14.4 VPN Site-to-Site

14.4.1 Installing Two NICs

It is best to complete the installation and configuration of the first network interface card (NIC) through the Web configuration tool before configuring a second NIC. After the initial Web configuration is complete, you can then use YaST to configure the second NIC.

NOTE: Because traffic is routed through the server, be sure to enable IP Forwarding when configuring the second NIC.

14.4.2 VPN Site-to-Site Setup

A site-to-site VPN between two NOWS SBE servers is built from two client-to-server VPNs running in opposite directions: each server is the VPN server for the other and also a client of the other.

  1. Synchronize the time between the two servers by using ntpdate.

  2. In the NOWS SBE Web administration tool, install Firewall (IPTables) and VPN Server (OpenVPN) on both Server A and Server B.

    1. For Server A, replace auto in the Virtual IP Address Network field with a distinct segment address, such as 172.16.150.0.

    2. For Server B, replace auto in the Virtual IP Address Network field with a distinct segment address, such as 172.16.151.0.

    3. Replace auto in the VPN Network Mask field with the appropriate mask, such as 255.255.255.0.

    4. Verify that Allow VPN Clients Access to Internal Network is selected.

  3. From Server A’s Web administration tool, create a client key for Server B to use.

    1. Go to Products and Service > VPN Server (OpenVPN) > Administrative Console > Open VPN Key Management.

    2. Specify a unique name and select Generate.

      Using the name of Server B helps maintain organization.

    3. Select Windows Client and Configuration to download and save the Windows client .zip file. The filename is based on the unique name selected.

  4. Copy the client .zip file to /etc/openvpn on Server B.

  5. Extract the client .zip file into the /etc/openvpn folder using the command unzip unique_name_client.zip. If desired, delete the Windows install files.

  6. Rename (mv) or copy (cp) the unique_name.ovpn file to client.conf.

  7. Using a text editor, such as vi, open the server.conf file and comment out the second-to-last line with a # symbol. This prevents the VPN from pushing the public route to the other server and allows each server to reach the public network directly.

  8. Create a client key for Server A to use by repeating Step 3 from Server B’s Web administration tool.

  9. Finalize Server A’s configuration by repeating Step 4 through Step 7 on Server A. When complete, each server should have a server.conf and a client.conf file in the /etc/openvpn/ directory.

  10. Restart OpenVPN on each server by using /etc/init.d/openvpn restart.

    You should now have a functioning two-way VPN tunnel. Each server should push its private routes to the other.

  11. Test the connection by pinging a host on Network A from Server B, and a host on Network B from Server A.
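Step 4 through Step 7 and Step 10 are the same on both servers, so they are easy to script. The following shell functions are an added example, not part of the NOWS SBE documentation or its own scripts. They assume the locations the procedure names (/etc/openvpn and /etc/init.d/openvpn) and a client bundle named unique_name_client.zip that contains unique_name.ovpn; the Step 7 edit is done by line number, exactly as the procedure describes, and site_to_site_ready confirms the end state Step 9 describes before OpenVPN is restarted.

```shell
#!/bin/sh
# Added example, not part of the NOWS SBE documentation: scripts Step 4 through
# Step 7 and Step 10 for one server and checks the end state Step 9 describes.
# It assumes the locations the procedure names (/etc/openvpn and
# /etc/init.d/openvpn) and that the client bundle was downloaded as
# unique_name_client.zip containing unique_name.ovpn.
set -eu

# comment_second_last FILE
# Step 7: put a '#' in front of the second-to-last line of FILE. The line is
# picked by number, exactly as the procedure says, so inspect it afterwards
# with second_last_line. FILE is expected to end with a newline.
comment_second_last() {
    file="$1"
    total=$(wc -l < "$file")
    target=$((total - 1))
    [ "$target" -ge 1 ] || return 1
    awk -v n="$target" 'NR == n { print "#" $0; next } { print }' "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# second_last_line FILE
# Prints the line Step 7 changed, for inspection.
second_last_line() {
    tail -n 2 "$1" | head -n 1
}

# install_client_config DIR ZIP NAME
# Steps 5 and 6: extract the client bundle into DIR and rename NAME.ovpn to
# client.conf. The Windows install files from the bundle are left in place.
install_client_config() {
    dir="$1"; zip="$2"; name="$3"
    unzip -o -q "$zip" -d "$dir"
    mv "$dir/$name.ovpn" "$dir/client.conf"
}

# site_to_site_ready DIR
# The end state of Step 9: server.conf and client.conf both exist in DIR and
# the second-to-last line of server.conf is commented out.
site_to_site_ready() {
    dir="$1"
    [ -f "$dir/server.conf" ] && [ -f "$dir/client.conf" ] || return 1
    case "$(second_last_line "$dir/server.conf")" in
        \#*) return 0 ;;
        *)   return 1 ;;
    esac
}

# configure_site_to_site DIR ZIP NAME
# Steps 4 through 7 and Step 10 for one server; DIR is normally /etc/openvpn.
configure_site_to_site() {
    dir="$1"; zip="$2"; name="$3"
    cp "$zip" "$dir/"                                                # Step 4
    install_client_config "$dir" "$dir/$(basename "$zip")" "$name"  # Steps 5 and 6
    comment_second_last "$dir/server.conf"                           # Step 7
    site_to_site_ready "$dir"                                        # Step 9 end state
    /etc/init.d/openvpn restart                                      # Step 10
}

# Usage on Server B, after downloading the bundle created on Server A
# (file and key names here are constructed):
#   configure_site_to_site /etc/openvpn /root/serverB_client.zip serverB
```

Run the same call on Server A with the bundle created on Server B to finish Step 9. If site_to_site_ready fails, the restart in Step 10 is skipped, which is the safer outcome: a server.conf whose public push line is still active is the condition the troubleshooting tips warn about.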

For most networks with more than a single subnet, or where Server A and Server B are not the default gateway for clients on their networks, you also need to set up routing on internal switches and routers so that clients on Network A use Server A as the next hop to Network B, and clients on Network B use Server B as the next hop to Network A.

WARNING: This involves modifying systems beyond the NOWS SBE servers and can break the network if performed incorrectly. You are on your own at this point.

14.4.3 Troubleshooting Tips

  • To verify the validity of the certificates on the VPN, issue the following command:

    openssl verify -CAfile <keyname>ca.crt -purpose sslclient <keyname>.crt
    
  • Step 7 suggests commenting out the public push statements for the VPN. If this is not done and the VPN servers are on the same network segment, the servers will hang. Pushing the public route can also cause trouble communicating over the VPN tunnel.

  • Uninstalling the Firewall (IPTables) component does not undo any firewall configuration changes that have been made. Changes to the firewall configuration can cause the Site-to-Site VPN to stop functioning, so make firewall changes with care.

  • To verify the firewall configuration, follow these directions:

    1. In a text editor, open /etc/sysconfig/SuSEfirewall2

    2. Find the line beginning with FW_DEV_INT

    3. Verify that it looks like this:

      FW_DEV_INT="eth1 tun0 tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8 tun9"
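The certificate check and the FW_DEV_INT check above can be wrapped so they are run the same way every time. The following shell functions are an added example, not part of the NOWS SBE documentation. They assume the key files are in /etc/openvpn (the page does not say where the key management tool writes them) and read the SuSEfirewall2 file named above; the FW_DEV_INT parser accepts the value with or without a closing quote and reports which of tun0 through tun9 are missing.

```shell
#!/bin/sh
# Added example, not part of the NOWS SBE documentation: the certificate and
# firewall checks from the troubleshooting tips, wrapped as shell functions.
# It assumes the key files live in /etc/openvpn (an assumption; the page does
# not say where they are written) and uses the SuSEfirewall2 file named in
# the tips.
set -eu

# verify_vpn_cert CA_CRT CLIENT_CRT
# Checks that CLIENT_CRT chains to CA_CRT and may be used as a TLS client
# certificate. Returns openssl's status: 0 when valid, non-zero otherwise.
verify_vpn_cert() {
    openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# fw_dev_int_value FILE
# Prints the value of FW_DEV_INT from a SuSEfirewall2 config file, without
# the surrounding quotes; returns 1 if the variable is not set in FILE.
fw_dev_int_value() {
    line=$(grep '^FW_DEV_INT=' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    value=${line#FW_DEV_INT=}
    value=${value#\"}
    value=${value%\"}
    printf '%s\n' "$value"
}

# fw_dev_int_has_tun FILE
# Returns 0 only if FW_DEV_INT lists at least one tun device as internal.
fw_dev_int_has_tun() {
    value=$(fw_dev_int_value "$1") || return 1
    for dev in $value; do
        case "$dev" in
            tun[0-9]*) return 0 ;;
        esac
    done
    return 1
}

# fw_dev_int_missing FILE
# Prints each of tun0 through tun9 that FW_DEV_INT does not list, one per line.
fw_dev_int_missing() {
    value=$(fw_dev_int_value "$1") || value=""
    for want in tun0 tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8 tun9; do
        found=0
        for dev in $value; do
            [ "$dev" = "$want" ] && found=1
        done
        [ "$found" -eq 1 ] || printf '%s\n' "$want"
    done
}

# run_checks KEYNAME
# Runs both checks against the locations assumed above and reports the result.
run_checks() {
    ca="/etc/openvpn/$1ca.crt"
    crt="/etc/openvpn/$1.crt"
    if verify_vpn_cert "$ca" "$crt"; then
        echo "certificate $crt: OK"
    else
        echo "certificate $crt: FAILED (rerun without redirection for the reason:"
        echo "  openssl verify -CAfile $ca -purpose sslclient $crt)"
    fi
    missing=$(fw_dev_int_missing /etc/sysconfig/SuSEfirewall2)
    if [ -z "$missing" ]; then
        echo "FW_DEV_INT: tun0 through tun9 are all listed"
    else
        echo "FW_DEV_INT: missing" $missing
    fi
}

# Usage (key name constructed): run_checks serverB
```

A certificate that verifies against a different CA file than the one generated with it will fail the first check, so running it with the CA file from the server that created the key is the quickest way to confirm that the client.conf on one server was really built from the other server's key management tool.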