Setting Up Site-To-Site OpenVPN
Written by Sam James   
Monday, 30 August 2021
Article Index
Setting Up Site-To-Site OpenVPN
Setting Up a Simple Server and Client
A Working Site-to-Site VPN
Overcoming the Firewall


To add the TUN0 device to the LAN firewall zone on the server, select Network→Firewall from the top menu then the Edit button next to the lan→wan in the Zones list:


From the “Advance Settings” tab add tun0 to the covered devices:


You should now find you can ping other devices on the subnet from the client router. However, you still won’t be able to ping those devices from other computers connected to the client router as the server has no way of routing the return packets to the subnet.

A quick and dirty way to get around this is to add the TUN0 device to the WAN firewall zone. By default the WAN zone uses masquerading which make it look like the packets the client is sending is coming from it. However, as we are wanting to make a bi-directional site-to-site set up we don’t need to do this. Instead we can move our attention to allowing computers on the server “see” the computers on the client.

To do this we first have to create a client configuration directory on the server. The easiest way is to once again SSH into the server and create a directory etc/openvpn/ccd and create a new file called client inside it:


Then add the line iroute


Next log back on to the server with a web browser and select VP→OpenVPN from the top menu and then edit the sample_server once more. Switch to advanced configuration then go to the Networking tab and add a route field:


then enter the network details of the client subnet:


you must click the “+” at the side for the text entry box and then “Save & Apply” before editing anything else! Next go to the VPN tab and a “client_config_dir” field which by default should already be filled in with etc/openvpn/ccd:


Finally to get everything working we need to add the TUN0 device to the LAN firewall zone on the client which is exactly the same as the way we added it to the server.

Before final checking of everything working it might be a good idea to reboot both routers to make sure everything is refreshed. Once that is done verify everything is working by connecting to the wi-fi of the client router, SSH into a computer on the server and finally ping back to the first computer.

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.


Advances In Confidential Computing

Edgeless Systems, a company that aims to turn the public cloud into the safest place for sensitive data, is hosting the annual online Open Confidential Computing Conference (OC3) where CTOs  [ ... ]

VSCode Can Do More Than You Imagine

Did you know about a list of videos that clearly depict tips and tricks that VSCode is able to do that nobody ever bothered to tell you about? Well if you didn't, you do now...

More News





or email your comment to:


QuickSort Exposed

QuickSort was published in July 1961 and so is celebrating its 60th birthday.  QuickSort is the most elegant of algorithms and every programmer should study it. It is also subtle and this often m [ ... ]

AWS Low Cost Mailing List Using phpList And SES

Running a mailing list is not easy or cheap, but if you use AWS it can be. Find out how to create a low-cost and highly effective mailing list server.

Other Projects


    Last Updated ( Monday, 30 August 2021 )