Site-to-site mode with preshared secret

The following figure shows site-to-site VPN configured with preshared secret.

In this example:

The physical IP addresses for V1 and V2 are 12.34.56.78 and 87.65.43.21, respectively.
The tunnel IP addresses for V1 and V2 are 192.168.200.1 and 192.168.200.2, respectively.
The subnet to be accessed from V1 (through V2 over the VPN) is 192.168.100.0/24.
The subnet to be accessed on V2 (through V1 over the VPN) is 192.168.101.0/24.

To configure an OpenVPN tunnel, you create an interface of the openvpn type. The interface name is in the form of vtunnum; for example, vtun0, vtun1, and so on.

In addition, you must add a static interface route to direct traffic for the remote subnet through the vtun0 tunnel interface. For information on setting up static routes, see .

Figure 1. Site-to-site VPN with preshared secret

To configure the V1 endpoint, perform the following steps in configuration mode.

Table 1. Site-to-site OpenVPN with preshared secret: V1 endpoint
Step	Command
Create the vtun0 configuration node.	`vyatta@V1# set interfaces openvpn vtun0`
Set the tunnel IP address for the local endpoint.	`vyatta@V1# set interfaces openvpn vtun0 local-address 192.168.200.1`
Set the OpenVPN mode to site-to-site.	`vyatta@V1# set interfaces openvpn vtun0 mode site-to-site`
Set the tunnel IP address of the remote endpoint.	`vyatta@V1# set interfaces openvpn vtun0 remote-address 192.168.200.2`
Specify the physical IP address of the remote host.	`vyatta@V1# set interfaces openvpn vtun0 remote-host 87.65.43.21`
Specify the location of the file containing the preshared secret.	`vyatta@V1# set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret`
Commit the change.	`vyatta@V1# commit`
Show the OpenVPN configuration.	`vyatta@V1# show interfaces openvpn vtun0 local-address 192.168.200.1 mode site-to-site remote-address 192.168.200.2 remote-host 87.65.43.21 shared-secret-key-file /config/auth/secret`

To configure a static route to access the remote subnet through the OpenVPN tunnel, perform the following steps in configuration mode.

Step Command

Table 2. Site-to-site OpenVPN with preshared secret: V1 static route
Step	Command
Create the static route to access the remote subnet through the OpenVPN tunnel.	`vyatta@V1#set protocols static interface-route 192.168.101.0/24 next-hop-interface vtun0`
Commit the change.	`vyatta@V1# commit`
Show the static routing configuration.	`vyatta@V1# show protocols static interface-route 192.168.101.0/24 { next-hop-interface vtun0 { } }`

Create the static route to access the remote subnet through the OpenVPN tunnel.

vyatta@V1#set protocols static interface-route 192.168.101.0/24 next-hop-interface vtun0

Commit the change.

vyatta@V1# commit

Show the static routing configuration.

vyatta@V1# show protocols static
 interface-route 192.168.101.0/24 {
    next-hop-interface vtun0 {
    }
 }

The V2 VPN endpoint is identical to the V1 endpoint, except that local and remote tunnel IP addresses are reversed. To configure the V2 endpoint, perform the following steps in configuration mode.

Table 3. Site-to-site OpenVPN with preshared secret: V2 endpoint
Step	Command
Create the vtun0 configuration node.	`vyatta@V2# set interfaces openvpn vtun0`
Set the tunnel IP address for the local endpoint.	`vyatta@V2# set interfaces openvpn vtun0 local-address 192.168.200.2`
Set the OpenVPN mode to site-to-site.	`vyatta@V2# set interfaces openvpn vtun0 mode site-to-site`
Set the tunnel IP address of the remote endpoint.	`vyatta@V2# set interfaces openvpn vtun0 remote-address 192.168.200.1`
Specify the physical IP address of the remote host.	`vyatta@V2#set interfaces openvpn vtun0 remote-host 12.34.56.78`
Specify the location of the file containing the preshared secret.	`vyatta@V2# set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret`
Commit the change.	`vyatta@V2# commit`
Show the OpenVPN configuration.	`vyatta@V2# show interfaces openvpn vtun0 local-address 192.168.200.2 mode site-to-site remote-address 192.168.200.1 remote-host 12.34.56.78 shared-secret-key-file /config/auth/secret`

Again, the shared secret file (created by generating the key with the generate openvpn key command on one system and then copying the key to the other system) must be the same on both endpoints (the path need not be the same, but the content must be). Note also that the remote-host option is required only on one of the endpoints; that is, the site-to-site tunnel can be established as long as even one endpoint has enough information to contact the other.

To configure a static route to access the remote subnet through the OpenVPN tunnel, perform the following steps in configuration mode.

Step Command

Table 4. Site-to-site OpenVPN with preshared secret: V2 static route
Step	Command
Create the static route to access the remote subnet through the OpenVPN tunnel.	`vyatta@V2# set protocols static interface-route 192.168.100.0/24 next-hop-interface vtun0`
Commit the change.	`vyatta@V2# commit`
Show the static routing configuration.	`vyatta@V2# show protocols static interface-route 192.168.100.0/24 { next-hop-interface vtun0 { } }`

Create the static route to access the remote subnet through the OpenVPN tunnel.

vyatta@V2# set protocols static interface-route 192.168.100.0/24 next-hop-interface vtun0

Commit the change.

vyatta@V2# commit

Show the static routing configuration.

vyatta@V2# show protocols static
 interface-route 192.168.100.0/24 {
    next-hop-interface vtun0 {
    }
 }

Vyatta documentation

Learn how to install, configure, and operate the Vyatta Network Operating System (Vyatta NOS) and Orchestrator, which help drive our virtual networking and physical platforms portfolio.

Site-to-site mode with preshared secret

Helpful Links

Key Resources