Implementing a site-to-site VPN with OpenVPN involves several steps, from configuring the servers to installing the certificates and defining the firewall rules. Here is a step-by-step guide to setting up a site-to-site VPN using OpenVPN.

## Prerequisites

+ Two servers with Linux-based operating systems (e.g. Ubuntu).
+ Root access to both servers.
+ OpenVPN installed on both servers.

## Installing OpenVPN

On both servers, install OpenVPN and the necessary tools:

```bash
sudo apt update
sudo apt install openvpn easy-rsa -y
```

## Configuring the Certificate Authority (CA)

On the server that will be the CA:

```bash
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
```

Edit the **vars** file and adjust the settings according to your organization:

```bash
nano vars
```

Then load the variables and build the CA:

```bash
source vars
./clean-all
./build-ca
```

### Generating Keys and Certificates

On the server that will be the OpenVPN server:

```bash
cd ~/openvpn-ca
source vars
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key
```

Transfer the generated files (**ca.crt**, **server.crt**, **server.key**, **dh2048.pem**, **ta.key**) from **~/openvpn-ca/keys/** to **/etc/openvpn/**.

### Configuring the OpenVPN Server

Create the server configuration file:

```bash
sudo nano /etc/openvpn/server.conf
```

Example configuration:

```
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 3
```

Start the OpenVPN service:

```bash
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
```

### Configuring the OpenVPN Client

On the CA server, generate the client's key and certificate:

```bash
cd ~/openvpn-ca
source vars
./build-key client1
```

Transfer the files (**ca.crt**, **client1.crt**, **client1.key**, **ta.key**) to the **/etc/openvpn/** directory on the client.

Create the client configuration file:

```bash
sudo nano /etc/openvpn/client.conf
```

Example configuration:

```
client
dev tun
proto udp
# replace <IP_do_servidor> with the server's public IP address
remote <IP_do_servidor> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
```

Start the OpenVPN service on the client:

```bash
sudo systemctl start openvpn@client
sudo systemctl enable openvpn@client
```

## Configuring Firewall Rules

### On the OpenVPN Server

```bash
sudo ufw allow 1194/udp
sudo ufw allow OpenSSH
sudo ufw enable
```

Add routing rules:

```bash
sudo nano /etc/ufw/before.rules
```

Add the following lines before the `*filter` line. The source network must match the subnet given by the `server` directive in **server.conf** (10.8.0.0 255.255.255.0, i.e. 10.8.0.0/24), and **eth0** must be the server's outbound interface:

```
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
```

Enable packet forwarding by editing:

```bash
sudo nano /etc/sysctl.conf
```

Uncomment the line:

```
net.ipv4.ip_forward=1
```

Reload the settings:

```bash
sudo sysctl -p
```

## Checking

To check that the VPN is working correctly:

+ On the client, **ping 10.8.0.1** (VPN server IP).
+ On the server, **ping 10.8.0.2** (VPN client IP).

If the ping is successful, the VPN connection is working correctly.

These are the steps to set up a site-to-site VPN using OpenVPN. Be sure to adjust the settings as necessary for your specific environment and requirements.
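The server configuration, the client configuration and the NAT rule above have to agree with each other: same `cipher` and `proto` on both sides, `tls-auth` direction 0 on the server and 1 on the client, `remote-cert-tls server` on the client, and a MASQUERADE source that is exactly the subnet of the `server` directive. The following POSIX sh script is an added example, not part of the original guide, that checks those points before the tunnel is started. The function names, the argument order and the sample configuration files it writes (including a deliberately broken client config and the over-broad 10.8.0.0/8 NAT rule) are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original guide: sanity-check a server.conf /
# client.conf pair plus the ufw NAT rule before starting the tunnel.
# Assumes the file layout used in the guide; paths are passed as arguments.

# Print the arguments of the first occurrence of directive $2 in config $1,
# with '#' and ';' comments stripped (empty output if the directive is absent).
ovpn_get() {
  sed -e 's/[#;].*$//' "$1" |
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Convert a dotted netmask (255.255.255.0) to a prefix length (24).
mask_to_prefix() {
  echo "$1" | awk -F. '{
    bits = 0
    for (i = 1; i <= 4; i++) { n = $i + 0; while (n > 0) { bits += n % 2; n = int(n / 2) } }
    print bits
  }'
}

# Check server conf $1, client conf $2 and NAT rules file $3.
# Prints one line per finding; the return value is the number of problems.
check_ovpn_pair() {
  problems=0
  s_cipher=$(ovpn_get "$1" cipher); c_cipher=$(ovpn_get "$2" cipher)
  [ "$s_cipher" = "$c_cipher" ] ||
    { echo "cipher mismatch: server='$s_cipher' client='$c_cipher'"; problems=$((problems + 1)); }
  s_proto=$(ovpn_get "$1" proto); c_proto=$(ovpn_get "$2" proto)
  [ "$s_proto" = "$c_proto" ] ||
    { echo "proto mismatch: server='$s_proto' client='$c_proto'"; problems=$((problems + 1)); }
  # tls-auth key direction must be 0 on the server and 1 on the client
  s_dir=$(ovpn_get "$1" tls-auth | awk '{ print $2 }')
  c_dir=$(ovpn_get "$2" tls-auth | awk '{ print $2 }')
  [ "$s_dir" = "0" ] && [ "$c_dir" = "1" ] ||
    { echo "tls-auth direction must be 0/1 (server/client), got '$s_dir'/'$c_dir'"; problems=$((problems + 1)); }
  # the client should verify the server certificate's extended key usage
  [ "$(ovpn_get "$2" remote-cert-tls)" = "server" ] ||
    { echo "client lacks 'remote-cert-tls server'"; problems=$((problems + 1)); }
  # the MASQUERADE source must be exactly the VPN subnet of the server directive
  srv=$(ovpn_get "$1" server)
  if [ -z "$srv" ]; then
    echo "server directive missing"; problems=$((problems + 1))
  else
    want="${srv%% *}/$(mask_to_prefix "${srv#* }")"
    got=$(awk '/-j MASQUERADE/ { for (i = 1; i <= NF; i++) if ($i == "-s") print $(i + 1) }' "$3")
    [ "$got" = "$want" ] ||
      { echo "NAT source '$got' does not match VPN subnet $want"; problems=$((problems + 1)); }
  fi
  return "$problems"
}

# Constructed sample inputs (a good pair and a broken pair) written into directory $1.
write_samples() {
  cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
tls-auth ta.key 0
cipher AES-256-CBC
EOF
  cat > "$1/client.conf" <<'EOF'
client
dev tun
proto udp
remote 192.0.2.10 1194
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
EOF
  cat > "$1/before.rules" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF
  # broken client: wrong key direction and no remote-cert-tls; NAT rule too broad
  cat > "$1/client-bad.conf" <<'EOF'
client
proto udp
remote 192.0.2.10 1194
tls-auth ta.key 0
cipher AES-256-CBC
EOF
  cat > "$1/before-bad.rules" <<'EOF'
*nat
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Usage: sh check_ovpn.sh /etc/openvpn/server.conf /path/to/client.conf /etc/ufw/before.rules
# Without arguments, the constructed samples are checked instead.
if [ "$#" -eq 3 ]; then
  check_ovpn_pair "$1" "$2" "$3" && echo "OK: no problems found"
else
  tmp=$(mktemp -d) && write_samples "$tmp"
  check_ovpn_pair "$tmp/server.conf" "$tmp/client.conf" "$tmp/before.rules" && echo "good pair: OK"
  check_ovpn_pair "$tmp/server.conf" "$tmp/client-bad.conf" "$tmp/before-bad.rules" || echo "bad pair: $? problem(s)"
  rm -rf "$tmp"
fi
```

Run it on the server with the client's config copied alongside; a non-zero return value means at least one of the four checks failed, and the printed lines say which. The netmask conversion assumes a contiguous mask, which is all the `server` directive accepts.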
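Beyond the ping test, the server's own view of the tunnel is in the status file that `status openvpn-status.log` in **server.conf** writes (the default status-version 1 format). The functions below are an added example, not part of the original guide: they list the connected peers from the ROUTING TABLE section and report whether a given client common name currently has a route. The function names and the sample status file are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original guide: read an OpenVPN status file
# (status-version 1) and report which clients the server currently routes.

# Print "common_name virtual_ip real_address" for every entry in the
# ROUTING TABLE section of the status file given as $1.
ovpn_peers() {
  awk -F, '
    /^ROUTING TABLE/ { in_rt = 1; next }
    /^GLOBAL STATS/  { in_rt = 0 }
    in_rt && $1 != "Virtual Address" && NF >= 3 { print $2, $1, $3 }
  ' "$1"
}

# Return 0 if client common name $2 has a routing entry in status file $1
# (the tunnel is up from the server's point of view), 1 otherwise.
ovpn_peer_up() {
  ovpn_peers "$1" | awk -v cn="$2" '$1 == cn { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample status file written to $1 (one client, client1, connected).
write_sample_status() {
  cat > "$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,Mon Jan  1 12:00:00 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.5:41234,1024,2048,Mon Jan  1 11:59:00 2024
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.2,client1,203.0.113.5:41234,Mon Jan  1 12:00:00 2024
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# Usage: sh ovpn_peers.sh /etc/openvpn/openvpn-status.log [common_name]
# Without arguments the constructed sample is used.
if [ "$#" -ge 1 ]; then
  ovpn_peers "$1"
  [ "$#" -ge 2 ] && { ovpn_peer_up "$1" "$2" && echo "$2: up" || echo "$2: not connected"; }
else
  f=$(mktemp) && write_sample_status "$f"
  ovpn_peers "$f"
  rm -f "$f"
fi
```

The status file is rewritten by the server at the interval set by `status` (60 seconds by default), so a freshly connected client can take up to a minute to appear.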