Configuring the Server Side OpenVPN Machine
The server side OpenVPN machine is the heart of the VPN. In routed mode, all clients will connect to the OpenVPN server and all communication between clients (if the "client-to-client" option is enabled) is routed by the OpenVPN server, so it's best to have a dedicated, always-up machine to run it on.
Clients need the server side IP address hardcoded in their config files, so it's usually best and easiest to set up a domain name to point to your server side network. (There are many free services out there for free domain names. You'll also need a dynamic DNS service, such as TZO or DynDNS, if the IP address of your server's WAN connection changes frequently.)
First, we need to create a configuration directory for OpenVPN. Elevate yourself to root and create the directory /etc/openvpn with subdirectories /etc/openvpn/certs and /etc/openvpn/keys.
~ # mkdir /etc/openvpn ~ # mkdir /etc/openvpn/certs /etc/openvpn/keys
Next, copy the server's certificate (server.crt) and the CA's certificate (ca.crt) we created earlier with OpenVPN's easy-rsa into /etc/openvpn/certs. Likewise, copy the server's key (server.key) into /etc/openvpn/keys. The server's key should be kept secret, lock down the permissions on the key with:
~ # chmod -R 600 /etc/openvpn/keys/
Next, we need to create the Diffie-Hellman parameters for symmetric key agreement and exchange. After creation, copy the DH parameters (dh2048.pem) to /etc/openvpn.
~ $ openssl dhparam -out dh2048.pem 2048
One of the great features of OpenVPN is the ability to "push" specific configurations to individual clients. This allows you to set up a very powerful and flexable VPN network with multiple types of clients all connecting back to one central server.
This is accomplished by setting up a client configuration directory on the OpenVPN server that contains short configuration files for each client that connects to the server. When a client connects, the server looks for the configuration file with the same common name as the client's certificate and executes any configuration parameters in that file.
Create the directory /etc/openvpn/client-configs and in it, create a file with the same common name as the client network (remote_office in this example).
~ # mkdir /etc/openvpn/client-configs ~ # touch /etc/openvpn/client-configs/remote_office
Open up remote_office with your favorite text editor and enter the following configuration:
iroute 192.168.1.0 255.255.255.0 push "route 10.1.1.0 255.255.255.0 vpn_gateway"
The iroute directive sets an internal route on the OpenVPN server, so it knows to route all traffic bound for the network 192.168.1.0/24 through the remote_office client. Pushing the route 10.1.1.0/24 allows the client advertises the server's network to the client.
Finally, we need to edit the OpenVPN config file. OpenVPN ships with a collection of good example config files (found in ~/openvpn-2.0.9/sample-config-files) that are very well documented starting points. The man page is also very well written and contains loads of useful information.
For this example, the OpenVPN server's config file (server.conf) looks like this.
Configuring the Server Side Router
In order to route traffic from the server-side network through OpenVPN to the client, the machines on the server's network need to know how to reach the client. So we need to add a route to the server-side router to route all traffic bound for the client subnet (192.168.1.0/24) to the OpenVPN machine (10.1.1.2).
On the DGL-4300, this is found under Advanced > Routing (Figure 3).
Figure 3: Adding a Route to the Server-side Router
Now we can start up the OpenVPN server:
~ # openvpn --config /etc/openvpn/server.conf