This chapter describes how to configure your LEAF system(s) to build Virtual Private Networks (VPN) with OpenVPN.
The setup described here assumes you are using OpenVPN 2.x in server/client mode. Furthermore, the setup used for this chapter is based on LEAF systems connected to the internet via dynamic IP addresses. Building VPNs between LEAF systems with fixed IP addresses, or in a mixed environment, is similar but easier.
We also aimed to tunnel the subnets behind the LEAF routers. Connecting one or more road warriors instead should again be easier.
Additionally, only routing between subnets (using the TUN interface) is described. For bridging (using the TAP interface), the differences from routing, and the advantages and disadvantages of routing versus bridging, please read the corresponding OpenVPN documentation.
In our example OpenVPN setup, OpenVPN uses LZO compression, and the keys (especially the CA) are built and stored on the LEAF router.
Following the key-creation procedure described here may introduce security risks! It is only meant to help you get started with OpenVPN; it is in no way intended for use in a production environment.
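To make the setup just described concrete, here is an added example of a matching server and client configuration for two LEAF routers (router A as server, router B as client), each with a dynamic public IP, routing their LANs through a TUN tunnel with LZO compression. This is not configuration taken from the LEAF project or from this chapter: the hostname `leaf-a.dyndns.example`, the LAN subnets 192.168.1.0/24 (behind A) and 192.168.2.0/24 (behind B), the tunnel network 10.8.0.0/24, the file paths under `/etc/openvpn` and the certificate common name `leaf-b` are all assumptions chosen for the illustration. All directives are standard OpenVPN 2.x directives; `remote-cert-tls server` exists from 2.1 on, OpenVPN 2.0 uses `ns-cert-type server` instead.

```conf
# --- /etc/openvpn/server.conf on LEAF router A (assumed path) ---
port 1194
proto udp
dev tun                                   # routed (TUN) mode, as used in this chapter
ca   /etc/openvpn/keys/ca.crt             # CA built on the router (assumed file names)
cert /etc/openvpn/keys/leaf-a.crt
key  /etc/openvpn/keys/leaf-a.key
dh   /etc/openvpn/keys/dh.pem
tls-auth /etc/openvpn/keys/ta.key 0       # HMAC on the control channel; unauthenticated packets are dropped early
server 10.8.0.0 255.255.255.0             # tunnel address pool (assumed); each client gets a /30
comp-lzo                                  # LZO compression: must be set on both ends
keepalive 10 60                           # detect a dropped link and reconnect (needed with dynamic IPs)
client-config-dir /etc/openvpn/ccd        # per-client settings, file name = certificate CN
route 192.168.2.0 255.255.255.0           # kernel route: B's LAN (assumed) goes into tun0
push "route 192.168.1.0 255.255.255.0"    # tell B how to reach A's LAN (assumed)
user nobody                               # drop privileges after start-up
group nogroup
persist-key                               # keep keys/tun across restarts despite dropped privileges
persist-tun
status /var/log/openvpn-status.log
verb 3

# --- /etc/openvpn/ccd/leaf-b on router A (file name is the CN of B's certificate) ---
iroute 192.168.2.0 255.255.255.0          # internal route: this client owns 192.168.2.0/24

# --- /etc/openvpn/client.conf on LEAF router B (assumed path) ---
client
dev tun
proto udp
remote leaf-a.dyndns.example 1194         # dynamic-DNS name of router A (placeholder)
resolv-retry infinite                     # keep resolving while A's address changes
nobind                                    # B's own public IP is dynamic; use any source port
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/leaf-b.crt
key  /etc/openvpn/keys/leaf-b.key
tls-auth /etc/openvpn/keys/ta.key 1       # same ta.key as the server, opposite direction
remote-cert-tls server                    # accept only a certificate issued for server use (2.0: ns-cert-type server)
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
verb 3
```

Two points deserve a check when adapting this: `route` on the server only installs a kernel route into the tunnel, so the `iroute` in the ccd file is what tells OpenVPN which client actually owns 192.168.2.0/24, and both are required for B's LAN to be reachable. The `comp-lzo` setting and the `tls-auth` key direction (0 on the server, 1 on the client) must agree on both ends, otherwise the tunnel comes up without passing traffic or does not come up at all.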
OpenVPN is a full-featured SSL VPN solution which can accommodate a wide range of configurations, including road warrior access, home/office/campus telecommuting, WiFi security, secure branch office linking, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access controls.
Compared with IPsec implementations like FreeS/WAN or Openswan, it is easier to set up, supports dynamic IP addresses out of the box, and doesn't need any kernel patches.