hi good day,
any one tried and successfully implemented the VPN Tunnel (Site-to-Site) by Hancees.com? please help me correct the LAN IP's and gateway setup configuration below, also for the tunnel layer IP? i have no idea how i get them.
my remote gateway have dynamic ip too.
and i have 2 remote site.
i have the the keys made already.
i have the ff:
--------- main office ------
sme server gateway & server mode
internet ip xxx.xxx.xxx.xxx (static)
gateway 192.168.1.1
network 192.168.1.0
tunnel layer (what should be my tunnel layer ip)
*add to local network in sme manager
network subnet mask router
192.168.110.0 255.255.255.0 192.168.1.1
192.168.120.0 255.255.255.0 192.168.1.1
192.168.130.0 255.255.255.0 192.168.1.1
----- remote office A -------------
sme client a gateway & server mode
internet ip xxx.xxx.xxx.xxx (dynamic IP)
gateway 192.168.110.1
network 192.168.110.0
tunnel layer (what should be my tunnel layer ip)
*add to local network in sme manager
network subnet mask router
192.168.1.0 255.255.255.0 192.168.110.1
----- remote office B -------------
sme client b gateway & server mode
internet ip xxx.xxx.xxx.xxx (dynamic IP)
gateway 192.168.120.1
network 192.168.120.0
tunnel layer (what should be my tunnel layer ip)
*add to local network in sme manager
network subnet mask router
192.168.1.0 255.255.255.0 192.168.120.1
------- configuration file ------------
## for Server
###########server.conf##################
# server.conf see
http://openvpn.net/howto.html#either use remote, or use mode server
##remote
#remote 213.4.3.2
#ifconfig 10.4.0.1 10.4.0.2
##mode server
mode server
server ???.???.???.??? 255.255.255.0
proto udp
port 1194
#optional what address to listen to
#local 213.4.3.1
dev tun
tls-server
dh dh1024.pem
ca ca.crt
cert server.crt
key server.key #should be kept secret
#secret static.key #you could do without certificates, please don't
comp-lzo # Enable compression on the VPN link.
user nobody
group nobody
daemon
keepalive 10 60
ping-timer-rem
up ./openvpn.up
persist-tun
persist-key
status-version 2
status /var/log/openvpn/openvpn-status.log
verb 3
#########################################
The openvpn.up script in the same directory of the server should look like this:
###########################
#!/bin/sh
#on server route network to the other side's tun-ip
#you should add this route in sme7 server-manager or it will dissappear
route add -net 192.168.110.0 netmask 255.255.255.0 gw ???.???.???.???
# added for the 2 client
route add -net 192.168.120.0 netmask 255.255.255.0 gw ???.???.???.???
# -- how can i add route for the second client??? --
#let openvpn traffic in and out (not needed on sme due to service)
#iptables -A INPUT -p udp --dport 1194 -j ACCEPT
#iptables -A OUTPUT -p udp --sport 1194 -j ACCEPT
#traffic over the tunnel to the server itsself (only icmp for ping)
iptables -A INPUT -i tun+ -p icmp -j ACCEPT
iptables -A OUTPUT -o tun+ -p icmp -j ACCEPT
#allow a network over the tun devices
iptables -A FORWARD -i tun+ -j ACCEPT
logger "openvpn is up"
##################################
## For Client A ##
###########client.conf for clien A ##################
#client.conf
#remote 213.4.3.1 1194
##either use "ifconfig" or use "client". When remote uses "server",
#client should use "client"
##only use ifconfig if server also uses "remote".
#ifconfig 10.4.0.2 10.4.0.1
client
proto udp
dev tun
tls-client
#ns-cert-type server #todo in cert make step
#remote-cert-tls server
dh dh1024.pem
ca ca.crt
cert client.crt
key client.key
comp-lzo
user nobody
group nobody
daemon
keepalive 10 60
ping-timer-rem
up ./openvpn.up
persist-tun
persist-key
status-version 2
status /var/log/openvpn/openvpn-status.log
verb 3
#########################################
make a openvpn.up on the client:
################# for client A ##########
#!/bin/sh
#on client route network to the other side's tun-ip
#you should add this route in severmanager as well or it will dissappear on sme7 route add -net 192.168.110.0 netmask 255.255.255.0 gw ???.???.???.???
#let openvpn traffic in and out
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A OUTPUT -p udp --sport 1194 -j ACCEPT
#traffic over the tunnel to the server itsself (only icmp for ping)
iptables -A INPUT -i tun+ -p icmp -j ACCEPT
iptables -A OUTPUT -o tun+ -p icmp -j ACCEPT
#allow a network over the tun devices
iptables -A FORWARD -i tun+ -j ACCEPT
logger "openvpn is up"
######################################
## For client B ##
###########client.conf for clien B ##################
#client.conf
#remote 213.4.3.1 1194
##either use "ifconfig" or use "client". When remote uses "server",
#client should use "client"
##only use ifconfig if server also uses "remote".
#ifconfig 10.4.0.2 10.4.0.1
client
proto udp
dev tun
tls-client
#ns-cert-type server #todo in cert make step
#remote-cert-tls server
dh dh1024.pem
ca ca.crt
cert client.crt
key client.key
comp-lzo
user nobody
group nobody
daemon
keepalive 10 60
ping-timer-rem
up ./openvpn.up
persist-tun
persist-key
status-version 2
status /var/log/openvpn/openvpn-status.log
verb 3
#########################################
make a openvpn.up on the client:
################# for client B ##########
#!/bin/sh
#on client route network to the other side's tun-ip
#you should add this route in severmanager as well or it will dissappear on sme7 route add -net 192.168.1.0 netmask 255.255.255.0 gw ???.???.???.???
#let openvpn traffic in and out
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A OUTPUT -p udp --sport 1194 -j ACCEPT
#traffic over the tunnel to the server itsself (only icmp for ping)
iptables -A INPUT -i tun+ -p icmp -j ACCEPT
iptables -A OUTPUT -o tun+ -p icmp -j ACCEPT
#allow a network over the tun devices
iptables -A FORWARD -i tun+ -j ACCEPT
logger "openvpn is up"
######################################
thanks,
hoping to get this up by july 1....
3 Replies
1191 Views