How To Set Up Site To Site VPN With NOWS

This document (3165776) is provided subject to the disclaimer at the end of this document.


Novell Open Workgroup Suite Small Business Edition (NOWS)


Reference Diagram

Installing two NICs with NOWS-SBE:

When you install and configure a NOWS-SBE server, do not configure the second network interface card (NIC) until you have completed the installation and configured the primary NIC through the Web configuration tool. After the initial Web configuration is complete, you can then use YaST to configure the second NIC.

NOTE: Since you will be routing traffic through the server, be sure to enable IP Forwarding when configuring the second NIC.

Setting up VPN site to site:

1. Synchronize the time between the two servers using ntpdate.

2. In the NOWS-SBE Web administration tool, install Firewall (IPTables) and VPN Server (OpenVPN) on both Server A and Server B.

  • For Server A, replace "auto" in the Virtual IP Address Network field with an address, such as
  • For Server B, replace "auto" in the Virtual IP Address Network field with a distinct segment address, such as
  • Replace "auto" in the VPN Network Mask field with the appropriate mask, such as
  • Verify that Allow VPN Clients Access to Internal Network is selected

3. From Server A's Web Administration tool, create a client key for Server B to use:

  • Go to Products and Service >> VPN Server (Open VPN) >> Administrative Console >> OpenVPN Key Management
  • Enter a unique name and select Generate (Hint: Using the name of Server B is a nice way to keep things organized)
  • Select Windows Client and Configuration to download and save the Windows Client zip file. The file name is based on the unique name selected.

4. Copy the client zip file to /etc/openvpn on Server B.

5. Extract the client zip file into the /etc/openvpn/ folder using the command "unzip". If desired, delete the Windows install files.

6. Rename (mv) or copy (cp) the .ovpn file to client.conf.

7. Using a text editor, such as vi, open the server.conf file and comment out the second to last line so that it looks something like this:

push "route"
#push "route"
push "dhcp-option DNS"

This prevents the VPN from pushing the public route to the other server and allows each server to access the public network directly.

8. Create a client key for Server A to use by repeating step 3 from Server B's Web administration tool.

9. Finalize Server A's configuration by repeating steps 4-7 on Server A. When completed, each server should have a server.conf and a client.conf file in the /etc/openvpn directory.

10. Restart openvpn on each server using /etc/init.d/openvpn restart.

11. You should now have a functioning VPN tunnel in each direction. Each server should push its private routes to the other. Test the connection by pinging a host on Network A from Server B, and a host on Network B from Server A.

12. For most networks with more than a single subnet, or where Server A and Server B are not the default gateway for clients on their networks, you will also need to set up routing on internal switches and routers so that clients on Network A know to point to Server A as the next hop to Network B. The same will also have to be done so that clients on Network B know to point to Server B as the next hop to Network A. (WARNING: This involves modifying systems beyond the NOWS-SBE servers and can break the network if performed incorrectly. You are on your own at this point.)

Troubleshooting tips:

1. To verify the validity of the certificates on the VPN, issue the following command, replacing <unique-name> with the key name chosen in step 3:

openssl verify -CAfile ca.crt -purpose sslclient <unique-name>.crt

2. In step 7 above, it suggests commenting out the public push statements for the VPN. If this is not done and the VPN servers are on the same network segment, the servers will hang. Pushing the public route may also cause trouble communicating over the VPN tunnel.

3. Uninstalling the Firewall (IP Tables) component does not undo any firewall configuration changes that may have been made. Changes to the Firewall configuration can cause the Site-to-Site VPN to stop functioning, so make firewall changes with care.

4. To verify the firewall configuration:

  • In a text editor, open /etc/sysconfig/SuSEfirewall2
  • Find the line beginning with "FW_DEV_INT"
  • Verify that it looks like this:

FW_DEV_INT="eth1 tun0 tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8 tun9"
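As an added example (my own helper script, not part of the Novell/SUSE article), the following POSIX shell functions carry out the server.conf edit from step 7 and the FW_DEV_INT check from tip 4, and let you confirm afterwards which routes are still pushed and whether the tun devices count as internal. The demo at the bottom runs on constructed copies of both files in a temporary directory; the file paths, the 192.168.1.0 private network and the 203.0.113.0 public network are assumptions chosen for the demo, not values from the article.

```shell
#!/bin/sh
# Added example; not part of the Novell/SUSE article. Helpers for two checks on
# a NOWS-SBE OpenVPN server:
#   * comment out the push "route ..." line for the peer's public network in
#     server.conf (step 7) and confirm which routes are still pushed;
#   * confirm FW_DEV_INT in /etc/sysconfig/SuSEfirewall2 lists the tun devices
#     (troubleshooting tip 4).
# The demo below works on constructed copies of both files in a temp directory,
# so nothing on the real system is touched.

# comment_out_public_push FILE NETWORK
# Prefix every line of the form  push "route NETWORK MASK"  with '#'.
comment_out_public_push() {
    awk -v net="$2" '
        $1 == "push" && $2 == "\"route" && $3 == net { print "#" $0; next }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# push_route_is_active FILE NETWORK
# Exit 0 if FILE still contains an uncommented push "route NETWORK ..." line.
push_route_is_active() {
    awk -v net="$2" '
        BEGIN { status = 1 }
        $1 == "push" && $2 == "\"route" && $3 == net { status = 0 }
        END { exit status }
    ' "$1"
}

# fw_dev_int_has DEVICE FILE
# Exit 0 if the last FW_DEV_INT="..." assignment in FILE lists DEVICE.
fw_dev_int_has() {
    line=$(grep '^FW_DEV_INT=' "$2" | tail -n 1)
    line=${line#FW_DEV_INT=}
    line=${line#\"}
    line=${line%\"}
    for d in $line; do
        [ "$d" = "$1" ] && return 0
    done
    return 1
}

# --- demo on constructed files (addresses are documentation ranges, not real) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/server.conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "route 203.0.113.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
EOF

cat > "$demo_dir/SuSEfirewall2" <<'EOF'
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1 tun0 tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8 tun9"
EOF

# Step 7: stop pushing the peer's public network (203.0.113.0 here) over the tunnel.
comment_out_public_push "$demo_dir/server.conf" 203.0.113.0

if push_route_is_active "$demo_dir/server.conf" 192.168.1.0; then
    echo "private route 192.168.1.0 is still pushed (expected)"
fi
if ! push_route_is_active "$demo_dir/server.conf" 203.0.113.0; then
    echo "public route 203.0.113.0 is no longer pushed (expected)"
fi

# Tip 4: the tunnel interfaces must be treated as internal by SuSEfirewall2.
if fw_dev_int_has tun0 "$demo_dir/SuSEfirewall2"; then
    echo "tun0 is listed in FW_DEV_INT (expected)"
fi
```

On a real server you would point the functions at /etc/openvpn/server.conf and /etc/sysconfig/SuSEfirewall2 instead of the demo copies; the push check only looks at uncommented lines, so a route that has been disabled with a leading '#' no longer counts as active, which is exactly the state step 7 asks for.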


This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 3165776
  • Creation Date: 05-FEB-08
  • Modified Date: 27-APR-12
    • SUSE Linux Enterprise Server
