[tip] How to set up OpenVPN to connect 2 internetworks seamlessly.
Author: timchen119 (timchen119.blogspot.com)
OpenVPN can be configured in many different ways, depending on the needs of each situation.
What I have put together here is a method that uses two OpenVPN machines (Linux gateways), one server and one client,
to connect two LANs that may be in different geographic locations.
Network 10.1.0.x                                          Network 10.2.0.x

10.1.0.2 <---> 10.1.0.1 ============================= 10.2.0.1 <---> 10.2.0.2
                 GW              VPN                     GW
                              (10.8.0.0)
            OpenVPN Client                          OpenVPN Server
            192.168.23.39                           192.168.23.38
After setting up OpenVPN, you should be able to connect to 10.2.0.2 from 10.1.0.2 without any special settings.
Steps on Debian Linux:
1. apt-get install openvpn (on both client and server)
2. cd /usr/share/doc/openvpn/examples/easy-rsa/
3. edit vars, then source it (if you need a key longer than 1024 bits, 2048 bits or more is recommended; build-dh names its output after the key size, so dh1024.pem below becomes dh2048.pem)
4. ./build-dh
5. ./build-ca
6. ./build-key-server server
7. ./build-key client
(Note: the client must have a different common name from the server's;
we'll need it later. I'll use CVKK2 as the example.)
8. On the client side:
a. copy ca.crt, client.crt, client.csr and client.key into /etc/openvpn
b. create /etc/openvpn/client.conf:
    client
    ns-cert-type server
    remote 192.168.23.38       # server ip
    dev tun
    tls-client
    comp-lzo
    dh dh1024.pem
    ca ca.crt
    cert client.crt
    key client.key
    log openvpn.log
    log-append openvpn.log
c. check your gateway / IP forwarding settings:
if you haven't set them up yet, you'll need these commands in a script under /etc/init.d with a link in /etc/rc2.d:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/24 -j MASQUERADE   # the client's own LAN
9. On the server side:
a. copy ca.key, ca.crt, server.crt, server.csr, server.key and dh1024.pem into /etc/openvpn
b. create /etc/openvpn/server.conf:
    dev tun
    server 10.8.0.0 255.255.255.0
    push "route 10.2.0.0 255.255.255.0"    # tell clients how to reach the server-side LAN
    comp-lzo
    ifconfig-pool-persist ipp.txt
    persist-key
    persist-tun
    tls-server
    dh dh1024.pem
    ca ca.crt
    cert server.crt
    key server.key                         # This file should be kept secret
    client-config-dir ccd
    route 10.1.0.0 255.255.255.0           # kernel route for the client-side LAN; paired with the iroute in ccd/CVKK2
    client-to-client
    push "route 10.1.0.0 255.255.255.0"    # delivered to every client, including CVKK2 whose LAN this is; only useful once other clients join
c. mkdir /etc/openvpn/ccd
d. create the file CVKK2 in the ccd directory
(the filename must match the client's common name in client.crt)
and put the following line in it:
    iroute 10.1.0.0 255.255.255.0
e. check your gateway / IP forwarding settings:
if you haven't set them up yet, you'll need these commands in a script under /etc/init.d with a link in /etc/rc2.d:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/24 -j MASQUERADE   # the server's own LAN (10.1.0.0/24 here was a copy-paste slip)
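The route / iroute / push trio in steps 9b and 9d is where site-to-site setups usually break (an iroute without a matching route, a route nobody claims, or a ccd file whose name does not match the CN). The following checker is an added example, not part of the original post; it reads a constructed copy of the server.conf and ccd/CVKK2 above and reports those inconsistencies.

```python
import ipaddress
import shlex

# Constructed copies of the server.conf and ccd/CVKK2 from the steps above.
SERVER_CONF = """
dev tun
server 10.8.0.0 255.255.255.0
push "route 10.2.0.0 255.255.255.0"
client-config-dir ccd
route 10.1.0.0 255.255.255.0
client-to-client
push "route 10.1.0.0 255.255.255.0"
"""
CCD = {"CVKK2": "iroute 10.1.0.0 255.255.255.0\n"}  # filename == client CN

def parse(text):
    """Yield (option, args) per config line; '#' and ';' start comments."""
    for line in text.splitlines():
        if line.strip().startswith(";"):
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            yield parts[0], parts[1:]

def nets(pairs, option):
    """Collect '<option> <network> <netmask>' entries as IPv4Network objects."""
    return {ipaddress.IPv4Network(f"{a[0]}/{a[1]}") for o, a in pairs if o == option}

def check(server_conf, ccd):
    """Return findings; the page's own files yield only the informational note."""
    opts = list(parse(server_conf))
    findings = []
    if ccd and not any(o == "client-config-dir" for o, _ in opts):
        findings.append("ccd files exist but client-config-dir is not set")
    routes = nets(opts, "route")
    # push "route X Y" arrives as one quoted argument; split it again.
    pushed_args = (shlex.split(a[0]) for o, a in opts if o == "push")
    pushed = nets([(p[0], p[1:]) for p in pushed_args], "route")
    claimed = set()
    for cn, body in ccd.items():
        for ir in nets(parse(body), "iroute"):
            claimed.add(ir)
            if ir not in routes:  # iroute needs a kernel route on the server too
                findings.append(f"ccd/{cn}: iroute {ir} has no matching route in server.conf")
            if ir in pushed:
                findings.append(f"note: route {ir} is pushed to every client, including its owner {cn}")
    for r in routes - claimed:  # kernel sends to tun, but OpenVPN cannot map it to a client
        findings.append(f"route {r} is not claimed by any iroute; packets will be dropped")
    return findings
```

Point SERVER_CONF and CCD at the real /etc/openvpn/server.conf and ccd/ contents to run it against a live gateway.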