OpenVPN Site to Site Connection

Hello Experts,

We have 3 LANs in different locations wanting to be connected into a WAN via OpenVPN. Connecting them through Cisco routers isn't an option because on 2 of the LANs we have NO control over the networking equipment (let's call those sites Site B & C), i.e. we can't open ports on them or configure any routings.
This leaves our only choice as OpenVPN. We would like to host our OpenVPN server (Windows based) in Site A and have Site B & C connect to A as clients. All the hosts in Site A, B & C can ping each other without having the OpenVPN client installed individually, except the 3 computers that act as Server and Clients at Site A, B & C respectively.

My question is, is it even technically possible to implement such thing under the above-mentioned constraints? If so then what would the configurations be like?

As of this point, I am able to configure a host-to-site a.k.a. RoadWarrior configuration that allows clients (but not hosts that don't have OpenVPN clients configured) on B & C to ping all the hosts on A, but not vice versa. Thank you in advance to all the experts for any input.

While this issue is old, it still remains open. I hope the info below is helpful.

I have configured a few networks using OpenVPN in both bridging and routing scenarios using permanent connections and user-initiated connections (RoadWarrior?). What I understand you're trying to do is connect sites A, B, & C as B-to-A and C-to-A connections so computers on either end of the connection may ping each other.

In my experience, a properly configured OpenVPN server config file and firewall should accomplish this. I think your key solution will be found on whatever device is acting as OpenVPN server at site A. First, ensure that in the OpenVPN Server Config, client-to-client is enabled; this enables different VPN clients to see each other when connected. Also make sure you have a PUSH "route lan.ip.address.pool" command. If you are able to ping all Site A computers from a connected computer at Site B or C, then the above steps are likely already in place.

The tricky part is in setting firewall commands on the server device. My experience is with Linux embedded routers (aka BusyBox) using the IPTABLES command. One key setting in the firewall is:
iptables -I FORWARD -i tun+ -j ACCEPT
This line instructs the router to pass along any outgoing traffic destined for VPN clients.

I also have the following line, but I don't think you'll need it:
iptables -t nat -A PREROUTING -i vlan1 -p udp --dport 1194 -j DNAT --to-destination $4:1194

You do not need control of the networking devices at sites B & C to be successful. If you have more than one computer at sites B & C, then you may want to consider establishing the connection to Site A using 1 computer and then share that connection with other computers at that site.

Good luck.
Rob WilliamsCommented:
If you have "NO control over the networking equipment" you cannot configure a site to site VPN. I haven't used OpenVPN but most VPN solutions require the VPN server to have a public IP. Therefore you need to have the VPN server as the perimeter device, configure 1-to-1 NAT on the existing router, or at a minimum, assuming the VPN solution supports NAT-T, configure port forwarding on the routers at each site. It sounds as if none of these is possible.
jayglassAuthor Commented:
We only have control over the network equipment at the site that we host the OpenVPN server. I am thinking if I could configure 2 clients on each site that we have no control over the equipment to bridge all 3 LANs together.

I always think that in OpenVPN (or any other VPN software), each server/client is acting as a router at each end of the bridge to route packets to hosts. All the packets are encapsulated with the VPN headers with routing information that routes them to the OpenVPN server/client through each default gateway, and the OpenVPN server/client would route them to the intended host after decapsulating the VPN headers, so as long as the client/server has the right OpenVPN configuration and routing table, packets will go to any host on each LAN as long as the physical routers allow traffic of IPSec, L2TP, PPTP. Please correct me if I am wrong though.

jayglassAuthor Commented:
We do have a public IP for the OpenVPN server, just not on the clients that are intended to bridge the LANs with the OpenVPN server.
Rob WilliamsCommented:
Are you using a VPN client at the remote site? That may work, but highly doubtful you can configure site-to-site. The VPN configuration uses the public IP to verify the connection.
jayglassAuthor Commented:
We are using a VPN client on the site where we have no control over the router. The OpenVPN server is at the site where we have control over the router, and we can connect to all the hosts in that LAN from whatever computer has the client installed, from whatever network.

I've been messing with the configuration until I finally wonder if that's even possible with using Windows based computer as server/clients under the constraints of not having control over clients' side network equipment.
Rob WilliamsCommented:
If the VPN client can connect you should be able to access other devices on either network but you will need to add static routes.
Can the VPN clients connect? They will only be able to do so if the OpenVPN server supports NAT-T (Network Address Translation - Traversal)
jayglassAuthor Commented:
So let's say that I am on a Windows Server environment... and it goes back to the infrastructure aspect.
What I need to do is to establish the Server in LAN B or C to be a DHCP server that all workstations connect to via a switch, and have the switch connect only to that Windows Server on NIC1 , and then connect the server's NIC2 to the router.
So now all the traffic of workstations @ LAN B would be routed to the Windows Server @ LAN B first, and those meant for the other side (LAN A) would be encapsulated in an OpenVPN packet and decapsulated by the OpenVPN server on the other side and get routed back to LAN A.
Is my concept correct?
Rob WilliamsCommented:
The server at site B would need to be configured to also be a VPN server (rather than a client) and you then create a site to site VPN between the two servers. This would be more easily achieved if the servers at each site were running OpenVPN, or Windows and not mixing the two.

The other option, as m_adamczyk mentioned, is to use a workstation or server running the VPN client and then share that connection using ICS (Internet Connection Sharing), though it would not be my preferred method.
jayglass, I want to say your concept is 90% correct. I DON'T think you MUST connect all LAN B PCs to Server B NIC 1 via a switch and then bridge via NIC 2. Infrastructure-wise, if you configure Windows Server B as the local DHCP server, you can designate it as something of a proxy server (I don't think that's the right term in this case) for connections to the other LANs.

So rather than route all traffic through Server B, just disseminate routing information to all client PCs that traffic for the internet can go through your regular router, while traffic to one of the other LANs must go through Server B (which will in turn encrypt said comm, send it back on NIC1 through the router to LAN A). I'm not sure if it's Active Directory or DHCP that will accomplish this for you. This doc talks about routing tables but not specifically about disseminating them to client machines:

While a workstation running ICS is not necessarily preferred, I disagree about not mixing Windows and OpenVPN. I consider OpenVPN a legitimate add-on like one would run Apache or SSH, and one cannot run ONLY OpenVPN as it isn't an operating system. HOWEVER, loading your server to run email, file/print sharing, VPN connections, and let's say a Database, would be one heck of a busy, overloaded server. As for not wanting to use ICS, ICS is reserved more for workstations (think peer-to-peer networks) where a server is intended to handle more robust network communications.
Either way, first determine if you want the VPN to bridge or route the connections. Find out the differences here:

Next, whatever you decide, OpenVPN uses distinct Server or Client config files to do what's intended. The service either listens for (acts as Server) or initiates (acts as Client) connections. You can run multiple instances of OpenVPN on a single machine thereby doing both (listening and initiating connections). Also, OpenVPN in server mode may listen for several connections on multiple inbound ports.

But back to your specific situation, assume the following:
Site A IP: 172.16.1.x/24
Site B IP: 172.16.2.x/24
Site C IP: 172.16.3.x/24

If your router at each end is x.x.x.1, and your server at each is x.x.x.10 then you'd have Site B's Server run OpenVPN in client mode to connect to the PUBLIC IP address of Site A, and the router there will route the connection to the Server running OpenVPN in server mode. Site C will be configured ALMOST exactly as Site B's server EXCEPT you'll have to use a different key (same Cert Authority) and a different port number. Site A's Server will likely be the trickiest regarding proper routing tables configuration.

I suggest going through the basic step-by-step tutorials provided by OpenVPN and FIRST establishing a routed VPN connection from Site B to Site A. Then configure a second and simultaneous routed VPN connection from Site C to Site A. If configured properly, you should be able to ping reciprocally from A to B, B to A, A to C, C to A... at this point try to work out pinging B to C and C to B via A. It will all be in the firewall & routing tables, assuming the client-to-client option is enabled in OpenVPN.

For best troubleshooting, DO NOT run OpenVPN as a Daemon/Service at first. Run it from the command line so you see any messages/errors in realtime rather than digging through logs. Once it's running correctly, then switch to Daemon/Service.

I hope this gets you closer to your final goal. Please write if more questions come up. Just try to go through the tutorials (in complete detail) before improvising your own configs.
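The server-side settings named in the earlier answer (client-to-client, a pushed route for site A's LAN, the iptables FORWARD rule) and the three-subnet layout above, written out as an added example that is not code from this thread or from the OpenVPN project: a POSIX shell script that emits the OpenVPN server.conf for site A, a per-client ccd file with iroute for each branch, the two client configs, and the firewall rules. Assumptions not taken from the thread: a constructed tunnel subnet 10.8.0.0/24, client certificate CNs "siteB" and "siteC", a placeholder for site A's public address, and one server instance on a single port with client-config-dir rather than a separate port per site.

```shell
#!/bin/sh
# Added example: generate OpenVPN routed site-to-site configs for the
# three-site layout (A = 172.16.1.0/24, B = 172.16.2.0/24, C = 172.16.3.0/24).
# Constructed assumptions: tunnel subnet 10.8.0.0/24, cert CNs siteB/siteC,
# placeholder public IP for site A.

SITE_A_LAN="172.16.1.0 255.255.255.0"
SITE_B_LAN="172.16.2.0 255.255.255.0"
SITE_C_LAN="172.16.3.0 255.255.255.0"
VPN_SUBNET="10.8.0.0 255.255.255.0"
SITE_A_PUBLIC="SITE_A_PUBLIC_IP_PLACEHOLDER"

# server.conf for the OpenVPN server at site A
server_conf() {
  cat <<EOF
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server $VPN_SUBNET
topology subnet
keepalive 10 120
persist-key
persist-tun
# every client learns the route to site A's LAN
push "route $SITE_A_LAN"
# clients may reach each other through the server (B <-> C via A)
client-to-client
# kernel routes for the remote LANs, pointing into the tunnel
route $SITE_B_LAN
route $SITE_C_LAN
# per-client files, named after the cert CN, carry the iroute/push lines
client-config-dir ccd
EOF
}

# ccd entry: $1 = this client's own LAN, $2 = the other branch it should reach
ccd_entry() {
  cat <<EOF
# tells OpenVPN which client is the gateway for this LAN
iroute $1
# route to the other branch; traffic crosses the server
push "route $2"
EOF
}

# client config for a branch host; $1 = certificate basename (CN)
client_conf() {
  cat <<EOF
client
dev tun
proto udp
remote $SITE_A_PUBLIC 1194
nobind
ca ca.crt
cert $1.crt
key $1.key
persist-key
persist-tun
EOF
}

# firewall rules for a Linux server: let traffic into and out of the tunnel
firewall_rules() {
  cat <<EOF
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
EOF
}

# write every file under the directory given as $1
write_all() {
  out="$1"
  mkdir -p "$out/ccd"
  server_conf > "$out/server.conf"
  ccd_entry "$SITE_B_LAN" "$SITE_C_LAN" > "$out/ccd/siteB"
  ccd_entry "$SITE_C_LAN" "$SITE_B_LAN" > "$out/ccd/siteC"
  client_conf siteB > "$out/siteB.ovpn"
  client_conf siteC > "$out/siteC.ovpn"
  firewall_rules > "$out/firewall.sh"
}

if [ -n "${1:-}" ]; then
  write_all "$1"
fi
```

Run it as `sh gen.sh /etc/openvpn` on the site A server. The branch hosts at B and C must forward packets (sysctl net.ipv4.ip_forward=1 on Linux, Routing and Remote Access or the IPEnableRouter setting on Windows), and the other machines on each branch LAN need a route to 172.16.1.0/24 and to the other branch via the OpenVPN host, since the uncontrolled router will not carry it; NAT on the OpenVPN host's second NIC, as the original poster ended up doing, is the alternative. The two FORWARD rules accept everything entering or leaving the tunnel; once the pings work, narrow them to the three LAN subnets so a compromised branch host cannot reach more than the VPN was meant to carry.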

jayglassAuthor Commented:
Thanks m_adamczyk!  I currently have all 3 sites (a server & 2Xclients) configured as routing and I am using Windows server's Routing and Remote Access to route the connections. I am running VPN Server/Client on top of DHCP and NAT on each server and have all the clients connected to a 2nd NIC. Now all of them from each LAN can PING each other across the LAN just fine. The problem with it is there's a big single point of failure.

The immediate problem is DNS doesn't seem to be working well. Our clients are running Windows XP and each client is only resolving the DNS names that belong to the same domain as the client itself. We are running Windows Server 2003's DNS server across the board and we have each of the other DNS servers added to the forwarders in the DNS configurations.
First, confirm that you can ping across the domains in all directions using IP address; if so, you're on the right track. If not, something needs to be changed in the routing tables.

Secondly, I'm pulling here from an example I found elsewhere:
As an example you have company1.local and company2.local

1) On the company1.local windows server setup DNS to pull down the company2.local zone file.
2) On the company2.local windows server setup DNS to pull down the company1.local zone file.
3) Using DHCP set the dns search domain on all the pcs to have both company1.local and company2.local

So if you were to enter \\company1pc\share the pc would look up company1pc.company1.local and get the correct IP address.
Credit for the example goes to: (

Hope this helps.