18 Jan 2013

Vyatta / VyOS: site-to-site OpenVPN + Open Shortest Path First (OSPF) setup

Posted in Networking By Alen Krmelj On January 18, 2013

When you scale your network from one location to another, sooner or later you may want to merge those networks and have only one. To merge networks, you need to setup 2 routers and site-to-site connection between them. One of open source solutions is OpenVPN and Vyatta/VyOS. This article will cover setting up site-to-site connection with OpenVPN. I will assume you have already setup your Vyatta/VyOS router so it has basic internet connection and some LAN behind it.

Before you start setting things up you might want to consider few things:
  • First of all, do we have different networks on these 2 sites ? We don’t want to merge same network ranges into one, since we might run into troubles. Consider setting networks logically, so you will know exactly where packets are originating from. Example: 192.168.100.0/24 (Site A) and 192.168.101.0/24 (Site B) (I will take these ranges for my example setup)
  • Second, we should consider using one pool of ip’s for VPN gateway ip’s, on which they will communicate with each other, for easy adding of possible future new VPN sites. Example: 172.16.0.0/16
  • Third, if we are connecting 3 or more sites, we may want to consider cross connecting them with each other, so that our network will still see other networks even though one site lost internet connection. We don’t want single points of failure.
  • Last but not least, to make OSPF work, our Vyatta/VyOS router has to be default gateway for all our LAN computers/servers

As prerequisite to configuring site-to-site with OpenVPN we need to generate a special key, that will serve as authentication between two sites. To generate such key we should log into Site A router and type:

vpn openvpn-key generate /config/auth/site_A_siteB_key.psk

Note: VyOS changed this command for consistency and you have to run:

run generate openvpn key /config/auth/site_A_siteB_key.psk
Site-to-site OpenVPN tunnel

To setup site-to-site VPN enter these commands on Site A router:

set interfaces openvpn vtun1 local-address 172.16.4.1
set interfaces openvpn vtun1 local-host xxx.xxx.xxx.xxx
set interfaces openvpn vtun1 local-port 10001
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 protocol udp
set interfaces openvpn vtun1 remote-address 172.16.4.2
set interfaces openvpn vtun1 remote-host yyy.yyy.yyy.yyy
set interfaces openvpn vtun1 remote-port 10001
set interfaces openvpn vtun1 shared-secret-key-file /config/auth/siteA_siteB_key.psk

Replace xxx.xxx.xxx.xxx with Site A router’s public ip and yyy.yyy.yyy.yyy with Site B router’s public ip, on which we want to connect routers. For Site A‘s VPN gateway we chose ip 172.16.4.1 and for Site B: 172.16.4.2

Now we have our Site A router trying to connect to Site B, but we haven’t configured Site B yet. To setup Site B, we need to first copy the .psk key to exact same location as on Site A‘s router. Best way is just to scp it to new router:

[email protected]:~$ sudo -s
[email protected]:~# scp /config/auth/siteA_siteB_key.psk [email protected]:/config/auth/siteA_siteB_key.psk

Now we need to setup Site B which is almost exactly the same, except we switch the ip’s around:

set interfaces openvpn vtun1 local-address 172.16.4.2
set interfaces openvpn vtun1 local-host yyy.yyy.yyy.yyy
set interfaces openvpn vtun1 local-port 10001
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 protocol udp
set interfaces openvpn vtun1 remote-address 172.16.4.1
set interfaces openvpn vtun1 remote-host xxx.xxx.xxx.xxx
set interfaces openvpn vtun1 remote-port 10001
set interfaces openvpn vtun1 shared-secret-key-file /config/auth/siteA_siteB_key.psk

Okay now we should tail our /var/log/messages on one router, to make sure tunnel is successfully established. We can verify successfully established tunnel by pinging from Site A Site B‘s local ip and the other way around. So on Site A we would type: ping 172.16.4.2 and on Site B we should type: ping 172.16.4.1 If we got our packets, we have successfully established tunnel and everything went smooth.

