OpenVPN: New feature: site-to-site VPN with two Fonera

[sboniolo@…]

I recently purchased and installed my second Fonera, Fonera N this time! I easily configured OpenVPN to access from my PC to the home network but one thing that I think might be useful is to set up two or more "Fonera" to get a site-to-site VPN. OpenVPN package allows this, because of OpenVPN is deep integrated into LaFonera? functionality, in my opinion would be inexpensive and very useful to have this functionality (perhaps, wanting to exaggerate, not limited to 2 subnets). I remain available for any questions or concerns. Simone Boniolo

[Jon "The Nice Guy" Spriggs <jon@…>]

In all honesty, I think the amount of rework that would be required to get the OpenVPN client behaving like this, it would be a better idea to perhaps create a separate plugin for this.

In this way, you could add new startup files to /etc/init.d/, configure the VPN settings appropriately (perhaps as openvpn.site-to-site.x in UCI), set up proper routing and firewall rules, and use the TAP rather than TUN interface for your tunnel.

It's a lot of work, but I think it's pretty do-able, especially if you base the work off the code in source:trunk/luci/applications/luci-openvpn

[matthijs]

A separate luci application would certainly make sense, not sure if it should be a separate plugin (since the OpenVPN binary is already included in the firmware, the plugin would mostly contain lua files, which aren't very big. Also, this feature might require changes to the networking core of the firmware, which is hard to do from a plugin).

Furthermore, I think the biggest challenge is to get this feature to play nicely with all the existing networking and firewalling code (to be honest, some of it has become a bit messy over time).

In any case: This feature would be awesome to add, but it's too much work for 2.3.7.0.

Jon, if you'd like to have a stab at this, I'd welcome that. If you have any questions or want some feedback, feel free to bugger me (easiest is through irc, probably).

[matthijs]

Just one addition: I think it would be useful to make this a slightly more generic OpenVPN client feature, so not limited to a Fonera -> Fonera VPN.

[matthijs]

#1193 is a duplicate of this ticket.

[jdevora@…]

You can manually configure it as a OpenVPN client following the steps at:

 http://oldwiki.fon.com/wiki/Advanced_OpenVPN_Configuration#Configure_Fonera_as_a_OpenVPN_client_for_connexion_to_an_OpenVPN_Server