Vyatta / VyOS: site-to-site OpenVPN + Open Shortest Path First (OSPF) setup

When you scale your network from one location to another, sooner or later you may want to merge those networks and have only one. To merge networks, you need to setup 2 routers and site-to-site connection between them. One of open source solutions is OpenVPN and Vyatta/VyOS. This article will cover setting up site-to-site connection with OpenVPN. I will assume you have already setup your Vyatta/VyOS router so it has basic internet connection and some LAN behind it.

Before you start setting things up you might want to consider few things:
  • First of all, do we have different networks on these 2 sites ? We don’t want to merge same network ranges into one, since we might run into troubles. Consider setting networks logically, so you will know exactly where packets are originating from. Example: 192.168.100.0/24 (Site A) and 192.168.101.0/24 (Site B) (I will take these ranges for my example setup)
  • Second, we should consider using one pool of ip’s for VPN gateway ip’s, on which they will communicate with each other, for easy adding of possible future new VPN sites. Example: 172.16.0.0/16
  • Third, if we are connecting 3 or more sites, we may want to consider cross connecting them with each other, so that our network will still see other networks even though one site lost internet connection. We don’t want single points of failure.
  • Last but not least, to make OSPF work, our Vyatta/VyOS router has to be default gateway for all our LAN computers/servers

As prerequisite to configuring site-to-site with OpenVPN we need to generate a special key, that will serve as authentication between two sites. To generate such key we should log into Site A router and type:

vpn openvpn-key generate /config/auth/site_A_siteB_key.psk

Note: VyOS changed this command for consistency and you have to run:

run generate openvpn key /config/auth/site_A_siteB_key.psk
Site-to-site OpenVPN tunnel

To setup site-to-site VPN enter these commands on Site A router:

set interfaces openvpn vtun1 local-address 172.16.4.1
set interfaces openvpn vtun1 local-host xxx.xxx.xxx.xxx
set interfaces openvpn vtun1 local-port 10001
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 protocol udp
set interfaces openvpn vtun1 remote-address 172.16.4.2
set interfaces openvpn vtun1 remote-host yyy.yyy.yyy.yyy
set interfaces openvpn vtun1 remote-port 10001
set interfaces openvpn vtun1 shared-secret-key-file /config/auth/siteA_siteB_key.psk

Replace xxx.xxx.xxx.xxx with Site A router’s public ip and yyy.yyy.yyy.yyy with Site B router’s public ip, on which we want to connect routers. For Site A‘s VPN gateway we chose ip 172.16.4.1 and for Site B: 172.16.4.2

Now we have our Site A router trying to connect to Site B, but we haven’t configured Site B yet. To setup Site B, we need to first copy the .psk key to exact same location as on Site A‘s router. Best way is just to scp it to new router:

[email protected]:~$ sudo -s
[email protected]:~# scp /config/auth/siteA_siteB_key.psk [email protected]:/config/auth/siteA_siteB_key.psk

Now we need to setup Site B which is almost exactly the same, except we switch the ip’s around:

set interfaces openvpn vtun1 local-address 172.16.4.2
set interfaces openvpn vtun1 local-host yyy.yyy.yyy.yyy
set interfaces openvpn vtun1 local-port 10001
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 protocol udp
set interfaces openvpn vtun1 remote-address 172.16.4.1
set interfaces openvpn vtun1 remote-host xxx.xxx.xxx.xxx
set interfaces openvpn vtun1 remote-port 10001
set interfaces openvpn vtun1 shared-secret-key-file /config/auth/siteA_siteB_key.psk

Okay now we should tail our /var/log/messages on one router, to make sure tunnel is successfully established. We can verify successfully established tunnel by pinging from Site A Site B‘s local ip and the other way around. So on Site A we would type: ping 172.16.4.2 and on Site B we should type: ping 172.16.4.1 If we got our packets, we have successfully established tunnel and everything went smooth.

Tailing should return us something similar to this:

Jan 18 09:50:20 vyatta openvpn[8610]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:4 ET:0 EL:0 ]
Jan 18 09:50:20 vyatta openvpn[5502]: Local Options hash (VER=V4): '2e1fe9d6'
Jan 18 09:50:20 vyatta openvpn[5502]: Expected Remote Options hash (VER=V4): '57bb0ab0'
Jan 18 09:50:20 vyatta openvpn[5516]: Socket Buffers: R=[112640->131072] S=[112640->131072]
Jan 18 09:50:20 vyatta openvpn[5516]: UDPv4 link local (bound): [undef]
Jan 18 09:50:20 vyatta openvpn[5516]: UDPv4 link remote: [AF_INET]172.16.4.1:10001
Jan 18 09:50:24 vyatta openvpn[5516]: Peer Connection Initiated with [AF_INET]172.16.4.1:10001
Jan 18 09:50:25 vyatta openvpn[5516]: Initialization Sequence Completed
Setting up OSPF with policies

Now that we see each other, we want to set up OSPF to propagate routes from one router to another. To do that, we first need to setup some policies that we will use afterwards with OSPF to make sure we propagate only ip ranges based on RFC flagged as private. Make sure you entered these on both routers:

set policy prefix-list RFC1918PREFIXES rule 1 action permit
set policy prefix-list RFC1918PREFIXES rule 1 le 32
set policy prefix-list RFC1918PREFIXES rule 1 prefix 10.0.0.0/8
set policy prefix-list RFC1918PREFIXES rule 2 action permit
set policy prefix-list RFC1918PREFIXES rule 2 le 32
set policy prefix-list RFC1918PREFIXES rule 2 prefix 172.16.0.0/12
set policy prefix-list RFC1918PREFIXES rule 3 action permit
set policy prefix-list RFC1918PREFIXES rule 3 le 32
set policy prefix-list RFC1918PREFIXES rule 3 prefix 192.168.0.0/16

We should make route map of these prefixes, permit them and drop the rest:

set policy route-map ONLYRFC1918PREFIXES rule 10 action permit
set policy route-map ONLYRFC1918PREFIXES rule 10 match ip address prefix-list RFC1918PREFIXES
set policy route-map ONLYRFC1918PREFIXES rule 90 action deny

Finally we can setup our OSPF:

set protocols ospf area 172.16.0.0 authentication md5
set protocols ospf area 172.16.0.0 network 172.16.4.0/30
set protocols ospf redistribute connected metric-type 2
set protocols ospf redistribute connected route-map ONLYRFC1918PREFIXES

Once we have set this up, we should check we can ping internal ip of computer in Site A from computer in Site B. Make sure on both routers you have all-ping enabled in firewall rule. If ping goes thru, everything worked and you have successfully set up site-to-site VPN and OSPF.

Comments

  1. By FALL

    Reply

    • By Mal

      Reply

  2. Reply

  3. Reply

  4. By kranthi

    Reply

  5. Reply

    • By kranthi

      Reply

  6. By Matt

    Reply

  7. Reply

  8. By Beny

    Reply

    • Reply

  9. By Erich

    Reply

    • Reply

  10. By Simon

    Reply

  11. By Brian Topping

    Reply

Leave a Reply

help-hint.png
Purpose of the commenting system is to share your experience. I encourage you to post feedback with your own suggestions, ideas or optimizations regarding the topic of a blog post. What commenting system isn't for, is asking questions about similar issues of yours and requesting support for it. Blog post is provided as is and I am not here to solve all your problems. Please bear that in mind and try to avoid posting such comments. I do take privilege to remove comment from my blog for any reason whatsoever. Usually I do it when I sense a comment was posted only for spam/seo reasons or is out of blog post's topic. Thank you for reading this, now you may continue :)
 

Your email address will not be published. Required fields are marked *