Vyatta Network OS Documentation


Client-specific settings (server only)

In a typical remote access VPN setup, the clients are remote users, for example, users trying to access the company private network from home. Therefore, when a client establishes a VPN tunnel with the VPN server, it needs only to ensure that the client host itself can reach the private network, so it can accept any tunnel IP address assigned by the server.

However, in some environments, the remote access mode is used to implement site-to-site functionality; that is, each client is in fact a site that establishes, in effect, a site-to-site tunnel with the server. The following figure illustrates this functionality.

Figure 1. Remote access mode

In such an environment, it may be useful to give a fixed IP address to each OpenVPN client. Furthermore, in such cases there may be a private network behind a client as well, and the OpenVPN server needs to determine that traffic destined to this private network should be routed to the particular client. Similarly, there may be networks behind the OpenVPN server that the client needs to access. In other words, these client-specific settings are tied to a particular client, and they can be configured by using the options that are shown in the following example and explained after the example.

Configuration options related to remote access mode

interfaces {
    openvpn if_name {
        server {
            client client_name {
               ip client_ip
               push-route ipv4net
               subnet client_subnet
            }
        }
    }
}
  • client: This argument is the name for the client; this name corresponds to the common name specified in the certificate of the client. When a client initiates the VPN session, the server uses the name in the certificate to look up and apply client-specific settings (if any).
  • ip: This argument is the fixed IP address that is assigned to the particular client.
  • push-route: This argument is the network address of a network behind the OpenVPN server to which the client can route traffic. Multiple networks can be specified with multiple push-route configuration statements.
  • subnet: This argument is the private subnet behind the particular client, and the OpenVPN process routes traffic destined to this subnet to the client. Multiple networks can be specified with multiple subnet configuration statements.

    Note that this setting only informs the OpenVPN server to which client the traffic for this subnet should be routed. However, before the OpenVPN server is in a position to make this decision, the traffic must be routed to the tunnel interface, so that it is processed by the OpenVPN server. For this reason, a static interface route must be added separately to direct traffic for this subnet to the tunnel interface.

For the scenario shown in Figure 1, the V1 server can be configured with the client settings specific to the V2 client as follows (note that a static interface route is also needed for the subnet of the V2 client).

To configure this scenario, perform the following steps in configuration mode.

Table 1. V1 OpenVPN configuration: site-to-site with preshared secret
Step Command

Create the vtun0 configuration node.
vyatta@V1# set interfaces openvpn vtun0

Enter configuration commands.
...

Create the server configuration node.
vyatta@V1# set interfaces openvpn vtun0 server

Enter configuration commands.
...

Create the V2 client configuration node.
vyatta@V1# set interfaces openvpn vtun0 server client V2

Specify the IP address of the client.
vyatta@V1# set interfaces openvpn vtun0 server client V2 ip 192.168.200.100

Specify the subnet at the server that the client can access.
vyatta@V1# set interfaces openvpn vtun0 server client V2 push-route 192.168.300.0/24

Set the subnet at the client.
vyatta@V1# set interfaces openvpn vtun0 server client V2 subnet 192.168.100.0/24

Enter configuration commands.
...

Commit the change.
vyatta@V1# commit

Show the OpenVPN configuration.
vyatta@V1# show interfaces openvpn vtun0
 ...
 server {
    ...
    client V2 {
        ip 192.168.200.100
        push-route 192.168.300.0/24
        subnet 192.168.100.0/24
    }
    ...
 }
 ...

To configure the static interface route to access the remote subnet through the OpenVPN tunnel, perform the following steps in configuration mode.

Table 2. V1 static interface route configuration
Step Command

Create the static interface route to access the remote subnet through the OpenVPN tunnel.

vyatta@V1# set protocols static interface-route 192.168.100.0/24 next-hop-interface vtun0

Commit the change.

vyatta@V1# commit

Show the static routing configuration.

vyatta@V1# show protocols static
 interface-route 192.168.100.0/24 {
    next-hop-interface vtun0 {
    }
 }
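The two tables above configure the client-specific settings and the separate static interface route that the note under the subnet option says is required. The following script is an added example, not Vyatta code, and is the kind of offline check a network engineer can run over a dump of set commands before committing them: it parses the client settings and interface routes in the same shape as the commands in the tables, flags any address that does not parse as an IPv4 prefix (the push-route value 192.168.300.0/24 from Table 1 is flagged, because an octet cannot exceed 255), and reports every client subnet that has no static interface-route pointing at the tunnel interface. The V3 client and its 10.20.0.0/16 subnet in the sample input are constructed to show the missing-route case; the function names are this example's own.

```python
"""Added example (not part of the Vyatta documentation or code base):
audit OpenVPN client-specific settings against the static routing table.
Implements the caveat from the page: each client 'subnet' also needs a
static interface-route that sends that subnet to the tunnel interface."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ClientSettings:
    name: str                                       # certificate common name
    ip: str = ""                                    # fixed tunnel IP for this client
    push_routes: list = field(default_factory=list)  # networks behind the server
    subnets: list = field(default_factory=list)      # networks behind the client


def parse_set_commands(lines):
    """Parse 'set interfaces openvpn <if> server client <name> ...' and
    'set protocols static interface-route <net> next-hop-interface <if>'.
    Returns ({(if_name, client_name): ClientSettings}, {prefix: next_hop_if})."""
    clients = {}
    iface_routes = {}
    for raw in lines:
        tokens = raw.split()
        if tokens[:1] != ["set"]:
            continue
        if tokens[1:3] == ["interfaces", "openvpn"] and tokens[4:6] == ["server", "client"]:
            if_name, client_name = tokens[3], tokens[6]
            cs = clients.setdefault((if_name, client_name), ClientSettings(client_name))
            if len(tokens) >= 9:                     # 'client <name> <key> <value>'
                key, value = tokens[7], tokens[8]
                if key == "ip":
                    cs.ip = value
                elif key == "push-route":
                    cs.push_routes.append(value)
                elif key == "subnet":
                    cs.subnets.append(value)
        elif (tokens[1:4] == ["protocols", "static", "interface-route"]
              and len(tokens) >= 7 and tokens[5] == "next-hop-interface"):
            iface_routes[tokens[4]] = tokens[6]
    return clients, iface_routes


def audit(clients, iface_routes):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    subnet_owner = {}                                # subnet -> first client that claims it
    for (if_name, name), cs in clients.items():
        checks = (("ip", [cs.ip]), ("push-route", cs.push_routes), ("subnet", cs.subnets))
        for field_name, values in checks:
            for value in values:
                try:
                    # strict=False accepts a bare host address as a /32 as well
                    ipaddress.ip_network(value, strict=False)
                except ValueError:
                    findings.append(f"client {name}: invalid {field_name} value {value!r}")
        for subnet in cs.subnets:
            if subnet in subnet_owner and subnet_owner[subnet] != name:
                findings.append(f"client {name}: subnet {subnet} is already assigned "
                                f"to client {subnet_owner[subnet]}")
            subnet_owner.setdefault(subnet, name)
            next_hop = iface_routes.get(subnet)
            if next_hop is None:
                findings.append(f"client {name}: subnet {subnet} has no static "
                                f"interface-route; traffic will never enter {if_name}")
            elif next_hop != if_name:
                findings.append(f"client {name}: interface-route for {subnet} points "
                                f"at {next_hop}, not {if_name}")
    return findings


# Constructed sample: the commands from Tables 1 and 2 plus an extra client V3
# whose subnet deliberately lacks a static interface-route.
SAMPLE_COMMANDS = [
    "set interfaces openvpn vtun0",
    "set interfaces openvpn vtun0 server",
    "set interfaces openvpn vtun0 server client V2",
    "set interfaces openvpn vtun0 server client V2 ip 192.168.200.100",
    "set interfaces openvpn vtun0 server client V2 push-route 192.168.300.0/24",
    "set interfaces openvpn vtun0 server client V2 subnet 192.168.100.0/24",
    "set protocols static interface-route 192.168.100.0/24 next-hop-interface vtun0",
    "set interfaces openvpn vtun0 server client V3 ip 192.168.200.101",
    "set interfaces openvpn vtun0 server client V3 subnet 10.20.0.0/16",
]


def run_demo():
    """Parse the sample and return the findings (two expected, see below)."""
    clients, iface_routes = parse_set_commands(SAMPLE_COMMANDS)
    return audit(clients, iface_routes)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Running it prints one finding for the unparseable push-route on V2 and one for the V3 subnet that has no interface-route, while the V2 subnet passes because Table 2 added its route to vtun0. The same parser can be fed the output of a real configuration dump after stripping prompts, since it ignores every line that does not start with set.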