http://www.dd-wrt.com/wiki/index.php/OpenVPN_-_Site-to-Site_routed_VPN_between_two_routers

OpenVPN - Site-to-Site routed VPN between two routers

Router Preparation

These VPN scripts have been tested starting with v23 and have been confirmed to work in v24 of DD-WRT. Before proceeding, you need to download the VPN-flavoured build of DD-WRT from the DD-WRT Download Page. Because most of us have DHCP-assigned dynamic IPs, you are also recommended to create a dynamic DNS host for the server router. More information on this procedure is available here.

Finally, make sure that your two routers are not distributing overlapping IP subnet ranges. Routers usually come preconfigured to hand out the 192.168.1.0 range. Since this is a routed configuration, each site needs its own subnet, so the 192.168.1.0 subnet has to be changed on all but one router. The easiest way is a sequential assignment:

Server side: 192.168.1.0
Client1 side: 192.168.2.0
Client2 side: 192.168.3.0
etc.

This way, when your internal networks communicate with each other, the address ranges don't overlap and traffic is not misrouted. If you are looking for a bridged configuration, you'd better check this Wiki page instead.

Secret Key Generation

Prior to configuring your routers, you need to create a shared secret key. This key will be used to authenticate and encrypt your site-to-site communication. Start by downloading the latest OpenVPN package from OpenVPN's main site. Install the package (it is usually installed in C:\Program Files\OpenVPN if you are running Windows). Now, open a command prompt and issue the following command from the OpenVPN directory:
This will create a text file named 'static.key'. Opening it in Notepad or any other text editor will show you output similar to the following:

Warning: Don't go lazy and copy the above; doing so will jeopardize your secure connection. Recreate the file from scratch.

Server Configuration

Using Notepad or any text editor, create the following two configurations:
/tmp/myvpn --mktun --dev tun0

Warning: Watch out for the OTHERSUBNET chunk: you should replace it with your client network's subnet (for example, 192.168.2.0 or 192.168.3.0). Also note that the static key created in the previous step should be pasted in the appropriate section, right after the 'echo' text. Now, create a second configuration with the following text.

Config 2
Now, go to your router's configuration interface, click on 'Administration' then 'Commands'. Paste your 'Config 1' in the 'Startup' section and your 'Config 2' in the 'Firewall' section. You're done with the server configuration!

Client Configuration

The client configuration is very similar to the server configuration, with a few small modifications. Again, you need to create two configs:
Warning: Watch out for the OTHERSUBNET chunk: you should replace it with your server network's subnet (for example, 192.168.1.0). Also note that the static key created in the previous step should be pasted in the appropriate section, right after the 'echo' text. In addition, since this is your client, you need to replace REMOTEADDRESS with your server's IP address or the dynamic DNS name you created in the Router Preparation section.
Now, go to your router's configuration interface, click on 'Administration' then 'Commands'. Paste your 'Config 1' in the 'Startup' section and your 'Config 2' in the 'Firewall' section. You're done with the client configuration!

Advanced Configuration: Multiple routed networks

Warning: This section is not for the faint-hearted. Please read carefully and email me should you have any questions/comments/thoughts. Wiki is all about teamplay!

Start by duplicating the above Client configuration on the two routers, 'Client1' and 'Client2'. Pay extra attention to the IPs and IP ranges you are using and write down your configs. In essence, both clients will have pretty much the same configuration, with one minor change: since both will be connecting to the same server, you cannot use the same port number for both clients, so we will give port 1999 to the first client and port 2000 to the second client.

Client1 Configuration
Client1 -- Firewall

Client2 Configuration

Client2 -- Startup

Client2 -- Firewall

Server Configuration

As for the server, we need to perform three modifications:

Server -- Startup

Server -- Firewall
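As an added example (not the wiki's own startup or firewall script, whose text is not reproduced above), the following POSIX shell functions build the OpenVPN configuration and firewall lines for one end of a static-key tunnel and check the two mistakes this page warns about: overlapping LAN subnets and two clients sharing a server port. The tunnel addresses 10.0.0.1/10.0.0.2, the /tmp/myvpn path, the br0 LAN bridge name and the exact option set are assumptions; OTHERSUBNET, REMOTEADDRESS, tun0 and ports 1999/2000 are the page's own placeholders.

```shell
#!/bin/sh
# Added example (not the wiki's own script): emit a static-key OpenVPN
# site-to-site config for one end of a tunnel. Tunnel addresses, the
# /tmp/myvpn path, br0 and the option set are assumptions. static.key is
# the file produced on the PC with the standard OpenVPN command
# "openvpn --genkey --secret static.key".

# Usage: ovpn_config ROLE PORT DEV LOCAL_TUN REMOTE_TUN OTHERSUBNET [REMOTEADDRESS]
#   ROLE is server or client; OTHERSUBNET is the far LAN (/24 assumed).
ovpn_config() {
    role=$1; port=$2; dev=$3; ltun=$4; rtun=$5; othersubnet=$6; remote=$7
    if [ "$role" = "client" ]; then
        [ -n "$remote" ] || { echo "client needs REMOTEADDRESS" >&2; return 1; }
        printf 'remote %s %s\n' "$remote" "$port"   # server IP or dynamic DNS name
    fi
    printf 'dev %s\nproto udp\nport %s\n' "$dev" "$port"
    printf 'ifconfig %s %s\n' "$ltun" "$rtun"        # the two tunnel endpoints
    printf 'route %s 255.255.255.0\n' "$othersubnet" # reach the far LAN via the tunnel
    printf 'secret /tmp/myvpn/static.key\n'          # shared key pasted by the startup script
    printf 'keepalive 10 120\npersist-key\npersist-tun\nverb 3\n'
}

# Firewall lines for the same end: accept the tunnel port (server only) and
# allow forwarding between the LAN bridge br0 and the tunnel device.
ovpn_firewall() {
    role=$1; port=$2; dev=$3
    if [ "$role" = "server" ]; then
        printf 'iptables -I INPUT 1 -p udp --dport %s -j ACCEPT\n' "$port"
    fi
    printf 'iptables -I FORWARD 1 -i br0 -o %s -j ACCEPT\n' "$dev"
    printf 'iptables -I FORWARD 1 -i %s -o br0 -j ACCEPT\n' "$dev"
}

# Routed setups need distinct LAN ranges; returns 0 when two /24s collide.
subnets_overlap() {
    [ "${1%.*}" = "${2%.*}" ]
}

# Several clients on one server need distinct ports (1999, 2000, ...).
# Returns 0 when every port given is unique.
ports_unique() {
    [ -z "$(printf '%s\n' "$@" | sort | uniq -d)" ]
}

# Stand-alone run: the server's side of the Client1 tunnel on port 1999.
ovpn_config server 1999 tun0 10.0.0.1 10.0.0.2 192.168.2.0
ovpn_firewall server 1999 tun0
```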
Passing DNS requests over your Routed VPN configuration

This section would not have been possible without the work contributed by Jean-Marc L.

A question that comes up often once the routed network is up is DNS resolution. Ideally, you would like all machines on all networks to be able to "speak" to each other using DNS names and not just their IP addresses. This section describes the procedure to integrate DNS resolution into your routed VPN structure.

Let's say we have two subnets: Subnet1, with network ID 192.168.1.0/24, served by Router1 (IP 192.168.1.1), and Subnet2, with network ID 192.168.2.0/24, served by Router2 (IP 192.168.2.1). We would like to configure the two subnets as two domains, Domain1 and Domain2, assigning Domain1 to Subnet1 and Domain2 to Subnet2. Our target is to get Router1 to forward all requests for Domain2 to Router2, and Router2 to forward all requests for Domain1 to Router1.

Router1 DNS setup

First we need to configure the DNSMasq options on Router1. Go to the Services configuration page ('Services' -> 'Services') and perform the following modifications:

- Set the DHCP server to use domain on LAN & WLAN.
- Set the LAN domain to be domain1.
- Enable DNSMasq.
- Enable Local DNS.
- No DNS Rebind -- Disable ***NOTE
This will instruct your router to use local domains when resolving addresses and turn on the router's local DNS service. Next we need to configure Router1 to act as a DNS server on both subnets (so it will answer Router2's requests as well). To do this, add the following options in the 'Additional DNSMasq Options' text box:
The first line instructs DNSMasq to listen for requests from Subnet2 on the tunnel interface tun0. The second line ensures that DHCP will not respond to remote subnet requests. Finally, the last line instructs DNSMasq to forward any requests for Domain2 entries to Router2. In addition, we also need to open port 53 by adding two lines to the firewall section of our configuration. To do this, go to 'Administration' --> 'Commands' and add the following lines to your firewall configuration:
This will allow the firewall to pass DNS requests from Subnet2 to Router1. Finally, reboot Router1.

Router2 DNS Setup

On Router2, you need to replicate the configuration you performed for Router1. This means that you need to add the same firewall rule:
As well as (watch out, it's domain2 and NOT domain1):

- Set the DHCP server to use domain on LAN & WLAN.
- Set the LAN domain to be domain2.
- Enable DNSMasq.
- Enable Local DNS.

Finally, you'll need to include the DNSMasq options. Watch out for the server line: the IP address is now 192.168.1.1 instead of 192.168.2.1.
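As an added example (not the wiki's own settings, which are not reproduced above), the following POSIX shell functions emit the per-router 'Additional DNSMasq Options' and the two port 53 firewall lines for both the Router1 and Router2 setups, and cross-check the two routers' domain names so the domain1/domain2 swap described above is not applied the wrong way round. The dnsmasq keywords (interface, no-dhcp-interface, server) and the udp/tcp rules are my reconstruction of the three option lines and two firewall lines the text describes.

```shell
#!/bin/sh
# Added example (not the wiki's own settings): emit the per-router
# "Additional DNSMasq Options" and the DNS firewall lines described above.
# The dnsmasq keywords and the two port 53 rules are a reconstruction of
# the lines the text describes, not copied from the page.

# Usage: dnsmasq_options DEV REMOTE_DOMAIN REMOTE_ROUTER_IP
dnsmasq_options() {
    printf 'interface=%s\n' "$1"          # answer queries arriving over the tunnel
    printf 'no-dhcp-interface=%s\n' "$1"  # but never hand out DHCP leases there
    printf 'server=/%s/%s\n' "$2" "$3"    # forward *.REMOTE_DOMAIN to the far router
}

# Usage: dns_firewall DEV  (open port 53 on the tunnel device only)
dns_firewall() {
    printf 'iptables -I INPUT 1 -i %s -p udp --dport 53 -j ACCEPT\n' "$1"
    printf 'iptables -I INPUT 1 -i %s -p tcp --dport 53 -j ACCEPT\n' "$1"
}

# The trap the text warns about: each router must forward the OTHER side's
# domain. Usage: check_domains R1_LOCAL R1_FORWARD R2_LOCAL R2_FORWARD
# Returns 0 when the pair is consistent, 1 (with a reason) otherwise.
check_domains() {
    if [ "$1" = "$3" ]; then
        echo "error: both routers use LAN domain '$1'" >&2; return 1
    fi
    if [ "$2" != "$3" ] || [ "$4" != "$1" ]; then
        echo "error: forward domains must be swapped ($1 <-> $3)" >&2; return 1
    fi
    return 0
}

# Stand-alone run: Router1 (domain1, 192.168.1.1) and Router2 (domain2,
# 192.168.2.1), the two example routers from the text above.
check_domains domain1 domain2 domain2 domain1 &&
echo "# Router1" && dnsmasq_options tun0 domain2 192.168.2.1 && dns_firewall tun0 &&
echo "# Router2" && dnsmasq_options tun0 domain1 192.168.1.1 && dns_firewall tun0
```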
You should notice that the options are very similar to the ones in Router1, but in this case we are forwarding all requests for *.domain1 to Router1. Again, reboot Router2.

Testing DNS

To test your configuration, simply go to your Router1 status page ('Status' -> 'LAN'). You should see the list of available hosts that have a DNS registration. Next, go to a PC located on Subnet1 and try the following:

nslookup pconsubnet1.domain1 (replace pconsubnet1 with the hostname of any PC on Subnet1)
nslookup pconsubnet2.domain2 (replace pconsubnet2 with the hostname of any PC on Subnet2)

Both resolutions should work fine. You can go ahead and try the same operation from a PC located on Subnet2. The DNS query should return the correct IP addresses. Otherwise, check your configuration.

Troubleshooting / FAQ

I will be including in this section any troubleshooting questions I received as well as their solutions (if I have one or if the sender found a fix for it).

DMZ feature is used on your DD-WRT router (Thanks TJ T. for that one)

My tunnel is up but I cannot ping the remote endpoint (Thanks Ben G. for that one)
Great! How about internal remote administration through HTTP? (Thanks Marc D. for that question)

iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -j ACCEPT

Why should I use a routed configuration and not a bridged configuration?

Interesting question. Well, a bridged configuration will 'join' both networks together as one: same subnet, same IP range... It looks easier, but the problem is that all kinds of packets, including the infamous broadcasts, will travel from one side of the network to the other, resulting in less-than-optimal usage of your precious bandwidth. On the other hand, a routed network will only send directed packets from one side of the network to the other.

I have a problem connecting my VPNs while using Chillispot, what's the issue? (Thanks Chris A. for bringing this one up)

DHCP Forwarder / DHCP Server feature of DD-WRT

Please take note that this VPN configuration will not work if your router(s) is/are set up as DHCP forwarders. They must be DHCP servers in order for the VPN to connect properly.