Lee Crawford:

I am attempting to set up a site-to-site VPN connection using the Turnkey VMWare appliance.  I have read that it's doable, but haven't yet found any step-by-step for creating a site-to-site link.  I have an ESXi 5.5 host at each site, with so far one OpenVPN appliance deployed, and I would like to know if there's a guide I haven't been able to find, or if someone could point me in the right direction to get this process started.

Thanks greatly, in advance!

John Carver:

Lee, SmallNetBuilder has a tutorial about setting up a site-to-site VPN using OpenVPN.  It's not specific to the TurnKey/GNU appliance, but that shouldn't matter.  The tutorial is a bit dated (2008), but I'm not aware of major changes to OpenVPN that would change the procedure much.  If something doesn't work, just Google to see if there is a newer way to configure the options.  This tutorial discusses the pros and cons of bridging and routing.  I recommend routing.  If you're using Windows clients at a remote site which need to access servers at the main site across the routed network, you'll need a WINS server at the remote site.  I'd consider adding Samba on the remote VPN appliance to serve this function.

Good Luck and please post back here with your results so others can benefit.

Information is free, knowledge is acquired, but wisdom is earned.

Jeremy Davis:

Have a look here for the TurnKey OpenVPN site-to-site docs. I haven't used the appliance really nor followed the docs so I can't comment on how good (or not) they are, but probably worth a shot for starters (if you haven't already had a look through...)

Lee Crawford:

Thanks for the links!  I tried yesterday to update my original post with the SmallNetBuilder link and to say that I had tried those steps, but I think for my particular situation I want to set up a site-to-site link that can be expanded to more sites without me editing the routers on the additional sites, so I believe I'm going to want bridged instead of routed.  (And then I failed the stupid CAPTCHA because I can't tell an I from a 1, and got locked out and couldn't update my post.)

The SmallNetBuilder link compares the bridged and routed approaches, but then only gives steps for the routed approach.  Perhaps this means I'll eventually have to go that route, which will mean a bit more setup and maintenance on the additional WINS server at any additional sites.

I'll look through the docs and see if I can get a bit further along.  Thanks again for the pointers!

Jeremy Davis:

The TurnKey OpenVPN appliance is essentially a headless Debian server with OpenVPN installed from the Debian repos, with the addition of some helper scripts. So the OpenVPN community probably are the ones that would know the most about it... IIRC they have a wiki and forums...

John Carver:

The OpenVPN HowTo at https://openvpn.net/index.php/open-source/documentation/howto.html has sample configuration files for server (main office) and client.  I recommend you change the key length to 2048.  The default of 1024 is no longer considered to be secure.

On the server, edit /etc/openvpn/easy-rsa/vars and change the KEY_SIZE and any other key information.  Mine looks like this:

...
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_SIZE=2048
export KEY_ORG="LinuxGeeks"
export KEY_EMAIL="dude4linux@gmail.com"
export KEY_NAME="openvpn"
export KEY_OU="OpenVPN"
export KEY_COUNTRY="US"
export KEY_PROVINCE="IA"
export KEY_CITY="Cedar Rapids"
export KEY_CN="must-be-unique"

Next, build the Diffie-Hellman parameters file dh2048.pem:

/etc/openvpn/easy-rsa/build-dh

Edit the server.conf and replace dh1024.pem with dh2048.pem:

...
ca /etc/openvpn/easy-rsa/keys/ca.crt
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
key /etc/openvpn/easy-rsa/keys/server.key
cert /etc/openvpn/easy-rsa/keys/server.crt
...

Restart openvpn, and then you can generate 2048-bit keys for the clients:

service openvpn restart
openvpn-addclient username user-email

These changes need to be made to the next version of the OpenVPN appliance.

I also had to make a change to the gateway configuration to get it to work while at the home network: add 'local' to the gateway push.

push "redirect-gateway local def1 bypass-dhcp"

EDIT:  Apparently changing the client keys is not sufficient to achieve 2048 bit operation.  I'm working out how to re-gen the server.key and which ciphers to use.  Will post more later.

PPS: I'm running OpenVPN in a virtual machine behind my firewall.  Adding the 'local' option to the push statement allowed me to test from my home network (laptop -- vpn tunnel --> server --> firewall --> internet), but it broke when I tried from a remote location.  I had hoped to find a configuration that would work for both locations without having to remember to start or stop the openvpn client.  Ubuntu's network-manager seems broken for VPNs at the moment.  I had no success getting it to work with OpenVPN.  I was forced to use 'sudo service openvpn start/stop' to control the client.

I've been using Ivan Ristić's book, Bulletproof SSL and TLS, as a reference for enhancing security, but unfortunately he does not have a chapter on OpenVPN.  I'm waiting for a reply from Ivan on the merits of increasing OpenVPN's default cipher's (BF-CBC) key size from 128 to 256 (or higher) versus switching to AES-256-CBC.  I'm currently running the latter without a noticeable performance impact (supposed to be about a 20% penalty relative to BF-CBC).


Information is free, knowledge is acquired, but wisdom is earned.
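A small checker for the server.conf changes John walks through above (2048-bit DH parameters, tls-auth, and moving off the BF-CBC default), added here as an example and not part of the thread or the TurnKey appliance; both config texts are constructed samples, and the file name is only a hint, so the real DH and certificate sizes still have to be confirmed with openssl.

```python
import re
import shlex

# Constructed sample: server.conf as the appliance ships it, 1024-bit DH and default cipher.
WEAK_CONF = """\
ca /etc/openvpn/easy-rsa/keys/ca.crt
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
key /etc/openvpn/easy-rsa/keys/server.key
cert /etc/openvpn/easy-rsa/keys/server.crt
push "redirect-gateway def1 bypass-dhcp"
"""

# Constructed sample: the same file after the changes described in the post above.
HARDENED_CONF = """\
ca /etc/openvpn/easy-rsa/keys/ca.crt
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
key /etc/openvpn/easy-rsa/keys/server.key
cert /etc/openvpn/easy-rsa/keys/server.crt
cipher AES-256-CBC
push "redirect-gateway def1 bypass-dhcp"
"""

def parse_conf(text):
    """Map each directive to its arguments; lines starting with # or ; are comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps the quoted push argument as one item
        opts[parts[0]] = parts[1:]
    return opts

def audit(text):
    """Return the weak settings found in an OpenVPN server config (empty list = none)."""
    opts = parse_conf(text)
    findings = []
    dh = opts.get("dh", [""])[0]
    # Name is a hint only; verify with: openssl dhparam -in <file> -noout -text
    m = re.search(r"dh(\d+)\.pem$", dh)
    if not dh or (m and int(m.group(1)) < 2048):
        findings.append("dh: %s (want 2048-bit parameters)" % (dh or "missing"))
    if "tls-auth" not in opts:
        findings.append("tls-auth: missing (no HMAC check on the TLS handshake)")
    cipher = opts.get("cipher", ["BF-CBC"])[0]  # OpenVPN's default when unset
    if cipher.upper() == "BF-CBC":
        findings.append("cipher: BF-CBC (default, 64-bit block cipher; use AES-256-CBC)")
    return findings
```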

Jeremy Davis:

I'm not really very familiar with OpenVPN, so it's fantastic to have someone in the community that is up to speed with it! Thanks for your great contributions! :)
