This Setup was taken from https://dlucre.blogspot.com/2020/01/debian-openvpn-site-to-site-vpn.html
On the Server: normal Debian Core install.
Install OpenVPN & enable tun & enable firewall forwarding
apt-get install openvpn
modprobe tun
echo 'tun' >> /etc/modules
iptables -A FORWARD -i tun+ -j ACCEPT
Generate a key. This key must be present on Server and Client and must be the same on both. Easiest is to copy it with SCP.
cd /etc/openvpn
openvpn --genkey --secret tun0.key
Create the startup script (saved as /etc/init.d/S99startvpn, see below)
#! /bin/sh
### BEGIN INIT INFO
# Provides:          startvpn
# Required-Start:
# Required-Stop:
# Default-Start:     2
# Default-Stop:
# Short-Description: Host OpenVPN Servers
# Description:
### END INIT INFO

# Tun 0 - Client will connect in to us here on UDP port 5000
openvpn --port 5000 --dev tun0 --ifconfig 10.99.0.1 10.99.0.2 --verb 1 --secret /etc/openvpn/tun0.key --fragment 1400 --mssfix 1400 --tun-mtu 1450 &
sleep 3

# set up a route to the remote LAN subnet for this tunnel
ip route add 192.168.10.0/24 via 10.99.0.1

# enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
If there are multiple Clients, each needs its own openvpn line under #Tun. There can only be one server per port, so the port numbers (and tun devices) need to be incremented for each client.
The routes also need to be added for every site. Watch out to choose the right next hop IP address for each tunnel.
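As an added example (not part of the notes or the blog post they are based on), a small POSIX sh helper that generates the server-side openvpn and route lines for several clients from one site table, so that port, tun device, key path and route next hop are incremented consistently and a duplicated tun index is refused. The site table, the port 5000+n scheme and the 10.99.n.1/10.99.n.2 tunnel addresses are assumptions made for the example.

```shell
#!/bin/sh
# Constructed site table: <tun index> <client LAN subnet>.
# Tunnel n uses UDP port 5000+n, device tun<n>, tunnel addresses
# 10.99.<n>.1 (server) / 10.99.<n>.2 (client) and key /etc/openvpn/tun<n>.key.
SITES='0 192.168.10.0/24
1 192.168.20.0/24
2 192.168.30.0/24'

# Print the openvpn server line for one tunnel index (same options as the notes).
vpn_cmd() {
    n=$1
    printf 'openvpn --port %d --dev tun%d --ifconfig 10.99.%d.1 10.99.%d.2 --verb 1 --secret /etc/openvpn/tun%d.key --fragment 1400 --mssfix 1400 --tun-mtu 1450 &\n' \
        $((5000 + n)) "$n" "$n" "$n" "$n"
}

# Print the route to one client's LAN. The next hop must belong to the tunnel
# that leads to that site (10.99.<n>.x), which is the mistake the notes warn about.
route_cmd() {
    n=$1; subnet=$2
    printf 'ip route add %s via 10.99.%d.1\n' "$subnet" "$n"
}

# One openvpn instance per port and device: refuse a table with a repeated index.
check_unique() {
    dups=$(printf '%s\n' "$1" | grep -v '^$' | cut -d' ' -f1 | sort | uniq -d)
    [ -z "$dups" ]
}

# Emit the body of the startup script for all sites in the table.
gen_server_script() {
    check_unique "$SITES" || { echo 'duplicate tun index in SITES' >&2; return 1; }
    printf '%s\n' "$SITES" | while read -r n subnet; do
        [ -n "$n" ] || continue
        echo "# tun$n - client LAN $subnet on UDP port $((5000 + n))"
        vpn_cmd "$n"
    done
    echo 'sleep 3'
    printf '%s\n' "$SITES" | while read -r n subnet; do
        [ -n "$n" ] || continue
        route_cmd "$n" "$subnet"
    done
    echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

gen_server_script
```

The generated lines replace the single #Tun 0 block in the server script; each client then uses the matching port, device and 10.99.n.2 address on its side.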
Next, make the script executable by root. Not sure if it needs to be done every time, but can't hurt.
chmod +x /etc/init.d/S99startvpn
chown root:root /etc/init.d/S99startvpn
Then enable the init script on boot. (This is different from the blogspot post.)
update-rc.d S99startvpn defaults
systemctl enable S99startvpn
Then reboot
reboot
On the Client: normal Debian Core install.
Install OpenVPN & enable tun & enable firewall forwarding
apt-get install openvpn
modprobe tun
echo 'tun' >> /etc/modules
iptables -A FORWARD -i tun+ -j ACCEPT
Copy the key file over from the Server and place it in /etc/openvpn/tunx.key (tun0.key for the first tunnel).
Then create the startup script. Don't forget to enter all information so that it matches the server: public IP, port, tun number, tunnel IP addresses, secret path, routes and server IP.
#! /bin/sh
### BEGIN INIT INFO
# Provides:          startvpn
# Required-Start:
# Required-Stop:
# Default-Start:     2
# Default-Stop:
# Short-Description: Connect to VPN Server
# Description:
### END INIT INFO

# Tun0 - Connect to SITE A
openvpn --remote [INSERT_PUBLIC_IP_FOR_REMOTE_SITE_HERE] --port 5000 --dev tun0 --ifconfig 10.99.0.2 10.99.0.1 --verb 1 --secret /etc/openvpn/tun0.key --fragment 1400 --mssfix 1400 --tun-mtu 1450 &
sleep 30

# set up a route to the remote LAN subnet for this tunnel
ip route add 192.168.6.0/24 via 10.99.0.2

# set up a ping to keep NAT alive: one ping every 60 seconds, otherwise the NAT
# translations get deleted and the tunnel won't pass traffic when needed
ping -i 60 [IP_OF_SERVER] &

# enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
Now the same process as on the Server:
Make the script executable by root. Not sure if it needs to be done every time, but can't hurt.
chmod +x /etc/init.d/S99startvpn
chown root:root /etc/init.d/S99startvpn
Then enable the init script on boot. (This is different from the blogspot post.)
update-rc.d S99startvpn defaults
systemctl enable S99startvpn
Then reboot
reboot
Don't forget to add the routes to the router!
The routes have to be present on both sides, both for the actual remote subnet (192.168.x.0/24) and for the NAT server's tunnel network (10.99.x.0/24)!
fill in
pfSense needs some firewall rule enabled to allow "Stateless Traffic" or something like that.
Watch out for spelling errors! For example "chown +x [...]" is wrong: it has to be chmod +x, and the plus is needed for the systemctl script to work!