EdgeRouter - OpenVPN Site-to-Site

Overview


Readers will learn how to configure a Site-to-Site VPN between two EdgeRouters using OpenVPN.

OpenVPN is characterized by the usage of virtual tunnel interfaces (vtun) and routing entries. In this article, the peers are authenticated using randomly generated 2048 bit shared secrets, but it is also possible to use certificates. 

ATTENTION: Packets passed through OpenVPN tunnel interfaces are not eligible for offloading. This means that the traffic is routed using the CPU and that the performance is limited. Please see the EdgeRouter - Hardware Offloading Explained article for more information.

NOTES & REQUIREMENTS:

Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information and see the attachments for the configuration used in this article.


Equipment used in this article:

  • EdgeRouter-4 (ER-4)
  • Test clients behind the peers


Table of Contents


  1. Network Diagram
  2. Steps: OpenVPN Site-to-Site
  3. Steps: Testing & Verification
  4. Related Articles

Network Diagram



The network topology is shown below. The following interfaces are in use on the EdgeRouters:

ER-1

  • eth0 (WAN) - 203.0.113.1
  • eth1 (LAN) - 192.168.1.1/24
  • vtun0 - 10.255.12.1/32
  • vtun1 - 10.255.13.1/32

ER-2

  • eth0 (WAN) - 192.0.2.1
  • eth1 (LAN) - 172.16.1.1/24
  • vtun0 - 10.255.12.2/32

ER-3

  • eth0 (WAN) - 198.51.100.1
  • eth1 (LAN) - 10.0.1.1/24
  • vtun1 - 10.255.13.3/32

ER-1 will act as a hub, routing traffic between the two spokes (ER-2 and ER-3). 


Steps: OpenVPN Site-to-Site



For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested.

The configuration will mainly focus on ER-1. The configuration of ER-2 and ER-3 will be nearly identical with the exception of the defined subnets. Only the places where the configuration differs will be included in the output below. Please see the attachments below for the full configuration of all routers.

CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Generate the 2048 bit shared secret for the ER-1/ER-2 and the ER-1/ER-3 peering.

generate vpn openvpn-key /config/auth/secret-er1-er2
generate vpn openvpn-key /config/auth/secret-er1-er3

2. Display the ER-1/ER-2 shared secret and copy the output to a text file.

sudo cat /config/auth/secret-er1-er2
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
48fc8ac5b96655a08e041de6263a4e7b
<output shortened>
-----END OpenVPN Static key V1-----

3. Log in to ER-2 and copy the contents of the ER-1/ER-2 shared secret to a new file in the /config/auth directory.

sudo cat > /config/auth/secret-er1-er2
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
48fc8ac5b96655a08e041de6263a4e7b
<output shortened>
-----END OpenVPN Static key V1-----

NOTE: Make sure to add an empty line (a trailing newline) at the end of the pasted output.

4. Use CTRL-D to save the file.

5. Change the file permissions.

sudo chmod 600 /config/auth/secret-er1-er2

5. Verify that the file is in the correct location and that it has the correct permissions.

ls -l /config/auth/
-rw------- 1 root vyattacf 636 Jan 1 13:00 secret-er1-er2
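Steps 2 through 5 depend on the copied key being byte-for-byte intact, ending with a newline, and readable only by root. The following POSIX shell check is an added example and is not part of the Ubiquiti article: it verifies the BEGIN/END markers, that the body is 16 lines of 32 hex digits (256 bytes, i.e. 2048 bits), the trailing newline, and the `-rw-------` mode shown in the `ls -l` output above. The function names are this example's own, and the sample key it writes is a constructed placeholder, not a key produced by `generate vpn openvpn-key`.

```shell
#!/bin/sh
# Added example, not from the Ubiquiti article: sanity-check a copied OpenVPN
# static key file before referencing it with shared-secret-key-file.
# A 2048 bit static key is 16 lines of 32 hex digits (256 bytes) between the
# BEGIN/END markers; the file must end with a newline and be mode 0600.
# Function names are this example's own.

BEGIN_MARK='-----BEGIN OpenVPN Static key V1-----'
END_MARK='-----END OpenVPN Static key V1-----'

# Print the lines between the markers (markers themselves excluded).
key_body() {
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" \
        '$0 == e { inb = 0 } inb { print } $0 == b { inb = 1 }' "$1"
}

# Report every problem found; return 0 only when the file is usable.
check_openvpn_static_key() {
    f="$1"; rc=0
    if [ ! -f "$f" ]; then
        echo "FAIL: $f does not exist"
        return 1
    fi
    grep -q "^$BEGIN_MARK\$" "$f" || { echo "FAIL: BEGIN marker missing in $f"; rc=1; }
    grep -q "^$END_MARK\$" "$f" || { echo "FAIL: END marker missing in $f"; rc=1; }
    body_lines=$(key_body "$f" | grep -c '' || true)
    hex_lines=$(key_body "$f" | grep -c '^[0-9a-fA-F]\{32\}$' || true)
    if [ "$body_lines" -ne 16 ] || [ "$hex_lines" -ne 16 ]; then
        echo "FAIL: expected 16 lines of 32 hex digits, found $hex_lines valid of $body_lines"
        rc=1
    fi
    # The article's note: the pasted file must end with a newline.
    if [ "$(tail -c 1 "$f" | wc -l | tr -d ' ')" -ne 1 ]; then
        echo "FAIL: $f does not end with a newline"
        rc=1
    fi
    # Permissions: expect exactly -rw------- (chmod 600), as in the ls -l output.
    mode=$(ls -ld "$f" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "FAIL: $f has mode $mode, expected -rw------- (chmod 600)"
        rc=1
    fi
    return $rc
}

# Write a constructed placeholder key (NOT a real generated key) in the
# layout the article shows, so the check can be exercised offline.
write_sample_key() {
    out="$1"
    {
        echo '#'
        echo '# 2048 bit OpenVPN static key'
        echo '#'
        echo "$BEGIN_MARK"
        i=0
        while [ "$i" -lt 16 ]; do
            printf '%032x\n' $((i * 65537))   # zero-padded to 32 hex digits
            i=$((i + 1))
        done
        echo "$END_MARK"
    } > "$out"
    chmod 600 "$out"
}

# Stand-alone use: ./check_key.sh /config/auth/secret-er1-er2
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        check_openvpn_static_key "$f" && echo "OK: $f"
    done
fi
```

Run it on the spoke after step 5 with the path you pasted into; a missing final newline or a mode other than 600 is reported before the tunnel is ever brought up, which is far easier to diagnose than a silent peering failure later.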

6. Log back into ER-1 to continue the OpenVPN configuration.

7. Enter configuration mode.

configure

8. Add a firewall rule for the OpenVPN traffic to the local firewall policy.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description OpenVPN
set firewall name WAN_LOCAL rule 30 destination port 1194,11194
set firewall name WAN_LOCAL rule 30 protocol udp

NOTE: The default port OpenVPN uses is UDP 1194. Because we are peering with multiple neighbors, ER-1 will connect to ER-2 using UDP 1194 and ER-3 using UDP 11194. It is possible to change these ports to other values, as long as they don't conflict with other well-known ports and services.


The name of the local firewall policy applied to the WAN interface might be different in your environment. Whatever the naming scheme, make sure that the correct firewall rule is applied under the WAN interface.

9. Create the OpenVPN virtual tunnel interface and define the local and remote ports for the ER-1/ER-2 peering. 

set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 remote-port 1194

10. Define the local and remote endpoints of the tunnel for the ER-1/ER-2 peering.

set interfaces openvpn vtun0 remote-host 192.0.2.1
set interfaces openvpn vtun0 local-host 203.0.113.1

11. Define the tunnel IP addresses for the ER-1/ER-2 peering.

set interfaces openvpn vtun0 local-address 10.255.12.1
set interfaces openvpn vtun0 remote-address 10.255.12.2  

NOTE: If you do not add a subnet mask to these addresses the prefix length will be /32.

12. Link the shared secret to the virtual tunnel interface.

set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret-er1-er2

13. Repeat the configuration for the ER-1/ER-3 peering.

set interfaces openvpn vtun1
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 local-port 11194
set interfaces openvpn vtun1 remote-port 11194
set interfaces openvpn vtun1 local-address 10.255.13.1
set interfaces openvpn vtun1 remote-address 10.255.13.3
set interfaces openvpn vtun1 remote-host 198.51.100.1
set interfaces openvpn vtun1 local-host 203.0.113.1
set interfaces openvpn vtun1 shared-secret-key-file /config/auth/secret-er1-er3

NOTE: You need to use a different tunnel interface ID and different ports.

14. Create either static or dynamic routing entries for the remote subnets.

(A) Static routes for the 172.16.1.0/24 and 10.0.1.0/24 subnets.

set protocols static interface-route 172.16.1.0/24 next-hop-interface vtun0
set protocols static interface-route 10.0.1.0/24 next-hop-interface vtun1

(B) Dynamic routes for the 172.16.1.0/24 and 10.0.1.0/24 subnets using OSPF.

set interfaces openvpn vtun0 ip ospf network point-to-point
set interfaces openvpn vtun1 ip ospf network point-to-point

set protocols ospf passive-interface default
set protocols ospf passive-interface-exclude vtun0
set protocols ospf passive-interface-exclude vtun1
set protocols ospf parameters router-id 0.0.0.1
set protocols ospf area 0 network 10.255.12.1/32
set protocols ospf area 0 network 10.255.13.1/32
set protocols ospf area 0 network 192.168.1.0/24

15. (Optional) Tweak the OpenVPN options (see the OpenVPN manual for more information).

16. Commit the changes and save the configuration.

commit ; save
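The spoke side of each peering is the hub side with every local-* and remote-* value swapped, and the article shows only the hub. The POSIX shell below is an added example, not configuration or code from the Ubiquiti article: it emits the `set` commands for one end of a peering, checks that two ends actually mirror each other before you commit, and prints the static routes a spoke needs (the hub LAN and, since ER-1 routes between the spokes, the other spoke's LAN). Addresses, ports and file paths are the article's; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Ubiquiti article: build the EdgeOS "set" commands
# for one end of a site-to-site OpenVPN peering and check that the two ends
# mirror each other (local-* on one side equals remote-* on the other).
# Addresses, ports and paths are the article's; names are this example's own.

# ovpn_peer_cmds IFACE LOCAL_PORT REMOTE_PORT LOCAL_HOST REMOTE_HOST LOCAL_ADDR REMOTE_ADDR KEYFILE
ovpn_peer_cmds() {
    cat <<EOF
set interfaces openvpn $1 mode site-to-site
set interfaces openvpn $1 local-port $2
set interfaces openvpn $1 remote-port $3
set interfaces openvpn $1 local-host $4
set interfaces openvpn $1 remote-host $5
set interfaces openvpn $1 local-address $6
set interfaces openvpn $1 remote-address $7
set interfaces openvpn $1 shared-secret-key-file $8
EOF
}

# Static routes for a spoke: every remote subnet goes via its single tunnel.
# spoke_route_cmds IFACE SUBNET...
spoke_route_cmds() {
    iface="$1"; shift
    for net in "$@"; do
        echo "set protocols static interface-route $net next-hop-interface $iface"
    done
}

# Value of one option (e.g. local-port) from a command listing.
# Field 5 is the option name, field 6 its value.
ovpn_opt() {
    printf '%s\n' "$1" | awk -v k="$2" '$5 == k { print $6 }'
}

# Return 0 if side A and side B describe the same tunnel, else list mismatches.
ovpn_pair_ok() {
    a="$1"; b="$2"; rc=0
    for opt in port host address; do
        [ "$(ovpn_opt "$a" "local-$opt")" = "$(ovpn_opt "$b" "remote-$opt")" ] \
            || { echo "MISMATCH: A local-$opt vs B remote-$opt"; rc=1; }
        [ "$(ovpn_opt "$b" "local-$opt")" = "$(ovpn_opt "$a" "remote-$opt")" ] \
            || { echo "MISMATCH: B local-$opt vs A remote-$opt"; rc=1; }
    done
    return $rc
}

# ER-1 (hub) and ER-2 (spoke) ends of the vtun0 peering from the article.
ER1_VTUN0=$(ovpn_peer_cmds vtun0 1194 1194 203.0.113.1 192.0.2.1 \
    10.255.12.1 10.255.12.2 /config/auth/secret-er1-er2)
ER2_VTUN0=$(ovpn_peer_cmds vtun0 1194 1194 192.0.2.1 203.0.113.1 \
    10.255.12.2 10.255.12.1 /config/auth/secret-er1-er2)

# Stand-alone use: print the ER-2 side once it is confirmed to mirror ER-1.
if ovpn_pair_ok "$ER1_VTUN0" "$ER2_VTUN0"; then
    echo "# ER-2: vtun0 peering with ER-1 (paste in configure mode)"
    printf '%s\n' "$ER2_VTUN0"
    echo "# ER-2: routes to the ER-1 LAN and, via the hub, the ER-3 LAN"
    spoke_route_cmds vtun0 192.168.1.0/24 10.0.1.0/24
fi
```

The mirror check catches the most common copy-and-paste mistake when building the second router from the first: keeping local-host/remote-host or local-address/remote-address in the hub's order, which leaves both ends trying to bind the same WAN address and the tunnel never comes up.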

Steps: Testing & Verification



1. Verify that the traffic is increasing the counters on the OpenVPN firewall rule.

show firewall name WAN_LOCAL statistics 
--------------------------------------------------------------------------------

IPv4 Firewall "WAN_LOCAL"  [WAN to router]

 Active on (eth0,LOCAL)

rule  packets     bytes       action  description
----  -------     -----       ------  -----------
10    1549        142354      ACCEPT  Allow established/related
20    0           0           DROP    Drop invalid state
30    6           312         ACCEPT  OpenVPN
10000 9           702         DROP    DEFAULT ACTION

2. Verify the state of the OpenVPN interfaces.

show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description                
---------    ----------                        ---  -----------                
vtun0        10.255.12.1                       u/u                             
vtun1        10.255.13.1                       u/u                  

show interfaces openvpn detail
vtun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.255.12.1 peer 10.255.12.2/32 scope global vtun0
       valid_lft forever preferred_lft forever

    RX:  bytes    packets     errors    dropped    overrun      mcast
         10340        142          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
         11520        152          0          0          0          0

vtun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.255.13.1 peer 10.255.13.3/32 scope global vtun1
       valid_lft forever preferred_lft forever

    RX:  bytes    packets     errors    dropped    overrun      mcast
         22216        222          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
         64041        258          0          0          0          0

3. Verify the state of the OpenVPN site-to-site tunnels.

show openvpn status site-to-site 
OpenVPN client status on vtun1 []

Remote CN       Remote IP       Tunnel IP       TX byte RX byte Connected Since
--------------- --------------- --------------- ------- ------- ------------------------
None (PSK)      198.51.100.1    10.255.13.3       84.4K   83.3K N/A

OpenVPN client status on vtun0 []

Remote CN       Remote IP       Tunnel IP       TX byte RX byte Connected Since
--------------- --------------- --------------- ------- ------- ------------------------
None (PSK)      192.0.2.1       10.255.12.2       31.4K   31.1K N/A

4. Capture the OpenVPN traffic on the WAN interface.

sudo tcpdump -i eth0 -n udp dst port 1194 or port 11194
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 203.0.113.1.1194 > 192.0.2.1.1194: UDP, length 60
IP 192.0.2.1.1194 > 203.0.113.1.1194: UDP, length 60
IP 203.0.113.1.1194 > 192.0.2.1.1194: UDP, length 188
IP 203.0.113.1.1194 > 192.0.2.1.1194: UDP, length 60
IP 192.0.2.1.1194 > 203.0.113.1.1194: UDP, length 188
IP 203.0.113.1.11194 > 198.51.100.1.11194: UDP, length 108
IP 198.51.100.1.11194 > 203.0.113.1.11194: UDP, length 60
IP 203.0.113.1.11194 > 198.51.100.1.11194: UDP, length 60
IP 198.51.100.1.11194 > 203.0.113.1.11194: UDP, length 188
IP 203.0.113.1.11194 > 198.51.100.1.11194: UDP, length 108 

NOTE: This is a live capture. If there is no output that means that the traffic is either not being generated by the client, or there is something blocking the traffic upstream. If there is output here and the connection is not establishing, verify the firewall rules above.

5. Display and analyze the OpenVPN log messages.

show log | match openvpn
ubnt openvpn[2451]: TUN/TAP device vtun0 opened
ubnt openvpn[2451]: TUN/TAP TX queue length set to 100
ubnt openvpn[2451]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
ubnt openvpn[2451]: /sbin/ip link set dev vtun0 up mtu 1500
ubnt openvpn[2451]: /sbin/ip addr add dev vtun0 local 10.255.12.1 peer 10.255.12.2
ubnt openvpn[2461]: UDPv4 link local (bound): [AF_INET]203.0.113.1:1194
ubnt openvpn[2461]: UDPv4 link remote: [AF_INET]192.0.2.1:1194
ubnt openvpn[2461]: Peer Connection Initiated with [AF_INET]192.0.2.1:1194
ubnt openvpn[2461]: Initialization Sequence Completed

NOTE: This is also a live capture. If there is no output, the tunnel is not established.

6. Verify the static or dynamic routing entries.

show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       > - selected route, * - FIB route, p - stale info

IP Route Table for VRF "default"
O    *> 10.0.1.0/24 [110/20] via 10.255.13.3, vtun1, 00:00:37
O    *> 172.16.1.0/24 [110/20] via 10.255.12.2, vtun0, 00:11:39
C    *> 10.255.12.1/32 is directly connected, vtun0
C    *> 10.255.12.2/32 is directly connected, vtun0
C    *> 10.255.13.1/32 is directly connected, vtun1
C    *> 10.255.13.3/32 is directly connected, vtun1

7. (Optional) Verify the OSPF interfaces and neighborships:

show ip ospf interface 
vtun1 is up, line protocol is up
  Internet Address 10.255.13.1/32, Area 0.0.0.0, MTU 1500
  Process ID 0, VRF (default), Router ID 0.0.0.1, Network Type POINTTOPOINT, Cost: 10
  Transmit Delay is 1 sec,  State Point-To-Point, TE Metric 10
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:01
  Neighbor Count is 1, Adjacent neighbor count is 1
  Hello received 9 sent 31, DD received 3 sent 4
  LS-Req received 1 sent 1, LS-Upd received 4 sent 4
  LS-Ack received 3 sent 4, Discarded 0
  No authentication
vtun0 is up, line protocol is up
  Internet Address 10.255.12.1/32, Area 0.0.0.0, MTU 1500
  Process ID 0, VRF (default), Router ID 0.0.0.1, Network Type POINTTOPOINT, Cost: 10
  Transmit Delay is 1 sec,  State Point-To-Point, TE Metric 10
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:01
  Neighbor Count is 1, Adjacent neighbor count is 1
  Hello received 76 sent 81, DD received 6 sent 8
  LS-Req received 2 sent 2, LS-Upd received 7 sent 18
  LS-Ack received 14 sent 6, Discarded 0
  No authentication
eth1 is up, line protocol is up
  Internet Address 192.168.1.1/24, Area 0.0.0.0, MTU 1500
  Process ID 0, VRF (default), Router ID 0.0.0.1, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec,  State DR, Priority 1, TE Metric 10
  Designated Router (ID) 0.0.0.1, Interface Address 192.168.1.1
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:03
  Neighbor Count is 0, Adjacent neighbor count is 0
  Hello received 0 sent 80, DD received 0 sent 0
  LS-Req received 0 sent 0, LS-Upd received 0 sent 0
  LS-Ack received 0 sent 0, Discarded 0
  No authentication

show ip ospf neighbor
Total number of full neighbors: 2
OSPF process 0 VRF(default):
Neighbor ID     Pri   State            Dead Time   Address         Interface           Instance ID
0.0.0.2           1   Full/ -          00:00:33    10.255.12.2     vtun0                   0
0.0.0.3           1   Full/ -          00:00:36    10.255.13.3     vtun1                   0

8. Send traffic over the tunnel between the hosts:

tracert -d 172.16.1.10
Tracing route to 172.16.1.10 over a maximum of 30 hops


  1     1 ms    <1 ms    <1 ms  10.0.1.1
  2     3 ms     2 ms     2 ms  10.255.13.1
  3     4 ms     4 ms     3 ms  10.255.12.2
  4     4 ms     4 ms     4 ms  172.16.1.10

Trace complete.

tracert -d 10.0.1.10
Tracing route to 10.0.1.10 over a maximum of 30 hops


  1    <1 ms     1 ms    <1 ms  172.16.1.1
  2     2 ms     2 ms     1 ms  10.255.12.1
  3     4 ms     3 ms     3 ms  10.255.13.3
  4    14 ms     7 ms     4 ms  10.0.1.10

Trace complete.

Related Articles

