Site-to-site routable VPN using OpenVPN

In order to access machines at a remote site from my home network and vice versa, I needed to set up OpenVPN in site-to-site mode, allowing clients to route to remote networks. Whilst doing this, I also wanted to keep certain regions of each network secure and non-routable over the VPN. Join me on this journey of fun in setting up a server, configuring the correct options, and playing with iptables.

Step 1 - Install OpenVPN

In order to set up OpenVPN, I followed this excellent guide from DigitalOcean: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04

Step 2 - Issue client configurations

cd ~/openvpn-ca
source vars
./build-key client1

For a password-protected key:

./build-key-pass client1
cd ~/client-configs
./make_config.sh client1

The generated .ovpn profile for the client is written here:

ls ~/client-configs/files

Step 3 - Configure site-to-site routing

sudo nano /etc/openvpn/server.conf

client-config-dir ccd
route 10.0.0.0 255.255.255.0

Tell the server which client owns which remote network. The route line in server.conf adds a kernel route on the server so that packets for 10.0.0.0/24 are sent into the tunnel; the iroute line in the client's ccd file tells OpenVPN which connected client those packets belong to. Both are needed.

sudo nano /etc/openvpn/ccd/<client common name>

The file is named exactly after the client's certificate common name (client1 from Step 2), with no .conf extension, or OpenVPN will not read it.

iroute 10.0.0.0 255.255.255.0
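As an added example (not part of the original notes), the following shell script does the two halves of Step 3 together and then checks that every iroute in the ccd directory has its matching route line, which is the mistake that silently breaks site-to-site routing. The paths default to the ones used in these notes; SERVER_CONF and CCD_DIR can be overridden for a dry run, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original notes. Registers a site's LAN behind a
# named OpenVPN client: a "route" line in server.conf (server kernel sends the
# subnet into the tunnel) plus an "iroute" line in ccd/<common name> (OpenVPN
# delivers it to that client). Defaults match the notes; override for testing.
SERVER_CONF="${SERVER_CONF:-/etc/openvpn/server.conf}"
CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"

# Usage: add_site_route CLIENT_COMMON_NAME NETWORK NETMASK
#   e.g. add_site_route client1 10.0.0.0 255.255.255.0
add_site_route() {
    name="$1"; net="$2"; mask="$3"
    # Server-side kernel route, added only if not already present.
    grep -qx "route $net $mask" "$SERVER_CONF" 2>/dev/null \
        || printf 'route %s %s\n' "$net" "$mask" >> "$SERVER_CONF"
    # ccd file is named after the certificate common name, no extension.
    mkdir -p "$CCD_DIR"
    grep -qx "iroute $net $mask" "$CCD_DIR/$name" 2>/dev/null \
        || printf 'iroute %s %s\n' "$net" "$mask" >> "$CCD_DIR/$name"
}

# Usage: check_iroutes
# Prints every iroute that has no matching route line in server.conf and
# returns 1 if any were found, 0 otherwise.
check_iroutes() {
    bad=0
    for f in "$CCD_DIR"/*; do
        [ -f "$f" ] || continue
        while read -r net mask; do
            [ -n "$net" ] || continue
            if ! grep -qx "route $net $mask" "$SERVER_CONF" 2>/dev/null; then
                printf '%s: iroute %s %s has no matching route line in %s\n' \
                    "$(basename "$f")" "$net" "$mask" "$SERVER_CONF"
                bad=1
            fi
        done <<EOF
$(sed -n 's/^iroute //p' "$f")
EOF
    done
    return "$bad"
}
```

Source the file and call add_site_route once per site; run check_iroutes after editing ccd files by hand. OpenVPN reads the ccd file at connect time, so a new iroute takes effect when the client next reconnects, while the route line needs a server restart.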

Step 4 - Configuring firewalls

NAT all the things!

On the VPN server, if the server's LAN should be routed into the tunnel (i.e. you want hosts on the server LAN to reach the client sites), masquerade it onto tun0. MASQUERADE is a nat-table target, so the -t nat is required:

iptables -t nat -A POSTROUTING -s <lan subnet> -o tun0 -j MASQUERADE

On the VPN client (the site gateway):

iptables -t nat -A POSTROUTING -s <vpn subnet> -o eth0 -j MASQUERADE
I don't know whether these did anything...
iptables -A FORWARD -i tun0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
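On a stock Ubuntu install the FORWARD chain's default policy is ACCEPT, so the two FORWARD rules above change nothing until some rule or policy denies forwarding. The script below is an added example, not from the original notes: it emits the gateway's FORWARD and NAT rules in the order iptables needs, including a pair of DROP rules that keep one region of the LAN unreachable over the VPN (the goal stated in the introduction but not shown above). The addresses, interface names and the PROTECTED_SUBNET idea are my own placeholders; IPT defaults to a dry run that prints the rules, and the kernel must have net.ipv4.ip_forward=1 for any of them to matter.

```shell
#!/bin/sh
# Added example, not from the original notes: FORWARD and NAT rules for the
# site gateway (the "VPN client" end), emitted in the order iptables needs.
# All addresses and interface names below are constructed placeholders.
# IPT defaults to "echo iptables" (dry run); run with IPT=iptables as root to apply.
IPT="${IPT:-echo iptables}"

# Usage: gateway_rules LAN_SUBNET VPN_SUBNET PROTECTED_SUBNET TUN_IF LAN_IF
#   LAN_SUBNET        this site's LAN, e.g. 192.168.1.0/24
#   VPN_SUBNET        the OpenVPN tunnel network, e.g. 10.8.0.0/24
#   PROTECTED_SUBNET  part of the LAN that must stay unreachable over the VPN
gateway_rules() {
    lan="$1"; vpn="$2"; protected="$3"; tun="$4"; lanif="$5"
    # iptables evaluates top-down, so the DROPs for the protected region come
    # first; nothing appended below can re-open it in either direction.
    $IPT -A FORWARD -i "$tun" -o "$lanif" -d "$protected" -j DROP
    $IPT -A FORWARD -i "$lanif" -o "$tun" -s "$protected" -j DROP
    # Replies for tracked connections, whichever side opened them.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New connections from the tunnel into this LAN, and from this LAN out.
    $IPT -A FORWARD -i "$tun" -o "$lanif" -j ACCEPT
    $IPT -A FORWARD -i "$lanif" -o "$tun" -s "$lan" -j ACCEPT
    # MASQUERADE is a nat-table target; POSTROUTING does not exist in the
    # default filter table, so -t nat is mandatory. Remote hosts then appear
    # with this gateway's LAN address and LAN hosts need no return route.
    $IPT -t nat -A POSTROUTING -s "$vpn" -o "$lanif" -j MASQUERADE
}

# Dry run with the constructed sample values.
gateway_rules 192.168.1.0/24 10.8.0.0/24 192.168.1.128/25 tun0 eth0
```

Run it once to read the rules it would apply, then rerun with IPT=iptables. If the FORWARD policy is later set to DROP, the ESTABLISHED,RELATED rule is what keeps return traffic flowing; without it only the tun0-to-eth0 direction would work.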

Step 5 - Revoking client access

cd ~/openvpn-ca
source vars

./revoke-full client3

sudo cp ~/openvpn-ca/keys/crl.pem /etc/openvpn

The server only checks the CRL if server.conf contains crl-verify crl.pem (the DigitalOcean guide adds this line). A client that is already connected is not cut off until its next TLS renegotiation, so restart the service with sudo systemctl restart openvpn@server to drop it immediately.
Published 2017-08-25