Yesterday I was at my cousin's place and suddenly remembered that I had forgotten to bring some documents from my desktop at home; going back home wasn't an option. I knew I have a static IP provisioned at home, while my cousin's place has a dynamic-IP modem.
It was a good thing that Vyatta controls my home internet traffic, so I quickly accessed my Vyatta router and from there fetching the documents was a piece of cake.
Later I decided to create a VPN between my home and my cousin's home so we could always access our "Shared Documents" without involving any hi-fi router/Linux commands.
So here is the scenario:
Main Site/My Home: It listens for incoming OpenVPN connections and then listens for RIP messages.
Site-B/Cousin's Home: This initiates a VPN to the main site and shares its network routing table via the RIP protocol.
Note that only the Main Site has a static IP; the other site has a dynamic IP which may change on every reset. So after this setup I will be able to access their home network without caring about their public IP.
Here is a network diagram for better understanding (figure: Site-to-Site OpenVPN tunnel topology).
Main-Site Router:
Here's the breakdown of the commands you're about to see: assign the public IP, set the gateway address, set the public DNS server, and start the SSH service (this is optional; skip it, as it risks your router by making its SSH accessible over the internet).
Then the LAN interface was configured, and I verified that the router's internet connectivity was good by resolving www.msn.com and then pinging it as well. All perfect at this point.
Main-Vyatta:~$ configure
Main-Vyatta# set interfaces ethernet eth0 address 123.111.222.2/30
Main-Vyatta# set system gateway-address 123.111.222.1
Main-Vyatta# set system name-server 8.8.8.8
Main-Vyatta# set service ssh
Main-Vyatta# set interfaces ethernet eth1 address 10.10.1.1/24
Main-Vyatta# commit
Main-Vyatta# sudo nslookup www.msn.com
Then I created NAT rules for my LAN stations to reach the internet, NAT'd to the public IP.
Main-Vyatta# set nat source rule 5 outbound-interface eth0
Main-Vyatta# set nat source rule 5 source address 10.10.1.1/24
Main-Vyatta# set nat source rule 5 translation address masquerade
Main-Vyatta# commit
Main-Vyatta# exit
Up to here, my home network is all set. Now starting the OpenVPN setup.
Create the OpenVPN key, copy it to a temporary directory, and change its ownership so the vyatta user can fetch it.
Main-Vyatta:~$ generate openvpn key /etc/openvpn/key.psk
Main-Vyatta:~$ sudo cp /etc/openvpn/key.psk /tmp/
Main-Vyatta:~$ sudo chown vyatta /tmp/key.psk
Main-Vyatta:~$ ls -l /etc/openvpn/key.psk
Main-Vyatta:~$ configure
Create the OpenVPN interface vtun0 with a local IP to assign and a remote IP.
Main-Vyatta# set interfaces openvpn vtun0 mode site-to-site
Main-Vyatta# set interfaces openvpn vtun0 local-address 172.16.1.1
Main-Vyatta# set interfaces openvpn vtun0 remote-address 172.16.1.2
Main-Vyatta# set interfaces openvpn vtun0 shared-secret-key-file /etc/openvpn/key.psk
Main-Vyatta# commit
In the five lines above I've created a "vtun0" interface of type openvpn. Its mode is set to site-to-site. The main site is addressed as 172.16.1.1, the other site has this as its remote-site address, and a very important step is to use the key file.
Start RIP on the main router's vtun0 interface to accept the other side's routes.
Main-Vyatta# set protocols rip interface vtun0
Main-Vyatta# set protocols rip neighbor 172.16.1.2
Main-Vyatta# commit
Main-Vyatta# save
Now, Site-B Router.
Site1-Vyatta$ configure
Site1-Vyatta# set interfaces ethernet eth0 address 192.168.1.2/24
Site1-Vyatta# set interfaces ethernet eth1 address 10.1.3.1/24
Site1-Vyatta# set system gateway-address 192.168.1.1
Site1-Vyatta# set service ssh
Site1-Vyatta# commit
Configure the Site1 router's IP addresses and gateway (the gateway is the DSL modem, 192.168.2.1); the name server, NAT rules and the interface for this LAN should be set as well, but I'm skipping those.
Fetch the OpenVPN Key for this site to use.
Site1-Vyatta# sudo scp vyatta@123.111.222.2:/tmp/key.psk /etc/openvpn/key.psk
Site1-Vyatta# sudo chown root:root /etc/openvpn/key.psk
Now, time to configure the "vtun0" interface. Once we commit this, the router will try to connect to the Main-Site router.
Site1-Vyatta# set interfaces openvpn vtun0 mode site-to-site
Site1-Vyatta# set interfaces openvpn vtun0 local-address 172.16.1.2
Site1-Vyatta# set interfaces openvpn vtun0 remote-address 172.16.1.1
Site1-Vyatta# set interfaces openvpn vtun0 remote-host 123.111.222.2
Site1-Vyatta# set interfaces openvpn vtun0 shared-secret-key-file /etc/openvpn/key.psk
Site1-Vyatta# commit
Site1-Vyatta# save
Site1-Vyatta# exit
Site1-Vyatta$ show interfaces
Executing the show interfaces will show the new interface.
Now, time to advertise my local network to the Main Site; this way the Main-Site router will learn which next hop to take to reach the 10.1.3.0/24 network.
Site1-Vyatta$ configure
Site1-Vyatta# set protocols rip interface eth0
Site1-Vyatta# set protocols rip network 10.1.3.0/24
Site1-Vyatta# set protocols rip neighbor 172.16.1.1
Site1-Vyatta# set protocols rip interface vtun0
Site1-Vyatta# commit
Site1-Vyatta# save
Site1-Vyatta# exit
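As an added check (not part of the original post or of Vyatta itself), the following Python script parses both routers' OpenVPN and RIP "set" commands into a path-to-values map and flags the mistakes that typically keep a site-to-site tunnel like this one from passing routes: a missing shared-secret-key-file, RIP not enabled on vtun0, local/remote tunnel addresses or RIP neighbors that do not mirror each other, a missing remote-host on the initiating side, and RIP enabled on an interface whose subnet is not advertised. The listener/initiator naming and the simplification that the last token of each "set" line is its value are my assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input: the relevant "set" commands from the post, prompts stripped.
MAIN = """set interfaces openvpn vtun0 local-address 172.16.1.1
set interfaces openvpn vtun0 remote-address 172.16.1.2
set interfaces openvpn vtun0 shared-secret-key-file /etc/openvpn/key.psk
set protocols rip interface vtun0
set protocols rip neighbor 172.16.1.2"""
SITEB = """set interfaces ethernet eth0 address 192.168.1.2/24
set interfaces openvpn vtun0 local-address 172.16.1.2
set interfaces openvpn vtun0 remote-address 172.16.1.1
set interfaces openvpn vtun0 remote-host 123.111.222.2
set interfaces openvpn vtun0 shared-secret-key-file /etc/openvpn/key.psk
set protocols rip interface eth0
set protocols rip network 10.1.3.0/24
set protocols rip neighbor 172.16.1.1
set protocols rip interface vtun0"""
TUN = "interfaces openvpn vtun0 "

def parse(cmds):  # 'set <path...> <value>' lines -> {path: [values]}; last token is the value
    tree = defaultdict(list)
    for line in cmds.splitlines():
        w = line.split()
        if len(w) > 2 and w[0] == "set":
            tree[" ".join(w[1:-1])].append(w[-1])
    return tree

def check_tunnel(listener, initiator):  # returns findings for the two routers' configs
    cfgs, out = {"listener": parse(listener), "initiator": parse(initiator)}, []
    for side, c in cfgs.items():
        if not c.get(TUN + "shared-secret-key-file"):
            out.append(f"{side}: no shared-secret-key-file on vtun0")
        if "vtun0" not in c.get("protocols rip interface", []):
            out.append(f"{side}: RIP not enabled on vtun0, routes will not cross the tunnel")
        # RIP belongs on the tunnel and on LANs being advertised, not on e.g. the modem-facing interface.
        nets = [ipaddress.ip_network(n) for n in c.get("protocols rip network", [])]
        for ifc in c.get("protocols rip interface", []):
            addrs = c.get(f"interfaces ethernet {ifc} address", [])
            if ifc != "vtun0" and not any(ipaddress.ip_interface(x).network in nets for x in addrs):
                out.append(f"{side}: RIP enabled on {ifc}, which carries no advertised network")
    a, b = cfgs.values()
    if not b.get(TUN + "remote-host"):
        out.append("initiator: remote-host (the listener's static public IP) is missing")
    for x, y in ((a, b), (b, a)):  # each direction: my remote-address must be your local-address
        if x.get(TUN + "remote-address") != y.get(TUN + "local-address"):
            out.append("tunnel local/remote addresses do not mirror each other")
        if x.get("protocols rip neighbor") != y.get(TUN + "local-address"):
            out.append("RIP neighbor is not the other side's tunnel address")
    return out
```

Against the post's own commands it reports a single finding: RIP enabled on Site-B's eth0, the modem-facing interface. Also remove /tmp/key.psk on the main router once Site-B has fetched it, since that pre-shared key is all that authenticates the tunnel.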
That's all; everything is set and should be working fine. Ping from the Main Site to Site-B is flowing smoothly.
I'm thinking of exploring different ways and types of creating VPNs between two or more Vyatta routers. Hope to publish those soon too.
Hello... Sir Gohar, I am interested in your project as a reference for my final project, but I need to know: is the OpenVPN a PC, and is the server a desktop PC or a real server? Sorry, my English is bad.
Hey,
Though I couldn't understand your message, I'll answer as far as I understand it. In this post the two Vyatta routers are servers, and hence no desktop PC client has to do anything for the OpenVPN.
The Vyatta routers can be anything from a decent desktop system to a laptop to a very costly server, depending upon how heavy your usage is.
Hi, just wanted to say thanks for this. Also, if Vyatta is behind another firewall, OVPN uses UDP port 1194 to make connections by default. Took me forever to figure out why I couldn't get a tunnel up until I realized it was UDP not TCP :-)