Introduction
How to configure an OpenVPN LAN to LAN tunnel using 2 Digi DAL routers
Prerequisites
- The DAL Router that acts as server must have a Public IP on the WAN interface (or at least reachable by the Client).
- A set of certificates (CA public cert, server cert & private key, client cert & private key) has been created for use in the OpenVPN tunnel (for example, with XCA).
Issue/Question
How can I configure a LAN to LAN OpenVPN Tunnel using Digi DAL routers?
Solution
The following example shows how to configure two Digi DAL routers to set up a LAN to LAN OpenVPN tunnel between them.
Digi DAL router as OpenVPN Server configuration:
- Access the router's CLI shell (using a terminal or SSH connection) and create the following folder. Interactive shell access for admin users can be enabled under Configuration > Authentication > Groups > admin.
mkdir /etc/config/openvpn/ccd/

- In this folder, create a text file to route the client LAN (192.168.3.0/24 in this example). Note that the file name must be the Common Name used in the client certificate (client1 in this example).
echo 'iroute 192.168.3.0 255.255.255.0' > /etc/config/openvpn/ccd/client1

- Access the Web UI and browse to System > Device Configuration > VPN > Open VPN > Servers, choose a name and click on the + to add it:

- Configure the options as below, copying the content of the certificates into the proper fields. The CA certificate is shown below as an example:

Do the same for the rest of the certificates/keys:

Set the Advanced options as follows:
--push "route 192.168.30.0 255.255.255.0" --client-config-dir /etc/config/openvpn/ccd/ --route 192.168.3.0 255.255.255.0

More info about Open VPN Advanced options on DAL here: OpenVPN Server Advanced Options on DAL routers.
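The ccd file and the Advanced options above have to agree: the file is named after the client CN, `--client-config-dir` points at its folder, and each `iroute` subnet also appears as a `--route`. The following check is an added example, not part of the original article or Digi's software; the function name `check_ccd_routes` and the scratch directory are illustrative assumptions, and the sample values are constructed from the ones used on this page.

```shell
#!/bin/sh
# Added example (not Digi code): cross-check a client's ccd file against the
# server's Advanced options string before clicking Apply.
# Usage: check_ccd_routes CCD_DIR CLIENT_CN "ADVANCED OPTIONS"
# Returns 0 only if the ccd file named after the CN exists, the options point
# --client-config-dir at CCD_DIR, and every iroute has a matching --route.
check_ccd_routes() {
    ccd_dir=${1%/}      # tolerate a trailing slash
    cn=$2
    opts=" $3 "         # pad so whole-word matches work at both ends
    rc=0

    if [ ! -f "$ccd_dir/$cn" ]; then
        echo "FAIL: $ccd_dir/$cn not found (file name must equal the client CN)"
        return 1
    fi

    case $opts in
        *" --client-config-dir $ccd_dir "* | *" --client-config-dir $ccd_dir/ "*) ;;
        *) echo "FAIL: options lack --client-config-dir $ccd_dir/"; rc=1 ;;
    esac

    # Each iroute (routing inside OpenVPN) needs a --route (kernel routing).
    while read -r kw net mask rest || [ -n "$kw" ]; do
        [ "$kw" = "iroute" ] || continue
        case $opts in
            *" --route $net $mask "*) echo "OK: iroute $net $mask has --route" ;;
            *) echo "FAIL: no --route $net $mask for iroute in $cn"; rc=1 ;;
        esac
    done < "$ccd_dir/$cn"
    return $rc
}

# Constructed sample mirroring the values on this page, in a scratch directory.
demo_dir=$(mktemp -d)
echo 'iroute 192.168.3.0 255.255.255.0' > "$demo_dir/client1"
demo_opts="--push \"route 192.168.30.0 255.255.255.0\" --client-config-dir $demo_dir/ --route 192.168.3.0 255.255.255.0"
check_ccd_routes "$demo_dir" client1 "$demo_opts"
```

A pushed route for the same subnet does not satisfy the check: `--push "route ..."` installs a route on the client, while `--route` installs it on the server.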
Click Apply; the server is then shown as enabled under Status > Open VPN > Servers. The OpenVPN file for the client can also be downloaded there:

This file must be edited to insert the WAN IP address of the Digi DAL router and the content of the client cert & private key. The CA certificate is already filled in:


- Add a static route for the client LAN to pass via the OpenVPN interface:

Digi DAL router as OpenVPN Client configuration:
Access the Web UI and browse to System > Device Configuration > VPN > Open VPN > Clients, choose a name and click on the + to add it:

The client can be configured either by copying the content of the .ovpn file directly into the proper field or without doing so. Both examples are shown below:


Click Apply; the client status can then be checked under Status > Open VPN > Clients:

It can also be verified that the routing table is updated with the OpenVPN server subnet as well as the pushed route to reach the DAL server LAN:

The successful connection can also be checked on the DAL router acting as server under Status > Open VPN > Servers:

It can also be verified that the routing table is updated with the OpenVPN tunnel addresses as well as the client LAN subnet:

LAN to LAN traffic test
To test that the LAN to LAN traffic is working as expected via the tunnel, a ping can be performed from a device in the server LAN to a device in the client LAN and vice versa.
Server LAN to Client LAN:

Client LAN to Server LAN:

Last updated:
May 14, 2025