OpenVPN: Connect your LANs over the Internet

Setup

by ross at 14:30:54 on December 31, 2012

Here I will show how to connect the LAN behind a server (192.168.0.1/24) with the LANs behind any number of clients: client1 (192.168.10.1/24), client2 (192.168.20.1/24), client3 (192.168.30.1/24) etc. Each address is the OpenVPN gateway of its site, and every site has its own /24, so none of the LANs overlap with each other or with the tunnel network.

Server

/usr/local/etc/openvpn/openvpn_officelan.conf:

port 1194
dev tun0 # use unique tunN for every config
server 172.16.0.0 255.255.0.0 # tunnel addresses; must not overlap any site LAN
up openvpn_officelan.up.sh
down openvpn_officelan.down.sh
client-to-client # let the client LANs reach each other through the server
client-config-dir officelan-ccd # per-client iroute files, named after the certificate Common Name

dh officelan-rsa/keys/dh1024.pem # 1024-bit DH is too weak today: openssl dhparam -out dh2048.pem 2048
ca officelan-rsa/keys/ca.crt
cert officelan-rsa/keys/server.host.name.crt
key officelan-rsa/keys/server.host.name.key

script-security 2 # required, otherwise the up/down scripts are not executed

/usr/local/etc/openvpn/openvpn_officelan.up.sh:

#!/bin/sh

# OpenVPN passes the tun device name (tun0) as $1.
# Kernel route to every client LAN via the tunnel; these are the
# kernel-side counterpart of the iroute lines in officelan-ccd.
/sbin/route add -net 192.168.10.0/24 -interface $1
/sbin/route add -net 192.168.20.0/24 -interface $1
/sbin/route add -net 192.168.30.0/24 -interface $1
# continue for the rest of clients

/usr/local/etc/openvpn/openvpn_officelan.down.sh:

#!/bin/sh

# Remove the tun device so the next start gets a fresh interface.
/sbin/ifconfig $1 destroy

Make both scripts executable (chmod a+x *.sh in /usr/local/etc/openvpn), otherwise OpenVPN fails to run them.

Create the directory officelan-ccd. When a client connects, the daemon looks in this directory for a file whose name matches the Common Name of the client certificate. Remember the field “Common Name” you filled in when you created the client certificate? Use it as the file name. I will use client1, client2, etc. here. Each file holds an iroute, which tells OpenVPN which client sits in front of which LAN; it is the VPN-side counterpart of the kernel route added by the up script. Without it the server has a kernel route into the tunnel but does not know which client to hand the packet to, and packets coming from that LAN are dropped as “bad source address”.

/usr/local/etc/openvpn/officelan-ccd/client1:

iroute 192.168.10.0 255.255.255.0

/usr/local/etc/openvpn/officelan-ccd/client2:

iroute 192.168.20.0 255.255.255.0

/usr/local/etc/openvpn/officelan-ccd/client3:

iroute 192.168.30.0 255.255.255.0

Repeat for every client.

Clients

/usr/local/etc/openvpn/openvpn_officelan.conf (the same for every client):

remote vpn.example.com 1194 # replace with your server address
dev tun0 # use unique tunN for every config
client
up openvpn_officelan.up.sh
down openvpn_officelan.down.sh
# Add "remote-cert-tls server" here: it makes the client verify that the
# server certificate was issued for a server, so a stolen client certificate
# signed by the same CA cannot impersonate the server. This requires the server
# certificate to have been built with build-key-server (server extensions).

dh openvpn_officelan.dh1024.pem # DH parameters are only used by the server; this line can be dropped
ca openvpn_officelan.ca.crt
cert openvpn_officelan.crt
key openvpn_officelan.key

script-security 2 # required for the up/down scripts

/usr/local/etc/openvpn/openvpn_officelan.up.sh (for client1):

#!/bin/sh
# We are client1 (192.168.10.1/24) — add server and other clients:
/sbin/route add -net 192.168.0.0/24 -interface $1
/sbin/route add -net 192.168.20.0/24 -interface $1
/sbin/route add -net 192.168.30.0/24 -interface $1

/usr/local/etc/openvpn/openvpn_officelan.up.sh (for client2):

#!/bin/sh
# We are client2 (192.168.20.1/24) — add server and other clients:
/sbin/route add -net 192.168.0.0/24 -interface $1
/sbin/route add -net 192.168.10.0/24 -interface $1
/sbin/route add -net 192.168.30.0/24 -interface $1

/usr/local/etc/openvpn/openvpn_officelan.up.sh (for client3):

#!/bin/sh
# We are client3 (192.168.30.1/24) — add server and other clients:
/sbin/route add -net 192.168.0.0/24 -interface $1
/sbin/route add -net 192.168.10.0/24 -interface $1
/sbin/route add -net 192.168.20.0/24 -interface $1

/usr/local/etc/openvpn/openvpn_officelan.down.sh (the same for every client):

#!/bin/sh

# Remove the tun device so the next start gets a fresh interface.
/sbin/ifconfig $1 destroy

Make the scripts executable (chmod a+x *.sh in /usr/local/etc/openvpn) on every client.
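The ccd files, the server up script and the per-client up scripts above all encode the same client-to-LAN table, and a typo in one of them is the usual reason one site is unreachable. The script below is an added example (not from the original post) that writes all three from a single table. It assumes the names in the table are the certificate Common Names, that every site LAN is written as network/prefix, and the output paths are hypothetical; copy the generated files to the right hosts.

```shell
#!/bin/sh
# Added example: generate the site-to-site pieces from one table so the
# officelan-ccd files, the server's up script and every client's up
# script cannot drift apart. Assumptions: names are certificate CNs,
# LANs are given as network/prefix, output paths are hypothetical.

SERVER_LAN="192.168.0.0/24"
# Constructed table: one "cn network/prefix" per line.
CLIENTS="client1 192.168.10.0/24
client2 192.168.20.0/24
client3 192.168.30.0/24"

# Dotted netmask for a prefix length (iroute wants a mask, route -net a CIDR).
mask_of() {
    n=$1; out=""
    for i in 1 2 3 4; do
        if [ "$n" -ge 8 ]; then o=255; n=$((n - 8))
        else o=$(( (255 << (8 - n)) & 255 )); n=0; fi
        out="${out}${out:+.}$o"
    done
    echo "$out"
}

# Server side: officelan-ccd/<cn> holding the iroute for that client's LAN.
gen_ccd() {                                   # $1 = ccd directory
    mkdir -p "$1"
    echo "$CLIENTS" | while read -r cn cidr; do
        net=${cidr%/*}; prefix=${cidr#*/}
        printf 'iroute %s %s\n' "$net" "$(mask_of "$prefix")" > "$1/$cn"
    done
}

# Server side: up script with a kernel route to every client LAN.
gen_server_up() {                             # $1 = output file
    {
        echo '#!/bin/sh'
        echo '# $1 is the tun device name OpenVPN passes to the up script'
        echo "$CLIENTS" | while read -r cn cidr; do
            printf '/sbin/route add -net %s -interface "$1"\n' "$cidr"
        done
    } > "$1"
    chmod a+x "$1"
}

# Client side: up script for one client with routes to the server LAN and
# to every other client's LAN (reachable because of client-to-client).
gen_client_up() {                             # $1 = cn, $2 = output file
    {
        echo '#!/bin/sh'
        printf '# We are %s: routes to the server LAN and the other sites\n' "$1"
        printf '/sbin/route add -net %s -interface "$1"\n' "$SERVER_LAN"
        echo "$CLIENTS" | while read -r cn cidr; do
            [ "$cn" = "$1" ] || printf '/sbin/route add -net %s -interface "$1"\n' "$cidr"
        done
    } > "$2"
    chmod a+x "$2"
}

# Generate everything under one output root (hypothetical layout):
#   <root>/officelan-ccd/<cn>, <root>/openvpn_officelan.up.sh (server),
#   <root>/<cn>/openvpn_officelan.up.sh (one per client).
gen_all() {                                   # $1 = output root
    gen_ccd "$1/officelan-ccd"
    gen_server_up "$1/openvpn_officelan.up.sh"
    echo "$CLIENTS" | while read -r cn cidr; do
        mkdir -p "$1/$cn"
        gen_client_up "$cn" "$1/$cn/openvpn_officelan.up.sh"
    done
}
```

Run it as gen_all /tmp/officelan and copy the pieces into /usr/local/etc/openvpn on the server and on each client. If you would rather not ship up scripts to the clients at all, the same routes can be pushed from the server config with push "route 192.168.0.0 255.255.255.0" and one push "route" per client LAN; the clients then install the routes themselves and need neither the up script nor script-security.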

Run

Start the daemon with the rc.d script the openvpn port installs: set openvpn_enable="YES" and openvpn_configfile="/usr/local/etc/openvpn/openvpn_officelan.conf" in /etc/rc.conf, then run /usr/local/etc/rc.d/openvpn start. Two things the configs above rely on: every site gateway must forward packets (gateway_enable="YES" in /etc/rc.conf, which sets net.inet.ip.forwarding=1), and the hosts behind each gateway must route the other sites' subnets through it, which is automatic only when the gateway is also their default router. Test with a ping from a LAN host, not only from the gateway itself, and tail the OpenVPN log for "bad source address" when a LAN is one-way reachable: that means the ccd file for that client is missing or does not match its Common Name.
