Overview

The following section will guide you through the process of setting up an OpenVPN Site-to-Site configuration with certificate based authentication on VyOS.

If you are yet to provision your VyOS instances on the CloudCo Partner platform please follow our Getting Started guide.


Certificates and Keys

The first step is to copy the easy-rsa folder and modify some fields at the bottom of the vars file to match your company information. This is used as default values for the script to sign the certificates.

cp -rv /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /config/easy-rsa2
nano /config/easy-rsa2/vars

We then create certificates and keys for the passive (server) and active (client) sides. We do this from the command line of the passive side. For certs, do not set passwords, and sign and commit certs if requested.

cd /config/easy-rsa2
source ./vars
./build-ca
./build-dh
./build-key-server site2site_passive
./build-key site2site_active

Finally, we copy the server files to the correct location:

sudo mkdir /config/auth
sudo cp keys/ca.crt /config/auth/
sudo cp keys/dh1024.pem /config/auth/
sudo cp keys/site2site_passive.key /config/auth/
sudo cp keys/site2site_passive.crt /config/auth/

Copying Client Files

The active certificates and keys must then be moved to the /config/auth/ on the active side. We do this using scp from the passive side:

scp keys/site2site_active.* vyos@<active-ip-address>:/config/auth/
scp keys/ca.crt vyos@<active-ip-address>:/config/auth/

Configuring the Active Side

We will now configure the interface settings for the active side. Note that for both local and remote ports we use 1195, as 1194 is generally used for Client/Server OpenVPN configurations.

For the purposes of this guide, the public IP for the active side is 23.90.55.23 and the passive side is 23.90.55.24.

set interfaces openvpn vtun1
set interfaces openvpn vtun1 local-address 172.16.1.1
set interfaces openvpn vtun1 remote-address 172.16.1.2
set interfaces openvpn vtun1 remote-host 23.90.55.24

set interfaces openvpn vtun1 local-port 1195
set interfaces openvpn vtun1 remote-port 1195

set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 tls role active
set interfaces openvpn vtun1 tls ca-cert-file /config/auth/ca.crt
set interfaces openvpn vtun1 tls key-file /config/auth/site2site_active.key
set interfaces openvpn vtun1 tls cert-file /config/auth/site2site_active.crt 

Configuring the Passive Side

We will now do the same for the passive side. Make sure the local and remote addresses are swapped.

set interfaces openvpn vtun1
set interfaces openvpn vtun1 local-address 172.16.1.2
set interfaces openvpn vtun1 remote-address 172.16.1.1
set interfaces openvpn vtun1 remote-host 23.90.55.23

set interfaces openvpn vtun1 local-port 1195
set interfaces openvpn vtun1 remote-port 1195

set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 tls role passive
set interfaces openvpn vtun1 tls ca-cert-file /config/auth/ca.crt
set interfaces openvpn vtun1 tls key-file /config/auth/site2site_passive.key
set interfaces openvpn vtun1 tls cert-file /config/auth/site2site_passive.crt
set interfaces openvpn vtun1 tls dh-file /config/auth/dh1024.pem 

Testing Your VPN Connection

The two sides of the VPN should now be connected by private tunnel. To test if the connection is working correctly you can perform a ping from the local address to the remote address for both the passive and active sides.

If you wish, you can also specify requests to a specific subnet to route via the tunnel using the remote address. In the example below, we wish to route traffic from the passive side to 192.168.1.0/24 via the private tunnel. We thus input the following on the passive side:

set protocols static route 192.168.1.0/24 next-hop 172.16.1.1

Similarly, if we wish to route traffic from the active side to 192.168.2.0/24 via the private tunnel, we input the following on the active side:

set protocols static route 192.168.2.0/24 next-hop 172.16.1.2