Solved

Openvpn Configuration For Static IP Addresses

Posted on 2008-10-07
Last Modified: 2011-10-19
Dear Experts,

I have two offices in two different buildings. I want to create a VPN link for this. I read this link http://openvpn.net/index.php/documentation/howto.html#config

But I do not understand the configuration file.
I read some cases here: http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_23711190.html?sfQueryTermInfo=1+openvpn+server.conf+set

but my case is a little bit different:

I am sitting in the Head office, where I want to create the VPN server

Head office(Server1)

Linux Box (ubuntu 8.04) with two NICs
eth1: 10.0.0.5  
eth0: 192.168.3.1

Sub-Office (Server2)
Linux Box with two NICs
eth1: 10.0.0.6
eth0: 192.168.3.2
In both offices I have a static IP. I created the (PKI) successfully on the Head Office (Server1).
Please look at the figure attached to this question, and please note that on each server's eth1 the following IPs (10.0.0.5) + (10.0.0.6) will be used as gateway. My questions, based on the requirement above:
Q.1 Which method shall I use: (ethernet bridging), (routed IP tunnel) or (ethernet tunnel)?
Q.2 Shall I repeat the (PKI) installation on Server2 (client of Server1)?
Q.3 How will Server2 (client) understand that the (Client1.*) files belong to it, based on the installation of the (PKI)?
Q.4 I need someone to help me on how I set up my OpenVPN configuration files (Server, Client).conf?

Note: please provide your answer with details about some fields like:
client-config-dir, Diffie-Hellman parameters, which parameters shall I leave and modify, etc.

Network1.jpg
Question by:mubama0n
11 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 22666595
In general it's a bad idea to use IPs from the same logical subnet on both ends of the tunnel, unless you're 101% used to setting up correct routing on both ends after establishing the tunnel.
It's getting much simpler if you use different networks.
 

Author Comment

by:mubama0n
ID: 22669461
Thanks for your notes.
OK, no problem. Keep this setting for now and show me how to set up (Server & Client).conf.
 

Author Comment

by:mubama0n
ID: 22669492
Dear ahoffmann:

Server2 Is Another Network.

Author Comment

by:mubama0n
ID: 22670006
On the client site (Server2), shall we install openvpn & do the same steps?
In which file shall we make the settings?
 

Author Comment

by:mubama0n
ID: 22670185
Dear ahoffmann

I want to ask you a question. If I change the setup of the sub office into:
Sub-Office (Server2)
Linux Box with two NICs
eth1: 10.0.0.6
eth0: 192.168.0.1

How can it work as a VPN? In this case shall we use (Bridging)?
Please illustrate the case in server.conf
 
LVL 51

Expert Comment

by:ahoffmann
ID: 22670903
> this case shall we use (Bridging)?
yes, but I don't know how to configure that
 

Author Comment

by:mubama0n
ID: 22709031
Nobody has solved the problem. Administrator, please advise.
 
LVL 63

Expert Comment

by:SysExpert
ID: 22715448
1) You need different private LAN subnets on each side, so 3.1 and 3.2 cannot be used.

Change one to 4.1.

2) You need to test and look at the logs to determine what the issues are.
First try and then post logs.


I hope this helps !
 
LVL 2

Accepted Solution

by:
m_adamczyk earned 1500 total points
ID: 22805236
I have experience creating a very similar scenario. SysExpert is only PARTIALLY correct; when ethernet bridging with OpenVPN you MAY use the same subnet, but I'm not sure how well it will work with static IP addressing. I created an OpenVPN WAN where Server1 had DHCP and gave IPs x.x.x.100-149 and Server2 had DHCP and gave IPs x.x.x.150-199.

Q1: Definitely use ethernet bridging if you wish to keep the same IP subnet. This will also allow DNS information to traverse the VPN link so you can ping by computer name across the VPN.
Q2: I'm not sure what you mean about recreating the PKI on Server 2. I created 1 Certificate Authority and created 2 server keys - Server1 & Server2, then also created client keys designated for each server (Client1-to-Server1, Client1-to-Server2, Client2-to-Server1, Client2-to-Server2, etc.). The CA.KEY and CA.CRT files you use are the 1 and only files you produce by creating your Certificate Authority; All keys should be created from it.
Q3: Pick one Server (1 or 2) to be the OpenVPN server, and the other will be the client. In the OpenVPN.conf file, you will then put the settings accordingly.
Q4: Before creating a bridged network, I found it much easier to test with a routed connection then change the setting into a bridged configuration. If you wish to start with a bridged connection, then start with the OpenVPN HOWTO at http://openvpn.net/bridge.html

When you begin testing, do NOT run OpenVPN as a daemon. Start running it from the command line:
openvpn --config server.conf
and read what it tells you. If there are no errors, then continue to the client and run
openvpn --config client.conf
and read what it tells you. This information will be very useful and quicker than digging through logs.

Regarding specific fields in the configuration, the sample server.ovpn and client.ovpn files are the best starting point. They provide various options you MAY set, but only have the minimum set for secure operation. client-config-dir would be used if you are connecting several remote VPNs to the VPN server; you are not doing this, you are bridging one remote VPN client (acting as your local server) to the VPN server. Diffie-Hellman parameters depend on your desired level of security. Generate your Diffie-Hellman key at either 1024 or 2048 bits and set your config file to reflect that.

If you wish to do more with your OpenVPN installation then consider buying the OpenVPN book. The HOWTO guides on OpenVpn.net were very helpful, and the book helped answer detailed questions about the many parameters.

Please try my suggestions and let me know if you have problems and need more detailed help with your config files.
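Added example, not from the thread and not OpenVPN's own sample files: a minimal server.conf, client-config-dir entry and client.conf for the routed test stage m_adamczyk recommends before switching to bridging, using the addresses from the question (head-office LAN 192.168.3.0/24, head-office gateway 10.0.0.5) and the 192.168.0.0/24 sub-office LAN mubama0n proposed. The tunnel subnet 10.8.0.0/24, the certificate file names and the client certificate CN "client1" are assumptions; in routed server mode the client-config-dir/iroute entry is what lets Server1 reach the sub-office LAN, which the bridged setup does not need.

```conf
# --- Head office (Server1, eth1 10.0.0.5): /etc/openvpn/server.conf ---
port 1194
proto udp
dev tun                               # routed test; for bridging use "dev tap0" + server-bridge
ca ca.crt
cert server1.crt                      # issued by the one CA created on Server1 (assumed names)
key server1.key
dh dh2048.pem                         # openssl dhparam -out dh2048.pem 2048
tls-auth ta.key 0                     # HMAC gate: drops packets that lack the shared ta.key
server 10.8.0.0 255.255.255.0         # tunnel subnet (assumed); must not overlap either LAN
push "route 192.168.3.0 255.255.255.0"   # sub-office learns the head-office LAN
route 192.168.0.0 255.255.255.0       # kernel route on Server1 towards the sub-office LAN
client-config-dir ccd                 # per-client file named after the cert CN (see below)
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3

# --- Server1: /etc/openvpn/ccd/client1   (file name = CN of client1.crt, assumed "client1") ---
iroute 192.168.0.0 255.255.255.0      # OpenVPN-internal route: this client owns 192.168.0.0/24

# --- Sub-office (Server2, eth1 10.0.0.6): /etc/openvpn/client.conf ---
client
dev tun
proto udp
remote 10.0.0.5 1194                  # head-office gateway from the question
nobind
ca ca.crt                             # same ca.crt copied from Server1; never copy ca.key
cert client1.crt
key client1.key
tls-auth ta.key 1                     # same ta.key as the server, opposite direction flag
remote-cert-tls server                # refuse a client certificate presented as a server
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
```

Both boxes need IP forwarding enabled (net.ipv4.ip_forward=1) and the sub-office LAN hosts must route 192.168.3.0/24 via Server2's eth0 (192.168.0.1) for traffic to flow end to end. Start each side with openvpn --config as the answer describes and read the handshake output before daemonizing.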
 

Author Comment

by:mubama0n
ID: 22810194
Thanks for your solution. I have a small problem: I completed the settings successfully as you posted, but I got a (connection refused) message and I'm trying to solve the problem. Why do you think this message was displayed?
 
LVL 2

Expert Comment

by:m_adamczyk
ID: 22947470
"Connection Refused" or "Connection Reset"? I have seen "Connection Reset by Peer" messages in my configs - I will check my notes to see what the cause was. I'm stuck with an XP reinstall and will probably need a day to find my notes. Sorry for the long delay in responding.