EdgeRouter - OpenVPN Site-to-Site


Overview


Readers will learn how to configure a Site-to-Site VPN between two EdgeRouters using OpenVPN.

OpenVPN is characterized by the usage of virtual tunnel interfaces (vtun) and routing entries. In this article, the peers are authenticated using randomly generated 2048 bit shared secrets, but it is also possible to use certificates. 

ATTENTION:
Packets passed through OpenVPN tunnel interfaces are not eligible for offloading. This means that the traffic is routed using the CPU and that the performance is limited. Please see the EdgeRouter - Hardware Offloading Explained article for more information.

 

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information and see the attachments for the configuration used in this article.
 
Devices used in this article:

Table of Contents


  1. Network Diagram
  2. Steps: OpenVPN Site-to-Site
  3. Steps: Testing & Verification
  4. Related Articles

Network Diagram


Back to Top

The network topology is shown below.

ER-R

  • eth0 (WAN) - 203.0.113.1
  • eth1 (LAN) - 192.168.1.1/24
  • vtun0 - 10.255.12.1/32

ER-L

  • eth0 (WAN) - 192.0.2.1
  • eth1 (LAN) - 172.16.1.1/24
  • vtun0 - 10.255.12.2/32


Steps: OpenVPN Site-to-Site


Back to Top

For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested.

CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Generate the 2048 bit shared secret on ER-R.

generate vpn openvpn-key /config/auth/secret

2. Display the shared secret and copy the output to a text file.

sudo cat /config/auth/secret
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
48fc8ac5b96655a08e041de6263a4e7b
<output shortened>
-----END OpenVPN Static key V1-----

3. Log in to ER-L and copy the contents of the shared secret to a new file in the /config/auth directory.

sudo cat > /config/auth/secret
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
48fc8ac5b96655a08e041de6263a4e7b
<output shortened>
-----END OpenVPN Static key V1-----
NOTE: Make sure the add an empty newline (enter) space at the end of the output.

4. Use CTRL-D to save the file.

5. Change the file permissions and set the owner to the root user.

sudo chmod 600 /config/auth/secret
sudo chown root /config/auth/secret

5. Verify that the file is in the correct location and that it has the correct permissions.

ls -l /config/auth/
-rw------- 1 root vyattacf 636 Jan 1 13:00 secret

6. Log back into ER-R to continue the OpenVPN configuration.

7. Enter configuration mode.

configure

8. Add a firewall rule for the OpenVPN traffic to the local firewall policy.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description openvpn
set firewall name WAN_LOCAL rule 30 destination port 1194
set firewall name WAN_LOCAL rule 30 protocol udp
NOTE: Make sure that this rule does not override any existing firewall policies!

9. Create the OpenVPN virtual tunnel interface and define the local and remote ports.

set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 remote-port 1194

10. Define the local and remote endpoints of the tunnel.

set interfaces openvpn vtun0 remote-host 192.0.2.1
set interfaces openvpn vtun0 local-host 203.0.113.1

11. Define the local and remote tunnel IP addresses.

set interfaces openvpn vtun0 local-address 10.255.12.1
set interfaces openvpn vtun0 remote-address 10.255.12.2  
NOTE: If you do not add a subnet mask to these addresses the prefix length will be /32.

12. Link the shared secret to the virtual tunnel interface.

set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret

14. Create either static or dynamic routing entries for the remote subnet.

(A) Static Routing

set protocols static interface-route 172.16.1.0/24 next-hop-interface vtun0
set protocols static interface-route 10.0.1.0/24 next-hop-interface vtun1

(B) Dynamic routig using OSPF

set interfaces openvpn vtun0 ip ospf network point-to-point

set protocols ospf passive-interface default
set protocols ospf passive-interface-exclude vtun0
set protocols ospf parameters router-id 0.0.0.1
set protocols ospf area 0 network 10.255.12.1/32
set protocols ospf area 0 network 192.168.1.0/24

15. (Optional) Tweak the OpenVPN options (see the OpenVPN manual for more information).

