0 server client site1 subnet 192.168.114.0/24
vyatta@Main-Vyatta# set interfaces openvpn vtun0 server client site2 ip 172.16.15.3
vyatta@Main-Vyatta# set interfaces openvpn vtun0 server client site2 subnet 10.10.1.0/24
vyatta@Main-Vyatta# set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
vyatta@Main-Vyatta# set interfaces openvpn vtun0 tls cert-file /config/auth/Main-Vyatta.crt
vyatta@Main-Vyatta# set interfaces openvpn vtun0 tls dh-file /config/auth/dh1024.pem
vyatta@Main-Vyatta# set interfaces openvpn vtun0 tls key-file /config/auth/Main-Vyatta.key
vyatta@Main-Vyatta# commit

Now export the files to Site-1 and Site-2 so each uses its own set.
Do this carefully: ca.crt is a public certificate and is harmless if leaked, but site1.key and site2.key are the secrets that authenticate those sites, and ca.key signs everything, so it must never leave the CA machine (ideally it would not live on a production router at all). Each site should receive only its own key.

vyatta@Main-Vyatta# sudo cp /config/auth/site* /tmp/
vyatta@Main-Vyatta# sudo chown vyatta /tmp/site*
vyatta@Main-Vyatta# sudo cp /config/auth/ca.crt /tmp/
vyatta@Main-Vyatta# sudo chown vyatta /tmp/ca.crt


The files were copied to /tmp and their ownership changed so the vyatta user on the remote ends can fetch them with SCP. /tmp is readable by every local user, so remove the copies (sudo rm /tmp/site* /tmp/ca.crt) once both sites have pulled their files.
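Before pushing a bundle to a site, it is worth checking the things the server configuration depends on but never states: that the client certificate really chains to ca.crt, that its CN is the name the server's "server client <name>" entry will look for, that the .key file matches the .crt, and that the key is not an old 1024-bit one. The script below is an added example for this page, not part of the original post or of Vyatta. It builds a throwaway CA and client certificate with the openssl command line so it can run anywhere, then runs the same checks you would run against /config/auth/site1.crt, site1.key and ca.crt on the Main-Site router.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a client bundle before it is
# copied to a site.  It verifies what the Vyatta server config silently depends on: the
# certificate chains to ca.crt, its CN equals the 'server client <name>' entry, the private
# key actually belongs to the certificate, and the key is not an old 1024-bit one.
# Requires the openssl CLI.  All key material below is generated on the fly for the demo;
# nothing here is the post's real PKI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed demo PKI: a throwaway CA, a client cert with CN=site1, and an unrelated key.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo-CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=site1" \
    -keyout "$WORK/site1.key" -out "$WORK/site1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/site1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/site1.crt" 2>/dev/null
  openssl genrsa -out "$WORK/wrong.key" 2048 2>/dev/null
}

# check_bundle CA CRT KEY EXPECTED_CN -> prints "ok" and returns 0, or prints why and returns 1
check_bundle() {
  ca=$1; crt=$2; key=$3; want_cn=$4

  # 1. The certificate must be signed by the CA the server trusts.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL chain: $crt is not signed by $ca"; return 1; }

  # 2. CN must equal the name used in 'set interfaces openvpn vtun0 server client <name> ...'.
  cn=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$want_cn" ] \
    || { echo "FAIL cn: certificate CN is '$cn', server entry is '$want_cn'"; return 1; }

  # 3. The private key must belong to this certificate (compare the public keys).
  #    For a build-key-pass key, openssl prompts for the passphrase at this point.
  pub_crt=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
  pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$pub_crt" = "$pub_key" ] \
    || { echo "FAIL key: $key does not match $crt"; return 1; }

  # 4. Refuse easy-rsa's old KEY_SIZE=1024 default.
  bits=$(openssl x509 -in "$crt" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ] \
    || { echo "FAIL size: ${bits:-?}-bit key, want >= 2048"; return 1; }

  echo ok
}

make_demo_pki

# Stand-alone run: the good bundle, then two deliberately broken checks.
check_bundle "$WORK/ca.crt" "$WORK/site1.crt" "$WORK/site1.key" site1 || true
check_bundle "$WORK/ca.crt" "$WORK/site1.crt" "$WORK/wrong.key" site1 || true
check_bundle "$WORK/ca.crt" "$WORK/site1.crt" "$WORK/site1.key" site2 || true
```

Against the real bundle, drop the demo generation and call check_bundle with /config/auth/ca.crt, the site's .crt and .key, and the name used in the server's client entry; anything but "ok" means the site would not be matched to its entry or would not authenticate at all.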
Site-1
Go to the Site1 router and fetch the files from the Main-Site.

Go to the Linux root console:

root@Site1-Vyatta:~# scp vyatta@172.16.31.101:/tmp/site1.* /tmp/
root@Site1-Vyatta:~# scp vyatta@172.16.31.101:/tmp/ca.crt /tmp/
root@Site1-Vyatta:~# mv /tmp/site1.* /tmp/ca.crt /config/auth/
root@Site1-Vyatta:~# exit

Back in the Vyatta console:

vyatta@Site1-Vyatta:~$ configure
vyatta@Site1-Vyatta# set interfaces openvpn vtun0 mode client
vyatta@Site1-Vyatta# set interfaces openvpn vtun0 remote-host 123.111.222.2
vyatta@Site1-Vyatta# set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
vyatta@Site1-Vyatta# set interfaces openvpn vtun0 tls cert-file /config/auth/site1.crt
vyatta@Site1-Vyatta# set interfaces openvpn vtun0 tls key-file /config/auth/site1.key
vyatta@Site1-Vyatta# commit


The steps above only say that vtun0 is an OpenVPN client, that the server is at 123.111.222.2 (the Main-Site's public address), and which CA certificate, client certificate and key to use; the tunnel address comes from the server.

On commit, Vyatta asks for the passphrase that was set on the server when the site1 key was built.


vyatta@Site1-Vyatta:#save
vyatta@Site1-Vyatta:#exit

vyatta@Site1-Vyatta:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             192.168.137.2/24                  u/u
eth1             192.168.114.2/24                  u/u
lo               127.0.0.1/8                       u/u
                 ::1/128
vtun0            172.16.15.3/24                    u/u
vyatta@vyatta:~$

vtun0 must come up with the address the server assigned to this client (172.16.15.2 for site1, 172.16.15.3 for site2); if it shows another client's address, check the CN of the certificate this site presents against the server's client entries. Repeat the same steps on Site2 with the site2 files.

After this, add static routes on the Main router for each remote subnet, pointing at that site's tunnel address, and voila! The spokes need the mirror image: a route to the Main-Site LAN and to each other spoke's LAN with next-hop 172.16.15.1, the hub's tunnel address; without them only traffic originating at the hub gets through. The pings from Main-Vyatta itself below work without them because the replies go back over the connected tunnel.
vyatta@Main-Vyatta# set protocols static route 10.10.1.0/24 next-hop 172.16.15.3
vyatta@Main-Vyatta# set protocols static route 192.168.114.0/24 next-hop 172.16.15.2

vyatta@Main-Vyatta# run show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

S>* 0.0.0.0/0 [1/0] via 172.16.2.50, eth0
S>* 10.10.1.0/24 [1/0] via 172.16.15.3 , vtun0
C>* 127.0.0.0/8 is directly connected, lo
C>* 172.16.0.0/16 is directly connected, eth0
K>* 172.16.15.0/24 via 172.16.15.2, vtun0
C>* 172.16.15.2/32 is directly connected, vtun0
C>* 192.168.30.0/24 is directly connected, eth1
S>* 192.168.114.0/24 [1/0] via 172.16.15.2, vtun0
[edit]

vyatta@Main-Vyatta# ping 192.168.114.2
PING 192.168.114.2 (192.168.114.2) 56(84) bytes of data.
64 bytes from 192.168.114.2: icmp_req=1 ttl=64 time=2.25 ms
^C
--- 192.168.114.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.250/2.250/2.250/0.000 ms
[edit]

vyatta@Main-Vyatta# ping 10.10.1.1
PING 10.10.1.1 (10.10.1.1) 56(84) bytes of data.
64 bytes from 10.10.1.1: icmp_req=1 ttl=64 time=21.9 ms
64 bytes from 10.10.1.1: icmp_req=2 ttl=64 time=3.29 ms
^C
--- 10.10.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 3.297/12.603/21.909/9.306 ms
[edit]
vyatta@Main-Vyatta#
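The hub now knows about both sites, but with three or more sites the same three facts per site (client name, tunnel IP, LAN subnet) have to agree across the certificate CN, the "server client" entries and the static routes, and each spoke still needs its own return routes, which the steps above do not show. The script below is an added example, not from the original post: it keeps one table of sites and derives the hub commands, each spoke's routes (everything remote via the hub's tunnel address, assumed to be 172.16.15.1 as in the GRE section, with the hub LAN 192.168.30.0/24 taken from the routing table above), and a check of a pasted "show ip route" dump against the same table. The dump embedded in it is constructed in the format shown above.

```shell
#!/bin/sh
# Added example, not from the original post: keep the per-site facts in one table and derive
# every command from it, for the hub and for each spoke, so the client name, tunnel IP and LAN
# subnet can never disagree between 'server client', the static routes and the certificate CN.
# check_routes then compares a pasted 'show ip route' against the same table.
# Assumptions: the hub's own tunnel address is 172.16.15.1 and its LAN is 192.168.30.0/24
# (taken from the post's GRE section and routing table); the sample route dump is constructed.
set -eu

HUB_TUN=172.16.15.1
HUB_LAN=192.168.30.0/24

# name   tunnel-ip     lan-subnet   (one line per spoke; add a line to add a site)
SITES='
site1 172.16.15.2 192.168.114.0/24
site2 172.16.15.3 10.10.1.0/24
'

# Hub: per spoke, the fixed tunnel IP, the subnet behind it (OpenVPN's internal route)
# and the kernel static route that sends that subnet into vtun0.
gen_hub() {
  printf '%s\n' "$SITES" | while read -r name tun lan; do
    if [ -n "$name" ]; then
      echo "set interfaces openvpn vtun0 server client $name ip $tun"
      echo "set interfaces openvpn vtun0 server client $name subnet $lan"
      echo "set protocols static route $lan next-hop $tun"
    fi
  done
}

# Spoke: the return routes the post leaves out.  Everything not local goes to the hub's
# tunnel address: the hub LAN and every other spoke's LAN (spoke-to-spoke traffic relays
# through the hub).
gen_spoke() {
  me=$1
  echo "set protocols static route $HUB_LAN next-hop $HUB_TUN"
  printf '%s\n' "$SITES" | while read -r name tun lan; do
    if [ -n "$name" ] && [ "$name" != "$me" ]; then
      echo "set protocols static route $lan next-hop $HUB_TUN"
    fi
  done
}

# check_routes DUMP: for each spoke, confirm the hub's 'show ip route' has a static route for
# its LAN via its tunnel IP on vtun0.  Prints "<site> ok" or "<site> WRONG" per site.
check_routes() {
  dump=$1
  printf '%s\n' "$SITES" | while read -r name tun lan; do
    if [ -n "$name" ]; then
      if printf '%s\n' "$dump" | grep -q "^S>\* $lan \[[0-9]*/[0-9]*\] via $tun *, vtun0"; then
        echo "$name ok"
      else
        echo "$name WRONG"
      fi
    fi
  done
}

# Constructed sample dump in the format the post shows (note the stray space before one comma).
SAMPLE_ROUTES='S>* 0.0.0.0/0 [1/0] via 172.16.2.50, eth0
S>* 10.10.1.0/24 [1/0] via 172.16.15.3 , vtun0
C>* 192.168.30.0/24 is directly connected, eth1
S>* 192.168.114.0/24 [1/0] via 172.16.15.2, vtun0'

# Stand-alone run: hub commands, each spoke's commands, then the route check.
gen_hub
for s in site1 site2; do
  echo "# --- $s ---"
  gen_spoke "$s"
done
check_routes "$SAMPLE_ROUTES"
```

Paste the gen_hub lines into configure mode on Main-Vyatta and each gen_spoke output on the matching site; to add a fourth site, add one line to the table and re-run, and feed the hub's "show ip route" to check_routes after commit to catch a route that points at the wrong tunnel address.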


That's it, we are done here. I also did something interesting along the way: a GRE tunnel over OpenVPN.

GRE over OpenVPN

This has nothing to do with the static routes. Once OpenVPN was up and I could ping across the 172.16.15.0/24 tunnel subnet, I went to Main-Vyatta, created GRE tunnel interfaces and set their local and remote IPs to the OpenVPN tunnel addresses. Because both GRE endpoints are tunnel addresses, the GRE traffic only ever travels inside the OpenVPN session and inherits its encryption and authentication; GRE itself has neither, so if the endpoints were the routers' public addresses instead, the encapsulated traffic would cross the internet in the clear. Each extra encapsulation also eats into the path MTU, so watch for fragmentation with large packets.


vyatta@Main-Vyatta# set interfaces tunnel tun0 encapsulation gre
vyatta@Main-Vyatta# set interfaces tunnel tun0 remote-ip 172.16.15.2
vyatta@Main-Vyatta# set interfaces tunnel tun0 local-ip 172.16.15.1
vyatta@Main-Vyatta# set interfaces tunnel tun0 address 10.20.20.1/30

vyatta@Main-Vyatta# set interfaces tunnel tun1 address 10.20.20.5/30
vyatta@Main-Vyatta# set interfaces tunnel tun1 remote-ip 172.16.15.3
vyatta@Main-Vyatta# set interfaces tunnel tun1 local-ip 172.16.15.1
vyatta@Main-Vyatta# set interfaces tunnel tun1 encapsulation gre
vyatta@Main-Vyatta# commit

Then on the 172.16.15.2/Site1 I ran the following commands


vyatta@Site1-Vyatta:~$ configure
vyatta@Site1-Vyatta#set interfaces tunnel tun0 address 10.20.20.2/30
vyatta@Site1-Vyatta#set interfaces tunnel tun0 local-ip 172.16.15.2
vyatta@Site1-Vyatta#set interfaces tunnel tun0 remote-ip 172.16.15.1
vyatta@Site1-Vyatta#set interfaces tunnel tun0 encapsulation gre
vyatta@Site1-Vyatta#commit


Then on the 172.16.15.3/Site2 I ran the following commands


vyatta@Site2-Vyatta:~$ configure
vyatta@Site2-Vyatta#set interfaces tunnel tun0 address 10.20.20.6/30
vyatta@Site2-Vyatta#set interfaces tunnel tun0 local-ip 172.16.15.3
vyatta@Site2-Vyatta#set interfaces tunnel tun0 remote-ip 172.16.15.1
vyatta@Site2-Vyatta#set interfaces tunnel tun0 encapsulation gre
vyatta@Site2-Vyatta#commit


That's it. I was able to ping between the Main-Site tunnel IP 10.20.20.1 and Site-1's 10.20.20.2, and similarly Site-2's 10.20.20.6 could ping the Main-Site tunnel interface 10.20.20.5 :)

I have a couple more ideas for playing with VPNs on Vyatta, and then I'll get back to the VoIP stuff.


6 comments:

  1. I have a question about this readme. I set up 2 Vyatta routers, 6.2 and 6.5, using OpenVPN site-to-site. The connection is established successfully. I can ping both sites over the local-ip. After creating the GRE tunnel using the local-ip of the OpenVPN tunnel, the gre0 interface is down. I can ping using the IP of the GRE tunnel.
    This is my config:
    R1

    openvpn vtun10 {
        local-address 10.20.1.2 {
        }
        local-port 5599
        mode site-to-site
        protocol udp
        remote-address 10.20.1.1
        remote-host
        remote-port 5599
        tls {
            ca-cert-file /config/auth/ca.crt
            cert-file /config/auth/vpn.crt
            key-file /config/auth/vpn.key
            role active
        }
    }
    tunnel tun10 {
        address 10.20.2.2/30
        encapsulation gre
        local-ip 10.20.1.2
        remote-ip 10.20.1.1
    }


    R2

    openvpn vtun10 {
        local-address 10.20.1.1
        local-port 5599
        mode site-to-site
        protocol udp
        remote-address 10.20.1.2
        remote-host
        remote-port 5599
        tls {
            ca-cert-file /config/auth/ca.crt
            cert-file /config/auth/OpenVPN.crt
            dh-file /config/auth/dh1024.pem
            key-file /config/auth/OpenVPN.key
            role passive
        }
    }
    tunnel tun10 {
        address 10.20.2.1/30
        encapsulation gre
        local-ip 10.20.1.1
        remote-ip 10.20.1.2
    }

    1. Hi,
      I hope it's already taken care of and done. The state is nothing to worry about. If you can ping the GRE interfaces, then the routing and everything is done perfectly.
      Vyatta takes some time to show it as up, possibly a bug, I'm not sure why... but I've seen Vyatta say "down" for OpenVPN interfaces too which were pinging.

  2. Is there a reason you switched from the site-to-site configuration in your previous post to point-to-point?

    1. I'm not sure I understood this correctly... kindly explain. Also, do forgive my memory; it has been some years since I wrote that, and Vyatta is now VyOS, so this may not be accurate anymore.

    2. set interfaces openvpn vtun0 server topology point-to-point

      vs

      set interfaces openvpn vtun0 server topology site-to-site

    3. Main-Vyatta#set interfaces openvpn vtun0 mode site-to-site
      Vs.
      vyatta@Main-Vyatta# set interfaces openvpn vtun0 mode server
      vyatta@Main-Vyatta# set interfaces openvpn vtun0 server topology point-to-point

      I think it has something to do with the VPN architecture, how many sites are to be connected and what I wanted to achieve. Honestly, at the point of publishing I tried two different ways and both of them worked.
      Now, going through the OpenVPN book and all those articles which I consulted again, I realize that these two differ in that one of them is useful for hub-and-spoke and the other one is useful for a direct one-to-one link.

      There are other things coming to my mind on finding the facts behind these two; I must thank you for asking such an intriguing question.
