EdgeRouter - OpenVPN Site-to-Site


Overview


Readers will learn how to configure a Site-to-Site VPN between two EdgeRouters using OpenVPN.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Familiarity with the Command Line Interface (CLI) and basic networking knowledge are required. Please see the Related Articles below for more information.
 
Devices used in this article:

Table of Contents


  1. Network Diagram
  2. OpenVPN Site-to-Site
  3. Testing & Verification
  4. Related Articles

Network Diagram


The network topology is shown below and the following interfaces are in use on the EdgeRouters:

ER-L

  • eth0 (WAN) - 203.0.113.1
  • eth1 (LAN) - 192.168.1.1/24
  • vtun0 - 10.255.12.1/32

ER-R

  • eth0 (WAN) - 192.0.2.1
  • eth1 (LAN) - 172.16.1.1/24
  • vtun0 - 10.255.12.2/32

[Figure: topology.png, the network diagram of ER-L and ER-R described above]


OpenVPN Site-to-Site


CLI: Access the command line interface on ER-L. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Generate the 2048 bit shared secret.

generate vpn openvpn-key /config/auth/secret

2. Display the shared secret and copy the output to a text file.

sudo cat /config/auth/secret
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
48fc8ac5b96655a08e041de6263a4e7b
<output shortened>
-----END OpenVPN Static key V1-----

3. Enter configuration mode.

configure

4. Add a firewall rule for the OpenVPN traffic to the local firewall policy.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description openvpn
set firewall name WAN_LOCAL rule 30 destination port 1194
set firewall name WAN_LOCAL rule 30 protocol udp

5. Create the OpenVPN virtual tunnel interface and link the shared secret.

set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret

6. Define the tunnel mode and local and remote ports.

set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 remote-port 1194

7. Define the local and remote endpoints of the tunnel.

set interfaces openvpn vtun0 remote-host 192.0.2.1
set interfaces openvpn vtun0 local-host 203.0.113.1

8. Define the local and remote tunnel IP addresses.

set interfaces openvpn vtun0 local-address 10.255.12.1
set interfaces openvpn vtun0 remote-address 10.255.12.2

9. Create a routing entry for the remote subnet.

set protocols static interface-route 172.16.1.0/24 next-hop-interface vtun0

10. Tweak the OpenVPN options (see the OpenVPN manual for more information).

11. Commit the changes and save the configuration.

commit ; save

CLI: Access the command line interface on ER-R. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Copy the contents of the shared secret generated earlier to a new file in the /config/auth directory.

sudo cat > /config/auth/secret
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
48fc8ac5b96655a08e041de6263a4e7b
<output shortened>
-----END OpenVPN Static key V1-----

2. Use CTRL-D to save the file.

3. Change the file permissions and set the owner to the root user.

sudo chmod 600 /config/auth/secret
sudo chown root /config/auth/secret

4. Verify that the file is in the correct location and that it has the correct permissions.

ls -l /config/auth/
-rw------- 1 root vyattacf 636 Jan 1 13:00 secret

5. Enter configuration mode.

configure

6. Add a firewall rule for the OpenVPN traffic to the local firewall policy.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description openvpn
set firewall name WAN_LOCAL rule 30 destination port 1194
set firewall name WAN_LOCAL rule 30 protocol udp

7. Create the OpenVPN virtual tunnel interface and link the shared secret.

set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret

8. Define the tunnel mode and local and remote ports.

set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 remote-port 1194

9. Define the local and remote endpoints of the tunnel.

set interfaces openvpn vtun0 remote-host 203.0.113.1
set interfaces openvpn vtun0 local-host 192.0.2.1

10. Define the local and remote tunnel IP addresses.

set interfaces openvpn vtun0 local-address 10.255.12.2
set interfaces openvpn vtun0 remote-address 10.255.12.1

11. Create a routing entry for the remote subnet.

set protocols static interface-route 192.168.1.0/24 next-hop-interface vtun0

12. Tweak the OpenVPN options (see the OpenVPN manual for more information).

13. Commit the changes and save the configuration.

commit ; save
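A quick sanity check for the key copied in ER-R steps 1 to 4, added here as an example and not part of the Ubiquiti article: it verifies the layout the article shows (16 lines of 32 hex digits between the BEGIN/END markers, 636 bytes including the header) and the 0600 root ownership from steps 3 and 4. It assumes a Linux `stat -c`, takes the expected owner as a parameter, and uses a constructed sample file rather than a real key.

```shell
#!/bin/sh
# Added example (not from the Ubiquiti article): sanity-check the static key
# copied to ER-R before committing shared-secret-key-file (ER-R steps 1-4).
# A 2048-bit OpenVPN V1 static key is 16 lines of 32 hex digits between the
# BEGIN/END markers; with the three "#" header lines that is the 636 bytes
# `ls -l` showed in the article.

BEGIN_MARK='-----BEGIN OpenVPN Static key V1-----'
END_MARK='-----END OpenVPN Static key V1-----'

# Returns 0 only if the file has exactly the V1 static-key layout.
check_key_format() {
    [ -f "$1" ] || return 1
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        !inkey && /^#/ { next }                        # header comment lines
        $0 == b { if (inkey || done) bad++; inkey = 1; next }
        $0 == e { if (!inkey) bad++; inkey = 0; done = 1; next }
        inkey && length($0) == 32 && $0 ~ /^[0-9a-fA-F]+$/ { hex++; next }
        { bad++ }                                      # anything else: paste error
        END { exit !(done && !inkey && hex == 16 && bad == 0) }
    ' "$1"
}

# Returns 0 only if the mode is 0600 and the owner matches ($2, root on the
# router; the demo below passes the current user because it may not run as root).
check_key_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    who=$(stat -c '%U' "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ] && [ "$who" = "${2:-root}" ]
}

# Constructed sample key (NOT usable key material: each line is a zero-padded
# counter), written with the same header EdgeOS generates.
write_sample_key() {            # $1 = path, $2 = number of hex lines
    { printf '#\n# 2048 bit OpenVPN static key\n#\n%s\n' "$BEGIN_MARK"
      i=1; while [ "$i" -le "$2" ]; do printf '%032x\n' "$i"; i=$((i+1)); done
      printf '%s\n' "$END_MARK"; } > "$1"
    chmod 600 "$1"
}
TMP=$(mktemp -d)
write_sample_key "$TMP/secret" 16       # complete key
write_sample_key "$TMP/truncated" 15    # one line lost while pasting

check_key_format "$TMP/secret" && echo "secret: layout OK, $(wc -c < "$TMP/secret") bytes"
check_key_format "$TMP/truncated" || echo "truncated: layout BAD, re-paste the key"
check_key_perms "$TMP/secret" "$(id -un)" && echo "secret: mode 0600 and owner OK"
```

On the router itself, run the two checks against /config/auth/secret with the default owner (root) before step 5.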

Testing & Verification


You can verify the VPN settings using the following commands from operational mode:

show firewall name WAN_LOCAL statistics
show interfaces
show interfaces openvpn detail
show openvpn status site-to-site
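An added example, not from the article, that cross-checks the two routers' configurations before the show commands above: given the `set` lines for vtun0 and the static route from each side, plus each site's LAN prefix (the prefixes are passed in, since the article's commands do not include the eth1 addresses), it reports any local/remote value that is not mirrored and any route that does not point at the other site's LAN. The sample input is the article's own commands, constructed here as two files.

```shell
#!/bin/sh
# Added example (not from the Ubiquiti article): cross-check that the two
# routers' vtun0 definitions mirror each other before running the `show`
# commands. A static-key tunnel that never comes up is usually a local/remote
# value that was not swapped when the ER-L commands were reused on ER-R, or a
# route that points at the wrong subnet.

opt() { sed -n "s/^set interfaces openvpn vtun0 $2 //p" "$1"; }      # $1 file, $2 option
route_to() { sed -n 's/^set protocols static interface-route \(.*\) next-hop-interface vtun0$/\1/p' "$1"; }

# $1/$2 = files of `set` lines for ER-L/ER-R, $3/$4 = their LAN prefixes.
# Prints each problem found and returns the number of problems (0 = consistent).
check_mirror() {
    L="$1"; R="$2"; n=0
    for p in host address port; do      # local-* on one side must be remote-* on the other
        [ "$(opt "$L" local-$p)" = "$(opt "$R" remote-$p)" ] || { echo "ER-L local-$p != ER-R remote-$p"; n=$((n+1)); }
        [ "$(opt "$R" local-$p)" = "$(opt "$L" remote-$p)" ] || { echo "ER-R local-$p != ER-L remote-$p"; n=$((n+1)); }
    done
    [ "$(opt "$L" mode)" = site-to-site ] && [ "$(opt "$R" mode)" = site-to-site ] \
        || { echo "mode must be site-to-site on both routers"; n=$((n+1)); }
    [ "$(route_to "$L")" = "$4" ] || { echo "ER-L route $(route_to "$L") != ER-R LAN $4"; n=$((n+1)); }
    [ "$(route_to "$R")" = "$3" ] || { echo "ER-R route $(route_to "$R") != ER-L LAN $3"; n=$((n+1)); }
    return "$n"
}

# Constructed input: the vtun0 and route lines from the article, one file per router.
TMP=$(mktemp -d)
cat > "$TMP/er-l" <<'EOF'
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 remote-port 1194
set interfaces openvpn vtun0 remote-host 192.0.2.1
set interfaces openvpn vtun0 local-host 203.0.113.1
set interfaces openvpn vtun0 local-address 10.255.12.1
set interfaces openvpn vtun0 remote-address 10.255.12.2
set protocols static interface-route 172.16.1.0/24 next-hop-interface vtun0
EOF
cat > "$TMP/er-r" <<'EOF'
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 remote-port 1194
set interfaces openvpn vtun0 remote-host 203.0.113.1
set interfaces openvpn vtun0 local-host 192.0.2.1
set interfaces openvpn vtun0 local-address 10.255.12.2
set interfaces openvpn vtun0 remote-address 10.255.12.1
set protocols static interface-route 192.168.1.0/24 next-hop-interface vtun0
EOF

check_mirror "$TMP/er-l" "$TMP/er-r" 192.168.1.0/24 172.16.1.0/24 && echo "ER-L and ER-R mirror each other"
```

On a real pair of routers, feed it the output of `show configuration commands | grep vtun0` from each side.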

Related Articles


EdgeRouter - OpenVPN Layer 2 Tunnel

Intro to Networking - How to Establish a Connection Using SSH
