Openvpn – ClearOS – how to create a site to site VPN between two ClearOS boxes


I plan on setting up some ClearOS boxes at several sites, and would like to set up site-to-site VPN between the remote sites and a main site (all running ClearOS enterprise 5.2sp1 / latest version).

I have found references for how to set up ClearOS to VPN in to devices such as Cisco for IPsec, and others with PPTP. But for these methods it did not mention how you might configure two ClearOS boxes to talk to each other over IPsec or PPTP.

I also saw documentation on installing OpenVPN and using the OpenVPN client software to VPN in to the ClearOS box. I will probably use this for individual users to VPN in, but I have some small sites (1 to 10 users) that will have their own ClearOS box and need to create a site-to-site VPN link back to the main site's OpenVPN box.

Is this possible, can you point me to docs, or other info or basically, how?

A couple of updates:

I did find a thread that asks the same basic question, where the user has a VPN set up between the two ClearOS machines (after installing the IPsec VPN modules), just not transporting traffic between the LANs – and the very last post claims you have to edit some files (/etc/ipsec.conf) and set the leftnexthop and rightnexthop values to %direct. After that, it's supposed to work. Could it be that simple?

I also posted to Clear Foundation, and they pointed me to some documentation for setting up an IPsec unmanaged VPN. This looks pretty good, but I will most likely need to figure out how to handle a dynamic DNS type setup at least on one end. Also, what does it mean by multi-WAN? Finally, what happens when a VPN connection goes down exactly – someone has to reboot the box, or?

Best Answer

There are two different setup/install instructions on OpenVPN's site, the standard howto and the static key howto. Static key is only usable for a 2-machine setup.

You will want to follow the standard howto: http://openvpn.net/index.php/open-source/documentation/howto.html

Basically you will need 2 configuration files, 1 for the server, 1 for the clients. You will need to create certificates and keypairs for the server and for all the clients; each client will need its own certificate and a copy of the server's certificate. Also watch out for the pitfall of having the same "subnet" for the client LANs and your server's LAN. The client will not be able to easily access the server's LAN if it is the same subnet, like 192.168.1.x.

Feel free to leave comments on spots where you get stuck; I've been through this setup many times.
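A concrete pair of configuration files in the shape the standard howto describes, as an added example that is not from the answer above or from ClearOS itself. The LAN subnets 192.168.10.0/24 (main site) and 192.168.20.0/24 (remote site), the hostname vpn.example.com, the key file paths and the client name site20 are assumed; the two LANs are deliberately different to avoid the overlapping-subnet pitfall.

```conf
##### server.conf (main-site ClearOS box) - assumed paths and subnets #####
port 1194
proto udp
dev tun
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key  /etc/openvpn/keys/server.key
dh   /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0
# Tunnel address pool (must not collide with any site LAN)
server 10.8.0.0 255.255.255.0
# Tell every client how to reach the main-site LAN through the tunnel
push "route 192.168.10.0 255.255.255.0"
# Kernel route: the remote-site LAN lives behind the tunnel interface
route 192.168.20.0 255.255.255.0
# Per-client files tie a client certificate name to the LAN behind it
client-config-dir /etc/openvpn/ccd
# Detect a dead link and restart the session instead of waiting for a reboot
keepalive 10 120
persist-key
persist-tun
verb 3

##### /etc/openvpn/ccd/site20 (filename = CN of that client's certificate) #####
# Internal route: OpenVPN itself must know which client owns 192.168.20.0/24
iroute 192.168.20.0 255.255.255.0

##### client.conf (remote-site ClearOS box "site20") #####
client
dev tun
proto udp
# Dynamic-DNS name of the main site; resolv-retry keeps retrying after IP changes
remote vpn.example.com 1194
resolv-retry infinite
nobind
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/site20.crt
key  /etc/openvpn/keys/site20.key
tls-auth /etc/openvpn/keys/ta.key 1
# Only accept a peer whose certificate was issued as a server certificate
remote-cert-tls server
keepalive 10 120
persist-key
persist-tun
verb 3
```

Both boxes still need IP forwarding enabled and firewall rules allowing traffic between the tun interface and the LAN; without `iroute` in the per-client file, the server's `route` line alone will not deliver packets to the remote LAN.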