
Site to site links

Author: Nikos Mavrogiannopoulos

In this scenario we describe a VPN server which provides multiple subnets to connecting users, where some of these subnets are routed by some of the users themselves. That is, a simple-to-set-up site-to-site link. For simplicity we examine an IPv4 setup like the following. Modification for other setups should be trivial.

       ------------
       |   Site1  |
       ------------
       /          \
      /            \
 ------------     ------------
 |   Site2  |     |  Client1 |
 ------------     ------------

In that scenario Site1 advertises the, and we would like it to route through 'Site2' when they are connected.


The following instructions require ocserv 0.10.10.



In order to enable this setup the server must have preconfigured the routes that each client will serve. This can be done with the following configuration settings in ocserv.conf of Site1.

split-dns =
split-dns =
ipv4-network =

route =

config-per-user = /etc/ocserv/config-per-user/

expose-iroutes = true

The 'ipv4-network' entry contains the addresses that the VPN clients will be assigned. The 'route' entry adds the routes that are directly routed by the VPN server. The 'config-per-user' option instructs ocserv to read, for each connecting user, an additional configuration file placed in /etc/ocserv/config-per-user/ and named after the user. If the user is named 'Site2', ocserv will open /etc/ocserv/config-per-user/Site2.

The 'expose-iroutes' option instructs ocserv to expose/advertise any 'iroute' options found in the per-user configuration files to all connecting clients (except the one serving it).

Hence, in our scenario the Site2 file will contain the following.

iroute =

This will instruct ocserv to set up the route via Site2 once it connects.
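As an added example (not ocserv's own code, and not part of this page), the following POSIX shell script stages the files described above with constructed addresses and checks that no per-user 'iroute' overlaps the server's 'ipv4-network' pool or one of its 'route' entries; an overlapping iroute would make Site1 send traffic for the pool or for its own networks to the client that claims it. The script assumes that 'ipv4-network', 'route' and 'iroute' are written in CIDR form (a.b.c.d/len); every subnet, path and user name in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not ocserv's own code. Checks that per-user 'iroute' entries
# do not overlap the server's 'ipv4-network' pool or its 'route' entries.
# Assumes CIDR notation (a.b.c.d/len) for all three keys; every address, path
# and user name below is a constructed placeholder.

# Dotted quad -> 32-bit integer.
ip2int() {
  echo "$1" | {
    IFS=. read -r a b c d
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
  }
}

# Network address (as integer) of "a.b.c.d/len".
net_of() {
  ip=${1%/*}; len=${1#*/}
  mask=$(( len == 0 ? 0 : (4294967295 << (32 - len)) & 4294967295 ))
  echo $(( $(ip2int "$ip") & mask ))
}

# True (exit 0) if two prefixes overlap, i.e. they agree on the shorter prefix.
cidr_overlap() {
  l1=${1#*/}; l2=${2#*/}
  short=$(( l1 < l2 ? l1 : l2 ))
  [ "$(net_of "${1%/*}/$short")" -eq "$(net_of "${2%/*}/$short")" ]
}

# Print the values of "key = value" lines for one key of an ocserv-style file.
conf_values() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | sed 's/[[:space:]]*$//'
}

# Compare every iroute of one per-user file with the server pool and routes.
# Prints each conflict; exit status 1 if any was found.
check_iroutes() {
  server_conf=$1; user_conf=$2; rc=0
  pool=$(conf_values ipv4-network "$server_conf")
  for ir in $(conf_values iroute "$user_conf"); do
    if cidr_overlap "$ir" "$pool"; then
      echo "$(basename "$user_conf"): iroute $ir overlaps ipv4-network $pool"; rc=1
    fi
    for r in $(conf_values route "$server_conf"); do
      if cidr_overlap "$ir" "$r"; then
        echo "$(basename "$user_conf"): iroute $ir overlaps route $r"; rc=1
      fi
    done
  done
  return $rc
}

# Run the check over every file in a config-per-user directory.
check_all_users() {
  all_rc=0
  for f in "$2"/*; do
    [ -f "$f" ] && { check_iroutes "$1" "$f" || all_rc=1; }
  done
  return $all_rc
}

# Demo: stage the files from this page with constructed addresses and check them.
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/config-per-user"
  cat > "$d/ocserv.conf" <<EOF
ipv4-network = 10.10.0.0/24
route = 192.168.1.0/24
config-per-user = $d/config-per-user/
expose-iroutes = true
EOF
  echo "iroute = 192.168.2.0/24" > "$d/config-per-user/Site2"
  echo "iroute = 10.10.0.128/25" > "$d/config-per-user/BadSite"   # overlaps the pool
  check_all_users "$d/ocserv.conf" "$d/config-per-user" && echo "no conflicts"
  rm -rf "$d"
}

demo
```

Run it against the real files with `check_all_users /etc/ocserv/ocserv.conf /etc/ocserv/config-per-user` before reloading ocserv; the Site2 file passes, while the constructed BadSite file is reported because its iroute lies inside the client pool.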

We intentionally skipped the 'split-dns' options in the config file above. For the connecting VPN clients to be able to resolve both and sites, the Site1 DNS server must be instructed to contact the Site2 DNS server for the '' addresses. That configuration is DNS-server specific. In dnsmasq, for example, it can be achieved by adding a configuration line such as "server=/" to its config file.


Site2 will be a typical openconnect client. It will only need to allow forwarding to and from the routes of Site1 (i.e., and to and from VPN client addresses (i.e.,
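The forwarding rules Site2 needs, as an added example that is not part of this page or of openconnect: a POSIX shell script that emits an nftables ruleset allowing traffic only between Site2's own network and the two remote ranges (Site1's 'route' networks and the VPN client pool), dropping everything else that would cross the tunnel. The addresses, interface names and the single Site1 route are constructed placeholders; substitute the real values.

```shell
#!/bin/sh
# Added example, not part of ocserv or openconnect. Generates an nftables
# ruleset for the Site2 gateway that forwards only LAN <-> (Site1 routes +
# VPN client pool) across the tunnel. All values are constructed placeholders.

SITE2_LAN="192.168.2.0/24"      # constructed: Site2's own network (its iroute)
SITE1_ROUTES="192.168.1.0/24"   # constructed: the 'route' entries of Site1
VPN_POOL="10.10.0.0/24"         # constructed: Site1's 'ipv4-network'
LAN_IF="eth1"                   # constructed: Site2 LAN interface
VPN_IF="tun0"                   # constructed: openconnect tunnel interface

# Print the ruleset: default drop on forward, allow only the two directions
# between the LAN and the remote networks, plus replies of accepted flows.
site2_forward_ruleset() {
  remote="$SITE1_ROUTES, $VPN_POOL"
  cat <<EOF
table inet site2 {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "$LAN_IF" oifname "$VPN_IF" ip saddr $SITE2_LAN ip daddr { $remote } accept
    iifname "$VPN_IF" oifname "$LAN_IF" ip saddr { $remote } ip daddr $SITE2_LAN accept
  }
}
EOF
}

# Enable IPv4 forwarding and load the ruleset (needs root; not invoked here).
apply_site2_forwarding() {
  sysctl -w net.ipv4.ip_forward=1
  site2_forward_ruleset | nft -f -
}

site2_forward_ruleset
```

Because the forward chain's policy is drop, a VPN client or a host behind Site1 can only reach Site2's LAN, and Site2's LAN can only reach the networks Site1 advertised; anything else that arrives on the tunnel is not forwarded.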


No special configuration is needed for any of the openconnect clients.