Tailing should return us something similar to this:

Jan 18 09:50:20 vyatta openvpn[8610]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:4 ET:0 EL:0 ]
Jan 18 09:50:20 vyatta openvpn[5502]: Local Options hash (VER=V4): '2e1fe9d6'
Jan 18 09:50:20 vyatta openvpn[5502]: Expected Remote Options hash (VER=V4): '57bb0ab0'
Jan 18 09:50:20 vyatta openvpn[5516]: Socket Buffers: R=[112640->131072] S=[112640->131072]
Jan 18 09:50:20 vyatta openvpn[5516]: UDPv4 link local (bound): [undef]
Jan 18 09:50:20 vyatta openvpn[5516]: UDPv4 link remote: [AF_INET]172.16.4.1:10001
Jan 18 09:50:24 vyatta openvpn[5516]: Peer Connection Initiated with [AF_INET]172.16.4.1:10001
Jan 18 09:50:25 vyatta openvpn[5516]: Initialization Sequence Completed
Setting up OSPF with policies

Now that we see each other, we want to set up OSPF to propagate routes from one router to another. To do that, we first need to setup some policies that we will use afterwards with OSPF to make sure we propagate only ip ranges based on RFC flagged as private. Make sure you entered these on both routers:

set policy prefix-list RFC1918PREFIXES rule 1 action permit
set policy prefix-list RFC1918PREFIXES rule 1 le 32
set policy prefix-list RFC1918PREFIXES rule 1 prefix 10.0.0.0/8
set policy prefix-list RFC1918PREFIXES rule 2 action permit
set policy prefix-list RFC1918PREFIXES rule 2 le 32
set policy prefix-list RFC1918PREFIXES rule 2 prefix 172.16.0.0/12
set policy prefix-list RFC1918PREFIXES rule 3 action permit
set policy prefix-list RFC1918PREFIXES rule 3 le 32
set policy prefix-list RFC1918PREFIXES rule 3 prefix 192.168.0.0/16

We should make route map of these prefixes, permit them and drop the rest:

set policy route-map ONLYRFC1918PREFIXES rule 10 action permit
set policy route-map ONLYRFC1918PREFIXES rule 10 match ip address prefix-list RFC1918PREFIXES
set policy route-map ONLYRFC1918PREFIXES rule 90 action deny

Finally we can setup our OSPF:

set protocols ospf area 172.16.0.0 authentication md5
set protocols ospf area 172.16.0.0 network 172.16.4.0/30
set protocols ospf redistribute connected metric-type 2
set protocols ospf redistribute connected route-map ONLYRFC1918PREFIXES

Once we have set this up, we should check we can ping internal ip of computer in Site A from computer in Site B. Make sure on both routers you have all-ping enabled in firewall rule. If ping goes thru, everything worked and you have successfully set up site-to-site VPN and OSPF.

Comments

  1. By FALL

    Nice tuto and thank.
    I want to use dynamic dns instead of xxx.xxx.xxx.xxx or yyy.yyy.yyy.yyy for local and remote host what can I do?
    thank you

    Reply

    • By Mal

      Look at tinc vpn. You can use dynamic dns

      Reply

  2. By Alen Krmelj

    I don’t think that is possible. There is no option to dynamically set ip for site-to-site tunnel. Either way, both ends would have to know about the new ip… so basically you need static ip on both sides.

    Reply

  3. By Alen Krmelj

    What you could do is setup openvpn server on some VPS (remote site) and then make normal VPN client connection from site1 and site2 to it, then set openvpn server to disable client isolation. You could then basically push static routes on both clients, to have both networks availiable.

    Reply

  4. By kranthi

    can you share me the topology??

    Reply

  5. By Alen Krmelj

    It’s been a while since I wrote this post… but it should be like this: https://blackbird.si/wp-content/uploads/2015/06/ospf.jpg

    Reply

    • By kranthi

      thank you

      Reply

  6. By Matt

    Howdy,

    I noticed a typo that cost me a few minutes of headscratching:
    set policy prefix-list RFC1918PREFIXES rule 1 action permit
    set policy prefix-list RFC1918PREFIXES rule 1 le 32
    set policy prefix-list RFC1918PREFIXES rule 2 prefix 10.0.0.0/8 <<< TYPO HERE; SHOULD BE rule 1
    set policy prefix-list RFC1918PREFIXES rule 2 action permit
    set policy prefix-list RFC1918PREFIXES rule 2 le 32
    set policy prefix-list RFC1918PREFIXES rule 2 prefix 172.16.0.0/12
    set policy prefix-list RFC1918PREFIXES rule 3 action permit
    set policy prefix-list RFC1918PREFIXES rule 3 le 32
    set policy prefix-list RFC1918PREFIXES rule 3 prefix 192.168.0.0/16

    Thanks much for the guide. This was extremely helpful.

