Creating a tunnel between two subnets using OpenVPN Access Server

When hosting computing resources in a public cloud, one often needs to ensure secure connections between two different subnets, such as an office network and a test farm in Yandex Cloud. The best way to handle this is using a VPN to:

• Connect geographically remote networks.
• Connect freelancers to the office network.
• Set up an encrypted connection over an open Wi-Fi network.

This tutorial describes how to create a VPN tunnel using the OpenVPN technology.

OpenVPN Access Server is compatible with the OpenVPN open-source version and built on its basis. This product provides clients for Windows, Mac, Android, and iOS and is used to manage connections using a web interface.

In this example, we are going to create a tunnel that connects two different subnets into a single network. It will be working between two VPN gateways, one of them being OpenVPN Access Server and the other, a VM instance with the OpenVPN client. To test the VPN tunnel, configure gateways on both sides of it. In our example, one subnet is hosted in Yandex Cloud, while the other may reside both in Yandex Cloud and in an external network.

To create a tunnel between two different subnets:

1. Prepare your cloud.
2. Create a network and subnets.
3. Create VMs you want to link.
4. Create a VM gateway.
5. Start the VPN server.
6. Configure network traffic permissions.
7. Get the administrator password.
8. Create an OpenVPN user for the tunnel.
9. Set up the second subnet's gateway to access the OpenVPN server.
10. Test the tunnel.

If you no longer need the VPN server, delete the created VMs.

Prepare your cloudPrepare your cloud

Sign up for Yandex Cloud and create a billing account:

1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Required paid resourcesRequired paid resources

The cost of infrastructure support for OpenVPN includes:

• Fee for the disks and continuously running VMs (see Yandex Compute Cloud pricing).
• Fee for using a dynamic or static external IP address (see Yandex Virtual Private Cloud pricing).
• Fee for the OpenVPN Access Server license (when using more than two connections).

Create a network and subnetsCreate a network and subnets

To connect cloud resources to the internet, make sure you have a network and subnets.

Create a networkCreate a network

Create subnetsCreate subnets

Create VMs you want to linkCreate VMs you want to link

Create a VM gatewayCreate a VM gateway

Start the VPN serverStart the VPN server

Create a VM to be the gateway for VPN connections:

Configure network traffic permissionsConfigure network traffic permissions

Get the administrator passwordGet the administrator password

The openvpn user with administrator privileges was created on the OpenVPN server in advance. The password is generated automatically when you create a VM.

Get the password in the serial port output or the serial console. The password will display in the following string:

To log in, please use the `openvpn` account with the <password> password.

Where <password> is the openvpn user password.

Log in to the admin panel using the openvpn username and the obtained password.

If you do not get the password after launching the VPN server for the first time, you need to re-create the VM running OpenVPN Access Server. The password will not display when reboot.

Create an OpenVPN user for the tunnelCreate an OpenVPN user for the tunnel

OpenVPN Access Server provides two web interfaces:

1. Client Web UI at https://<VM public IP address>:943/. This interface is used by regular users to download client applications and configuration profiles.
2. Admin Web UI at https://<VM public IP address>:943/admin/. This interface is used to configure the server.

Once you deploy OpenVPN Access Server on the Yandex Cloud VM that will be working as a gateway, you will have specific IP addresses and accounts as follows (the addresses below are provided for indicative purposes, yours may be different):

1. Internal IP of the vpn-server gateway: 10.128.0.3
2. Public IP of the vpn-server VM: <VM public IP address>
3. Admin Web UI: https://<VM public IP address>:943/admin
4. Account for accessing the Admin UI: openvpn/<admin password>
5. Client Web UI: https://<VM public IP address>:943

On the server side, create an OpenVPN user the second subnet's gateway will access the OpenVPN server under for the tunnel to run. To create a user, log in to the Admin Web UI admin panel:

1. In the browser, type a URL in https://<VM public IP address>:943/admin format.
2. Enter the openvpn username and password (to learn how to get the admin password, see this section).
3. Click Agree. This will open the home screen of the OpenVPN admin panel.
4. Go to the User management tab and select User permissions.
5. In the user list, enter the name of the new user in the New Username field, e.g., as-gw-user.
6. Click the pencil icon in the More Settings column and set the new user's password in the Local Password field.
7. In the Access Control field, select User Routing and specify the current local subnet where OpenVPN Access Server is deployed, e.g., 10.128.0.0/24.
8. In the VPN Gateway field, select Yes and specify another local subnet to connect through a tunnel, e.g., 10.253.11.0/24.
9. Click Save settings.
10. Click Update running server.
11. Log in to the user panel under the new as-gw-user account, save the connection profile to the as-gw-user.conf file, and transfer this file to the VM that is going to be a gateway for the OpenVPN tunnel in the other subnet.

