Internal Routes HowTo

About

This document provides an example of how to set up OpenVPN internal routes. For simplicity, only basic configuration options are used.

Introduction

Company X has two sites A and B in different geographical locations, connected by a public network. They want to connect both sites to the same LAN and have the networks behind the VPN nodes communicate.

The OpenVPN server node needs to know which networks are behind each of the client nodes. The internal routes associated with each client must be specified in the server configuration, as it is not able to infer this information from the routing table.

          Site A                               Site B

        .--------.                           .--------.
        |        |                           |        |
        |  Host  |                           |  Host  |
        |   A1   |                           |   B1   |
        '----+---'                           '---+----'
             | IP:10.70.0.2                      | IP:20.60.0.2
             |                                   |
             |                                   |
             |                                   |
        eth1 | IP:10.70.0.1                 eth1 | IP:20.60.0.1
        .----+---.                           .---+----.
        |        |                           |        |
        |  GW-A  |                           |  GW-B  |
        | server |                           | client |
        '----+---'                           '---+----'
      vlan2  |               .--.-.              | vlan2
  Public IP: |              ( (    )__           | Public IP:
192.168.0.21 '-------------(_,  \ ) ,_)----------' 192.168.0.22
                             '-'--`--'
                     Public Network/Internet

WeOS devices GW-A and GW-B both have a port on VLAN 2 connected to the WAN (Public network/Internet) and eth1 connected to the local network.

The example assumes that certificates have been generated offline and imported into both GW-A and GW-B.

Hosts A1 and B1 are not configured in this example. The gateways GW-A and GW-B are assumed to be able to reach each other via public IPv4 addresses.

Server Configuration

In this setup GW-A is the OpenVPN server node. To configure the server side of the tunnel, enter the following commands in the CLI:

First, create the tunnel:

server:/#> configure tunnel ssl 200
Creating new SSL tunnel 200, check your settings before activating the tunnel!
server:/config/tunnel/ssl-200/#> type tun
server:/config/tunnel/ssl-200/#> method cert
server:/config/tunnel/ssl-200/#> ca-certificate server1
server:/config/tunnel/ssl-200/#> certificate server1
server:/config/tunnel/ssl-200/#> server
server:/config/tunnel/ssl-200/#> client-to-client
server:/config/tunnel/ssl-200/#> leave

Then add a static IP address to the server’s end of the tunnel:

server:/#> configure iface ssl200
server:/config/iface-ssl200/#> no inet
server:/config/iface-ssl200/#> inet static 192.168.254.1/24
server:/config/iface-ssl200/inet-static-192.168.254.1/#> leave

Then create a client configuration:

server:/#> configure tunnel ssl 200
server:/config/tunnel/ssl-200/#> client-config 1
Creating new client config: 1!
server:/config/tunnel/ssl-200/client-config-1/#> common-name client1
server:/config/tunnel/ssl-200/client-config-1/#> address 192.168.254.21/24
server:/config/tunnel/ssl-200/client-config-1/#> iroute 20.60.0.0/24
server:/config/tunnel/ssl-200/client-config-1/#> end
server:/config/tunnel/ssl-200/#> push-network 10.70.0.0/24
server:/config/tunnel/ssl-200/#> leave

We have now created a configuration for a new client: we have assigned a static IP address to its end of the tunnel (192.168.254.21), pushed the server’s network to the client (10.70.0.0/24), and told the tunnel about the internal route to the network behind the client’s node (20.60.0.0/24).

The final step is to add a route to the client’s network via the tunnel interface:

server:/#> configure ip
server:/config/ip/#> route 20.60.0.0/24 ssl200
server:/config/ip/#> leave
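
The server-side routing only works when the iroute in the client config, the kernel route via ssl200 and the pushed networks agree with each other. The following checker is an added example (not WeOS or OpenVPN code) that models the GW-A configuration above and reports the usual mistakes: an iroute without a matching kernel route, two clients claiming overlapping networks, or a client network colliding with the tunnel subnet or a pushed network. The ServerConfig/ClientConfig names are hypothetical.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Interface, IPv4Network

@dataclass
class ClientConfig:
    common_name: str
    address: IPv4Interface          # client's tunnel-end address (client-config "address")
    iroutes: list[IPv4Network] = field(default_factory=list)

@dataclass
class ServerConfig:
    tunnel_iface: str
    tunnel_net: IPv4Interface       # server's tunnel-end address
    push_networks: list[IPv4Network]
    clients: list[ClientConfig]
    kernel_routes: dict[IPv4Network, str]   # "configure ip route" entries: prefix -> interface

def check_routes(cfg: ServerConfig) -> list[str]:
    """Return misconfiguration findings; an empty list means the routing is consistent."""
    findings = []
    tun = cfg.tunnel_net.network
    claimed: dict[IPv4Network, str] = {}
    for c in cfg.clients:
        if c.address.ip not in tun:
            findings.append(f"{c.common_name}: address {c.address.ip} not in tunnel subnet {tun}")
        for net in c.iroutes:
            # iroute tells OpenVPN which client owns the prefix; the kernel still
            # needs its own route for that prefix pointing at the tunnel interface.
            if cfg.kernel_routes.get(net) != cfg.tunnel_iface:
                findings.append(f"{c.common_name}: iroute {net} has no kernel route via {cfg.tunnel_iface}")
            # Two clients must not claim overlapping internal networks.
            for other, owner in claimed.items():
                if net.overlaps(other):
                    findings.append(f"{c.common_name}: iroute {net} overlaps {other} owned by {owner}")
            claimed[net] = c.common_name
            # A network behind a client must not collide with the tunnel subnet or a pushed server network.
            if net.overlaps(tun) or any(net.overlaps(p) for p in cfg.push_networks):
                findings.append(f"{c.common_name}: iroute {net} overlaps the tunnel subnet or a pushed network")
    return findings

# Constructed from the GW-A configuration in this howto.
GW_A = ServerConfig(
    tunnel_iface="ssl200",
    tunnel_net=IPv4Interface("192.168.254.1/24"),
    push_networks=[IPv4Network("10.70.0.0/24")],
    clients=[ClientConfig("client1", IPv4Interface("192.168.254.21/24"), [IPv4Network("20.60.0.0/24")])],
    kernel_routes={IPv4Network("20.60.0.0/24"): "ssl200"},
)
if __name__ == "__main__":
    print(check_routes(GW_A) or "OK: iroutes, kernel routes and pushed networks are consistent")
```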

Now we can check the tunnel and ssl interface status:

server:/#> show tunnel ssl
TUNNEL   DESCRIPTION     STATUS   UPTIME                                      
200      ssl200          Down

server:/#> sh iface ssl200
Name         : ssl200
Admin. State : Up
Oper. Status : DOWN
MAC Address  : N/A
IP Addresses : 192.168.254.1/24   (static)
MTU          : 1500
Statistics   :
               RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
                   0          0            0      0        0        0       
               TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
                   0          0            0      0        0        0 

The tunnel is DOWN, which is expected. This changes to UP once a connection with a client has been established.

Client Configuration

GW-B is the OpenVPN client node. To configure the client side of the tunnel, enter the following commands in the CLI:

client:/#> configure tunnel ssl 200
Creating new SSL tunnel 200, check your settings before activating the tunnel!
client:/config/tunnel/ssl-200/#> type tun
client:/config/tunnel/ssl-200/#> method cert
client:/config/tunnel/ssl-200/#> ca-certificate client1
client:/config/tunnel/ssl-200/#> certificate client1
client:/config/tunnel/ssl-200/#> no server
client:/config/tunnel/ssl-200/#> peer 192.168.0.21
client:/config/tunnel/ssl-200/#> leave

The IP address for the peer is the public IP address of the server.

Again, we can check the tunnel and ssl interface status:

client:/#> show tunnel ssl
TUNNEL   DESCRIPTION     STATUS   UPTIME                                      
200      ssl200          UP       0 Days 0 Hours 0 Mins 10 Secs

client:/#> sh iface ssl200
Name         : ssl200
Admin. State : Up
Oper. Status : UP
MAC Address  : N/A
IP Addresses : 192.168.254.21/24  (UNKNOWN)
MTU          : 1500
Statistics   :
               RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
                   0          0            0      0        0        0       
               TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
                   0          0            0      0        0        0     

Verifying connectivity

From host A1 to host B1:

a1:/#> ping count 5 20.60.0.2
Press Ctrl-C to abort PING 20.60.0.2 (20.60.0.2): 56 data bytes
64 bytes from 20.60.0.2: seq=0 ttl=62 time=5.482 ms
64 bytes from 20.60.0.2: seq=1 ttl=62 time=5.229 ms
64 bytes from 20.60.0.2: seq=2 ttl=62 time=5.225 ms
64 bytes from 20.60.0.2: seq=3 ttl=62 time=2.512 ms
64 bytes from 20.60.0.2: seq=4 ttl=62 time=5.215 ms

--- 20.60.0.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 2.512/4.732/5.482 ms
a1:/#>

From host B1 to host A1:

b1:/#> ping count 2 10.70.0.2
Press Ctrl-C to abort PING 10.70.0.2 (10.70.0.2): 56 data bytes
64 bytes from 10.70.0.2: seq=0 ttl=62 time=4.953 ms
64 bytes from 10.70.0.2: seq=1 ttl=62 time=5.440 ms

--- 10.70.0.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 4.953/5.196/5.440 ms

Note

Do not forget to add the route from host B1 to the tunnel so that the ping replies are routed correctly.

b1:/#> configure ip route 192.168.254.0/24 20.60.0.1
b1:/config/#> leave

Final Topology

The following figure illustrates the resulting topology, with an L3 tunnel connecting the two LANs via the virtual interface ssl200 on each GW device.

          Site A                                  Site B

        .--------.                              .--------.
        |        |                              |        |
        |  Host  |                              |  Host  |
        |   A1   |                              |   B1   |
        '----+---'                              '---+----'
             | IP:10.70.0.2                         | IP:20.60.0.2
             |                                      |
             |                                      |
             |                                      |
        eth1 | IP:10.70.0.1                    eth1 | IP:20.60.0.1
        .----+---.                              .---+----.
        |     `. |         OpenVPN Tunnel       | .´     |
        |  GW-A `+==============================+´ GW-B  |
        |        | ssl200                ssl200 |        |
        |        |192.168.254.1   192.168.254.21|        |
        '----+---'                              '---+----'        
      vlan2  |                .--.-.                | vlan2
  Public IP: |               ( (    )__             | Public IP:
192.168.0.21 '--------------(_,  \ ) ,_)------------' 192.168.0.22
                             '-'--`--'
                     Public Network/Internet