    Reply

  7. By Alen Krmelj

    Oh! Sorry about that. I fixed it now.

    Reply

  8. By Beny

    Hi,

    I’m getting the error in the OSPF part.
    # set protocols ospf area 172.16.0.0 redistribute connected metric-type 2

    Configuration path: protocols ospf area 172.16.0.0 [redistribute] is not valid
    Set failed

    Please help!!

    Reply

    • By Alen Krmelj

      I see the problem. There was a typo. Please check that part of configuration again. I fixed it in the post.

      Reply

      • By Alen Krmelj

        It should look similar to this:

        [email protected]# show protocols 
 ospf {
     area 172.30.0.0 {
         authentication md5
         network 172.30.4.0/30
     }
     redistribute {
         connected {
             metric-type 2
             route-map ONLYRFC1918PREFIXES
         }
     }
 }

  9. By Erich

    This is super helpful – thanks very much. For the total layman, one thing that would help is at the end – I’m not clear which router I’m supposed to be entering the OSPF policies in – both?

    Also, for those of us still grasping at the concepts, I’d like to confirm that the purpose of creating the routing table for local addy space, and only propagating these routes, is to *not* override the remote routers route to the net?

    I realize that all probably seems obvious, so thanks very much for any clarifications.

    Finally – any observations about how this configuration can be expanded to treat, i.e. a multi-tenant environment, each with several offices organized into their own ospf areas would be killer. Oh.. and a pony – I’ve always wanted one, so if you can throw that in too it would be great!

    But seriously – very helpful starting point, and I’ve been looking!

    Reply

    • By Alen Krmelj

      To answer your question, yes. OSPF policies should be entered on both routers. And yes, it’s a good practice to make sure that only internal networks get propagated thru OSPF – it is interior routing protocol after all. :) I will fix howto, so it’s more clear that rules should be applied on both routers.

      I can’t really help you with more complex environment, but since you have the basics here, it shouldn’t be too hard to expand it to multiple routers etc. It’s basically the same procedure for each… Create a small virtualbox environement with couple of Vyos routers and try it out.

      As of pony: https://blackbird.si/wp-content/uploads/2015/12/pony.png

      Reply

  10. By Simon

    Hi Alen,

    I tried to setup OSPF but without successful. I am using vyOS and Ubiquiti Router.
    I set up policy-prefix, route-map and nothing. Of course VPN site-to-site works corectly. I am able to ping gateway on second side, but other computer not. :-(

    Site A: local-address: 10.20.14.2, network 10.10.0.0/16
    Site B: local-address: 10.20.14.1, network 10.14.0.0/16

    If I set static route it works.
    Do you know where is the problem?

    Thank you!

    Reply

  11. By Brian Topping

    Hi Alex, thanks for the great post!

    Curious, the docs say “Exactly one comparison (ge, le, or prefix) may be specified for a prefix list rule”, but you have both `prefix` and `le`. It seems like the `le` comparison should be removed, no?

    Reply

Leave a Reply

help-hint.png
Purpose of the commenting system is to share your experience. I encourage you to post feedback with your own suggestions, ideas or optimizations regarding the topic of a blog post. What commenting system isn't for, is asking questions about similar issues of yours and requesting support for it. Blog post is provided as is and I am not here to solve all your problems. Please bear that in mind and try to avoid posting such comments. I do take privilege to remove comment from my blog for any reason whatsoever. Usually I do it when I sense a comment was posted only for spam/seo reasons or is out of blog post's topic. Thank you for reading this, now you may continue :)
 

Your email address will not be published. Required fields are marked *