Introduction
A site-to-site VPN configuration consists of two or more different networks connected together using one OpenVPN tunnel. In this connection model, devices in one network can reach devices in the other network, and vice versa. All networks should ideally have a device that is capable of routing traffic through the endpoint devices (VPN server and VPN client) for the entire network. For more documentation refer to Site-to-Site Routing Explained in Detail.
Overview
Step by step Configuration guide
Go to the Admin UI and open VPN Settings. In the item titled Should VPN clients have access to private subnets set the selection to Yes, using Routing, and in the item titled Specify the private subnets to which all clients should be given access enter the subnet of the network where your OpenVPN Access Server is located. In the example site-to-site setup shown in the picture series above, this is 192.168.70.0/24. Make sure the item titled Allow access from these private subnets to all VPN client IP addresses and subnets is set to Yes. Then save settings and update running servers.
Note: When your Access Server is deployed in AWS and you select the Yes, using Routing option, you also need to do the following:
- Disable the source/destination check on the OpenVPN Access Server instance to let the appliance forward traffic from and to clients
- Set the OpenVPN Access Server security group accordingly to allow traffic from other IPs in the VPC to reach the clients and subsidiary office
- Update your private subnets’ routing tables to let the internal VPC router know which subnets are reachable via the Access Server (i.e., VPN client and subsidiary office subnets)
Next, go to USER MANAGEMENT>User Permissions and create a new user and password. If you use an external authentication system like RADIUS, LDAP, or SAML, make sure the account exists there. You will need to be able to actually log in and use this account, of course. On the new user account check the box for Allow Auto-login privileges.
Then click the Pencil icon to reveal More Settings. Set the Configure VPN gateway option to Yes and in the large text field that then appears below it, enter the subnet of the remote network where the OpenVPN client gateway system is going to be installed. In the example site-to-site setup described in the picture series above, this would be 10.0.60.0/24.
Now save settings and update running servers.
Then add the following static routes on the HQ router device:
- Network 172.16.0.0 with subnet mask 255.255.240.0 through gateway 192.168.70.222
- Network 10.0.60.0 with subnet mask 255.255.255.0 through gateway 192.168.70.222
With these static routes in place, whenever traffic arrives at the HQ router with a destination IP address in 172.16.0.0/20 or 10.0.60.0/24, the router forwards it to the OpenVPN Access Server at 192.168.70.222. The Access Server knows how to reach those two subnets and forwards the traffic on to where it needs to go.
How to set up the OpenVPN Linux Gateway client
In this example, a Linux system takes the role of a VPN client that also acts as a gateway. What you need is the OpenVPN open-source client program for Linux and the connection profile. For more details, please refer to How to set up the OpenVPN Linux Gateway client.
Once the OpenVPN Linux Client gateway system is configured, the site-to-site setup on that end is complete. These are the static routes that need to be added on the subsidiary router device:
- Network 172.16.0.0 with subnet mask 255.255.240.0 through gateway 10.0.60.55
- Network 192.168.70.0 with subnet mask 255.255.255.0 through gateway 10.0.60.55
With these static routes in place, whenever traffic arrives at the subsidiary router with a destination IP address in 172.16.0.0/20 or 192.168.70.0/24, the router forwards it to the OpenVPN Linux Gateway client at 10.0.60.55. The gateway client knows how to reach those two subnets and forwards the traffic on to where it needs to go.
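The two static-route lists above (HQ router and subsidiary router) are easy to get half right: a packet reaches the other site but the reply has no route back. The following added check, which is not part of this guide or of Access Server, models both routers with the addresses used in this example (172.16.0.0/20 for the VPN client subnet, 192.168.70.0/24 for HQ, 10.0.60.0/24 for the subsidiary office), resolves the next hop by longest-prefix match, and reports any tunnel subnet a router is missing a route for.

```python
import ipaddress

# Subnets from this guide's example topology.
VPN_CLIENT_NET = ipaddress.ip_network("172.16.0.0/20")   # Access Server's VPN client pool
HQ_NET = ipaddress.ip_network("192.168.70.0/24")         # LAN where the Access Server lives
BRANCH_NET = ipaddress.ip_network("10.0.60.0/24")        # LAN where the Linux gateway client lives

# Static routes exactly as entered on each router: (network, dotted mask, gateway).
HQ_ROUTER_ROUTES = [
    ("172.16.0.0", "255.255.240.0", "192.168.70.222"),
    ("10.0.60.0", "255.255.255.0", "192.168.70.222"),
]
BRANCH_ROUTER_ROUTES = [
    ("172.16.0.0", "255.255.240.0", "10.0.60.55"),
    ("192.168.70.0", "255.255.255.0", "10.0.60.55"),
]

# Which LAN each router serves (hypothetical table built for this check).
ROUTERS = {HQ_NET: HQ_ROUTER_ROUTES, BRANCH_NET: BRANCH_ROUTER_ROUTES}


def parse_routes(routes):
    """Convert (network, dotted mask, gateway) triples into (IPv4Network, IPv4Address) pairs."""
    return [(ipaddress.ip_network(f"{net}/{mask}"), ipaddress.ip_address(gw))
            for net, mask, gw in routes]


def next_hop(routes, dst):
    """Longest-prefix match over the static routes; None means no static route covers dst."""
    dst = ipaddress.ip_address(dst)
    matches = [(n, gw) for n, gw in parse_routes(routes) if dst in n]
    if not matches:
        return None
    _, gw = max(matches, key=lambda m: m[0].prefixlen)
    return str(gw)


def missing_routes(local_net, routes):
    """Tunnel subnets this LAN router must reach but has no static route for."""
    needed = [n for n in (VPN_CLIENT_NET, HQ_NET, BRANCH_NET) if n != local_net]
    parsed = parse_routes(routes)
    return [str(n) for n in needed if not any(n.subnet_of(r) for r, _ in parsed)]


def path_ok(src, dst):
    """True when src's LAN router can forward to dst AND dst's LAN router can forward the reply."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_routes = next(r for net, r in ROUTERS.items() if src in net)
    dst_routes = next(r for net, r in ROUTERS.items() if dst in net)
    return next_hop(src_routes, dst) is not None and next_hop(dst_routes, src) is not None
```

Dropping one entry from either route list makes missing_routes() name the subnet and path_ok() fail for hosts in it, which is the asymmetric-routing symptom to look for when pings cross the tunnel in only one direction.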
With the above steps completed, both the OpenVPN Access Server and the OpenVPN Linux Gateway client should be operating correctly.
Access Server Resources:
OpenVPN Access Server Documentation
OpenVPN Access Server Resource Center
OpenVPN Access Server Admin Manual