Question

Site-to-Site VPN Support - Any Updates?

Posted September 8, 2020 2.5k views
VPN

I have been searching for any updates to this, but everything I have found so far is years old. Can we do a site-to-site OpenVPN between networks with the new private networking updates? Or does the system still filter out packets from foreign networks?

With the number of droplets I create and destroy, it would be nice to just have one VPN server between my local network and my DO private network that they can communicate back and forth with.

Thanks.

2 answers

Hi @knightcrusader,

I understand what you mean; most of the tutorials and documents are still usable, however. Have you taken a look at the tinc daemon to set up this connection?
https://www.digitalocean.com/community/tutorials/how-to-install-tinc-and-set-up-a-basic-vpn-on-ubuntu-14-04

by Mitchell Anicas
In this tutorial, we will go over how to use Tinc, an open source Virtual Private Network (VPN) daemon, to create a secure VPN that your servers can communicate on as if they were on a local network. We will also demonstrate how to use Tinc to set up a secure tunnel into a private network. We will be using Ubuntu 14.04 servers, but the configurations can be adapted for use with any other OS.
  • Yes, I read that, but that doesn’t change anything for what I need. Right now I have a VPN connection for each droplet I create, I just want to eliminate that extra annoying step.

    I just want to be able to create a droplet and have it reach the other side of the vpn network without having to go through the trouble of having to set up each one individually.

    I was hoping with the new VPC update that maybe that limitation was relaxed. There should be a way to add trusted networks to the VPC for situations like this, or better yet, set up a VPN connection to the VPC right from the interface, even if it costs extra per month; I’d pay for it.

    • If you have a VPC with several droplets on the same subnet, you don't need to create a VPN connection on each droplet.

      Create an IPsec VPN connection on one droplet, Drop1; let's say its internal IP is 172.35.26.10.

      Let's say the remote network you're trying to connect to is 192.168.66.0/24 (internal IP).

      On another host in the same VPC, Drop2 (172.35.26.11), to get to 192.168.66.0/24, all you need to do is add a route via Drop1.

      On Drop2 (CentOS):
      root@drop2> ip route add 192.168.66.0/24 via 172.35.26.10

      On Drop1, edit the iptables rules to masquerade all packets coming from its own subnet to the remote network:

      root@drop1> iptables -t nat -A POSTROUTING -s 172.35.26.0/24 -d 192.168.66.0/24 -j MASQUERADE
      root@drop1> iptables-save > /etc/sysconfig/iptables

      On each additional droplet, just add a route via Drop1, and you’ll be all set.

Hi @knightcrusader,

I have recently (and successfully) configured a VPN connection between my DO droplets and home office (with OpenVPN). I do not know if it is a result of any changes made by DO on the VPC, because I have never configured a VPN with DO before. Take a look at my configuration, please. I guess your configuration might be similar.

 ------------------                          ------------------
|   DO Droplet 1   |     10.8.0.0/24        |   Home Office    |
|    (CentOS 8)    |_________VPN_______     |   ISP's router   |
| Internet gateway |-------------------\----| Internet gateway |
|    VPN Server    |          |         \    ------------------
| Front-end Server |          |          \____  |
 ------------------        Internet           | |LAN 192.168.0.0/24
          |                                   | |------------
          |VPC                                | |            |
          |10.106.0.0/20                     -------------   | 
          |                                 |     PC 1    |  |
 -----------------                          | VPN Client/ |  |
|  DO Droplet 2   |                         | VPN Gateway |  |
|  (Ubuntu 20.4)  |                         |  (CentOS 7) |  |
|   VPN Access    |                          -------------   |
 -----------------                                           |
                                             -------------   |
                                            |     PC 2    |  |
                                            |  VPN Access |--
                                            | (Windows 10)|
                                             -------------

I can reach both droplets from my home office, and both PCs from the droplets.

I generally based the VPN connection configuration on DO’s doc:
https://www.digitalocean.com/docs/networking/vpc/resources/droplet-as-gateway/

and OpenVPN community How To:
https://community.openvpn.net/openvpn/wiki/HOWTO

I put some tips below which can be useful when setting the VPN up.

1. If you use the DO cloud firewall, you need to add an inbound rule to access a particular service available in the VPC (behind the VPN Server); e.g. to get/send echo from/to the DO VPC you need to add the following rule:

Type    Protocol    Port Range     Sources
ICMP    ICMP                       10.106.0.0/20
                                   10.8.0.0/24
                                   192.168.0.0/24

2. Check the firewall settings on each node of the VPN network. If necessary, add/modify rules to get access to the needed services through the VPN network. Just for testing, you can disable the firewalls temporarily.

3. Add static routes, if necessary. I did it because there were different network devices for Internet and VPN access in my Home Office network. I had to do that directly on PC 2 because it was not possible to add the routes and propagate them with my Home Office router (it is the ISP’s router, and I have access to its basic GUI only). I added static routes for destinations 10.106.0.0/20 and 10.8.0.0/24.

In case of any questions, do not hesitate, ask them here :)

  • So you can ping each device on both ends with their local IP addresses without a problem? The old documents said this was not possible, so if you can, my hunch that they changed the way private networking works is correct. I will have to create a small cloud of droplets to try it out.

    • @knightcrusader wrote
      So you can ping each device on both ends with their local IP addresses without a problem?

      Yes, exactly. I can ping every PC/droplet from anywhere inside the VPN network, using their local IP addresses. To achieve that, the firewalls’ settings and static routes (in my configuration) were essential.

  • I was able to get it to work. Thanks for the help!

  • Dear all,

    Could you please provide more info about how you implement this?

    1. You create a VM in DO as an OpenVPN server and you connect a Windows PC from your premises to this server?

    2. You add static routes to your desktops in your premises, regarding the private network in the DO environment? And also you add static routes in your other VMs in the DO environment?

    Thank you in advance.

    • Hi @ictsupport,

      @ictsupport wrote
      Could you please provide more info about how you implement this?

      In my case, it was a configuration like the one on the above diagram. It was a routed VPN.

      @ictsupport wrote
      You create a VM in DO as an OpenVPN server (...)?

      Yes, it was a basic droplet based on CentOS 8, configured as an Internet gateway (according to this doc), with OpenVPN installed and set up by hand.

      @ictsupport wrote
      (...) and you connect a Windows PC from your premises to this server?

      It was a site-to-site VPN connecting two private networks: the VPC in the DO cloud, and the LAN on premises. A VPN tunnel between these private networks was created between the Internet gateway droplet mentioned above (Droplet 1) and PC1 in the LAN on premises. In OpenVPN terms, Droplet 1 was an OpenVPN server, and PC1 was an OpenVPN client. None of the other machines, in either the VPC or the LAN, had to have OpenVPN software installed. The VPN tunnel was configured in a way that allowed the LAN workstations to access the services/resources shared by the droplets of the DO VPC, and vice versa: DO droplets could access the resources/services shared by the LAN workstations. The LAN consisted of mixed machines, both Windows and Linux based. The above diagram is just to outline the concept; it does not reflect the whole environment.

      @ictsupport wrote
      You add static routes to your desktops in your premises, regarding the private network in the DO environment? And also you add static routes in your other VMs in the DO environment?

      I had to add a static route to the VPC on all the machines in the LAN that were supposed to have access to the resources/services in the DO VPC and/or be accessible from the DO VPC. I would not have had to do that if my Internet gateway in the LAN had been the VPN gateway (OpenVPN client) at the same time. Then the routing configuration done with OpenVPN would have been automatically applied to the traffic from/to the LAN’s workstations, as the default route for all the traffic outside of the LAN addressing scope was directed through their default gateway.
      I did not have to add a static route to any droplet behind my VPC Internet gateway in DO (Droplet 1), as the Internet gateway was the VPN gateway (OpenVPN server) at the same time.
      For more details, look at the community OpenVPN how-to. Here is the paragraph on how to expand the VPN network scope behind the OpenVPN server, and here is the paragraph on how to expand the VPN network scope behind the OpenVPN client.

      I hope it helps.
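To make the routing argument in this reply concrete (which hosts need a static route, and why the LAN-side VPN client has to forward packets), here is an added example that is not part of the thread: a small longest-prefix-match forwarding simulator built over the three networks in the diagram above (10.106.0.0/20, 10.8.0.0/24, 192.168.0.0/24). The host names and host addresses (10.106.0.2, 10.8.0.1, 192.168.0.10, 192.168.0.20 and so on) are constructed for the example; only the network prefixes come from the answer. It goes a little beyond the text by also tracing the return path from a VPC droplet back to a LAN workstation.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# The three networks named in the answer above, plus the default route.
VPC = ip_network("10.106.0.0/20")      # DigitalOcean VPC
TUN = ip_network("10.8.0.0/24")        # OpenVPN tunnel network
LAN = ip_network("192.168.0.0/24")     # home office LAN
ANY = ip_network("0.0.0.0/0")          # default route


@dataclass
class Host:
    name: str
    addresses: frozenset            # IPv4Address values owned by this host
    routes: list                    # [(network, next_hop_name or None)], None = on-link
    forwards: bool = False          # net.ipv4.ip_forward for a Linux host

    def lookup(self, dst: IPv4Address):
        """Longest-prefix match over the host's routing table."""
        hits = [(net, via) for net, via in self.routes if dst in net]
        return max(hits, key=lambda hit: hit[0].prefixlen, default=None)


def addrs(*ips):
    return frozenset(ip_address(ip) for ip in ips)


def build_lab(pc2_static_routes=True, pc1_forwards=True):
    """Hosts from the diagram. Host addresses are constructed for this example;
    only the network prefixes come from the answer."""
    pc2_routes = [(LAN, None), (ANY, "isp_router")]
    if pc2_static_routes:                          # tip 3 in the answer
        pc2_routes += [(VPC, "pc1"), (TUN, "pc1")]
    hosts = [
        # Droplet 1: VPC gateway and OpenVPN server; OpenVPN installs the LAN route.
        Host("droplet1", addrs("10.106.0.2", "10.8.0.1"),
             [(VPC, None), (TUN, None), (LAN, "pc1"), (ANY, "internet")], forwards=True),
        # Droplet 2: default route via Droplet 1 (droplet-as-gateway doc), no VPN software.
        Host("droplet2", addrs("10.106.0.3"), [(VPC, None), (ANY, "droplet1")]),
        # PC 1: OpenVPN client; the VPC route is pushed by the server.
        Host("pc1", addrs("192.168.0.10", "10.8.0.2"),
             [(LAN, None), (TUN, None), (VPC, "droplet1"), (ANY, "isp_router")],
             forwards=pc1_forwards),
        # PC 2: ordinary LAN host whose default gateway is the ISP router.
        Host("pc2", addrs("192.168.0.20"), pc2_routes),
        Host("isp_router", addrs("192.168.0.1"), [(LAN, None), (ANY, "internet")], forwards=True),
        # The public Internet has no route into RFC 1918 space.
        Host("internet", addrs(), [], forwards=True),
    ]
    return {h.name: h for h in hosts}


def trace(hosts, src, dst, max_hops=8):
    """Follow a packet hop by hop; returns (status, [hops])."""
    dst = ip_address(dst)
    path, here = [src], src
    for _ in range(max_hops):
        host = hosts[here]
        if dst in host.addresses:
            return "delivered", path
        if here != src and not host.forwards:      # a transit host must route
            return f"dropped: ip_forward=0 on {here}", path
        hit = host.lookup(dst)
        if hit is None:
            return f"dropped: no route on {here}", path
        net, via = hit
        if via is None:                            # on-link: deliver to the owner of dst
            via = next((h.name for h in hosts.values() if dst in h.addresses), None)
            if via is None:
                return f"dropped: {dst} not present on link {net} of {here}", path
        path.append(via)
        here = via
    return "dropped: hop limit exceeded", path


if __name__ == "__main__":
    for kwargs, src, dst in [({}, "pc2", "10.106.0.3"),
                             ({"pc2_static_routes": False}, "pc2", "10.106.0.3"),
                             ({"pc1_forwards": False}, "pc2", "10.106.0.3"),
                             ({}, "droplet2", "192.168.0.20")]:
        print(kwargs, src, "->", dst, trace(build_lab(**kwargs), src, dst))
```

Without the static route, PC 2 hands the packet to the ISP router, which sends it to the Internet, where 10.106.0.0/20 has no route; with the route but with forwarding disabled on PC 1, the packet dies at PC 1. Droplet 2 needs no extra configuration because its default route already points at Droplet 1, which is exactly the point made in the reply above.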

      • Dear Yanek,

        Thank you for your quick reply.

        I have another question.

        I have created the S2S VPN between a desktop in my premises and the DO environment.
        From the client server I can ping the OpenVPN server (DO environment private IP), but I can't ping the server from a different desktop in the same premises VLAN.
        I have added a static route to my second desktop in my premises, but the connection fails.

        Do you know how I can fix that?

        • Hi,

          I guess your VPN client is not an Internet gateway for your LAN nodes at the same time, is it? Then double check whether IP packet forwarding is turned on in its OS configuration. To make your VPN client a VPN gateway for your LAN nodes, it has to act as a router, so packet forwarding has to be turned on. If your VPN client OS is Linux, you can check the IP packet forwarding state by executing:

          sysctl net.ipv4.ip_forward

          If the result is 0, you have to turn IP packet forwarding on with:

          sudo sysctl -w net.ipv4.ip_forward=1

          To make this setting persistent, you need to edit the file /etc/sysctl.conf or a file in /etc/sysctl.d/, depending on your Linux distro’s convention.

          The other thing I can suggest is to check the OpenVPN configuration both on the VPN server and the VPN client. I recommend going through the comments in the sample configuration files, as they are very informative. Here is the sample configuration file for the server, and here is the sample configuration file for the client.
          E.g., one of those comments concerns a firewall:

          # On most systems, the VPN will not function
          # unless you partially or fully disable
          # the firewall for the TUN/TAP interface.

          I hope it helps.
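As an added example that is not from the thread, tying together the forwarding check in this reply and the route/MASQUERADE setup in the earlier Drop1/Drop2 comment: a Python audit that parses the output of `sysctl net.ipv4.ip_forward`, `ip route show` and `iptables-save -t nat` taken from a Linux host that is supposed to act as a gateway, and reports which prerequisite is missing. The sample outputs are constructed in the format those tools print, using the prefixes from the answer above and 203.0.113.1 as a documentation-range public next hop; the masquerade check only matters when the gateway NATs the way the Drop1 comment does (a routed OpenVPN setup with routes on both sides does not need it).

```python
import re
from ipaddress import ip_network

# Constructed sample output from a Linux VPN-gateway host. The formats follow
# sysctl, `ip route show` and `iptables-save`; the prefixes are the ones used in
# the answers above and 203.0.113.1 is a documentation-range public address.
SYSCTL_OK = "net.ipv4.ip_forward = 1\n"
SYSCTL_OFF = "net.ipv4.ip_forward = 0\n"
IP_ROUTE_OK = """\
default via 203.0.113.1 dev eth0 proto static
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
10.106.0.0/20 dev eth1 proto kernel scope link src 10.106.0.2
192.168.0.0/24 via 10.8.0.2 dev tun0
"""
IPTABLES_OK = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.106.0.0/20 -d 192.168.0.0/24 -j MASQUERADE
COMMIT
"""


def forwarding_enabled(sysctl_out):
    """Parse `sysctl net.ipv4.ip_forward`; True only when the value is 1."""
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d+)", sysctl_out)
    return m is not None and m.group(1) == "1"


def route_for(ip_route_out, dest):
    """Return the `ip route show` entry whose prefix is exactly `dest`, or None."""
    for line in ip_route_out.splitlines():
        parts = line.split()
        if parts and parts[0] == dest:
            entry = {"dest": dest}
            for key in ("via", "dev"):
                if key in parts:
                    entry[key] = parts[parts.index(key) + 1]
            return entry
    return None


def masquerade_covers(iptables_save_out, src, dst):
    """True if a POSTROUTING MASQUERADE rule matches traffic src -> dst.
    A rule without -s or -d matches everything, as it does in iptables."""
    src, dst = ip_network(src, strict=False), ip_network(dst, strict=False)
    everything = ip_network("0.0.0.0/0")
    for line in iptables_save_out.splitlines():
        opts = line.split()
        if not (line.startswith("-A POSTROUTING") and "MASQUERADE" in opts):
            continue
        rule_s = ip_network(opts[opts.index("-s") + 1]) if "-s" in opts else everything
        rule_d = ip_network(opts[opts.index("-d") + 1]) if "-d" in opts else everything
        if src.subnet_of(rule_s) and dst.subnet_of(rule_d):
            return True
    return False


def audit_gateway(sysctl_out, ip_route_out, iptables_save_out, local_net, remote_net):
    """The three things a host needs before it can route for its neighbours:
    forwarding on, a route to the far side, and (only if NATing) a masquerade rule."""
    return {
        "ip_forward": forwarding_enabled(sysctl_out),
        "route_to_remote": route_for(ip_route_out, remote_net) is not None,
        "masquerade": masquerade_covers(iptables_save_out, local_net, remote_net),
    }


def missing(report):
    """Names of the prerequisites that the audit found unmet."""
    return [name for name, ok in report.items() if not ok]


if __name__ == "__main__":
    report = audit_gateway(SYSCTL_OK, IP_ROUTE_OK, IPTABLES_OK, "10.106.0.0/20", "192.168.0.0/24")
    print(report, "missing:", missing(report))
```

On a real host you would feed the functions the captured output of the three commands; the first unmet item in `missing()` is the one to fix first, since a route or NAT rule does nothing while `ip_forward` is 0.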

          • Dear Yanek,

            I have tried that.
            The thing is that I have a Windows server and I turned on packet forwarding, but when I connect to OpenVPN from my premises Windows server I lose the connection to the server from a different VLAN.
            Also, I tried from a VM in the same VLAN to ping the private IP of the VM in DO, but got no reply.