Site-to-site routable VPN using OpenVPN

In order to access machines at a remote site from my home network and vice-versa, I needed to set up OpenVPN in site-to-site mode, allowing for clients to route to remote networks. Whilst doing this, I also wanted to keep certain regions of each network secure and non-routable over the VPN. Join me on this journey of fun in setting up a server, configuring the correct options, and playing with iptables.

Step 1 - Install OpenVPN

In order to set up OpenVPN, I followed this excellent guide from DigitalOcean:

Step 2 - Issue client configurations

Build a certificate and key for each client with Easy-RSA:

cd ~/openvpn-ca
source vars
./build-key client1

For a key protected by a passphrase, use instead:

./build-key-pass client1

Then bundle the key, certificate and client options into an .ovpn file with the script from the guide:

cd ~/client-configs
./ client1

The finished client configurations are written to:

ls ~/client-configs/files

Step 3 - Configure site-to-site routing

Enable per-client configuration on the server:

sudo nano /etc/openvpn/server.conf

client-config-dir ccd

The path is relative to /etc/openvpn, like the certificate paths already in server.conf, and the directory must be readable by the user OpenVPN drops privileges to, because the files are read when a client connects. The server also needs a route line for each LAN that sits behind a client (this installs the kernel route on the server, pointing at tun0) and a push "route ..." line for the server-side LAN so that clients learn how to reach it.

Then tell OpenVPN which client routes what. The file in ccd is named after the client certificate's common name with no extension; OpenVPN ignores anything else:

sudo nano /etc/openvpn/ccd/[clientname]

An iroute line in that file for the client's LAN tells OpenVPN to send packets for that network down that particular client's tunnel. Without it the kernel route delivers the packets to tun0 but OpenVPN does not know which client they belong to and drops them.


Step 4 - Configuring firewalls

NAT all the things!

POSTROUTING lives in the nat table, so both MASQUERADE rules need -t nat or iptables refuses them. On the VPN server, if hosts on the server's LAN should reach the client LANs through it, masquerade the LAN's traffic as it leaves over the tunnel:

iptables -t nat -A POSTROUTING -s <lan subnet> -o tun0 -j MASQUERADE

On the VPN client, masquerade traffic arriving from the VPN subnet as it leaves towards the client's LAN:

iptables -t nat -A POSTROUTING -s <vpn subnet> -o eth0 -j MASQUERADE

I don't know whether these did anything...

iptables -A FORWARD -i tun0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT

They are no-ops while the FORWARD chain's policy is ACCEPT and nothing earlier in the chain drops the traffic, which is presumably why they made no visible difference. They only matter once the policy is DROP, and then the reverse direction (eth0 to tun0) needs a rule as well. The second rule already accepts everything from tun0 to eth0, so the ESTABLISHED,RELATED rule in front of it is redundant. Two further points: both ends need IP forwarding enabled (net.ipv4.ip_forward = 1) or nothing is forwarded at all, and masquerading hides the real source addresses from the other site, so the "keep certain regions non-routable" goal has to be enforced with FORWARD rules on the destination address, not with NAT.
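
As an added example that is not part of the original post, the script below ties Steps 3 and 4 together for one site: it generates the server.conf additions and the ccd file from Step 3 (converting CIDR notation to the "network netmask" form OpenVPN wants), and emits a FORWARD ruleset with a DROP policy that keeps a protected slice of the home LAN unreachable over the VPN, which is the part the post's NAT-only rules do not cover. The subnets, the protected range, the interface names tun0 and eth0 and the client name client1 are all assumptions for illustration. DRY_RUN=1, the default, prints every command and file instead of applying it.

```shell
#!/bin/bash
# Added example, not from the original post: generate the OpenVPN routing
# config and iptables rules for one site of the site-to-site setup above.
# All addresses and the client name are assumptions for illustration:
#   VPN_NET     tunnel subnet handed out by the server
#   SERVER_LAN  LAN behind the VPN server ("home")
#   PROTECTED   part of the home LAN that must stay unreachable over the VPN
#   CLIENT_LAN  LAN behind the client whose certificate CN is CLIENT_CN
# DRY_RUN=1 (the default) prints what would be done instead of doing it.
set -eu

VPN_NET="10.8.0.0/24"
SERVER_LAN="192.168.1.0/24"
PROTECTED="192.168.1.128/25"
CLIENT_LAN="192.168.50.0/24"
CLIENT_CN="client1"
DRY_RUN="${DRY_RUN:-1}"
OPENVPN_DIR="${OPENVPN_DIR:-/etc/openvpn}"

# OpenVPN's route, iroute and push "route" take "network netmask", not CIDR.
cidr_to_mask() {
  local addr="${1%/*}" bits="${1#*/}" mask="" i=0 octet
  while [ "$i" -lt 4 ]; do
    if [ "$bits" -ge 8 ]; then octet=255; bits=$((bits - 8))
    else octet=$(( (255 << (8 - bits)) & 255 )); bits=0; fi
    mask="$mask${mask:+.}$octet"; i=$((i + 1))
  done
  printf '%s %s\n' "$addr" "$mask"
}

# Lines to append to server.conf: enable ccd, install a kernel route on the
# server for the client's LAN, and tell clients how to reach the home LAN.
server_conf_additions() {
  printf 'client-config-dir ccd\n'
  printf 'route %s\n' "$(cidr_to_mask "$CLIENT_LAN")"
  printf 'push "route %s"\n' "$(cidr_to_mask "$SERVER_LAN")"
}

# Contents of ccd/<CN>. The file name is the certificate's common name with
# no extension; iroute tells OpenVPN which client's tunnel serves CLIENT_LAN.
ccd_client() {
  printf 'iroute %s\n' "$(cidr_to_mask "$CLIENT_LAN")"
}

install_configs() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "### append to $OPENVPN_DIR/server.conf"; server_conf_additions
    echo "### write to $OPENVPN_DIR/ccd/$CLIENT_CN"; ccd_client
  else
    mkdir -p "$OPENVPN_DIR/ccd"
    server_conf_additions >> "$OPENVPN_DIR/server.conf"
    ccd_client > "$OPENVPN_DIR/ccd/$CLIENT_CN"
  fi
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Forwarding rules for "server" or "client". With policy DROP the ACCEPT rules
# decide what crosses tun0, and PROTECTED is dropped in both directions before
# any ACCEPT can match it. NAT alone would not keep it unreachable.
firewall_rules() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -F FORWARD
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  case "$1" in
    server)
      run iptables -A FORWARD -i tun0 -d "$PROTECTED" -j DROP
      run iptables -A FORWARD -o tun0 -s "$PROTECTED" -j DROP
      run iptables -A FORWARD -i eth0 -s "$SERVER_LAN" -o tun0 -d "$CLIENT_LAN" -j ACCEPT
      run iptables -A FORWARD -i tun0 -s "$CLIENT_LAN" -o eth0 -d "$SERVER_LAN" -j ACCEPT
      # POSTROUTING is in the nat table, hence -t nat. Home-LAN hosts still
      # need a route for CLIENT_LAN via this server for the reverse direction.
      run iptables -t nat -A POSTROUTING -s "$SERVER_LAN" -o tun0 -j MASQUERADE ;;
    client)
      run iptables -A FORWARD -i tun0 -o eth0 -d "$CLIENT_LAN" -j ACCEPT
      run iptables -A FORWARD -i eth0 -s "$CLIENT_LAN" -o tun0 -j ACCEPT
      run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o eth0 -j MASQUERADE ;;
    *) echo "usage: $0 server|client" >&2; return 2 ;;
  esac
}

# Usage: DRY_RUN=1 ./site2site.sh server (review), then DRY_RUN=0 ... (apply).
case "${1:-}" in
  server|client) install_configs; firewall_rules "$1" ;;
esac
```

Run it with DRY_RUN=1 first and read the output: the two DROP rules for the protected range must appear before the ACCEPT rules, since iptables takes the first match, and the server's MASQUERADE only covers home-to-remote traffic, so hosts on the home LAN still need a route for the remote LAN via the VPN server (or a second masquerade on eth0) for remote-initiated connections to get replies back.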

Step 5 - Revoking client access

cd ~/openvpn-ca
source vars

./revoke-full client3

revoke-full finishes by verifying the certificate against the freshly updated CRL, so its final "error 23 ... certificate revoked" line is the expected confirmation, not a failure. Copy the updated CRL to where the server reads it:

sudo cp ~/openvpn-ca/keys/crl.pem /etc/openvpn

The server only consults the CRL if server.conf contains crl-verify crl.pem; add that line and restart the server if it is not there already. OpenVPN checks the CRL file again for each new connection, after it has dropped privileges, so the file must be readable by the user and group named in server.conf. A client that is already connected keeps its session until the next TLS renegotiation (hourly by default) or a server restart.

Published 2017-08-25