Scenario: You have a network at Head Office with resources (email, web, files, etc.) and you would like to link a branch office to it at the network level to enable bi-directional communication.
The two subnets are as follows:
Head Office - 10.10.1.0/24
Branch Office - 10.10.2.0/24
Two Debian Machines, One at each site:
HEADOFFICE - 10.10.1.200
BRANCHOFFICE - 10.10.2.200
The Debian machines can have 1 NIC each, or 2 NICs, depending on how you want to configure your network.
1 NIC scenario: I would only like to tunnel traffic destined for the remote network via Debian, and not ALL traffic (e.g. Internet). Internet-bound traffic at each site goes out via the site's normal router/gateway (.254), and only traffic destined for the opposite network is sent to the Debian machine. ETH0 has an IP on the LAN and a default gateway that points to the LAN's router/Internet gateway.
2 NIC scenario: ETH0 would connect to the Internet (either via NAT or with a public IP), and ETH1 would connect to the LAN. All clients on the LAN would have a default gateway that points to the Debian ETH1 interface. Only traffic destined for the remote network would be accepted; all other traffic (e.g. Internet-bound traffic) would be discarded, so workstations would NOT have Internet access. (ETH1 would also require a DHCP server to allocate IPs to workstations. Setting up DHCP3-Server is beyond the scope of this document but may be covered later.)
In my configuration, each Debian machine is behind a NAT on the local network and has only 1 NIC, ETH0.
Each Debian machine needs a standard system install only. You can use a NetInst disc, as very little software is needed on the machines. Installing Debian is beyond the scope of this document.
Configuration for HEADOFFICE:
apt-get install openvpn openssh-server
# /etc/network/interfaces: give eth0 a fixed address on the head office LAN
iface eth0 inet static
address 10.10.1.200
netmask 255.255.255.0
gateway 10.10.1.254
modprobe tun
echo 'tun' >> /etc/modules
# accept forwarded packets arriving from any tun interface (this rule is not saved across reboots)
iptables -A FORWARD -i tun+ -j ACCEPT
cd /etc/openvpn/
# generate the shared static key; the same file must later be present on BRANCHOFFICE
openvpn --genkey --secret tun0.key
shutdown -r now
# after the reboot: start the tunnel listener (the trailing & runs it in the background)
openvpn --port 5000 --dev tun0 --ifconfig 10.99.0.1 10.99.0.2 --verb 1 --secret /etc/openvpn/tun0.key --fragment 1400 --mssfix 1400 --tun-mtu 1450 &
# send traffic for the branch LAN over the tunnel
route add -net 10.10.2.0 netmask 255.255.255.0 gw 10.99.0.1
# enable IP forwarding (not saved across reboots; net.ipv4.ip_forward=1 in /etc/sysctl.conf makes it permanent)
echo 1 > /proc/sys/net/ipv4/ip_forward
Configuration for BRANCHOFFICE:
apt-get install openvpn openssh-server
# /etc/network/interfaces: give eth0 a fixed address on the branch office LAN
iface eth0 inet static
address 10.10.2.200
netmask 255.255.255.0
gateway 10.10.2.254
modprobe tun
echo 'tun' >> /etc/modules
# accept forwarded packets arriving from any tun interface (this rule is not saved across reboots)
iptables -A FORWARD -i tun+ -j ACCEPT
shutdown -r now
# after the reboot: copy tun0.key from HEADOFFICE to /etc/openvpn/tun0.key (e.g. with scp over SSH),
# then connect to the head office (--remote takes the host and the port as separate arguments)
openvpn --remote HEADOFFICEPUBLICIPGOESHERE 5000 --port 5000 --dev tun0 --ifconfig 10.99.0.2 10.99.0.1 --verb 1 --fragment 1400 --mssfix 1400 --tun-mtu 1450 --secret /etc/openvpn/tun0.key &
# send traffic for the head office LAN over the tunnel
route add -net 10.10.1.0 netmask 255.255.255.0 gw 10.99.0.2
# enable IP forwarding (not saved across reboots)
echo 1 > /proc/sys/net/ipv4/ip_forward
# check: HEADOFFICE's LAN address should answer through the tunnel
ping 10.10.1.200
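The two openvpn command lines above run the tunnel from an interactive shell and are gone after a reboot. The following is an added example, not from the original page, of the same tunnel written as a pair of /etc/openvpn/tun0.conf files, which the Debian openvpn package starts at boot. It keeps the page's addresses, port and MTU settings and adds a route directive (so OpenVPN installs the cross-site route itself, via the remote tunnel endpoint), explicit cipher and auth choices so both ends agree on the algorithms, keepalive so a dead tunnel is restarted, and user nobody / group nogroup so the daemon drops root once the tunnel is up. The cipher and auth values and the file name are choices of this example; HEADOFFICEPUBLICIPGOESHERE is the page's own placeholder, and the head office NAT must forward UDP port 5000 to 10.10.1.200 for the branch to reach it.

```conf
# /etc/openvpn/tun0.conf on HEADOFFICE (listens; no 'remote' line)
dev tun0
proto udp
port 5000
ifconfig 10.99.0.1 10.99.0.2
secret /etc/openvpn/tun0.key
# send the branch LAN through the tunnel (next hop is the remote endpoint, 10.99.0.2)
route 10.10.2.0 255.255.255.0
# both ends must use the same cipher and HMAC; these are this example's choices
cipher AES-256-CBC
auth SHA256
# ping every 10 s, restart the tunnel after 60 s of silence
keepalive 10 60
# keep the key and tun device across restarts so root is not needed again
persist-key
persist-tun
user nobody
group nogroup
fragment 1400
mssfix 1400
tun-mtu 1450
verb 1

# /etc/openvpn/tun0.conf on BRANCHOFFICE (initiates the connection)
remote HEADOFFICEPUBLICIPGOESHERE 5000
port 5000
dev tun0
proto udp
ifconfig 10.99.0.2 10.99.0.1
secret /etc/openvpn/tun0.key
# send the head office LAN through the tunnel (next hop 10.99.0.1)
route 10.10.1.0 255.255.255.0
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
fragment 1400
mssfix 1400
tun-mtu 1450
verb 1
```

OpenVPN only brings up tun0 and the two routes; the iptables and ip_forward steps from the page still apply on each machine.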
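The rule used above (iptables -A FORWARD -i tun+ -j ACCEPT) forwards anything that arrives from the tunnel to anywhere, and neither that rule nor the ip_forward setting survives a reboot. The script below is an added example, not part of the original page, that restricts forwarding to traffic between the two site LANs (the policy the 2-NIC scenario describes) and makes forwarding persistent. The variable, function and file names are this example's own choices; it assumes the page's addressing (10.10.1.0/24 and 10.10.2.0/24 over tun0, eth0 as the LAN interface) and that the rules will be saved with iptables-persistent or a script in /etc/network/if-pre-up.d/ after they have been checked.

```shell
#!/bin/sh
# Added example: FORWARD policy limited to the two site LANs, plus persistence.
# Not from the original page; names and defaults below are assumptions.
LOCAL_LAN="${LOCAL_LAN:-10.10.1.0/24}"    # LAN behind this Debian machine
REMOTE_LAN="${REMOTE_LAN:-10.10.2.0/24}"  # LAN behind the far end of the tunnel
TUN_IF="${TUN_IF:-tun0}"
LAN_IF="${LAN_IF:-eth0}"

# Emit the FORWARD-chain commands one per line WITHOUT executing them, so the
# policy can be reviewed or diffed first. Positional arguments override the
# defaults above: local_lan remote_lan tun_if lan_if.
forward_rules() {
    local_lan="${1:-$LOCAL_LAN}"
    remote_lan="${2:-$REMOTE_LAN}"
    tun_if="${3:-$TUN_IF}"
    lan_if="${4:-$LAN_IF}"
    printf '%s\n' \
        "iptables -P FORWARD DROP" \
        "iptables -F FORWARD" \
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -A FORWARD -i $lan_if -o $tun_if -s $local_lan -d $remote_lan -j ACCEPT" \
        "iptables -A FORWARD -i $tun_if -o $lan_if -s $remote_lan -d $local_lan -j ACCEPT" \
        "iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix \"FWD-DROP: \" --log-level 4"
}

# Apply the rules (needs root). The -F replaces the page's blanket 'tun+' rule;
# anything not matched by the two LAN-to-LAN rules is logged and dropped.
apply_forward_rules() {
    forward_rules "$@" | sh -e
}

# Turn on IPv4 forwarding now and at every boot (the page's
# 'echo 1 > /proc/sys/net/ipv4/ip_forward' is lost on reboot).
# The sysctl.d file name is an assumption of this example.
persist_ip_forward() {
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-site-to-site.conf
    sysctl -w net.ipv4.ip_forward=1
}

# Usage, as root. On BRANCHOFFICE swap the two LANs:
#   LOCAL_LAN=10.10.2.0/24 REMOTE_LAN=10.10.1.0/24 sh forward-policy.sh apply
# 'show' only prints the rules that 'apply' would run.
case "${1:-}" in
    apply) apply_forward_rules && persist_ip_forward ;;
    show)  forward_rules ;;
esac
```

Install the rules before enabling forwarding, as apply does, so there is no window in which the box forwards with an empty chain; the ESTABLISHED,RELATED rule lets reply packets through without listing every service in both directions.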
On Windows machines on each side of the connection, you will need to add a persistent static route to the remote network via the LAN IP of the Debian machine at that site.
Branch Office workstations:
route add -p 10.10.1.0 mask 255.255.255.0 10.10.2.200
Head Office workstations:
route add -p 10.10.2.0 mask 255.255.255.0 10.10.1.200
