UBNT EdgeRouter site to site VPN routes?
-
You use static routes like this form the command line.
jbusch@erl:~$ show configuration commands protocols set protocols static interface-route 10.254.101.0/24 next-hop-interface vtun101 set protocols static interface-route 10.254.102.0/24 next-hop-interface vtun102 set protocols static interface-route 10.254.104.0/24 next-hop-interface vtun104 set protocols static interface-route 10.254.105.0/24 next-hop-interface vtun105 set protocols static interface-route 10.254.201.0/24 next-hop-interface vtun101 set protocols static interface-route 10.254.202.0/24 next-hop-interface vtun102 set protocols static interface-route 10.254.204.0/24 next-hop-interface vtun104 set protocols static interface-route 10.254.205.0/24 next-hop-interface vtun105 jbusch@erl:~$
-
That's what I thought, and I have: (the local side is 192.168.1.254/24 and the far side is 192.168.2.253/23)
protocols {
static {
interface-route 192.168.2.0/23 {
next-hop-interface vtun0 {
description "route to other side"
distance 1
}
}
}
} -
My interfaces look like this on both sides:
in that both have traffic on the Tx side of the tunnel, but nothing on the receive. -
@Mike-Davis said in UBNT EdgeRouter site to site VPN routes?:
That's what I thought, and I have: (the local side is 192.168.1.254/24 and the far side is 192.168.2.253/23)
protocols { static { interface-route 192.168.2.0/23 { next-hop-interface vtun0 { description "route to other side" distance 1 } } } }
You did not specify, but I assume that you have the opposite on the other side?
-
What does your OpenVPN config look like on both sides?
jbusch@erl# show interfaces openvpn vtun101 description "Globe Bldg to Someone" local-address 10.254.254.253 { } local-port 1195 mode site-to-site openvpn-option --comp-lzo remote-address 10.254.254.254 remote-host somesubdomain.mooo.com remote-port 1195 shared-secret-key-file /config/auth/my_secret_file_is_here [edit] jbusch@erl#
-
vtun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100 link/none inet 10.99.99.1 peer xx.101.158.218/32 scope global vtun0 valid_lft forever preferred_lft forever RX: bytes packets errors dropped overrun mcast 0 0 0 0 0 0 TX: bytes packets errors dropped carrier collisions 6418847 27196 0 0 0 0~~~
-
WTF is it with people not posting what is f***[moderated] asked for today?
-
vtun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100 link/none inet 10.99.99.2 peer 10.99.99.1/32 scope global vtun0 valid_lft forever preferred_lft forever RX: bytes packets errors dropped overrun mcast 0 0 0 0 0 0 TX: bytes packets errors dropped carrier collisions 3231942 44734 0 0 0 0 show interfaces openvpn vtun0 vtun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100 link/none inet 10.99.99.1 peer x.x.x.218/32 scope global vtun0 valid_lft forever preferred_lft forever RX: bytes packets errors dropped overrun mcast 0 0 0 0 0 0 TX: bytes packets errors dropped carrier collisions 6962847 28715 0 0 0 0
-
I see one of the peers is using another IP... but I don't know how to change that.
-
Ok, so the x.x.x.218 IP is the WAN IP of the opposite reouter, instead of using the openvpn IP.
