We continue previous post about creation of site to site vpn between multiple branch offices and central office of company. How to create site to site VPN for SMB with low IT budget. part1 How to setup OpenVPN server on debian? part2 How to create site to site vpn from pfsense to openvpn server.part3 Install latest Debian Linux (better from network installer). During the installation choose: ssh server std system utilities Configure IP address for the server. For example nano /etc/network/interfaces: iface eth0 inet static Continue reading →{"id":834,"date":"2017-07-22T18:05:06","date_gmt":"2017-07-22T10:05:06","guid":{"rendered":"https:\/\/www.itforce.mn\/?p=834"},"modified":"2017-07-23T14:08:10","modified_gmt":"2017-07-23T06:08:10","slug":"how-to-setup-openvpn-server-on-debian","status":"publish","type":"post","link":"https:\/\/www.itforce.mn\/index.php\/2017\/07\/22\/how-to-setup-openvpn-server-on-debian\/","title":{"rendered":"How to setup OpenVPN server on debian? part2"},"content":{"rendered":"

$\"\"$ <\/p>\n

We continue previous post about creation of site to site vpn between multiple branch offices and central office of company<\/a>.<\/p>\n

How to create site to site VPN for SMB with low IT budget. part1<\/a><\/li>\n
How to setup OpenVPN server on debian? part2<\/a><\/li>\n
How to create site to site vpn from pfsense to openvpn server.part3<\/a><\/li>\n<\/ul>\n
1. Install latest Debian Linux (better from network installer). During the installation choose:\n
  - Configure IP address for the server. For example nano \/etc\/network\/interfaces:<\/li>\n<\/ol>\n
```
iface eth0 inet static\r\naddress 192.168.0.2 # it is considered that 192.168.0.1 is used as dgw in central office\r\ngateway 192.168.0.1\r\nnetmask 255.255.255.0\r\nnetwork 192.168.0.0\r\nbroadcast 192.168.0.255\r\n<\/pre>\n\nLet’s putty\/ssh to 192.168.0.2, run under root:<\/li>\n
apt-get update<\/strong><\/em><\/li>\n
apt-get install openvpn (<\/em><\/strong>if easy-rsa has not installed by openvpn as a dependence apt-get install easy-rsa)<\/em><\/strong><\/li>\n
cd \/etc\/openvpn\/easy-rsa\/<\/strong><\/em><\/li>\nnano vars<\/strong><\/em>, modify for example to:<\/li>\n<\/ol>\nexport KEY_COUNTRY=\"MN\"\r\nexport KEY_PROVINCE=\"TUV\"\r\nexport KEY_CITY=\"UB\"\r\nexport KEY_ORG=\"ITFORCE LLC\"\r\nexport KEY_EMAIL=\"it@itforce.mn\"\r\nexport KEY_OU=\"IT\"\r\n# X509 Subject Field\r\nexport KEY_NAME=\"EasyRSA\"\r\n<\/pre>\n\nsource .\/vars<\/strong><\/em><\/li>\n
chmod +x vars<\/strong><\/em><\/li>\n
.\/vars<\/strong><\/em><\/li>\n
.\/clean-all<\/strong><\/em><\/li>\n
.\/build-ca<\/strong><\/em>\u00a0 (it will read data from vars – just confirm above info, only for “common name” enter ITFORCE-CA; as a result inside \/etc\/openvpn\/easy-rsa\/keys you will get ca.key and ca.crt files – private key and certificate of your PKI CA)<\/li>\n
.\/build-key-server server<\/strong><\/em> (the same, common name is “server”; get two new files in keys folder\u00a0 – server.key and server.crt) No need to enter password (optional)<\/li>\n
.\/build-dh<\/strong><\/em><\/li>\n
.\/build-key client01<\/strong><\/em> (one pair of certificate + key can be used for all branches, but better to generate for each branch own certificate+key – in case of compromise easier to change\/fix\/revoke) For common name – client01. As result — client01.key and client01.crt in keys folder<\/li>\n
Let’s consider that we have following subnets:<\/li>\n<\/ol>\ncentral office and all branch offices have the same 192.168.0.0\/24<\/p>\n
We will later change thru pfsense all branch office subnets to:<\/p>\n
\nbranch office 01 – 172.16.101.0\/24<\/li>\n
branch office 02 – 172.16.102.0\/24<\/li>\n
and so on<\/li>\n<\/ul>\nFor each branch we will create own tunnel, so port forward on your central office router:<\/p>\n
\nUDP 51191 to 192.168.0.2:51191<\/li>\n
UDP 51192 to 192.168.0.2:51192<\/li>\n
and so on<\/li>\n<\/ul>\n\nNow we create for each branch own tun0x.conf:<\/li>\n<\/ol>\ntun01.conf:<\/p>\n
