running OSPF over OpenVPN
Let's assume the following network topology and ip setup.

Topology

network topology

  • Aldebaran
    • public interface eth0: 10.10.1.1
    • local network on eth1: 192.168.1.1/24
    • vpn sagittarius on tun0: 172.16.1.1/30
    • vpn aquarius on tun1: 172.16.2.1/30
    • vpn draco on tun2: 172.16.99.1/24
  • Beteigeuze
    • public interface eth0: 10.20.2.2
    • local network on eth1: 192.168.2.1/24
    • vpn sagittarius on tun0: 172.16.1.2/30
    • vpn columba on tun1: 172.16.3.1/30
  • Castor
    • public interface eth0: 10.30.3.3
    • local network on eth1: 192.168.3.1/24
    • vpn aquarius on tun0: 172.16.2.2/30
    • vpn columba on tun1: 172.16.3.2/30

Setup OpenVPN

We need to set up OpenVPN on all three servers. I'll use a very basic example with pre-shared secrets to show the concept. Please use additional security measures in production, like client certificates, user authentication, strong ciphers, etc.

First, generate a shared key for each tunnel (each key has to end up on both peers of its tunnel):

for s in sagittarius aquarius columba draco; do
  openvpn --genkey --secret ${s}.key
done

Then, create OpenVPN's configuration files on the corresponding servers.

  • Aldebaran

    # /etc/openvpn/server/sagittarius.conf
    local 10.10.1.1
    proto udp
    port 11961
    # pin the device name so the tunnel matches the tun0 used in the frr config below
    dev tun0
    topology p2p
    ifconfig 172.16.1.1 172.16.1.2
    persist-tun
    persist-key
    auth SHA512
    cipher AES-256-CBC
    secret /etc/openvpn/sagittarius.key

    # /etc/openvpn/server/aquarius.conf
    local 10.10.1.1
    proto udp
    port 11962
    dev tun1
    topology p2p
    ifconfig 172.16.2.1 172.16.2.2
    persist-tun
    persist-key
    auth SHA512
    cipher AES-256-CBC
    secret /etc/openvpn/aquarius.key

    # /etc/openvpn/server/draco.conf
    local 10.10.1.1
    proto udp
    port 1196
    dev tun2
    topology subnet
    mode server
    # 'server' takes the network address, not the server's own tunnel address
    server 172.16.99.0 255.255.255.0
    persist-tun
    persist-key
    auth SHA512
    cipher AES-256-CBC
    # NOTE: OpenVPN refuses a static 'secret' in server mode; a multi-client
    # tunnel like draco needs certificates (ca/cert/key/dh) instead of this line.
    secret /etc/openvpn/draco.key
  • Beteigeuze

    # /etc/openvpn/client/sagittarius.conf
    remote 10.10.1.1 11961
    proto udp
    dev tun0
    topology p2p
    ifconfig 172.16.1.2 172.16.1.1
    persist-tun
    persist-key
    persist-remote-ip
    auth SHA512
    cipher AES-256-CBC
    secret /etc/openvpn/sagittarius.key

    # /etc/openvpn/server/columba.conf
    # Beteigeuze's public address from the topology above
    local 10.20.2.2
    proto udp
    port 11961
    dev tun1
    topology p2p
    ifconfig 172.16.3.1 172.16.3.2
    persist-tun
    persist-key
    auth SHA512
    cipher AES-256-CBC
    secret /etc/openvpn/columba.key
  • Castor

    # /etc/openvpn/client/aquarius.conf
    remote 10.10.1.1 11962
    proto udp
    dev tun0
    topology p2p
    ifconfig 172.16.2.2 172.16.2.1
    persist-tun
    persist-key
    persist-remote-ip
    auth SHA512
    cipher AES-256-CBC
    secret /etc/openvpn/aquarius.key

    # /etc/openvpn/client/columba.conf
    # connect to Beteigeuze's public address
    remote 10.20.2.2 11961
    proto udp
    dev tun1
    topology p2p
    ifconfig 172.16.3.2 172.16.3.1
    persist-tun
    persist-key
    persist-remote-ip
    auth SHA512
    cipher AES-256-CBC
    secret /etc/openvpn/columba.key
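Before starting the daemons it is worth checking that each point-to-point pair really mirrors itself (tunnel addresses swapped, same port, same key file, same HMAC and cipher), since a mismatch only shows up as a tunnel that never comes up. The checker below is an added example, not code from the original page or from OpenVPN; it parses the minimal config format used above and is fed constructed copies of the sagittarius pair, one of them deliberately broken.

```python
# Added example, not part of the original page or of OpenVPN itself: sanity-check
# that a static-key point-to-point server config and its client config match.

def parse_ovpn(text):
    """Parse the 'option arg ...' line format used above; '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            opts[fields[0]] = fields[1:]
    return opts

def check_p2p_pair(server_conf, client_conf):
    """Return the mismatches between a server config and the client config that
    is meant to connect to it; an empty list means the pair is consistent."""
    s, c = parse_ovpn(server_conf), parse_ovpn(client_conf)
    problems = []
    # 'ifconfig local remote' on one end must be the mirror image of the other
    if s.get("ifconfig") != list(reversed(c.get("ifconfig", []))):
        problems.append("ifconfig addresses are not mirrored")
    # the client's 'remote host port' must point at the server's 'local' and 'port'
    if c.get("remote") != s.get("local", []) + s.get("port", []):
        problems.append("client 'remote' does not match server 'local'/'port'")
    # transport, addressing mode, HMAC and cipher have to agree on both ends
    for opt in ("proto", "topology", "auth", "cipher"):
        if s.get(opt) != c.get(opt):
            problems.append(f"'{opt}' differs between the two ends")
    # both ends must load the same pre-shared key (compared by file name)
    key_name = lambda o: o.get("secret", [""])[-1].rsplit("/", 1)[-1]
    if key_name(s) != key_name(c):
        problems.append("different 'secret' key files")
    return problems

# Constructed sample: the sagittarius tunnel between Aldebaran and Beteigeuze,
# reduced to the options the check looks at.
SAGITTARIUS_SERVER = ("local 10.10.1.1\nproto udp\nport 11961\ntopology p2p\n"
                      "ifconfig 172.16.1.1 172.16.1.2\nauth SHA512\n"
                      "cipher AES-256-CBC\nsecret /etc/openvpn/sagittarius.key\n")
SAGITTARIUS_CLIENT = ("remote 10.10.1.1 11961\nproto udp\ntopology p2p\n"
                      "ifconfig 172.16.1.2 172.16.1.1\nauth SHA512\n"
                      "cipher AES-256-CBC\nsecret /etc/openvpn/sagittarius.key\n")
# Constructed broken client: tunnel addresses copied instead of swapped, and an
# HMAC algorithm that does not match the server's.
BROKEN_CLIENT = (SAGITTARIUS_CLIENT.replace("172.16.1.2 172.16.1.1", "172.16.1.1 172.16.1.2")
                                   .replace("SHA512", "SHA256"))
```

`check_p2p_pair(SAGITTARIUS_SERVER, SAGITTARIUS_CLIENT)` returns an empty list, while the broken client yields the two mismatches; point it at the real files on both hosts before starting the units.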

Now start the daemons on each host (name the instances explicitly; a systemctl glob like openvpn-server@* only matches units that are already loaded) and wait for the tunnels to come up:

systemctl start openvpn-server@{sagittarius,aquarius,draco}        # on Aldebaran
systemctl start openvpn-client@sagittarius openvpn-server@columba  # on Beteigeuze
systemctl start openvpn-client@{aquarius,columba}                  # on Castor

Setup frr

  • Aldebaran
    hostname aldebaran
    interface eth0
    description public
    link-detect
    !
    interface eth1
    description local network
    link-detect
    !
    interface tun0
    description sagittarius
    link-detect
    !
    interface tun1
    description aquarius
    link-detect
    !
    interface tun2
    description draco
    link-detect
    !
    ip forwarding
    !
    router ospf
    ! FRR only accepts a dotted-quad router ID
    ospf router-id 1.1.1.1
    network 172.16.1.0/30 area 0
    network 172.16.2.0/30 area 0
    network 172.16.99.0/24 area 0
    network 192.168.1.0/24 area 2
    ! no network statement covers eth0, so no OSPF hellos leave the public interface;
    ! add 'passive-interface eth1' if no other OSPF router lives on the local network
    !
  • Beteigeuze
    hostname beteigeuze
    interface eth0
    description public
    link-detect
    !
    interface eth1
    description local network
    link-detect
    !
    interface tun0
    description sagittarius
    link-detect
    !
    interface tun1
    description columba
    link-detect
    !
    ip forwarding
    !
    router ospf
    ospf router-id 2.2.2.2
    network 172.16.1.0/30 area 0
    network 172.16.3.0/30 area 0
    network 192.168.2.0/24 area 2
    !
  • Castor
    hostname castor
    interface eth0
    description public
    link-detect
    !
    interface eth1
    description local network
    link-detect
    !
    interface tun0
    description aquarius
    link-detect
    !
    interface tun1
    description columba
    link-detect
    !
    ip forwarding
    !
    router ospf
    ospf router-id 3.3.3.3
    network 172.16.2.0/30 area 0
    network 172.16.3.0/30 area 0
    network 192.168.3.0/24 area 2
    !