Question

VPN tunnel from DO to private network

Hello,

I’m running a local network with a few web servers and whatnot. For some of my web servers, I use a DO server as a reverse proxy and cache.

As of right now it is just connecting through the public IPs, but I wish to create a private VPN (or SOCKS) tunnel between the DO server and my private network. I’ve searched this DO site and Google, but they mostly come up with a normal VPN client, which is not what I need. The VPN doesn’t need to forward any traffic, just simply provide a private (secure) network between the two networks.

The server which I use on DO is Ubuntu 16.04, and the load balancer on my private network is a Raspberry Pi running Raspbian.

Is anyone able to help me out, or at least point me in the right direction?


Brook Shelley
DigitalOcean Employee
July 22, 2016
Accepted Answer

This question was answered by @sierracircle:

The option you describe could be done with server-server instead of server-router?

Yes, the DDWRT router is basically a small Linux server with some router stuff built in. You could totally set up another Linux server as a client, and even configure that server to be a router for other computers behind it.

Another problem is that now I can only ping one way, from my network to DO, not from DO to my network.

Are you pinging the tun0 address or the network addresses?

If I remember correctly, the trick was that you have to kind of tell the server where the clients are so it can send replies to them.

On the OpenVPN server, in /etc/openvpn create a folder called ccd; then, in the server.conf file, add a line like this:

client-config-dir ccd

Then, in the ccd folder, create a file for each client (name it whatever you called the client when creating the .ovpn file) and add something like this to the file:

ifconfig-push 10.8.0.11 10.8.0.12
iroute 10.1.3.0 255.255.255.0

The first line is the static tun0 IP address for that particular client; note how it has the next address above it reserved as well, so that line will be different for each client and you are not assigning the same address to each client. The second line is the subnet you are using for that particular client.

I seem to remember something else that needs to be added to the server.conf, but try that and let me know if it works for you.

View the original comment
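The ccd mechanism above, as an added example that is not code from the original answer: a script that writes the per-client ccd file (ifconfig-push plus iroute), adds client-config-dir to server.conf, and also adds the matching route directive, which is the other server.conf line OpenVPN needs for a routed site-to-site client (iroute tells OpenVPN which client owns the LAN; route tells the server's kernel to send that LAN into tun0; without both, pings from the server side never reach the home LAN). It ends with an audit that reports any iroute without a matching route. The tunnel and LAN addresses are the answer's own; the client name pi-lb and the OPENVPN_DIR default (a scratch directory, so it runs without root) are assumptions for the demo. On the client side, the Pi additionally needs net.ipv4.ip_forward=1, and the LAN hosts need a route for the VPN subnet back via the Pi (or the Pi must NAT), which this script does not cover.

```shell
#!/usr/bin/env bash
# Added example, not code from the original answer: generate the server-side
# pieces for a site-to-site OpenVPN client and audit them.
#
# Hypothetical values: VPN subnet 10.8.0.0/24, the Raspberry Pi client's
# certificate CN is "pi-lb", the LAN behind it is 10.1.3.0/24.
# OPENVPN_DIR defaults to a scratch directory so this runs without root;
# set OPENVPN_DIR=/etc/openvpn on the real server.

OPENVPN_DIR="${OPENVPN_DIR:-$(mktemp -d)}"
SERVER_CONF="$OPENVPN_DIR/server.conf"
CCD_DIR="$OPENVPN_DIR/ccd"

# Append a directive to server.conf unless it is already present, so the
# script can be re-run without duplicating lines.
add_server_line() {
    local line="$1"
    mkdir -p "$OPENVPN_DIR"
    touch "$SERVER_CONF"
    grep -qxF -- "$line" "$SERVER_CONF" || printf '%s\n' "$line" >> "$SERVER_CONF"
}

# Register one site-to-site client:
#   ccd/<cn>      ifconfig-push <client tun ip> <server-side peer ip>
#                 iroute <lan> <mask>   (which client owns that LAN)
#   server.conf   client-config-dir ccd
#                 route <lan> <mask>    (kernel route into tun0, needed too)
# Usage: add_site_client <cn> <client_tun_ip> <peer_ip> <lan> <mask>
add_site_client() {
    local cn="$1" client_ip="$2" peer_ip="$3" lan="$4" mask="$5"
    mkdir -p "$CCD_DIR"
    printf 'ifconfig-push %s %s\niroute %s %s\n' \
        "$client_ip" "$peer_ip" "$lan" "$mask" > "$CCD_DIR/$cn"
    add_server_line "client-config-dir ccd"
    add_server_line "route $lan $mask"
}

# Audit: every iroute in ccd/ must have a matching route in server.conf,
# otherwise the server's kernel never sends packets for that LAN into the
# tunnel and pings from the server side fail. Prints "<cn> <lan> <mask>"
# for each missing route and returns 1 if any were found, 0 otherwise.
missing_routes() {
    local rc=0 f cn kw lan mask rest
    for f in "$CCD_DIR"/*; do
        [ -f "$f" ] || continue
        cn="${f##*/}"
        while read -r kw lan mask rest; do
            [ "$kw" = "iroute" ] || continue
            if ! grep -qxF -- "route $lan $mask" "$SERVER_CONF" 2>/dev/null; then
                printf '%s %s %s\n' "$cn" "$lan" "$mask"
                rc=1
            fi
        done < "$f"
    done
    return "$rc"
}

# Demo: register the Pi with the answer's numbers (10.8.0.11/10.8.0.12 for
# the tunnel, 10.1.3.0/24 behind it), then audit the result.
add_site_client pi-lb 10.8.0.11 10.8.0.12 10.1.3.0 255.255.255.0
missing_routes && echo "ok: every iroute has a matching route ($OPENVPN_DIR)"
```

Run it as root with OPENVPN_DIR=/etc/openvpn and restart the OpenVPN service afterwards; the ccd file name must match the CN of the client certificate exactly, or the directives are silently ignored. Running missing_routes alone is a quick check when a second site is added later and DO-to-LAN pings stop working.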

Brook Shelley
DigitalOcean Employee
July 22, 2016

This question was answered by @sierracircle:

I have a setup that will do what you want:

  • DO Droplet runs an OpenVPN Server (I used this script to set up the server and generate my client-connect files: https://github.com/Nyr/openvpn-install )
  • My Private Network uses a DDWRT Router with OpenVPN Client installed. All computers on the private network can access the OpenVPN server and vice versa, since they use the DDWRT Router as the gateway.
  • I also have a couple of other DO Droplets connected as clients to the OpenVPN server, and those Droplets can also access all the computers on the private network and vice versa.

You can use iptables to further lock everything down. For example, one of the DO droplets runs a database server. I have that locked down so only specific computers/droplets can access that DB server via the VPN.

The DDWRT Router cost me about $30.00 from Amazon.

Furthermore, you can install the same router on other private networks and have them join your VPN as well.

My setup has 3 different home networks joined (each with a DDWRT router as the client), and I can access all 3 home networks. One of the home networks has a Plex Server, the other runs some office printers.

Works great. Took a lot of tinkering, but once I got it all set up I was able to duplicate it easily for someone else. It has been rock-solid for several months now.

  • Encrypted Private Network
  • Access to other small networks
  • Shared Media Server
  • Central Database only accessible from the VPN

Lots of other use-cases.

View the original comment
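The iptables lockdown mentioned in this answer, as an added example that is not the answerer's own rules: a function that emits an iptables-restore fragment allowing only named VPN peers to open connections to a database port and dropping everyone else, including connections arriving on the public interface. The port (5432), the VPN interface name (tun0) and the peer addresses are assumptions; the peers are meant to be the static tun0 addresses pinned with ifconfig-push in the accepted answer, since dynamically pooled addresses can change between connections and would make a source-address rule unreliable.

```shell
#!/usr/bin/env bash
# Added example, not code from the original answer: emit an iptables-restore
# fragment that lets only named VPN peers reach a database port and drops
# everyone else, including anyone arriving on the public interface.
#
# Hypothetical values: PostgreSQL on 5432, the VPN interface is tun0, and
# the allowed peers are the static tun0 addresses pinned with ifconfig-push.
# Usage: db_lockdown_rules <db_port> <vpn_if> <peer_ip> [<peer_ip> ...]
db_lockdown_rules() {
    local port="$1" vpn_if="$2"
    shift 2
    if [ "$#" -eq 0 ]; then
        # A chain with only a DROP would lock every client out; refuse.
        echo "refusing to emit a ruleset with no allowed peers" >&2
        return 1
    fi
    local peer
    echo '*filter'
    # Dedicated chain: iptables-restore --noflush recreates it from scratch
    # each time, so re-applying replaces the peer list cleanly.
    echo ':DB_ACCESS - [0:0]'
    for peer in "$@"; do
        # The interface match matters: a packet with a spoofed 10.8.0.x
        # source that arrives on eth0 must not match an ACCEPT rule.
        echo "-A DB_ACCESS -i $vpn_if -s $peer/32 -j ACCEPT"
    done
    # Everything else that reaches the DB port is dropped, whatever interface.
    echo '-A DB_ACCESS -j DROP'
    # Only NEW connections are diverted into the chain; packets of already
    # established sessions are handled by the rest of INPUT as before.
    echo "-I INPUT 1 -p tcp --dport $port -m conntrack --ctstate NEW -j DB_ACCESS"
    echo 'COMMIT'
}

# Demo with hypothetical peers: the Pi's tunnel address and one other droplet.
db_lockdown_rules 5432 tun0 10.8.0.11 10.8.0.21
```

Apply the output once with `iptables-restore --noflush` so the rest of the firewall is left untouched, then confirm with `iptables -L DB_ACCESS -n -v` and a connection attempt from a droplet that is not in the list; the `-I INPUT 1` jump is inserted each time the fragment is loaded, so delete the old jump before re-applying with a changed peer list.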