port 51191\r\nproto udp\r\ndev tun01\r\ntls-server\r\n\r\nifconfig 10.0.51.1 10.0.51.2\r\nroute 172.16.101.0 255.255.255.0\r\n\r\ndh \/etc\/openvpn\/easy-rsa\/keys\/dh2048.pem\r\nca \/etc\/openvpn\/easy-rsa\/keys\/ca.crt\r\ncert \/etc\/openvpn\/easy-rsa\/keys\/server.crt\r\nkey \/etc\/openvpn\/easy-rsa\/keys\/server.key\r\nreneg-sec 60\r\n\r\nkeepalive 10 120\r\ncomp-lzo\r\ncipher AES-256-CBC\r\npersist-key\r\npersist-tun\r\n\r\nverb 5\r\nstatus \/var\/log\/openvpn.log\r\n#log-append \/var\/log\/openvpn01 - enable it just for initial setup debugging\r\nuser nobody\r\ngroup nogroup\r\n<\/pre>\ntun02.conf:<\/p>\n
port 51192\r\nproto udp\r\ndev tun02\r\ntls-server\r\n\r\nifconfig 10.0.52.1 10.0.52.2\r\nroute 172.16.102.0 255.255.255.0\r\n\r\ndh \/etc\/openvpn\/easy-rsa\/keys\/dh2048.pem\r\nca \/etc\/openvpn\/easy-rsa\/keys\/ca.crt\r\ncert \/etc\/openvpn\/easy-rsa\/keys\/server.crt\r\nkey \/etc\/openvpn\/easy-rsa\/keys\/server.key\r\nreneg-sec 60\r\n\r\nkeepalive 10 120\r\ncomp-lzo\r\ncipher AES-256-CBC\r\npersist-key\r\npersist-tun\r\n\r\nverb 5\r\nstatus \/var\/log\/openvpn.log\r\n#log-append \/var\/log\/openvpn02 - enable it just for initial setup debugging\r\nuser nobody\r\ngroup nogroup\r\n<\/pre>\nand so on<\/p>\n
10.0.5x.yy addresses are used only to create tunnels and never used directly.<\/p>\n
\nPlace all tun0x.conf files into \/etc\/openvpn\/ folder. During start of openvpn service all these files will be read one by one. As result we will get new network interfaces – ifconfig will show not only lo and eth0, but also tun01, tun02 and so on.<\/li>\n
Very useful to\u00a0 uncomment #log-append \/var\/log\/openvpnxx for initial debugging how connections are established. But later better to disable logging – it consumes a lot of disk space.<\/li>\n
Enable Packet Forwarding\necho 1 > \/proc\/sys\/net\/ipv4\/ip_forward<\/strong><\/em>\r\nto make this permanent :\r\nnano \/etc\/sysctl.conf<\/strong><\/em>\r\n# Uncomment the next line to enable packet forwarding for IPv4\r\n#net.ipv4.ip_forward=1<\/pre>\n<\/li>\nrestart server<\/li>\n
two options:\n\nall network traffic will go thru new openvpn router – for this configure all central office network devices default gw as a 192.168.0.2 thru DHCP or manually. (in turn openvpn server[192.168.0.2] default gw is 192.168.0.1 to access Internet, so tracert to internet will show at first 192.168.0.2, then 192.168.0.1, then isp server ip and so on; tracert to branch01 computer – at first 192.168.0.2, 10.0.101.2, 172.16.101.xx)<\/li>\n
run on each central office server\/workstation which is needed to be connected from\/to branch offices\n\n“route add -p 172.16.101.0 mask 255.255.255.0 192.168.0.2”<\/li>\n
“route add -p 172.16.102.0 mask 255.255.255.0 192.168.0.2”<\/li>\n
and so on — to simplify and automate – you can create batch file and add it into central office AD site group policy as a computer startup script (site group policy, not default domain group policy – we don’t need to change routing tables in other sites)<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n <\/p>\n
How to configure branch office pfsense<\/a><\/p>\n","protected":false},"excerpt":{"rendered":null,"protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,6,7],"tags":[],"class_list":["post-834","post","type-post","status-publish","format-standard","hentry","category-it-governance","category-smb","category-sysadmin-thoughts"],"_links":{"self":[{"href":"https:\/\/www.itforce.mn\/index.php\/wp-json\/wp\/v2\/posts\/834","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.itforce.mn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.itforce.mn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.itforce.mn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.itforce.mn\/index.php\/wp-json\/wp\/v2\/comments?post=834"}],"version-history":[{"count":45,"href":"https:\/\/www.itforce.mn\/index.php\/wp-json\/wp\/v2\/posts\/834\/revisions"}],"predecessor-version":[{"id":919,"href":"https:\/\/www.itforce.mn\/index.php\/wp-json\/wp\/v2\/posts\/834\/revisions\/919"}],"wp:attachment":[{"href":"https:\/\/www.itforce.mn\/index.php\/wp-json\/wp\/v2\/media?parent=834"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.itforce.mn\/index.php\/wp-json\/wp\/v2\/categories?post=834"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.itforce.mn\/index.php\/wp-json\/wp\/v2\/tags?post=834"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
```