BSD Router Project

User Tools

Site Tools

Trace:
documentation:examples:gre_ipsec_and_openvpn

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
Next revisionBoth sides next revision
documentation:examples:gre_ipsec_and_openvpn [2020/01/13 14:08] – [VPN with GRE, GIF, IPSec and OpenVPN] olivierdocumentation:examples:gre_ipsec_and_openvpn [2020/06/29 16:48] – [VM2: OpenVPN server] olivier
Line 1053: Line 1053:
 <code> <code>
 passwd passwd
-</code> 
-==== VM4: OpenVPN client ==== 
- 
-As OpenVPN client, VM4 should get these files from VM2 and put them in /usr/local/etc/openvpn: 
-  * ca.crt 
-  * VM4.crt 
-  * VM4.key 
- 
-On this lab, scp can be used for getting these files: 
-<code> 
-mkdir /usr/local/etc/openvpn 
-scp 10.0.23.2:/usr/local/etc/easy-rsa/pki/ca.crt /usr/local/etc/openvpn 
-scp 10.0.23.2:/usr/local/etc/easy-rsa/pki/issued/VM4.crt /usr/local/etc/openvpn 
-scp 10.0.23.2:/usr/local/etc/easy-rsa/pki/private/VM4.key /usr/local/etc/openvpn 
 </code> </code>
  
-Configure openvpn as a client:+Now Generate client configuration file with embedded certificates:
  
 <code> <code>
-cat > /usr/local/etc/openvpn/openvpn.conf <<'EOF'+cat > /usr/local/etc/openvpn/VM4-openvpn.conf <<'EOF'
 client client
 dev tun dev tun
 remote 10.0.23.2 remote 10.0.23.2
-ca ca.crt +<ca>
-cert VM4.crt +
-key VM4.key+
 'EOF' 'EOF'
 +cat /usr/local/etc/easy-rsa/pki/ca.crt >> /usr/local/etc/openvpn/VM4-openvpn.conf
 +echo '</ca>' >> /usr/local/etc/openvpn/VM4-openvpn.conf
 +echo '<cert>' >> /usr/local/etc/openvpn/VM4-openvpn.conf
 +cat /usr/local/etc/easy-rsa/pki/issued/VM4.crt >> /usr/local/etc/openvpn/VM4-openvpn.conf
 +echo '</cert>' >> /usr/local/etc/openvpn/VM4-openvpn.conf
 +echo '<key>' >> /usr/local/etc/openvpn/VM4-openvpn.conf
 +cat /usr/local/etc/easy-rsa/pki/private/VM4.key >> /usr/local/etc/openvpn/VM4-openvpn.conf
 +echo '</key>' >> /usr/local/etc/openvpn/VM4-openvpn.conf
 </code> </code>
 +==== VM4: OpenVPN client ====
 +
 +As OpenVPN client, VM4 should get its openvpn configuration file (that embedded certificate and key) from VM2 and put them in /usr/local/etc/openvpn.
 +
 +On this lab, scp can be used for getting these files:
 +<code>
 +mkdir /usr/local/etc/openvpn
 +scp 10.0.23.2:/usr/local/etc/openvpn/vm4-openvpn.conf /usr/local/etc/openvpn/openvpn.conf
 +</code>
 +
  
 Enable and start openvpn: Enable and start openvpn:
Line 1160: Line 1162:
 16:52:40.744771 IP 10.0.34.4.1194 > 10.0.23.2.1194: UDP, length 114 16:52:40.744771 IP 10.0.34.4.1194 > 10.0.23.2.1194: UDP, length 114
 16:52:40.744786 IP 10.0.34.4.1194 > 10.0.23.2.1194: UDP, length 22 16:52:40.744786 IP 10.0.34.4.1194 > 10.0.23.2.1194: UDP, length 22
 +</code>
 +
 +===== Wireguard =====
 +
 +==== Key pairs generation ====
 +
 +The first step is to generate a couple of private and public keys on each wireguard endpoint.
 +
 +On VM2 and on VM4, generate the keys:
 +
 +<code>
 +cd /usr/local/etc/wireguard
 +wg genkey > private
 +chmod 600 private
 +wg pubkey < private > public
 +</code>
 +
 +==== Router 2 ====
 +
 +Display router 2 private key, and router 4 public key.
 +
 +<code>
 +cat > /usr/local/etc/wireguard/wg0.conf <<EOF
 +[Interface]
 +PrivateKey = 8Og1cCmvirK+zcGus/EyaA8aiFdzjjtS9GbuBa/bqFQ=
 +ListenPort = 51820
 +
 +[Peer]
 +PublicKey = FSvVqj2s1FZqsSIvPLrE1RRTgbaPLbfG87P36F21M1g=
 +AllowedIPs = 10.0.45.0/24,2001:db8:45::2/64
 +Endpoint = 10.0.34.4:51820
 +EOF
 +
 +sysrc wireguard_interfaces=wg0
 +service wireguard enable
 +service wireguard start
 +</code>
 +
 +==== Router 4 ====
 +
 +Display router 4 private key, and router 2 public key.
 +
 +<code>
 +cat > /usr/local/etc/wireguard/wg0.conf <<EOF
 +[Interface]
 +PrivateKey = ADfm6+sXZnoyDAkG/MXXy062pjSgh2GgfAIKwX+ewGg=
 +ListenPort = 51820
 +
 +[Peer]
 +PublicKey = gaQij176wrz3g+2RTJ/S1oEnc7rx2reU1Z0Thrv4oXc=
 +AllowedIPs = 10.0.12.0/24,2001:db8:12::2/64
 +Endpoint = 10.0.23.2:51820
 +EOF
 +
 +sysrc wireguard_interfaces=wg0
 +service wireguard enable
 +service wireguard start
 +</code>
 +
 +==== Testing ====
 +
 +Pinging VM5 from VM1:
 +
 +<code>
 +[root@VM1]~# ping -c2 10.0.45.5
 +PING 10.0.45.5 (10.0.45.5): 56 data bytes
 +64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=2.135 ms
 +64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=0.783 ms
 +
 +--- 10.0.45.5 ping statistics ---
 +2 packets transmitted, 2 packets received, 0.0% packet loss
 +round-trip min/avg/max/stddev = 0.783/1.459/2.135/0.676 ms
 +
 +[root@VM1]~# ping6 -c2 2001:db8:45::5
 +PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 +16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=1.779 ms
 +16 bytes from 2001:db8:45::5, icmp_seq=1 hlim=62 time=0.764 ms
 +
 +--- 2001:db8:45::5 ping6 statistics ---
 +2 packets transmitted, 2 packets received, 0.0% packet loss
 +round-trip min/avg/max/std-dev = 0.764/1.272/1.779/0.507 ms
 </code> </code>
documentation/examples/gre_ipsec_and_openvpn.txt · Last modified: 2023/07/10 12:40 by olivier
Except where otherwise noted, content on this wiki is licensed under the following license: BSD 2-Clause
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki