OpenVPN on Vyatta Gateway

I have used IPSec VPN for 10+ years. Recently, I put OpenVPN into one customer’s Softlayer environment. OpenVPN looks quite nice to me: design and implementation are quite easy.

Here I show a site-to-site OpenVPN example.

As usual, topology first:

[Figure: OpenVPN topology]

Step 1: create a PSK

generate openvpn key /config/auth/openvpn1.key

Make sure that the PSK is in the proper folder: /config/auth/. If you put the key into a different folder, you will see a warning message like the one below:

Warning: 'openvpn1.key' lies outside of /config/auth directory. It will not get preserved during image upgrade.

NOTE: you must make sure that the PSK is shared with your peering OpenVPN gateway securely.
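A pre-flight check for the key from Step 1, added here as an example and not part of the original post: the hypothetical helper check_ovpn_key confirms the file sits in /config/auth, is accessible only to its owner, and has the standard static-key layout (assumed: "OpenVPN Static key V1" markers around 512 hex digits), then prints a SHA-256 fingerprint that both gateways can compare over a separate channel. It assumes a Linux shell with sha256sum; the demo key is constructed.

```shell
#!/bin/sh
# Added example (not from the post). Usage: check_ovpn_key FILE [DIR]
# DIR defaults to /config/auth, the directory preserved across image upgrades.
check_ovpn_key() {
    key=$1
    dir=${2:-/config/auth}
    # Regular file only: a symlink could point outside the preserved directory.
    if [ ! -f "$key" ] || [ -L "$key" ]; then
        echo "FAIL: $key is not a regular file" >&2; return 1
    fi
    # Compare physical directories so a path containing ../ cannot pass.
    kdir=$(cd "$(dirname "$key")" && pwd -P) || return 1
    want=$(cd "$dir" && pwd -P) || return 1
    if [ "$kdir" != "$want" ]; then
        echo "FAIL: $key is outside $dir" >&2; return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is accessible to group or other; chmod 600 it" >&2; return 1
    fi
    # Keep only the hex body between the markers; drop CR/LF and fold case.
    body=$(sed -n '/BEGIN OpenVPN Static key V1/,/END OpenVPN Static key V1/p' "$key" |
        grep -v -e '-----' | tr -d ' \r\n' | tr 'A-F' 'a-f')
    case $body in *[!0-9a-f]*) echo "FAIL: non-hex key data" >&2; return 1 ;; esac
    # A 2048-bit static key is 512 hex digits.
    if [ "${#body}" -ne 512 ]; then
        echo "FAIL: expected 512 hex digits, found ${#body}" >&2; return 1
    fi
    # Fingerprint of the key material, for comparison over a second channel.
    printf '%s' "$body" | sha256sum | cut -d' ' -f1
}

# Constructed demo key (not a real secret): 16 lines of 32 hex digits.
demo=$(mktemp -d)
{
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----'
    i=0; while [ "$i" -lt 16 ]; do echo 0123456789abcdef0123456789abcdef; i=$((i + 1)); done
    printf '%s\n' '-----END OpenVPN Static key V1-----'
} > "$demo/openvpn1.key"
chmod 600 "$demo/openvpn1.key"
echo "fingerprint: $(check_ovpn_key "$demo/openvpn1.key" "$demo")"
```

Run it on both gateways after copying the key; matching fingerprints confirm the peers hold identical key material without sending the key a second time.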

 

Step 2: add the OpenVPN configuration. On Vyatta, OpenVPN is configured as an OpenVPN tunnel interface. In my example, the tunnel interface is “vtun0”.

Vyatta-OpenVPN1

set interfaces openvpn vtun0 local-address '192.168.200.1'
set interfaces openvpn vtun0 mode 'site-to-site'
set interfaces openvpn vtun0 remote-address '192.168.200.2'
set interfaces openvpn vtun0 remote-host '192.168.100.2'
set interfaces openvpn vtun0 shared-secret-key-file '/config/auth/openvpn1.key'

Vyatta-OpenVPN2

set interfaces openvpn vtun0 local-address '192.168.200.2'
set interfaces openvpn vtun0 mode 'site-to-site'
set interfaces openvpn vtun0 remote-address '192.168.200.1'
set interfaces openvpn vtun0 remote-host '192.168.100.1'
set interfaces openvpn vtun0 shared-secret-key-file '/config/auth/openvpn1.key'

Step 3: add static interface routes that use the OpenVPN tunnel interface as the next hop

Vyatta-OpenVPN1

set protocols static interface-route 172.16.32.0/24 next-hop-interface 'vtun0'

Vyatta-OpenVPN2

set protocols static interface-route 172.16.31.0/24 next-hop-interface 'vtun0'

Quick test:

vyatta@openvpn2:/config/auth$ ping 172.16.31.1 interface 172.16.32.1
PING 172.16.31.1 (172.16.31.1) from 172.16.32.1 : 56(84) bytes of data.
64 bytes from 172.16.31.1: icmp_req=1 ttl=64 time=0.549 ms
64 bytes from 172.16.31.1: icmp_req=2 ttl=64 time=0.755 ms
^C
--- 172.16.31.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.549/0.652/0.755/0.103 ms

vyatta@openvpn2:/config/auth$ show openvpn site-to-site status
OpenVPN client status on vtun0 []

Remote CN       Remote IP       Tunnel IP       TX byte RX byte Connected Since
--------------- --------------- --------------- ------- ------- ------------------------
None (PSK)      192.168.100.1   192.168.200.1    726.8K  726.7K N/A

As you can see, OpenVPN just works.

FYI: OpenVPN uses UDP (port 1194) as its transport protocol by default.
