Site to Site VPN with OpenVPN

Introduction

Setting up a site-to-site VPN using OpenVPN lets you securely connect two or more separate networks over the internet, as if they were physically linked. This is especially useful for businesses or organizations with multiple offices that need to share resources securely and seamlessly. Unlike typical VPNs that connect individual devices, site-to-site VPNs create a tunnel between entire networks, allowing all devices on each side to communicate safely.

This guide walks you through building a site-to-site VPN with OpenVPN from start to finish. It’s designed for readers who have some networking basics and want to implement a robust, secure connection between sites. We’ll cover what you’re building, the necessary prerequisites, detailed setup steps, configuration nuances, testing, common pitfalls, and security hardening tips. By the end, you’ll have a clear understanding of how OpenVPN manages control and data traffic in this setup and how to troubleshoot and optimize your deployment.

This guide covers OpenVPN in site-to-site mode with a practical setup path, validation steps, and the details needed to build it safely.

What You Are Building

A site-to-site VPN connects two distinct local networks (LANs) over a public network like the internet. Think of it as a private, encrypted tunnel that links two offices so devices on one LAN can access devices and services on the other as if they were on the same local network.

OpenVPN acts as the software that creates and manages this tunnel. It uses TLS (Transport Layer Security) for authenticating and securing the control channel (the connection setup and management part), and encrypts all data traffic passing through the tunnel.

In this setup:

  • One site runs the OpenVPN server, listening for incoming connections.
  • The other site runs the OpenVPN client, initiating the connection.
  • Both sides route traffic destined for the opposite LAN through the VPN tunnel.
  • The VPN handles encryption, authentication, and routing between the two sites.

This is typically a layer 3 (IP layer) routing setup, meaning the VPN routes IP packets between networks rather than bridging Ethernet frames (layer 2), which is more complex and less common today.

Diagram: Simple Site-to-Site OpenVPN Architecture

graph LR
    Internet((Internet))
    SiteA[Site A LAN<br>192.168.1.0/24]
    SiteB[Site B LAN<br>192.168.2.0/24]
    Server[OpenVPN Server<br>Public IP]
    Client[OpenVPN Client]

    SiteA -->|LAN traffic| Server
    Server -->|VPN Tunnel| Internet
    Internet -->|VPN Tunnel| Client
    Client -->|LAN traffic| SiteB

Prerequisites

Before starting, ensure you have:

  • Two networks with their own IP subnets (e.g., Site A: 192.168.1.0/24, Site B: 192.168.2.0/24).
  • A server machine at one site with a public IP address or reachable hostname to act as the OpenVPN server.
  • A client machine at the other site with internet access to connect to the server.
  • Administrative access on both machines to install and configure OpenVPN.
  • Basic knowledge of Linux command line and networking concepts (IP addressing, routing).
  • OpenVPN installed on both server and client machines.
  • Firewall rules configured to allow OpenVPN traffic (default UDP port 1194 or your chosen port).
  • A Public Key Infrastructure (PKI) setup for TLS authentication — certificates and keys generated for server and client.

Step-by-Step Setup

1. Set Up the Certificate Authority (CA) and Generate Keys

OpenVPN uses TLS certificates for secure authentication. You need a CA to sign certificates for the server and clients.

# Initialize easy-rsa (or your chosen PKI tool)
cd /etc/openvpn/easy-rsa/
./easyrsa init-pki
# nopass leaves the CA key unencrypted; fine for a lab, otherwise drop it and keep the CA key off the VPN server
./easyrsa build-ca nopass

# Generate server certificate and key (create the request, then sign it with the CA as type "server")
./easyrsa gen-req server nopass
./easyrsa sign-req server server

# Generate client certificate and key (signed as type "client")
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1

# Generate Diffie-Hellman parameters
./easyrsa gen-dh

# Results land under pki/: ca.crt, issued/server.crt, private/server.key, issued/client1.crt, private/client1.key, dh.pem

2. Configure the OpenVPN Server

Create the server config file /etc/openvpn/server.conf with key settings:

port 1194
proto udp
dev tun

# Copied from the easy-rsa pki/ directory next to this file
ca ca.crt
cert server.crt
key server.key
dh dh.pem

server 10.8.0.0 255.255.255.0  # VPN subnet for tunnel IPs

push "route 192.168.1.0 255.255.255.0"  # Tell the client how to reach the server's LAN (Site A)

# Do not push the client's own LAN (Site B) back to the client. Instead, route it into the
# tunnel on the server and tell OpenVPN which client owns it with an iroute in its ccd file
route 192.168.2.0 255.255.255.0  # Kernel route for Site B via the tun interface
client-config-dir ccd            # ccd/client1 contains: iroute 192.168.2.0 255.255.255.0

keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun

status openvpn-status.log
verb 3

Enable IP forwarding on the server:

# Takes effect immediately but does not survive a reboot; persist it with net.ipv4.ip_forward=1 in /etc/sysctl.conf
echo 1 > /proc/sys/net/ipv4/ip_forward

Add firewall rules to allow forwarding between VPN and LAN interfaces.

3. Configure the OpenVPN Client

On the client side, create /etc/openvpn/client.conf:

client
dev tun
proto udp
remote your.server.ip 1194  # Public IP or hostname of the server site

ca ca.crt
cert client1.crt
key client1.key

cipher AES-256-CBC  # Must match the server
persist-key
persist-tun
verb 3

route 192.168.1.0 255.255.255.0  # Route to server LAN (redundant if the server pushes it, but harmless)

Enable IP forwarding on the client as well.

4. Routing and Firewall

  • Add static routes on both LAN routers or configure the VPN endpoints to route traffic between LANs.
  • Adjust firewall rules to allow VPN traffic and forwarding between interfaces.

Configuration Details

OpenVPN separates the control plane and data plane:

  • Control plane manages connection setup, authentication, and key exchange using TLS over UDP or TCP.
  • Data plane carries encrypted user traffic through the tunnel.

In site-to-site mode, OpenVPN assigns virtual IP addresses to each endpoint on the VPN subnet (e.g., 10.8.0.1 for server, 10.8.0.2 for client). It then routes traffic between the LAN subnets through this tunnel.

Key configuration points:

  • Use server directive on the server to define the VPN subnet.
  • Use route and push "route ..." to tell each side about the remote LAN subnet.
  • Enable IP forwarding on both endpoints.
  • Use consistent encryption settings (cipher, TLS version).
  • Choose UDP for better performance unless TCP is needed for firewall traversal.

Validation and Testing

After starting OpenVPN on both ends:

  • Check the OpenVPN status logs (openvpn-status.log) for connection success.
  • Use ping to test connectivity between hosts on opposite LANs.
  • Verify routing tables with ip route or route -n.
  • Use tcpdump or Wireshark to inspect VPN traffic if needed.
  • Test failover by restarting the VPN service and ensuring reconnection.

Common Mistakes

  • Forgetting to enable IP forwarding on server or client.
  • Missing or incorrect firewall rules blocking VPN or forwarding traffic.
  • Incorrect routing configuration causing traffic to not reach the remote LAN.
  • Mismatched certificates or keys causing TLS handshake failures.
  • Using conflicting IP subnets on both LANs.
  • Not matching cipher or protocol settings between server and client.
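As an added example (not code from this guide or from the OpenVPN project) that ties the key configuration points above to this list of mistakes: a small Python checker parses constructed server.conf, ccd/client1 and client.conf fragments and reports overlapping LANs, a client LAN pushed back to the client, a missing route/iroute pair for the client LAN, and cipher mismatches. The hostname vpn.example.invalid and the finding codes are my own.

```python
import ipaddress

# Constructed fragments modelled on this guide's configs (not real deployment files).
# Site A (192.168.1.0/24) is behind the server, Site B (192.168.2.0/24) behind client1.
SERVER_CONF = """
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"   # tell the client how to reach Site A
route 192.168.2.0 255.255.255.0          # kernel route for Site B into the tunnel
client-config-dir ccd                    # ccd/client1 holds the iroute below
cipher AES-256-GCM
"""
CCD_CLIENT1 = "iroute 192.168.2.0 255.255.255.0\n"   # OpenVPN-internal: Site B is behind client1
CLIENT_CONF = "client\nremote vpn.example.invalid 1194\ncipher AES-256-GCM\n"

def parse(text):
    """Yield (directive, args) pairs with comments and quotes stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].replace('"', "").strip()
        if line:
            directive, *args = line.split()
            yield directive, args

def to_net(args):
    """'192.168.2.0 255.255.255.0' -> IPv4Network('192.168.2.0/24')."""
    return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)

def check_site_to_site(server_conf, ccd_conf, client_conf, lan_a, lan_b):
    """Return finding codes for the mistakes listed in the guide; [] means clean."""
    s, ccd, c = list(parse(server_conf)), list(parse(ccd_conf)), list(parse(client_conf))
    lan_a, lan_b = ipaddress.ip_network(lan_a), ipaddress.ip_network(lan_b)
    findings = []
    if lan_a.overlaps(lan_b):                       # conflicting IP subnets on both LANs
        findings.append("lan-subnets-overlap")
    pushed = {to_net(a[1:]) for d, a in s if d == "push" and a[:1] == ["route"]}
    if lan_a not in pushed:                         # client never learns how to reach Site A
        findings.append("server-lan-not-pushed")
    if lan_b in pushed:                             # client told to tunnel its own LAN
        findings.append("client-own-lan-pushed")
    routes = {to_net(a) for d, a in s if d == "route"}
    iroutes = {to_net(a) for d, a in ccd if d == "iroute"}
    has_ccd = any(d == "client-config-dir" for d, _ in s)
    if not (lan_b in routes and lan_b in iroutes and has_ccd):
        findings.append("route-iroute-missing-for-client-lan")
    ciphers = lambda conf: {a[0] for d, a in conf if d in ("cipher", "data-ciphers")}
    if ciphers(s) != ciphers(c):                    # cipher settings must match on both ends
        findings.append("cipher-mismatch")
    return findings
```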

Hardening Tips

  • Use strong TLS certificates with proper key lengths.
  • Enable TLS authentication (tls-auth) to protect against DoS attacks.
  • Use modern ciphers like AES-256-GCM or ChaCha20-Poly1305.
  • Limit VPN user privileges by running OpenVPN under a dedicated user.
  • Regularly update OpenVPN and dependencies.
  • Monitor logs and set up alerts for unusual activity.
  • Consider using firewall rules to restrict VPN traffic to known IPs.
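As an added example (my own code, not the guide's or the OpenVPN project's) covering the status-log check in "Validation and Testing" and the log monitoring tip above: a parser for the version-1 openvpn-status.log format that confirms the site peer is connected from its expected public address, that its LAN appears in the ROUTING TABLE (which is what proves the iroute took effect), and that no unexpected common name is connected. The log content, the peer name client1 and the addresses are constructed.

```python
# Constructed sample of a status-version-1 openvpn-status.log (not captured from a
# real server): client1 is up and the ROUTING TABLE shows Site B's subnet installed
# through its iroute, which is the line that proves the site-to-site routing works.
STATUS_LOG = """OpenVPN CLIENT LIST
Updated,Mon Jan  1 10:00:00 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.10:51194,10240,20480,Mon Jan  1 09:58:00 2024
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.2,client1,203.0.113.10:51194,Mon Jan  1 10:00:00 2024
192.168.2.0/24,client1,203.0.113.10:51194,Mon Jan  1 10:00:00 2024
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

def parse_status(text):
    """Return (clients, routes): common name -> real address, and
    virtual address or subnet -> common name that owns it."""
    clients, routes, section = {}, {}, None
    for line in text.splitlines():
        if line.startswith("OpenVPN CLIENT LIST"):
            section = "clients"
        elif line == "ROUTING TABLE":
            section = "routes"
        elif line == "GLOBAL STATS":
            section = None
        else:
            f = line.split(",")
            if section == "clients" and len(f) == 5 and f[0] != "Common Name":
                clients[f[0]] = f[1]
            elif section == "routes" and len(f) == 4 and f[0] != "Virtual Address":
                routes[f[0]] = f[1]
    return clients, routes

def site_to_site_health(text, peer_cn, peer_lan, allowed_sources):
    """Problems worth alerting on: peer down, peer arriving from an unexpected
    public IP, peer LAN missing from the routing table, extra peers connected."""
    clients, routes = parse_status(text)
    problems = []
    if peer_cn not in clients:
        problems.append(f"{peer_cn} not connected")
    elif clients[peer_cn].rsplit(":", 1)[0] not in allowed_sources:
        problems.append(f"{peer_cn} connected from {clients[peer_cn]}")
    if routes.get(peer_lan) != peer_cn:
        problems.append(f"{peer_lan} not routed to {peer_cn}")
    problems += [f"unexpected client {cn}" for cn in clients if cn != peer_cn]
    return problems
```

Run it from cron or a monitoring agent against the live status file and alert on any non-empty result.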

Conclusion

Building a site-to-site VPN with OpenVPN is a powerful way to securely connect multiple networks over the internet. While the setup requires careful attention to certificates, routing, and firewall rules, the resulting encrypted tunnel provides a reliable and private connection between sites. By understanding both the control and data planes, and following best practices for configuration and hardening, you can deploy a robust VPN tailored to your organization’s needs.
