Last time I connected two sites, with one site behind a NAT router and no direct public access. So I continued with the setup and wanted to add another node into my network; this time it was another cousin's home I invaded. I set up Vyatta at their home and created a 3-site OpenVPN network in server-client fashion. This can grow from 3 to N sites if I need.
Here's the network topology I worked on.
[Figure: Server-Client 3 Site OpenVPN network diagram]
Now, starting from the Main-Site Vyatta, create the required certificate and key files for the server as well as the clients.
vyatta@Main-Vyatta:~$ sudo su -
root@Main-Vyatta:~# cd /usr/share/doc/openvpn/examples/easy-rsa/2.0
root@Main-Vyatta:# cp * /etc/openvpn/
root@Main-Vyatta:# cd /etc/openvpn/
root@Main-Vyatta:# nano vars
Edit the parameter
export KEY_DIR="/config/auth"
These parameters should be modified too.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
Save and Exit
Now execute
root@Main-Vyatta:# source ./vars
root@Main-Vyatta:# ./build-ca
Enter the data as prompted.
After this completes you should have output like this:
root@Main-Vyatta:# ls /config/auth/
ca.crt ca.key
Now build the server certificate and key, signed by this CA:
root@Main-Vyatta:# touch /config/auth/index.txt
root@Main-Vyatta:# echo 01 > /config/auth/serial
root@Main-Vyatta:# ./build-key-server Main-Vyatta
At the end this will ask:
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Next, generate the DH parameters file:
root@Main-Vyatta:# ./build-dh
Now all set. Time to generate files for the remote endpoints/clients.
I've generated the client files in password-protected mode. This password will be asked for whenever a client tries to use these files; if it matches, the setup proceeds on the remote end.
root@Main-Vyatta:# ./build-key-pass site1
Again questions will be asked; answer as you like.
Building another set of files for the second remote site:
root@Main-Vyatta:# ./build-key-pass site2
At this point these are the contents of my /config/auth directory:
root@Main-Vyatta:# ls /config/auth/
01.pem  02.pem  03.pem  Main-Vyatta.crt  Main-Vyatta.csr  Main-Vyatta.key  ca.crt  ca.key
dh1024.pem  index.txt  index.txt.attr  index.txt.attr.old  index.txt.old  serial  serial.old
site1.crt  site1.csr  site1.key  site2.crt  site2.csr  site2.key
root@Main-Vyatta:# exit
Repeat the last step, generating site certificates and keys, for as many sites as there are in the network, i.e. "./build-key-pass siteN". I only had access to two distinct locations.
Now time to get back to the Main-Router's Vyatta console.
Explaining the lines below before it gets too complicated. I declared a server-mode OpenVPN interface vtun0 on Main-Vyatta. I set a static tunnel IP for each site in the node so they don't change on reboot and mess up my static routes (see at the end). I also declared the subnet behind each site so vtun0 knows which subnet is located at which site.
Then I configured vtun0 to use the TLS keys and certificates for Main-Vyatta. That's it. The server is done.
vyatta@Main-Vyatta:~$ configure
vyatta@Main-Vyatta# set interfaces openvpn vtun0 mode server
vyatta@Main-Vyatta# set interfaces openvpn vtun0 server subnet 172.16.15.0/24
vyatta@Main-Vyatta# set interfaces openvpn vtun0 server topology point-to-point
vyatta@Main-Vyatta# set interfaces openvpn vtun0 server client site1 ip 172.16.15.2
vyatta@Main-Vyatta# set interfaces openvpn vtun0 server client site1 subnet 192.168.114.0/24
vyatta@Main-Vyatta# set interfaces openvpn vtun0 server client site2 ip 172.16.15.3
vyatta@Main-Vyatta# set interfaces openvpn vtun0 server client site2 subnet 10.10.1.0/24
vyatta@Main-Vyatta# set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
vyatta@Main-Vyatta# set interfaces openvpn vtun0 tls cert-file /config/auth/Main-Vyatta.crt
vyatta@Main-Vyatta# set interfaces openvpn vtun0 tls dh-file /config/auth/dh1024.pem
vyatta@Main-Vyatta# set interfaces openvpn vtun0 tls key-file /config/auth/Main-Vyatta.key
vyatta@Main-Vyatta# commit
Now time to export the files to Site-1 and Site-2 so each can use its own files.
This should be done in a more secure way; at the very least, make sure the ca.crt file doesn't fall into any hacker's hands.
vyatta@Main-Vyatta# sudo cp /config/auth/site* /tmp/
vyatta@Main-Vyatta# sudo chown vyatta /tmp/site*
vyatta@Main-Vyatta# sudo cp /config/auth/ca.crt /tmp/
vyatta@Main-Vyatta# sudo chown vyatta /tmp/ca.crt
I copied the files into the /tmp directory and changed their ownership so they can be fetched by the remote ends via SCP.
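Added example, not from the original post: a small POSIX shell helper that stages exactly the files one site needs (ca.crt plus its own .crt and .key) in a 0700 directory, and a check that refuses a bundle containing ca.key, Main-Vyatta.key or another site's key, since those private keys are what must never leave the CA host (ca.crt itself is public and goes to every client). The file names are the ones the easy-rsa steps above produced; the argument layout and the helper names are assumptions of this example.

```shell
# Added example, not from the original post: stage a per-site OpenVPN bundle
# from the easy-rsa output and check that no private key leaks into it.
# File names follow the post; the argument layout and helper names are assumed.

# Private keys that must never leave the CA/server host.
FORBIDDEN="ca.key Main-Vyatta.key"

# stage_site_bundle KEY_DIR OUT_DIR SITE
# Creates OUT_DIR/SITE (mode 0700) holding ca.crt, SITE.crt and SITE.key (0600).
stage_site_bundle() {
    key_dir=$1; out_dir=$2; site=$3; dest="$out_dir/$site"
    for f in ca.crt "$site.crt" "$site.key"; do
        [ -f "$key_dir/$f" ] || { echo "missing $key_dir/$f" >&2; return 1; }
    done
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    cp "$key_dir/ca.crt" "$key_dir/$site.crt" "$dest/" || return 1
    cp "$key_dir/$site.key" "$dest/" && chmod 600 "$dest/$site.key"
}

# bundle_is_safe BUNDLE_DIR SITE
# Succeeds only if the bundle holds no forbidden key, no other site's key,
# and the site's own key is mode 0600 (owner read/write only).
bundle_is_safe() {
    dir=$1; site=$2
    for f in $FORBIDDEN; do
        [ ! -e "$dir/$f" ] || { echo "$f must not be shipped" >&2; return 1; }
    done
    for k in "$dir"/*.key; do
        [ -e "$k" ] || continue                       # no .key files at all
        case "$(basename "$k")" in
            "$site.key") ;;
            *) echo "foreign key $k in bundle" >&2; return 1 ;;
        esac
        [ -n "$(find "$k" -perm 600)" ] || { echo "$k is not mode 0600" >&2; return 1; }
    done
    return 0
}

# bundle_chain_ok BUNDLE_DIR SITE
# Confirms SITE.crt was issued by the CA in ca.crt and that SITE.key matches it.
# A key made with build-key-pass is encrypted, so openssl prompts for its passphrase.
bundle_chain_ok() {
    dir=$1; site=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/$site.crt" >/dev/null || return 1
    c=$(openssl x509 -noout -modulus -in "$dir/$site.crt") || return 1
    k=$(openssl rsa -noout -modulus -in "$dir/$site.key") || return 1
    [ "$c" = "$k" ]
}
```

Run stage_site_bundle /config/auth /tmp/bundles site1, then bundle_is_safe and bundle_chain_ok on /tmp/bundles/site1 before pointing the remote scp at that directory instead of a flat /tmp shared by every site.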
Site-1
Go to the Site1 router and fetch the files from the Main-Site.
Go to the Linux root console:
root@Site1-Vyatta~:# scp vyatta@172.16.31.101:/tmp/site1.* /tmp/
root@Site1-Vyatta~:# scp vyatta@172.16.31.101:/tmp/ca.crt /tmp/
root@Site1-Vyatta~:# mv /tmp/* /config/auth/
root@Site1-Vyatta~:# exit
Back to the Vyatta console:
vyatta@Site1-Vyatta:# set interface openvpn vtun0 mode client
vyatta@Site1-Vyatta:# set interface openvpn vtun0 remote-host 123.111.222.2
vyatta@Site1-Vyatta:# set interface openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
vyatta@Site1-Vyatta:# set interface openvpn vtun0 tls cert-file /config/auth/site1.crt
vyatta@Site1-Vyatta:# set interface openvpn vtun0 tls key-file /config/auth/site1.key
vyatta@Site1-Vyatta:# commit
In the above steps I've only defined that the remote server is at IP 123.111.222.2 and that the mode of this OpenVPN interface vtun0 is client; then the certificates and keys are configured.
Once you commit it, it'll ask for the passphrase that we entered on the server while creating the site's key.
vyatta@Site1-Vyatta:# save
vyatta@Site1-Vyatta:# exit
vyatta@Site1-Vyatta:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             192.168.137.2/24                  u/u
eth1             192.168.114.2/24                  u/u
lo               127.0.0.1/8                       u/u
                 ::1/128
vtun0            172.16.15.3/24                    u/u
vyatta@vyatta:~$
Repeat the same steps from Site1 on Site2.
After this, just add static routes in the Main-Router for each subnet, and voilà!
vyatta@Main-Vyatta# set protocols static route 10.10.1.0/24 next-hop 172.16.15.3
vyatta@Main-Vyatta# set protocols static route 192.168.114.0/24 next-hop 172.16.15.2
vyatta@Main-Vyatta# run show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route
S>* 0.0.0.0/0 [1/0] via 172.16.2.50, eth0
S>* 10.10.1.0/24 [1/0] via 172.16.15.3, vtun0
C>* 127.0.0.0/8 is directly connected, lo
C>* 172.16.0.0/16 is directly connected, eth0
K>* 172.16.15.0/24 via 172.16.15.2, vtun0
C>* 172.16.15.2/32 is directly connected, vtun0
C>* 192.168.30.0/24 is directly connected, eth1
S>* 192.168.114.0/24 [1/0] via 172.16.15.2, vtun0
[edit]
vyatta@Main-Vyatta# ping 192.168.114.2
PING 192.168.114.2 (192.168.114.2) 56(84) bytes of data.
64 bytes from 192.168.114.2: icmp_req=1 ttl=64 time=2.25 ms
^C
--- 192.168.114.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.250/2.250/2.250/0.000 ms
[edit]
vyatta@Main-Vyatta# ping 10.10.1.1
PING 10.10.1.1 (10.10.1.1) 56(84) bytes of data.
64 bytes from 10.10.1.1: icmp_req=1 ttl=64 time=21.9 ms
64 bytes from 10.10.1.1: icmp_req=2 ttl=64 time=3.29 ms
^C
--- 10.10.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 3.297/12.603/21.909/9.306 ms
[edit]
vyatta@Main-Vyatta#
That's it, we are done here. I did something interesting while doing it as well: creating a GRE tunnel over OpenVPN.
GRE over OpenVPN
This has nothing to do with the static routes. Once OpenVPN was set up and I was able to ping across the 172.16.15.0/24 subnet, I went to Main-Vyatta, created a tun0 GRE interface and set the remote and local IPs to use for this tunnel.
vyatta@Main-Vyatta# set interfaces tunnel tun0 encapsulation gre
vyatta@Main-Vyatta# set interfaces tunnel tun0 remote-ip 172.16.15.2
vyatta@Main-Vyatta# set interfaces tunnel tun0 local-ip 172.16.15.1
vyatta@Main-Vyatta# set interfaces tunnel tun0 address 10.20.20.1/30
vyatta@Main-Vyatta# set interfaces tunnel tun1 address 10.20.20.5/30
vyatta@Main-Vyatta# set interfaces tunnel tun1 remote-ip 172.16.15.3
vyatta@Main-Vyatta# set interfaces tunnel tun1 local-ip 172.16.15.1
vyatta@Main-Vyatta# set interfaces tunnel tun1 encapsulation gre
vyatta@Main-Vyatta# commit
Then on 172.16.15.2/Site1 I ran the following commands:
vyatta@Site1-Vyatta:~$ configure
vyatta@Site1-Vyatta# set interfaces tunnel tun0 address 10.20.20.2/30
vyatta@Site1-Vyatta# set interfaces tunnel tun0 local-ip 172.16.15.2
vyatta@Site1-Vyatta# set interfaces tunnel tun0 remote-ip 172.16.15.1
vyatta@Site1-Vyatta# set interfaces tunnel tun0 encapsulation gre
vyatta@Site1-Vyatta# commit
Then on 172.16.15.3/Site2 I ran the following commands:
vyatta@Site2-Vyatta:~$ configure
vyatta@Site2-Vyatta# set interfaces tunnel tun0 address 10.20.20.6/30
vyatta@Site2-Vyatta# set interfaces tunnel tun0 local-ip 172.16.15.3
vyatta@Site2-Vyatta# set interfaces tunnel tun0 remote-ip 172.16.15.1
vyatta@Site2-Vyatta# set interfaces tunnel tun0 encapsulation gre
vyatta@Site2-Vyatta# commit
That's it! I was able to ping between the Main-Site IP 10.20.20.1 and Site-1 10.20.20.2; similarly, Site-2 10.20.20.6 was able to ping the Main-Site tunnel interface 10.20.20.5 :)
I've a couple more ideas in mind to play with VPNs on Vyatta, and then I'll revert back to VoIP stuff.
I have a question about this readme. I set up 2 Vyatta routers, 6.2 and 6.5, using OpenVPN site-to-site. The connection is established successfully. I can ping both sites over the local-ip. After creating a GRE tunnel using the local-ip of the OpenVPN tunnel, the gre0 interface is down, but I can ping using the IP of the GRE tunnel.
This is my config:
R1
openvpn vtun10 {
    local-address 10.20.1.2 {
    }
    local-port 5599
    mode site-to-site
    protocol udp
    remote-address 10.20.1.1
    remote-host
    remote-port 5599
    tls {
        ca-cert-file /config/auth/ca.crt
        cert-file /config/auth/vpn.crt
        key-file /config/auth/vpn.key
        role active
    }
}
tunnel tun10 {
    address 10.20.2.2/30
    encapsulation gre
    local-ip 10.20.1.2
    remote-ip 10.20.1.1
}
R2
openvpn vtun10 {
    local-address 10.20.1.1
    local-port 5599
    mode site-to-site
    protocol udp
    remote-address 10.20.1.2
    remote-host
    remote-port 5599
    tls {
        ca-cert-file /config/auth/ca.crt
        cert-file /config/auth/OpenVPN.crt
        dh-file /config/auth/dh1024.pem
        key-file /config/auth/OpenVPN.key
        role passive
    }
}
tunnel tun10 {
    address 10.20.2.1/30
    encapsulation gre
    local-ip 10.20.1.1
    remote-ip 10.20.1.2
}
Hi,
I hope it's already taken care of and is done. It's nothing to worry about, the state. If you can ping the GRE interfaces, then that means the routing and everything is done perfectly.
Vyatta takes some time to show it up, possibly a bug, I'm not sure why... but I've seen Vyatta saying "down" for interfaces in OpenVPN too which were pinging.
Is there a reason you switched from the site-to-site configuration in your previous post to point-to-point?
I'm not sure I understood this correctly... kindly explain. Also, do forgive my memory; it has been some years since I wrote that, and Vyatta is now VyOS, so this may not be accurate anymore.
set interfaces openvpn vtun0 server topology point-to-point
vs
set interfaces openvpn vtun0 server topology site-to-site
Main-Vyatta# set interfaces openvpn vtun0 mode site-to-site
Vs.
vyatta@Main-Vyatta# set interfaces openvpn vtun0 mode server
vyatta@Main-Vyatta# set interfaces openvpn vtun0 server topology point-to-point
I think it has something to do with the VPN architecture: how many sites are to be connected and what I wanted to achieve. Honestly, at the point of publishing I tried two different ways and both of them worked.
Now, going through the OpenVPN book and all those articles which I consulted again, I realize that these two differ in that one of them is useful for hub-and-spoke and the other one is useful for a direct one-to-one link.
There are other things coming to my mind on finding the facts behind these two; I must thank you for asking such an intriguing question.