Set up the second subnet's gateway to access the OpenVPN serverSet up the second subnet's gateway to access the OpenVPN server

Run the following commands in the vm-ovpn-gw VM console:

sudo apt update
sudo apt install openvpn
cp as-gw-user.conf /etc/openvpn/client/
echo -e "as-gw-user\n<password>" > /etc/openvpn/client/param.txt

As a result, the param.txt file should appear in the /etc/openvpn/client/ directory. Copy the previously created as-gw-user.conf file of the OpenVPN user created for the tunnel to run, to the same directory:

ls -lh /etc/openvpn/client/

Result:

total 16K
-rw-rw-r-- 1 root root 9.7K Nov 10 14:37 as-gw-user.conf
-rw-r--r-- 1 root root 24 Nov 10 14:31 param.txt

In the auth-user-pass string of the /etc/openvpn/as-gw-user.conf file, provide the param.txt file name:

dev tun
dev-type tun
remote-version-min 1.2
reneg-seq 604800
auth-user-pass param.txt
verb 3
push-peer-info

Run the following commands:

sudo systemctl enable openvpn-client@as-gw-user
sudo systemctl start openvpn-client@as-gw-user
sudo systemctl status openvpn-client@as-gw-user

The result should look like this:

● openvpn-client@as-gw-user.service - OpenVPN tunnel for as/gw/user
    Loaded: loaded (/lib/systemd/system/openvpn-client@.service; enabled; vendor preset:
enabled)
    Active: active (running) since Fri 2022-11-11 20:12:49 UTC; 1h 6min ago
        Docs: man:openvpn(8)
            https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
            https://community.openvpn.net/openvpn/wiki/HOWTO
    Main PID: 2626 (openvpn)
    Status: "Initialization Sequence Completed"
        Tasks: 1 (limit: 2237)
    Memory: 2.0M
        CPU: 157ms
    CGroup: /system.slice/system-openvpn\x2dclient.slice/openvpn-client@as-gw-user.service
            └─2626 /usr/sbin/openvpn --suppress-timestamps --nobind --config as-gw-user.conf

To enable packet transfers from other hosts, run these commands:

vm-ovpn-gw:~$ sudo bash -c "echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf"
vm-ovpn-gw:~$ sudo sysctl -p

Check whether the vpn-server gateway has a route to 10.253.11.0/24:

vpn-server:~$ sudo ip route

Result:

default via 10.128.0.1 dev eth0 proto dhcp src 10.128.0.3 metric 100
10.128.0.0/24 dev eth0 proto kernel scope link src 10.128.0.3
10.128.0.1 dev eth0 proto dhcp scope link src 10.128.0.3 metric 100
10.253.11.0/24 dev as0t2 proto static
172.27.224.0/22 dev as0t0 proto kernel scope link src 172.27.224.1
172.27.228.0/22 dev as0t1 proto kernel scope link src 172.27.228.1
172.27.232.0/22 dev as0t2 proto kernel scope link src 172.27.232.1
172.27.236.0/22 dev as0t3 proto kernel scope link src 172.27.236.1

Check whether the vm-ovpn-gw VM has a route to 10.128.0.0/24:

sudo ip route

Result:

default via 10.253.11.1 dev ens18 proto dhcp src 10.253.11.19 metric 100
10.128.0.0/24 via 172.27.232.1 dev tun0 metric 101
10.253.11.0/24 dev ens18 proto kernel scope link src 10.253.11.19 metric 100
10.253.11.1 dev ens18 proto dhcp scope link src 10.253.11.19 metric 100
172.27.224.0/20 via 172.27.232.1 dev tun0 metric 101
172.27.232.0/22 dev tun0 proto kernel scope link src 172.27.232.5
178.154.226.72 via 10.253.11.1 dev ens18

Test the tunnelTest the tunnel

To test the tunnel, you will need the test VMs we mentioned above; those VMs should reside in both subnets and be different from the tunnel gateways.

For these two VMs to exchange data, both of them should have access to static routes to the other subnet. On the ao-openvpn-test VM, this is a route to 10.253.11.0/24, while on the vm-ovpn-host VM, this is 10.128.0.0/24.

Run the following command on the vm-ovpn-host VM:

sudo ip route add 10.128.0.0./24 via 10.253.11.19

On the test VM in Yandex Cloud, adding a static route within the VM will not help. In Yandex Cloud, static routes for VMs should be specified in a different way.

In Yandex Cloud, the ao-openvpn-as (OpenVPN server) and ao-openvpn-test VMs are hosted in the same default subnet. In the settings of this subnet, add a static route with the following parameters:

Name: office-net
Prefix: 10.253.11.0/24
Next hop: 10.128.0.3

To apply this static route to the ao-openvpn-test VM, shut it down and start it again.

After that, from the vm-ovpn-host VM, test the tunnel to the other test VM by running the ping command:

ping 10.128.0.4

Result:

PING 10.128.0.4 (10.128.0.4) 56(84) bytes of data.
64 bytes from 10.128.0.4: icmp_seq=1 ttl=61 time=7.45 ms
64 bytes from 10.128.0.4: icmp_seq=2 ttl=61 time=5.61 ms
64 bytes from 10.128.0.4: icmp_seq=3 ttl=61 time=5.65 ms
^C
--- 10.128.0.4 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 5.613/6.235/7.446/0.855 ms

Run the same command on the other end of the tunnel, from the ao-openvpn-test VM:

ping 10.253.11.110

Result:

PING 10.253.11.110 (10.253.11.110) 56(84) bytes of data.
64 bytes from 10.253.11.110: icmp_seq=1 ttl=61 time=6.23 ms
64 bytes from 10.253.11.110: icmp_seq=2 ttl=61 time=5.90 ms
64 bytes from 10.253.11.110: icmp_seq=3 ttl=61 time=6.09 ms
64 bytes from 10.253.11.110: icmp_seq=4 ttl=61 time=5.69 ms
^C
--- 10.253.11.110 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 5.688/5.976/6.229/0.203 ms

How to delete the resources you createdHow to delete the resources you created

To free up resources in the folder, delete the vpn-server VM and the test VM.

If you reserved a public static IP address, delete it.

See alsoSee also

• OpenVPN Project Wiki
• Get the contents of the Let's Encrypt certificate
• Connecting to Access Server