====== Setting up Standalone S2S VPN OpenVPN ======
This setup was taken from https://dlucre.blogspot.com/2020/01/debian-openvpn-site-to-site-vpn.html
===== Server =====
* Static IP
* Port forwarding 5000 UDP to the Server
==== once ====
Normal Debian Core install.
[[knowledge_base:linux:staticip|Set a static IP.]]
[[knowledge_base:linux:ssh|Open SSH for root.]]
Install OpenVPN, load the tun module (and make it load on boot) and allow forwarding through the firewall:
<code bash>
apt-get install openvpn
modprobe tun
echo 'tun' >> /etc/modules
iptables -A FORWARD -i tun+ -j ACCEPT
</code>
==== for every tun ====
Generate a key. This key must be present on Server and Client and must be identical on both. The easiest way is to copy it with SCP.
<code bash>
cd /etc/openvpn
openvpn --genkey --secret tun0.key
</code>
Create the startup script ''/etc/init.d/S99startvpn'':
<code bash>
#! /bin/sh
### BEGIN INIT INFO
# Provides: startvpn
# Required-Start:
# Required-Stop:
# Default-Start: 2
# Default-Stop:
# Short-Description: Host OpenVPN Servers
# Description:
### END INIT INFO
#Tun 0 - Client will connect in to us here on UDP PORT 5000
openvpn --port 5000 --dev tun0 --ifconfig 10.99.0.1 10.99.0.2 --verb 1 --secret /etc/openvpn/tun0.key --fragment 1400 --mssfix 1400 --tun-mtu 1450 &
sleep 3
#set up a route to the remote LAN subnet for this tunnel
ip route add 192.168.10.0/24 via 10.99.0.1
#enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
</code>
If there are multiple Clients, each needs its own line under ''#Tun''. There can only be one server per port, so the port numbers need to be incremented.
The routes also need to be added for every site. Make sure to choose the right next-hop IP address.
Next, make the script executable by root. Not sure if it needs to be done every time, but it can't hurt.
<code bash>
chmod +x /etc/init.d/S99startvpn
chown root:root /etc/init.d/S99startvpn
</code>
Then enable the init on boot. :!://(This is different than the blogspot post)//
<code bash>
update-rc.d S99startvpn defaults
systemctl enable S99startvpn
</code>
Then reboot:
<code bash>
reboot
</code>
===== Client =====
Normal Debian Core install.
[[knowledge_base:linux:staticip|Set a static IP.]]
[[knowledge_base:linux:ssh|Open SSH for root.]]
Install OpenVPN, load the tun module (and make it load on boot) and allow forwarding through the firewall:
<code bash>
apt-get install openvpn
modprobe tun
echo 'tun' >> /etc/modules
iptables -A FORWARD -i tun+ -j ACCEPT
</code>
Copy over the key file from the Server and place it in ''/etc/openvpn/tunx.key''
Then create the startup script ''/etc/init.d/S99startvpn''. Don't forget to enter all information so that it matches the server: IP, port, tun number, tunnel IP addresses, secret path, routes and server IP.
<code bash>
#! /bin/sh
### BEGIN INIT INFO
# Provides: startvpn
# Required-Start:
# Required-Stop:
# Default-Start: 2
# Default-Stop:
# Short-Description: Connect to VPN Server
# Description:
### END INIT INFO
#Tun0 - Connect to SITE A
openvpn --remote [INSERT_PUBLIC_IP_FOR_REMOTE_SITE_HERE] --port 5000 --dev tun0 --ifconfig 10.99.0.2 10.99.0.1 --verb 1 --secret /etc/openvpn/tun0.key --fragment 1400 --mssfix 1400 --tun-mtu 1450 &
sleep 30
#set up a route to the remote LAN subnet for this tunnel
ip route add 192.168.6.0/24 via 10.99.0.2
#set up a ping to keep NAT alive, one ping sent once every 60 seconds, otherwise NAT translations get deleted and the tunnel won't pass traffic when needed
ping [IP_OF_SERVER] -i 60 &
#enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
</code>
Now the same process as on the Server:
Make the script executable by root. Not sure if it needs to be done every time, but it can't hurt.
<code bash>
chmod +x /etc/init.d/S99startvpn
chown root:root /etc/init.d/S99startvpn
</code>
Then enable the init on boot. :!://(This is different than the blogspot post)//
<code bash>
update-rc.d S99startvpn defaults
systemctl enable S99startvpn
</code>
Then reboot:
<code bash>
reboot
</code>
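Because the client script has to mirror the server script by hand, mistakes in the port, MTU or tunnel addresses are easy to make and the key file is a shared secret. The following pre-flight check is an added example (not from the original page or the linked blog post); it compares the two openvpn command lines for consistency and checks the key file mode. The sample lines, the documentation address 203.0.113.10 and the throwaway key file are constructed for the demo.

```bash
#!/bin/sh
# Added pre-flight check for the static-key site-to-site tunnel above.
# Not from the original page. Assumes the server's and client's openvpn
# command lines are passed in as strings; sample values are constructed.

# Print the Nth argument following OPTION in an openvpn command line.
opt_arg() {
    printf '%s\n' "$1" | awk -v o="$2" -v n="$3" \
        '{ for (i = 1; i <= NF; i++) if ($i == o) { print $(i + n); exit } }'
}

# The client must mirror the server: same port, same tun-mtu, and its
# --ifconfig local/remote pair must be the server's pair reversed.
tunnel_pair_ok() {
    srv=$1; cli=$2
    [ "$(opt_arg "$srv" --port 1)" = "$(opt_arg "$cli" --port 1)" ] \
        || { echo "port mismatch"; return 1; }
    [ "$(opt_arg "$srv" --tun-mtu 1)" = "$(opt_arg "$cli" --tun-mtu 1)" ] \
        || { echo "tun-mtu mismatch"; return 1; }
    [ "$(opt_arg "$srv" --ifconfig 1)" = "$(opt_arg "$cli" --ifconfig 2)" ] \
        && [ "$(opt_arg "$srv" --ifconfig 2)" = "$(opt_arg "$cli" --ifconfig 1)" ] \
        || { echo "ifconfig addresses are not mirrored"; return 1; }
    return 0
}

# The shared static key must be readable by root only (mode 600 or 400).
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || { echo "key missing: $1"; return 1; }
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1 has mode $mode, expected 600"; return 1 ;;
    esac
}

# Constructed sample lines using the page's tun0 values (203.0.113.10 is a documentation address).
SERVER_LINE='openvpn --port 5000 --dev tun0 --ifconfig 10.99.0.1 10.99.0.2 --secret /etc/openvpn/tun0.key --tun-mtu 1450'
CLIENT_LINE='openvpn --remote 203.0.113.10 --port 5000 --dev tun0 --ifconfig 10.99.0.2 10.99.0.1 --secret /etc/openvpn/tun0.key --tun-mtu 1450'

# Demo: check the pair, then a throwaway key file with strict and then loose permissions.
demo() {
    tunnel_pair_ok "$SERVER_LINE" "$CLIENT_LINE" && echo "server/client lines match"
    k=$(mktemp) && chmod 600 "$k" && key_mode_ok "$k" && echo "key mode ok"
    chmod 644 "$k"; key_mode_ok "$k" || echo "loose key mode detected"
    rm -f "$k"
}
demo
```

To check a real installation, replace the two sample lines with the openvpn lines from both startup scripts and point key_mode_ok at ''/etc/openvpn/tun0.key''.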
===== Router =====
:!: Don't forget to add the routes to the Router!
The routes have to be on both sides, for the actual subnet (192.168.x.0/24) as well as for the NAT Server (10.99.x.0/24)!
FIXME fill in
FIXME pfSense needs some firewall rule enabled to allow "Stateless Traffic" or something like that.
===== Troubleshooting =====
Watch out for spelling errors!
=== chmod +x ===
<code bash>
chmod +x [...]
</code>
There needs to be a plus for the systemctl script to work!