-
#if not in config already configure #then remove all the stuff. delete interfaces openvpn vtun0 delete protocols static interface-route 192.168.1.0/24 delete protocols static interface-route 192.168.2.0/23 #recreate it set interfaces openvpn vtun0 local-address 10.99.99.1 set interfaces openvpn vtun0 local-port 1194 set interfaces openvpn vtun0 mode site-to-site set interfaces openvpn vtun0 openvpn-option --float set interfaces openvpn vtun0 openvpn-option "--ping 10" set interfaces openvpn vtun0 openvpn-option "--ping-restart 20" set interfaces openvpn vtun0 openvpn-option --ping-timer-rem set interfaces openvpn vtun0 openvpn-option --persist-tun set interfaces openvpn vtun0 openvpn-option --persist-key set interfaces openvpn vtun0 openvpn-option "--user nobody" set interfaces openvpn vtun0 openvpn-option "--group nogroup" set interfaces openvpn vtun0 remote-address 10.99.99.2 set interfaces openvpn vtun0 remote-host x.x.x.218 set interfaces openvpn vtun0 remote-port 1194 set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret set protocols static interface-route 192.168.1.0/24 next-hop-interface vtun0 commit #if works save exit
#other side #if not in config already configure #then remove all the stuff. delete interfaces openvpn vtun0 delete protocols static interface-route 192.168.1.0/24 delete protocols static interface-route 192.168.2.0/23 #recreate it set interfaces openvpn vtun0 local-address 10.99.99.2 set interfaces openvpn vtun0 local-port 1194 set interfaces openvpn vtun0 mode site-to-site set interfaces openvpn vtun0 openvpn-option --float set interfaces openvpn vtun0 openvpn-option "--ping 10" set interfaces openvpn vtun0 openvpn-option "--ping-restart 20" set interfaces openvpn vtun0 openvpn-option --ping-timer-rem set interfaces openvpn vtun0 openvpn-option --persist-tun set interfaces openvpn vtun0 openvpn-option --persist-key set interfaces openvpn vtun0 openvpn-option "--user nobody" set interfaces openvpn vtun0 openvpn-option "--group nogroup" set interfaces openvpn vtun0 remote-address 10.99.99.1 set interfaces openvpn vtun0 remote-host x.x.x.51 set interfaces openvpn vtun0 remote-port 1194 set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret set protocols static interface-route 192.168.2.0/23 next-hop-interface vtun0 commit #if works save exit
-
if i got the static routing protocols backwards, just reverse them. They should point to the LAN on the opposite router.
That is the last line prior to each
commit
. -
Ok, so it all looks good. What would be the best test?
-
I can't ping LAN IP's on the opposite side...
-
@art_of_shred said in UBNT EdgeRouter site to site VPN routes?:
I can't ping LAN IP's on the opposite side...
Well if the tunnel is up, you should.
I intentionally deleted the OpenVPN interfaces just to make sure there were no firewall policies hanging around on them.
So start with the basic. is the tunnel actually up and able to pass traffic.
From router 1 ping the IP on the other end of the OpenVP tunnel.
ping 10.99.99.1
orping 10.99.99.2
whichever is on the opposite sidenothing but the routers will be able to use these addresses. they are only for pinning up the OpenVPN tunnel
-
Yeah, no dice.
-
@art_of_shred said in UBNT EdgeRouter site to site VPN routes?:
Yeah, no dice.
Then the tunnel is not up. Something else was done wrong.
-
open up 2 ssh sessions to one of the routers.
Do not go into config mode.
in one, watch the log,
show log tail
in the other window, reset the OpenVPN connection
reset openvpn interface vtun0
see if anything in the log is useful
-
Out of curiosity is there a reason to use OpenVPN over IPSEC?
-
Jul 5 17:23:23 ubnt openvpn[3172]: Restart pause, 2 second(s) Jul 5 17:23:25 ubnt openvpn[3172]: Re-using pre-shared static key Jul 5 17:23:25 ubnt openvpn[3172]: Socket Buffers: R=[294912->131072] S=[294912 ->131072] Jul 5 17:23:25 ubnt openvpn[3172]: Preserving previous TUN/TAP instance: vtun0 Jul 5 17:23:25 ubnt openvpn[3172]: UDPv4 link local (bound): [undef] Jul 5 17:23:25 ubnt openvpn[3172]: UDPv4 link remote: [AF_INET]x.x.x.218:1 194 Jul 5 17:23:36 ubnt openvpn[3172]: event_wait : Interrupted system call (code=4 ) Jul 5 17:23:36 ubnt openvpn[3172]: SIGUSR1[hard,] received, process restarting Jul 5 17:23:36 ubnt openvpn[3172]: Restart pause, 2 second(s) Jul 5 17:23:38 ubnt openvpn[3172]: Re-using pre-shared static key Jul 5 17:23:38 ubnt openvpn[3172]: Socket Buffers: R=[294912->131072] S=[294912 ->131072] Jul 5 17:23:38 ubnt openvpn[3172]: Preserving previous TUN/TAP instance: vtun0 Jul 5 17:23:38 ubnt openvpn[3172]: UDPv4 link local (bound): [undef] Jul 5 17:23:38 ubnt openvpn[3172]: UDPv4 link remote: [AF_INET]x.x.x.218:1 194 Jul 5 17:23:58 ubnt openvpn[3172]: Inactivity timeout (--ping-restart), restarting Jul 5 17:23:58 ubnt openvpn[3172]: SIGUSR1[soft,ping-restart] received, process restarting