Solved

Openvpn Configuration For Static IP Addresses

Posted on 2008-10-07
11
3,346 Views
Last Modified: 2011-10-19
Dear Experts,

I have two offices in two different buildings. I want to create a VPN link for this. I read this link: http://openvpn.net/index.php/documentation/howto.html#config

But I do not understand the configuration file.
I read a similar case here: http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_23711190.html?sfQueryTermInfo=1+openvpn+server.conf+set

But my case is a little bit different:

I am sitting in the head office, where I want to create the VPN server.

Head office (Server1)

Linux box (Ubuntu 8.04) with two NICs
eth1: 10.0.0.5
eth0: 192.168.3.1

Sub-office (Server2)
Linux box with two NICs
eth1: 10.0.0.6
eth0: 192.168.3.2

In both offices I have static IPs. I created the PKI successfully on the head office (Server1).
Please look at the figure attached to this question, and please note that on each eth1 on both servers the following IPs (10.0.0.5) + (10.0.0.6) will be used as gateways. My questions, based on the requirements above:
Q.1 Which method shall I use: (ethernet bridging), (routed IP tunnel) or (ethernet tunnel)?
Q.2 Shall I repeat the (PKI) installation on Server2 (client of Server1)?
Q.3 How will Server2 (client) understand that the (Client1.*) files belong to it, based on the installation of the (PKI)?
Q.4 I need someone to help me with how I set up my configuration files for OpenVPN, (Server,Client).conf.

Note: please provide details about some fields like:
client-config-dir, Diffie-Hellman parameters, which parameters shall I leave and which modify, etc.

Network1.jpg
Question by:mubama0n
11 Comments
 
LVL 51

Expert Comment

by:ahoffmann
In general it's a bad idea to use IPs from the same logical subnet on both ends of the tunnel, unless you're 101% used to setting up correct routing on both ends after establishing the tunnel.
It gets much simpler if you use different networks.
 

Author Comment

by:mubama0n
Thanks for your notes.
OK, no problem. Keep this setting for now and show me how to set up (Server & Client).conf.
 

Author Comment

by:mubama0n
Dear ahoffmann:

Server2 is another network.
 

Author Comment

by:mubama0n
On the client site (Server2), shall we install OpenVPN and do the same steps?
In which file shall we make the settings?
 

Author Comment

by:mubama0n
Dear ahoffmann,

I want to ask you some questions. If I change the setup of the sub-office to:
Sub-office (Server2)
Linux box with two NICs
eth1: 10.0.0.6
eth0: 192.168.0.1

How can it work as a VPN? In this case shall we use (Bridging)?
Please illustrate the case in server.conf.
 
LVL 51

Expert Comment

by:ahoffmann
> this case shall we use (Bridging)?
Yes, but I don't know how to configure that.
 

Author Comment

by:mubama0n
Nobody has solved the problem. Administrator, please advise.
 
LVL 63

Expert Comment

by:SysExpert
1) You need different private LAN subnets on each side, so 3.1 and 3.2 cannot be used.

Change one to 4.1.

2) You need to test and look at the logs to determine what the issues are.
First try, and then post logs.

I hope this helps!
 
LVL 2

Accepted Solution

by:
m_adamczyk earned 500 total points
I have experience creating a very similar scenario. SysExpert is only PARTIALLY correct; when ethernet bridging with OpenVPN you MAY use the same subnet, but I'm not sure how well it will work with static IP addressing. I created an OpenVPN WAN where Server1 had DHCP and gave IPs x.x.x.100-149 and Server2 had DHCP and gave IPs x.x.x.150-199.

Q1: Definitely use ethernet bridging if you wish to keep the same IP subnet. This will also allow DNS information to traverse the VPN link so you can ping by computer name across the VPN.
Q2: I'm not sure what you mean about recreating the PKI on Server 2. I created 1 Certificate Authority and created 2 server keys - Server1 & Server2 - then also created client keys designated for each server (Client1-to-Server1, Client1-to-Server2, Client2-to-Server1, Client2-to-Server2, etc.). The CA.KEY and CA.CRT files you use are the one and only files you produce by creating your Certificate Authority; all keys should be created from it.
Q3: Pick one server (1 or 2) to be the OpenVPN server, and the other will be the client. In the OpenVPN.conf file, you will then put the settings accordingly.
Q4: Before creating a bridged network, I found it much easier to test with a routed connection and then change the settings into a bridged configuration. If you wish to start with a bridged connection, then start with the OpenVPN HOWTO at http://openvpn.net/bridge.html

When you begin testing, do NOT run OpenVPN as a daemon. Start running it from the command line:
openvpn --config server.conf
and read what it tells you. If there are no errors, then continue to the client and run
openvpn --config client.conf
and read what it tells you. This information will be very useful and quicker than digging through logs.

Regarding specific fields in the configuration, the sample server.ovpn and client.ovpn files are the best starting point. They provide various options you MAY set, but only have the minimum set for secure operation. client-config-dir would be used if you are connecting several remote VPN clients to the VPN server; you are not doing this, you are bridging one remote VPN client (acting as your local server) to the VPN server. Diffie-Hellman parameters depend on your desired level of security. Generate your Diffie-Hellman key at either 1024 or 2048 bits and set your config file to reflect that.

If you wish to do more with your OpenVPN installation then consider buying the OpenVPN book. The HOWTO guides on OpenVPN.net were very helpful, and the book helped answer detailed questions about the many parameters.

Please try my suggestions and let me know if you have problems and need more detailed help with your config files.
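As an added example (not part of the accepted answer or of the OpenVPN project), here is a bridged (tap) server.conf/client.conf pair for the topology in the question, with Server1 (10.0.0.5) as the OpenVPN server and Server2 (10.0.0.6) as the client, plus a small check that catches the mismatches between the two files that most often stop the handshake from ever completing (proto, remote/port, tun vs tap, tls-auth key direction). It assumes both hosts join tap0 to a bridge with eth0 via the bridge-start script from the OpenVPN bridging HOWTO; the certificate, key and dh file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Bridged site-to-site pair for the
# question's topology; file names (server1.crt, client1.crt, ta.key,
# dh2048.pem) are assumptions, and both ends are assumed to bridge tap0+eth0.
write_configs() {
  cat > "$1" <<'EOF'
local 10.0.0.5
port 1194
proto udp
dev tap0                    # bridging needs tap, not tun
ca ca.crt
cert server1.crt
key server1.key
dh dh2048.pem               # size must match the file you generated
tls-auth ta.key 0           # client must use direction 1
server-bridge 192.168.3.1 255.255.255.0 192.168.3.200 192.168.3.220
cipher AES-256-CBC
user nobody                 # drop root after the tunnel is up
group nogroup
verb 3
EOF
  cat > "$2" <<'EOF'
client
remote 10.0.0.5 1194
proto udp
dev tap0
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server      # reject a client cert presented as the server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
EOF
}
# opt FILE KEY: value of the first KEY line in FILE, trailing comment stripped
opt() { awk -v k="$2" '$1==k {sub(/#.*/,""); $1=""; sub(/^ +/,""); print; exit}' "$1"; }
# check_pair SERVER CLIENT: prints "ok" or the first mismatch found
check_pair() {
  s=$1 c=$2
  [ "$(opt "$s" proto)" = "$(opt "$c" proto)" ] || { echo "proto mismatch"; return 1; }
  [ "$(opt "$c" remote)" = "$(opt "$s" local) $(opt "$s" port)" ] || { echo "client remote does not match server local/port"; return 1; }
  [ "$(opt "$s" dev | cut -c1-3)" = "$(opt "$c" dev | cut -c1-3)" ] || { echo "tun/tap mismatch"; return 1; }
  [ "$(opt "$s" tls-auth)" != "$(opt "$c" tls-auth)" ] || { echo "tls-auth missing or same direction on both sides"; return 1; }
  echo ok
}
d=$(mktemp -d) && write_configs "$d/server.conf" "$d/client.conf" && check_pair "$d/server.conf" "$d/client.conf"
```

Run check_pair before starting either side in the foreground as described above; a mismatch it reports is faster to fix than reading the two sides' output.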
 

Author Comment

by:mubama0n
Thanks for your solution. I have a small problem: I completed the settings successfully as you posted, but I got a (connection refused) message and I'm trying to solve the problem. Why do you think this message is displayed?
 
LVL 2

Expert Comment

by:m_adamczyk
"Connection Refused" or "Connection Reset"? I have seen "Connection Reset by Peer" messages in my configs - I will check my notes to see what the cause was. I'm stuck with an XP reinstall and will probably need a day to find my notes. Sorry for the long delay in responding.