Solved

Openvpn Configuration For Static IP Addresses

Posted on 2008-10-07
11
3,363 Views
Last Modified: 2011-10-19
Dear Experts,

I have two offices in two different buildings. I want to create a VPN link for this. I read this link http://openvpn.net/index.php/documentation/howto.html#config

But I do not understand the configuration file.
I read some cases here: http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_23711190.html?sfQueryTermInfo=1+openvpn+server.conf+set

but my case is a little bit different:

I am sitting in the head office, where I want to create the VPN server.

Head office(Server1)

Linux Box (ubuntu 8.04) with two NICs
eth1: 10.0.0.5  
eth0: 192.168.3.1

Sub-Office (Server2)
Linux Box with two NICs
eth1: 10.0.0.6
eth0: 192.168.3.2
In both offices I have static IPs. I created the PKI successfully on the head office (Server1).
Please look at the figure attached to this question, and please note that on each eth1 on both servers the following IPs (10.0.0.5) + (10.0.0.6) will be used as gateway. My questions, based on the requirement above:
Q.1 Which method shall I use: (ethernet bridging), (routed IP tunnel) or (ethernet tunnel)?
Q.2 Shall I repeat the (PKI) installation on Server2 (client of Server1)?
Q.3 How will Server2 (client) understand that the (Client1.*) files belong to it, based on the installation of the (PKI)?
Q.4 I need someone to help me with how to set up my configuration files for OpenVPN, i.e. (Server,Client).conf?

Note: please provide your answer with details about some fields like:
client-config-dir, Diffie-Hellman parameters, which parameters shall I leave and which modify, etc.

Network1.jpg
0
Question by:mubama0n
11 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 22666595
In general it's a bad idea to use IPs from the same logical subnet on both ends of the tunnel, unless you're 101% used to setting up correct routing on both ends after establishing the tunnel.
It's getting much simpler if you use different networks.
0
 

Author Comment

by:mubama0n
ID: 22669461
Thanks for your notes.
OK, no problem. Keep this setting for now and show me how to set up (Server & Client).conf.
0
 

Author Comment

by:mubama0n
ID: 22669492
Dear ahoffmann:

Server2 Is Another Network.
0
 

Author Comment

by:mubama0n
ID: 22670006
On the client site (Server2), shall we install openvpn & do the same steps?
In which file shall we make the settings?
0
 

Author Comment

by:mubama0n
ID: 22670185
Dear ahoffmann

I want to ask you a question. If I change the setup of the sub-office to:
Sub-Office (Server2)
Linux Box with two NICs
eth1: 10.0.0.6
eth0: 192.168.0.1

How can it work as a VPN? In this case, shall we use (Bridging)?
Please illustrate the case in server.conf.

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 22670903
> this case shall we use (Bridging)?
yes, but I don't know how to configure that
0
 

Author Comment

by:mubama0n
ID: 22709031
Nobody has solved the problem. Administrator, please advise.
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 22715448
1) You need different private LAN subnets on each side, so 3.1 and 3.2 cannot be used.

change one to 4.1

2) You need to test and look at the logs to determine what the issues are.
First try and then post logs.


I hope this helps !
0
 
LVL 2

Accepted Solution

by:
m_adamczyk earned 500 total points
ID: 22805236
I have experience creating a very similar scenario. SysExpert is only PARTIALLY correct; when ethernet bridging with OpenVPN you MAY use the same subnet, but I'm not sure how well it will work with static IP addressing. I created an OpenVPN WAN where Server1 had DHCP and gave IPs x.x.x.100-149 and Server2 had DHCP and gave IPs x.x.x.150-199.

Q1: Definitely use ethernet bridging if you wish to keep the same IP subnet. This will also allow DNS information to traverse the VPN link so you can ping by computer name across the VPN.
Q2: I'm not sure what you mean about recreating the PKI on Server 2. I created 1 Certificate Authority and created 2 server keys - Server1 & Server2, then also created client keys designated for each server (Client1-to-Server1, Client1-to-Server2, Client2-to-Server1, Client2-to-Server2, etc.). The CA.KEY and CA.CRT files you use are the 1 and only files you produce by creating your Certificate Authority; All keys should be created from it.
Q3: Pick one Server (1 or 2) to be the OpenVPN server, and the other will be the client. In the OpenVPN.conf file, you will then put the settings accordingly.
Q4: Before creating a bridged network, I found it much easier to test with a routed connection then change the setting into a bridged configuration. If you wish to start with a bridged connection, then start with the OpenVPN HOWTO at http://openvpn.net/bridge.html

When you begin testing, do NOT run OpenVPN as a daemon. Start running it from the command line:
openvpn --config server.conf
and read what it tells you. If there are no errors, then continue to the client and run
openvpn --config client.conf
and read what it tells you. This information will be very useful and quicker than digging through logs.

Regarding specific fields in the configuration, the sample server.ovpn and client.ovpn files are the best starting point. They provide various options you MAY set, but only have the minimum set for secure operation. client-config-dir would be used if you are connecting several remote VPNs to the VPN server; you are not doing this, you are bridging one remote VPN client (acting as your local server) to the VPN server. Diffie-Hellman parameters depend on your level of desired security. Generate your Diffie-Hellman key at either 1024 or 2048 bits and set your config file to reflect that.

If you wish to do more with your OpenVPN installation then consider buying the OpenVPN book. The HOWTO guides on OpenVpn.net were very helpful, and the book helped answer detailed questions about the many parameters.

Please try my suggestions and let me know if you have problems and need more detailed help with your config files.
0
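A worked config pair for the routed test stage the accepted solution recommends, added here as an example and not taken from any post in this thread. It shows the fields the question asks about: the server's client-config-dir entry whose file name must equal the Common Name in the client certificate (which is how Server2's Client1.* files are tied to it), the route/iroute pair that makes the sub-office LAN reachable, and the dh file produced when generating the Diffie-Hellman parameters. Assumptions not in the thread: the sub-office LAN is renumbered to 192.168.4.0/24 as SysExpert advised, the tunnel subnet is 10.8.0.0/24, Server1 is reached at 10.0.0.5, the client certificate CN is "client1", and OpenVPN is 2.1 or later (for remote-cert-tls).

```shell
# Added example (not from the thread): routed site-to-site OpenVPN for the two offices.
# Assumes sub-office LAN renumbered to 192.168.4.0/24, tunnel 10.8.0.0/24, client CN "client1".
server_conf() {            # Head office (Server1): server.conf
cat <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server1.crt
key server1.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.3.0 255.255.255.0"
route 192.168.4.0 255.255.255.0
client-config-dir ccd
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
}
ccd_client1() {            # ccd/client1: file name must equal the CN in client1.crt
cat <<'EOF'
iroute 192.168.4.0 255.255.255.0
EOF
}
client_conf() {            # Sub-office (Server2): client.conf
cat <<'EOF'
client
dev tun
proto udp
remote 10.0.0.5 1194
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
verb 3
EOF
}
write_configs() {          # write the three files under $1, e.g. /etc/openvpn
  mkdir -p "$1/ccd" && server_conf > "$1/server.conf" &&
  ccd_client1 > "$1/ccd/client1" && client_conf > "$1/client.conf"
}
```

Run `write_configs /etc/openvpn` on Server1 (and copy client.conf plus the client1 key pair and ca.crt to Server2), then start each side in the foreground with `openvpn --config ...` as described above; once both LANs ping across the tunnel, the bridged variant can be attempted from the same PKI.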
 

Author Comment

by:mubama0n
ID: 22810194
Thanks for your solution. I have a small problem: I completed the settings successfully as you posted, but I got a (connection refused) message and I'm trying to solve the problem. Why do you think this message was displayed?
0
 
LVL 2

Expert Comment

by:m_adamczyk
ID: 22947470
"Connection Refused" or "Connection Reset"? I have seen "Connection Reset by Peer" messages in my configs - I will check my notes to see what the cause was. I'm stuck with an XP reinstall and will probably need a day to find my notes. Sorry for the long delay in responding.
0
