
Setting up Standalone S2S VPN OpenVPN

This Setup was taken from https://dlucre.blogspot.com/2020/01/debian-openvpn-site-to-site-vpn.html

Server

Once (one-time setup per server)

Normal Debian Core install.

Set a static IP.

Open SSH for root.

Install OpenVPN & enable tun & enable firewall forwarding

apt-get install openvpn
 
modprobe tun
echo 'tun' >> /etc/modules
 
iptables -A FORWARD -i tun+ -j ACCEPT

For every tun

Generate a key. This key must be present on the server and the client and must be identical on both. The easiest way is to copy it with SCP.

cd /etc/openvpn
openvpn --genkey --secret tun0.key

Create the startup script

/etc/init.d/S99startvpn
#! /bin/sh
### BEGIN INIT INFO
# Provides:          startvpn
# Required-Start:
# Required-Stop:
# Default-Start:      2
# Default-Stop:
# Short-Description: Host OpenVPN Servers
# Description:
### END INIT INFO
 
#Tun 0 - Client will connect in to us here on UDP PORT 5000
openvpn --port 5000 --dev tun0 --ifconfig 10.99.0.1 10.99.0.2 --verb 1 --secret /etc/openvpn/tun0.key --fragment 1400 --mssfix 1400 --tun-mtu 1450 &
sleep 3
 
#set up a route to the remote LAN subnet for this tunnel
ip route add 192.168.10.0/24 via 10.99.0.1
 
#enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

If there are multiple clients, each needs its own line under #Tun. There can only be one server per port, so the port number has to be incremented for each additional client.

The routes also need to be added for every site. Make sure to choose the right next-hop IP address for each tunnel.
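To show how the "for every tun" block grows with more clients, here is an added example (not code from the original page or the blogspot post) that generates the server-side lines from a small site table and refuses a table that reuses a tun index or UDP port. The site table is constructed for the example; the route's next hop is the client's end of the point-to-point tunnel, whereas the page's scripts use the local end (on a tun device both select the same interface).

```shell
#!/bin/sh
# Added example: emit the per-tunnel server lines the page describes and check
# the stated constraint that every client gets its own tun index and port.

# Constructed site table, one site per line:
#   tun_index  port  server_tunnel_ip  client_tunnel_ip  remote_lan
SITES='0 5000 10.99.0.1 10.99.0.2 192.168.10.0/24
1 5001 10.99.1.1 10.99.1.2 192.168.11.0/24'

# Print the server block for one site, using the same flags as the page's script.
# The route points at the client's tunnel address (peer end of the tun).
site_lines() {
    tun=$1; port=$2; local_ip=$3; peer_ip=$4; lan=$5
    printf '#Tun %s - Client will connect in to us here on UDP PORT %s\n' "$tun" "$port"
    printf 'openvpn --port %s --dev tun%s --ifconfig %s %s --verb 1' "$port" "$tun" "$local_ip" "$peer_ip"
    printf ' --secret /etc/openvpn/tun%s.key --fragment 1400 --mssfix 1400 --tun-mtu 1450 &\n' "$tun"
    printf 'sleep 3\n'
    printf '#set up a route to the remote LAN subnet for this tunnel\n'
    printf 'ip route add %s via %s\n' "$lan" "$peer_ip"
}

# Succeed only if no tun index and no port appears twice in the table.
check_sites() {
    dup_tun=$(printf '%s\n' "$1" | awk '{print $1}' | sort | uniq -d)
    dup_port=$(printf '%s\n' "$1" | awk '{print $2}' | sort | uniq -d)
    [ -z "$dup_tun" ] && [ -z "$dup_port" ]
}

# Emit the complete "for every tun" section, or fail with a message on a conflict.
server_section() {
    check_sites "$1" || { echo "conflicting tun index or port in site table" >&2; return 1; }
    printf '%s\n' "$1" | while read -r tun port local_ip peer_ip lan; do
        [ -n "$tun" ] && site_lines "$tun" "$port" "$local_ip" "$peer_ip" "$lan"
    done
}

server_section "$SITES"
```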

Next, make the script executable by root. Not sure if it needs to be done every time, but it can't hurt.

chmod +x /etc/init.d/S99startvpn
chown root:root /etc/init.d/S99startvpn

Then enable the init script at boot. :!: (This is different from the blogspot post.)

update-rc.d S99startvpn defaults
systemctl enable S99startvpn

Then reboot

reboot

Client

Normal Debian Core install.

Set a static IP.

Open SSH for root.

Install OpenVPN & enable tun & enable firewall forwarding

apt-get install openvpn
 
modprobe tun
echo 'tun' >> /etc/modules
 
iptables -A FORWARD -i tun+ -j ACCEPT

Copy the key file over from the server and place it in /etc/openvpn/tunx.key (x being the tun number).

Then create the startup script. Don't forget to enter all information so that it matches the server: IP, port, tun number, tunnel IP addresses, secret path, routes and server IP.

/etc/init.d/S99startvpn
#! /bin/sh
### BEGIN INIT INFO
# Provides:          startvpn
# Required-Start:
# Required-Stop:
# Default-Start:      2
# Default-Stop:
# Short-Description: Connect to VPN Server
# Description:
### END INIT INFO
 
#Tun0 - Connect to SITE A
openvpn --remote [INSERT_PUBLIC_IP_FOR_REMOTE_SITE_HERE] --port 5000 --dev tun0 --ifconfig 10.99.0.2 10.99.0.1 --verb 1 --secret /etc/openvpn/tun0.key --fragment 1400 --mssfix 1400 --tun-mtu 1450 &
sleep 30
 
#set up a route to the remote LAN subnet for this tunnel
ip route add 192.168.6.0/24 via 10.99.0.2
 
#set up a ping to keep NAT alive, one ping sent once every 60 seconds, otherwise NAT translations get deleted and the tunnel won't pass traffic when needed
ping [IP_OF_SERVER] -i 60 &
 
#enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Now the same process as on the Server:

Make the script executable by root. Not sure if it needs to be done every time, but it can't hurt.

chmod +x /etc/init.d/S99startvpn
chown root:root /etc/init.d/S99startvpn

Then enable the init script at boot. :!: (This is different from the blogspot post.)

update-rc.d S99startvpn defaults
systemctl enable S99startvpn

Then reboot

reboot

Router

:!: Don't forget to add the routes to the router!

The routes have to exist on both sides, both for the actual remote subnet (192.168.x.0/24) and for the VPN server's tunnel network (10.99.x.0/24)!

FIXME fill in

FIXME pfSense needs some firewall rule enabled to allow "Stateless Traffic" or something like that.

Troubleshooting

Watch out for typos!

chmod +x [...]

The script has to be made executable with chmod +x (note the plus sign), otherwise systemctl cannot start it!