16. Commit the changes and save the configuration.

commit ; save 

Steps: Testing & Verification


Back to Top

1. Verify that the traffic is increasing the counters on the OpenVPN firewall rule.

show firewall name WAN_LOCAL statistics 
--------------------------------------------------------------------------------

IPv4 Firewall "WAN_LOCAL"  [WAN to router]

 Active on (eth0,LOCAL)

rule  packets     bytes       action  description
----  -------     -----       ------  -----------
10    1549        142354      ACCEPT  Allow established/related
20    0           0           DROP    Drop invalid state
30    6           312         ACCEPT  openvpn
10000 9           702         DROP    DEFAULT ACTION

2. Verify the state of the OpenVPN interface.

show interfaces
Interface    IP Address                        S/L  Description                
---------    ----------                        ---  -----------                
vtun0        10.255.12.1                       u/u                                            

show interfaces openvpn detail
vtun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.255.12.1 peer 10.255.12.2/32 scope global vtun0
       valid_lft forever preferred_lft forever

    RX:  bytes    packets     errors    dropped    overrun      mcast
         10340        142          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
         11520        152          0          0          0          0

3. Verify the state of the OpenVPN site-to-site tunnel.

show openvpn status site-to-site 
OpenVPN client status on vtun0 []

Remote CN       Remote IP       Tunnel IP       TX byte RX byte Connected Since
--------------- --------------- --------------- ------- ------- ------------------------
None (PSK)      192.0.2.1    10.255.12.2       31.4K   31.1K N/A

4. Capture the OpenVPN traffic on the WAN interface.

sudo tcpdump -i eth0 -n udp dst port 1194
IP 203.0.113.1.1194 > 192.0.2.1.1194: UDP, length 60
IP 192.0.2.1.1194 > 203.0.113.1.1194: UDP, length 60
IP 203.0.113.1.1194 > 192.0.2.1.1194: UDP, length 188
IP 203.0.113.1.1194 > 192.0.2.1.1194: UDP, length 60
IP 192.0.2.1.1194 > 203.0.113.1.1194: UDP, length 188
NOTE: This is a live capture. If there is no output the traffic is either not being generated or there is something blocking the traffic upstream.

5. Display and analyze the OpenVPN log messages.

show log | match openvpn
ubnt openvpn[2451]: TUN/TAP device vtun0 opened
ubnt openvpn[2451]: TUN/TAP TX queue length set to 100
ubnt openvpn[2451]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
ubnt openvpn[2451]: /sbin/ip link set dev vtun0 up mtu 1500
ubnt openvpn[2451]: /sbin/ip addr add dev vtun0 local 10.255.12.1 peer 10.255.12.2
ubnt openvpn[2461]: UDPv4 link local (bound): [AF_INET]203.0.113.1:1194
ubnt openvpn[2461]: UDPv4 link remote: [AF_INET]192.0.2.1:1194
ubnt openvpn[2461]: Peer Connection Initiated with [AF_INET]192.0.2.1:1194
ubnt openvpn[2461]: Initialization Sequence Completed
NOTE: This is also live capture. If there is no output that means that the tunnel is not established.

6. Verify the static or dynamic routing entries.

show ip route
O    *> 172.16.1.0/24 [110/20] via 10.255.12.2, vtun0, 00:11:39
C    *> 10.255.12.1/32 is directly connected, vtun0
C    *> 10.255.12.2/32 is directly connected, vtun0

7. (Optional) Verify the OSFP interfaces and neighborships:

show ip ospf interface 
vtun0 is up, line protocol is up
  Internet Address 10.255.12.1/32, Area 0.0.0.0, MTU 1500
  Process ID 0, VRF (default), Router ID 0.0.0.1, Network Type POINTTOPOINT, Cost: 10
  Transmit Delay is 1 sec,  State Point-To-Point, TE Metric 10
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

eth1 is up, line protocol is up
  Internet Address 192.168.1.1/24, Area 0.0.0.0, MTU 1500
  Process ID 0, VRF (default), Router ID 0.0.0.1, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec,  State DR, Priority 1, TE Metric 10
  Designated Router (ID) 0.0.0.1, Interface Address 192.168.1.1
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

show ip ospf neighbor
Total number of full neighbors: 2
OSPF process 0 VRF(default):
Neighbor ID     Pri   State            Dead Time   Address         Interface           Instance ID
0.0.0.2           1   Full/ -          00:00:33    10.255.12.2     vtun0                   0

Related Articles


Back to Top