I have two sites hosting my home servers, so I wanted a solution that gives me a permanent link between the sites.
On site one I have an EdgeRouter POE and on the other site an EdgeRouter Lite, and the obvious solution is a site-to-site VPN that is up permanently.
There is a great tutorial on the UBNT forum site that I followed (see here).
Here is my setup, derived from the tutorial with some extra steps.
Router 1:
External IP/Name: site1.mooo.com (can also use an external IP address)
Internal IP: 192.168.2.1
Router 2:
External IP/Name: site2.mooo.com (can also use an external IP address)
Internal IP: 192.168.9.1
Steps
Step 1: On Router 1, access the command line and create a pre-shared key (NOT in Configure mode, but in Operational Mode).
generate vpn openvpn-key /config/auth/secret
Step 2: Transfer the pre-shared key to the other machine
View the pre-shared key on Router 1:
sudo cat /config/auth/secret
Copy the contents onto your clipboard.
Log in to Router 2 using ssh. Create the file:
cat > /config/auth/secret
Paste the text from your clipboard.
Hit CTRL-D to save the file.
Change permissions on the file you just created:
chmod 600 /config/auth/secret
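The key is moved by copy and paste, so before either side is configured it is worth checking that the file on Router 2 is byte-for-byte what Router 1 generated. The script below is an added helper (not part of the tutorial or EdgeOS): it validates the file layout and mode and prints a SHA-256 fingerprint to compare on both routers. The function names are my own, and the sample key it writes is a constructed placeholder with the shape of an OpenVPN V1 static key, not a real key.

```shell
#!/bin/sh
# Constructed sample key (NOT a real key): same layout as /config/auth/secret,
# i.e. comment lines, header, 16 lines of 32 hex chars, footer. Hypothetical helper.
make_sample_key() {
    f="$1"
    {
        echo '#'
        echo '# 2048 bit OpenVPN static key (constructed sample)'
        echo '#'
        echo '-----BEGIN OpenVPN Static key V1-----'
        i=1
        while [ "$i" -le 16 ]; do printf '%032x\n' "$i"; i=$((i + 1)); done
        echo '-----END OpenVPN Static key V1-----'
    } > "$f"
    chmod 600 "$f"
}

# Fingerprint so the file can be compared on both routers after the paste.
psk_fingerprint() {
    { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# check_psk FILE: returns 0 only if the file is mode 600, carries the V1
# header and footer, and holds exactly 16 well-formed 32-hex-char key lines.
check_psk() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || { echo "bad mode $mode (want 600)"; return 1; }
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$f" || { echo "no header"; return 1; }
    grep -q '^-----END OpenVPN Static key V1-----$' "$f" || { echo "no footer"; return 1; }
    # Key body = everything strictly between header and footer.
    body=$(sed -n '/^-----BEGIN OpenVPN Static key V1-----$/,/^-----END OpenVPN Static key V1-----$/p' "$f" | sed '1d;$d')
    lines=$(printf '%s\n' "$body" | wc -l | tr -d ' ')
    [ "$lines" -eq 16 ] || { echo "expected 16 key lines, got $lines"; return 1; }
    # Count lines that are not exactly 32 lowercase hex characters (a paste error).
    bad=$(printf '%s\n' "$body" | grep -c -v -E '^[0-9a-f]{32}$' || true)
    [ "$bad" -eq 0 ] || { echo "$bad malformed key lines"; return 1; }
    echo "ok sha256=$(psk_fingerprint "$f")"
}
```

Run `check_psk /config/auth/secret` on both routers; the two printed hashes must match, otherwise the paste was truncated or altered.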
Step 3: Configure Router 1
# Enter configuration mode
configure
# Configure the OpenVPN to use vtun0
set interfaces openvpn vtun0
set interfaces openvpn vtun0 mode site-to-site
# Assign ports for use by OpenVPN
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 remote-port 1194
# Assign a local address for use by OpenVPN
set interfaces openvpn vtun0 local-address 10.99.99.1
# Assign a remote address for use by OpenVPN
set interfaces openvpn vtun0 remote-address 10.99.99.2
# Tell OpenVPN the public address of the remote system
set interfaces openvpn vtun0 remote-host site2.mooo.com
# Tell OpenVPN where to find the secret file
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
# Enable Compression (optional: Must do on both sides or neither)
set interfaces openvpn vtun0 openvpn-option "--comp-lzo"
# Enable Float, Ping, and Other Security Options (optional: See OpenVPN Man Page for details)
set interfaces openvpn vtun0 openvpn-option "--float"
set interfaces openvpn vtun0 openvpn-option "--ping 10"
set interfaces openvpn vtun0 openvpn-option "--ping-restart 20"
set interfaces openvpn vtun0 openvpn-option "--ping-timer-rem"
set interfaces openvpn vtun0 openvpn-option "--persist-tun"
set interfaces openvpn vtun0 openvpn-option "--persist-key"
set interfaces openvpn vtun0 openvpn-option "--user nobody"
set interfaces openvpn vtun0 openvpn-option "--group nogroup"
# Tell EdgeRouter the remote subnet
set protocols static interface-route 192.168.9.0/24 next-hop-interface vtun0
# Commit, Save, and Exit Configuration Mode
commit
save
exit
Step 4: Configure Router 2
# Enter configuration mode
configure
# Configure the OpenVPN
set interfaces openvpn vtun0
set interfaces openvpn vtun0 mode site-to-site
# Assign ports for use by OpenVPN
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 remote-port 1194
# Assign a local address for use by OpenVPN
set interfaces openvpn vtun0 local-address 10.99.99.2
# Assign a remote address for use by OpenVPN
set interfaces openvpn vtun0 remote-address 10.99.99.1
# Tell OpenVPN the public address of the remote system
set interfaces openvpn vtun0 remote-host site1.mooo.com
# Tell OpenVPN where to find the secret file
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
# Enable Compression (optional: Must do on both sides or neither)
set interfaces openvpn vtun0 openvpn-option "--comp-lzo"
# Enable Float, Ping, and Other Security Options (optional: See OpenVPN Man Page for details)
set interfaces openvpn vtun0 openvpn-option "--float"
set interfaces openvpn vtun0 openvpn-option "--ping 10"
set interfaces openvpn vtun0 openvpn-option "--ping-restart 20"
set interfaces openvpn vtun0 openvpn-option "--ping-timer-rem"
set interfaces openvpn vtun0 openvpn-option "--persist-tun"
set interfaces openvpn vtun0 openvpn-option "--persist-key"
set interfaces openvpn vtun0 openvpn-option "--user nobody"
set interfaces openvpn vtun0 openvpn-option "--group nogroup"
# Tell EdgeRouter the remote subnet
set protocols static interface-route 192.168.2.0/24 next-hop-interface vtun0
# Commit, Save, and Exit Configuration Mode
commit
save
exit
At this point I am able to ping from one router to the other, but the servers on different sides still do not see each other directly.
Check the status of the tunnel on Router 2:
show interfaces openvpn
ubnt@ubnt:~$ show interfaces openvpn
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description
---------    ----------                        ---  -----------
vtun0        10.99.99.2                        u/u
show interfaces openvpn detail
ubnt@ubnt:~$ show interfaces openvpn detail
vtun0: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.99.99.2 peer 10.99.99.1/32 scope global vtun0
       valid_lft forever preferred_lft forever
    RX:  bytes    packets     errors    dropped    overrun      mcast
       7511101      65574          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
       4571166      58874          0        405          0          0
show openvpn status site-to-site
ubnt@ubnt:~$ show openvpn status site-to-site
OpenVPN client status on vtun0 []
Remote CN       Remote IP       Tunnel IP       TX byte RX byte Connected Since
--------------- --------------- --------------- ------- ------- ------------------------
None (PSK)      site1.mooo.com  10.99.99.1      13.9M   14.3M   N/A
If you need to restart the tunnel after changing the configuration, run the following on both routers:
reset openvpn interface vtun0
Finally, list the resulting configuration of Router 1:
configure
show interfaces openvpn
ubnt@ubnt# show interfaces openvpn
 openvpn vtun0 {
     local-address 10.99.99.1 {
     }
     local-port 1194
     mode site-to-site
     openvpn-option --comp-lzo
     openvpn-option --float
     openvpn-option "--ping 10"
     openvpn-option "--ping-restart 20"
     openvpn-option --ping-timer-rem
     openvpn-option --persist-tun
     openvpn-option --persist-key
     openvpn-option "--user nobody"
     openvpn-option "--group nogroup"
     remote-address 10.99.99.2
     remote-host site2.mooo.com
     remote-port 1194
     shared-secret-key-file /config/auth/secret
 }
And the resulting configuration of Router 2:
configure
show interfaces openvpn
ubnt@ubnt# show interfaces openvpn
 openvpn vtun0 {
     local-address 10.99.99.2 {
     }
     local-port 1194
     mode site-to-site
     openvpn-option --comp-lzo
     openvpn-option --float
     openvpn-option "--ping 10"
     openvpn-option "--ping-restart 20"
     openvpn-option --ping-timer-rem
     openvpn-option --persist-tun
     openvpn-option --persist-key
     openvpn-option "--user nobody"
     openvpn-option "--group nogroup"
     remote-address 10.99.99.1
     remote-host site1.mooo.com
     remote-port 1194
     shared-secret-key-file /config/auth/secret
 }
Step 5: Configure Hairpin NAT on both routers
At this point:
1. I am able to ping from Router1
– the internal IP of Router2 192.168.9.1
2. I am able to ping from Router2
– the internal IP of Router1 192.168.2.1
Note that I am still not able to ping anything else from one site to the other. This is the same old story of the router trying to send everything through the WAN.
To solve this, one last configuration change must be made: enable Hairpin NAT on both sites.
From the Router1 GUI go to Firewall/NAT -> Port Forwarding:
– Check “Hairpin NAT” check-box
– add “LAN interface” switch0 (all my servers I want to be visible on the other site are on this interface)
– Apply to save the new config
From the Router2 GUI go to Firewall/NAT -> Port Forwarding:
– Check “Hairpin NAT” check-box
– add “LAN interface” eth1 (all my servers I want to be visible on the other site are on this interface)
– Apply to save the new config.
After this step I can reach all my servers from my desktop as if they were on the same site. Also, all the servers see each other no matter on which site they actually reside.
Update: I was asked about the speed of the connection between sites. It is not the best connection, but it is OK for management. The limitation is not due to the upload/download speeds of the two sites.
Pingback: Linux: How to remote desktop to Fedora Linux from a Windows 10 – blog.voina.org
Not the best speed. I just made a test for you. Upload/download speed on both locations is much higher than the result (500/25Mbps and 100/100 Mbps) so limitation is not there.
What kind of performance do you get with the OpenVPN site-to-site VPN?
Pingback: EdgeRouter: Dual WAN + Hair Pin+ Multiple networks + OpenVPN site-to-site VPN | blog.voina.org
Pingback: EdgeRouter: OpenVPN site-to-site performance | blog.voina.org