
Site to Site VPN Using OpenVPN

You have 2 offices, so it makes sense to have a VPN connecting both sites. OpenVPN is both easy to install and reasonably performant. It uses an IP-layer tunnel over UDP transport, with all traffic encrypted, so it is both transparent and secure. However, like any real-world networking problem, there are traps.

Setup

Main office:

  • public IP: 124.74.106.46
  • LAN: 192.168.0.0/24
  • WAN gateway: 192.168.0.2
  • VPN gateway: 192.168.0.15

Branch office:

  • no static public IP
  • LAN: 192.168.2.0/24
  • WAN gateway: 192.168.2.1
  • VPN gateway: 192.168.2.2

VPN network: 10.8.0.0/24

The procedure in http://www.smallnetbuilder.com/security/security-howto/30353-how-to-set-up-a-site-to-site-vpn-with-openvpn is easy enough to follow and clear, so I will not repeat it here. The WAN gateways on both sides are commercial wireless routers and the VPN gateways are custom-built PCs.

Problem 1

After setup the VPN gateways can ping each other, but other machines in the 2 LANs cannot. This is because the PCs used as VPN gateways did not have packet forwarding between network interfaces turned on (a security measure: only routers need to forward packets). The fix is simple enough:

net.ipv4.ip_forward=1

in /etc/sysctl.conf will do; run sysctl -p to make it effective.

Problem 2

Now other machines can ping the VPN gateway on the other side, but the VPN gateways cannot ping other machines on the other side. It turns out the VPN gateway uses its 10.8.0.* tunnel address as the source IP, so the return packet goes to the WAN gateway, which either drops it or throws it out to the WAN side. So you need to add a route for 10.8.0.0/24 via the VPN gateway on the WAN gateway of both sides.
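To make the mechanism behind Problem 2 concrete, here is a small longest-prefix-match simulation. It is an added example, not code from the post: the addresses are the ones given in the setup above, but the routing tables are constructed to mirror the described topology, and the VPN gateway's tunnel address 10.8.0.1 is an assumption (the post only gives the /24). It shows the two halves of the problem: the VPN gateway picks the tunnel address as source because the branch LAN is reached via tun0, and the replying side's WAN gateway then has no better match than its default route until the 10.8.0.0/24 route is added.

```python
"""Longest-prefix-match lookup illustrating Problem 2 (added example, not from the post)."""
import ipaddress

def lookup(table, dst):
    """Longest-prefix match over entries of the form (prefix, *attrs).
    Returns the attrs tuple of the most specific matching prefix, or None."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for prefix, *attrs in table:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, tuple(attrs))
    return best[1] if best else None

# Main-office VPN gateway: (prefix, egress interface, address used as source on it).
# Constructed table; 10.8.0.1 as the tunnel address is an assumption.
VPN_GW = [
    ("192.168.0.0/24", "eth0", "192.168.0.15"),
    ("10.8.0.0/24",    "tun0", "10.8.0.1"),
    ("192.168.2.0/24", "tun0", "10.8.0.1"),   # branch LAN, reachable through the tunnel
    ("0.0.0.0/0",      "eth0", "192.168.0.15"),
]

# Branch-office WAN gateway: (prefix, next hop). "direct" = attached network.
WAN_GW_BEFORE = [("192.168.2.0/24", "direct"), ("0.0.0.0/0", "ISP")]
# Same gateway after adding the static route the post recommends.
WAN_GW_AFTER = WAN_GW_BEFORE + [("10.8.0.0/24", "192.168.2.2")]

def source_address(table, dst):
    """Source address a host picks for dst: the address of the egress interface."""
    match = lookup(table, dst)
    return match[1] if match else None

def reply_next_hop(wan_table, vpn_table, branch_host):
    """Round trip: the main VPN gateway pings branch_host; the branch host replies
    to the ping's source address and hands the reply to its default gateway (the
    branch WAN gateway), whose lookup decides where the reply goes."""
    src = source_address(vpn_table, branch_host)
    hop = lookup(wan_table, src)
    return src, (hop[0] if hop else None)

if __name__ == "__main__":
    print("before:", reply_next_hop(WAN_GW_BEFORE, VPN_GW, "192.168.2.10"))
    print("after: ", reply_next_hop(WAN_GW_AFTER, VPN_GW, "192.168.2.10"))
```

The same lookup run on the WAN gateway of the main office (with 192.168.0.15 as next hop) gives the mirror result, which is why the route is needed on both sides.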

Problem 3

Now one side can connect to the other side with no problem, but not the other way! And things got even weirder: I can traceroute but not ping! It looks like the main office WAN gateway, a TP-Link router, does something funny. Although I specifically added the static route to the VPN gateway:

  • regular packets get routed correctly
  • ICMP echo replies and the TCP return handshake get dropped
  • it sends ICMP redirects for pings from its own side, but many OSs ignore ICMP redirects (for security)

It looks like some kind of firewall I cannot disable. The only way I can think of is to set up custom route rules on every machine, so the WAN router does not get in the way.

  • for DHCP clients I can do that automatically since I already control the DHCP server
  • for manually configured machines you will have to add the routes by hand

Like:

ip route add 192.168.2.0/24 via 192.168.0.15
ip route add 10.8.0.0/24 via 192.168.0.15
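For the DHCP clients mentioned above, the standard way to push those two routes is DHCP option 121 (RFC 3442, classless static routes). Below is an added example, not code from the post, that encodes and decodes that option for the post's route list. One caveat a practitioner should know: RFC 3442 says a client that receives option 121 ignores the router option (3), so the default route (via the WAN gateway 192.168.0.2) must be included in option 121 as well, otherwise the clients lose Internet access. The route list is taken from the post; the default-route entry is added for that reason.

```python
"""DHCP option 121 (RFC 3442 classless static routes) encoder/decoder.
Added example, not from the post; routes are the post's, plus the default route."""
import ipaddress

def encode_option_121(routes):
    """routes: iterable of (destination CIDR, next hop). Each route is encoded as
    prefix length (1 byte), the significant octets of the destination
    (ceil(prefixlen/8) of them), then the 4-octet router address."""
    out = bytearray()
    for dest, via in routes:
        net = ipaddress.IPv4Network(dest, strict=True)   # rejects host bits set, e.g. 10.8.0.8/24
        plen = net.prefixlen
        out.append(plen)
        out += net.network_address.packed[:(plen + 7) // 8]
        out += ipaddress.IPv4Address(via).packed
    return bytes(out)

def decode_option_121(data):
    """Inverse of encode_option_121; raises ValueError on a malformed payload."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError("prefix length out of range")
        sig = (plen + 7) // 8
        if i + 1 + sig + 4 > len(data):
            raise ValueError("truncated option 121 payload")
        dest_int = int.from_bytes(data[i + 1:i + 1 + sig].ljust(4, b"\x00"), "big")
        via = ipaddress.IPv4Address(data[i + 1 + sig:i + 5 + sig])
        routes.append((str(ipaddress.IPv4Network((dest_int, plen))), str(via)))
        i += 1 + sig + 4
    return routes

# Routes for a main-office DHCP client: the two from the post, plus the default
# route that RFC 3442 requires to be repeated here.
MAIN_OFFICE_ROUTES = [
    ("192.168.2.0/24", "192.168.0.15"),
    ("10.8.0.0/24", "192.168.0.15"),
    ("0.0.0.0/0", "192.168.0.2"),
]

def main_office_option_121():
    """Option 121 payload to hand to the DHCP server for main-office clients."""
    return encode_option_121(MAIN_OFFICE_ROUTES)

if __name__ == "__main__":
    payload = main_office_option_121()
    print(payload.hex())
    print(decode_option_121(payload))
```

If the DHCP server is dnsmasq it does this encoding itself: a line of the form dhcp-option=121,192.168.2.0/24,192.168.0.15,10.8.0.0/24,192.168.0.15,0.0.0.0/0,192.168.0.2 is enough. Older Windows clients read the same encoding from option 249 instead, so both options are commonly sent.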

Future work

Commercial routers are good only when you stay within the intended usage model. If I could do it all over again, I would ditch the router and combine the WAN and VPN gateway in one custom-built PC; this way I have full flexibility. The router would be used as just a wifi AP on the side. As for all the networking functionality the router provides:

  • DHCP. I already disabled it on the router and use my own because I want to do PXE boot.
  • DNS. I already disabled it on the router and use my own because I have many internal DNS needs.
  • SNAT and DNAT. It can be done with free software, if you don't miss the web interface.
  • firewall. It is very limited anyway.
  • UPnP. It is better to disable it anyway.
  • traffic shaping. I've never made it work the way I want it to.