HOWTO_OpenVPN_Server_for_Ethernet_Bridging_with_Server_Certificates
Introduction
OpenVPN Server for Ethernet Bridging with Server Certificates
In this tutorial I'll go over how to establish an Ethernet bridge in Gentoo, create OpenVPN certificates, and configure the server.
Network Layout
This tutorial uses an office as an example. The office has a 192.168.20.0/24 network for its systems. The clients will be in a bridged part of this network, which means they will have addresses in the 192.168.20.0/24 address space. You need to verify that the clients don't use this network "at home" (they can still have any other private network, such as 192.168.1.0/24). You also need to check that there are no IP address collisions: make sure the IP addresses that need to be available for OpenVPN clients are not used by local hosts.
General Setup
First of all you need to enable some basic kernel features to get OpenVPN up and running. This is necessary for the client and the server.
Enabling Bridging in Kernel
You will need to enable TUN/TAP support in your kernel:
Linux Kernel Configuration: Enable the tun option
[*] Networking support
  Networking options --->
    [ ] Amateur Radio support --->
    < > IrDA (infrared) subsystem support --->
    < > Bluetooth subsystem support --->
[*] Network device support
  < > Dummy net driver support
  < > Bonding driver support
  < > EQL (serial line load balancing) support
  <M> Universal TUN/TAP device driver support   // This option must be enabled
[*] Network packet filtering (replaces ipchains) --->
  SCTP Configuration (EXPERIMENTAL) --->
  < > Asynchronous Transfer Mode (ATM) (EXPERIMENTAL)
  <*> 802.1d Ethernet Bridging
  < > 802.1Q VLAN Support
Note: in more recent kernels the Universal TUN/TAP option has been moved to Device Drivers->Network Devices.
Note: to get bridge.ko built it is sometimes necessary to run make in the Linux source directory instead of make modules, then run make modules_install && make install && update-modules, and reboot.
Emerging Software
You will need bridge-utils and openvpn:
emerge net-misc/bridge-utils net-misc/openvpn
Optional: you don't need sys-apps/usermode-utilities in order to bring up tun/tap interfaces via baselayout; having net-misc/openvpn is enough for >=sys-apps/baselayout-1.12.6.
Configuring your Network
For the sake of this tutorial, we'll assume eth0 is your office's private network and that the address of eth0 is 192.168.20.80. What we're going to do is change eth0 to have no IP address, then attach it, along with a tap interface, to an Ethernet bridge. Once that's complete, we assign the original 192.168.20.80 to the new bridge, not to the original eth0. The tap adapter will not have an IP address of its own either.
Here is an example of what your /etc/conf.d/net may look like:
depend_br0() {
need net.tap0 net.eth0
}
tuntap_tap0="tap"
config_eth0=( "null" )
config_tap0=( "0.0.0.0 promisc" )
bridge_br0="eth0 tap0"
# or dynamically add them when the interface comes up
#bridge_add_eth0="br0"
config_br0=( "192.168.20.80" )
Also, make sure you have all the correct network scripts setup:
cd /etc/init.d
ln -s net.lo net.eth0
ln -s net.lo net.tap0
ln -s net.lo net.br0
Now add them all to the default run-level:
rc-update add net.br0 default
And of course, go ahead and start them:
/etc/init.d/net.br0 start
Starting net.br0 should automatically bring up net.tap0 and net.eth0 thanks to the depend_br0() function in our /etc/conf.d/net file.
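As an added check that is not part of the original HOWTO, the shell functions below verify the layout just described from the text that brctl show and ip -o -4 addr show print: eth0 and tap0 enslaved to br0, the 192.168.20.80 address on br0 only, and no address left on the member interfaces. The command output is read from variables, so the functions run here against constructed samples; on the real server you would fill them from the live commands (BRCTL_OUT=$(brctl show); IP_OUT=$(ip -o -4 addr show)). Everything else in the block (function names, the sample bridge id) is assumed for the example.

```shell
#!/bin/sh
# Added example, not from the HOWTO: sanity checks for the bridge layout.
# bridge_members and iface_ipv4 parse command output supplied on stdin.

# Print the interfaces enslaved to bridge $1, one per line (brctl show on stdin).
bridge_members() {
    awk -v br="$1" '
        NR == 1 { next }                          # header line
        /^[^[:space:]]/ {                         # row that starts a new bridge
            cur = $1
            if (cur == br && NF >= 4) print $4    # first member shares the row
            next
        }
        cur == br { print $1 }                    # continuation rows: one member each
    '
}

# Print the IPv4 addresses (with prefix length) bound to interface $1
# (ip -o -4 addr show on stdin).
iface_ipv4() {
    awk -v dev="$1" '$2 == dev && $3 == "inet" { print $4 }'
}

# Return 0 when bridge $1 has exactly the members listed in $2 (space separated),
# carries address $3, and none of the members carries an IPv4 address itself.
# $BRCTL_OUT and $IP_OUT hold the command output to inspect.
check_bridge() {
    br=$1; want=$2; addr=$3
    members=$(printf '%s\n' "$BRCTL_OUT" | bridge_members "$br" | sort | tr '\n' ' ' | sed 's/ *$//')
    [ "$members" = "$want" ] || { echo "$br members: '$members', expected '$want'"; return 1; }
    [ "$(printf '%s\n' "$IP_OUT" | iface_ipv4 "$br")" = "$addr" ] || { echo "$br does not carry $addr"; return 1; }
    for m in $want; do
        [ -z "$(printf '%s\n' "$IP_OUT" | iface_ipv4 "$m")" ] || { echo "$m still has an IPv4 address"; return 1; }
    done
    echo "$br OK: members $members, address $addr"
}

# Constructed sample output matching the /etc/conf.d/net above (bridge id made up).
BRCTL_OUT='bridge name     bridge id               STP enabled     interfaces
br0             8000.000c29a1b2c3       no              eth0
                                                        tap0'
IP_OUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
3: br0    inet 192.168.20.80/24 brd 192.168.20.255 scope global br0\       valid_lft forever preferred_lft forever'

check_bridge br0 "eth0 tap0" 192.168.20.80/24
```

If check_bridge reports that eth0 still has an address, config_eth0 was not applied before the interface joined the bridge; if tap0 is missing from the member list, net.tap0 was not brought up before br0.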
Add Iptables rules
Note for iptables users: add the following to your iptables rules to allow traffic across your LAN from your VPN connection (without them I was only able to connect to the box hosting the VPN, as it wouldn't forward connections to other hosts on the subnet).
iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
Establishing OpenVPN Keys
In Gentoo, the easy-rsa scripts that come packaged with OpenVPN are installed into /usr/share/openvpn/. It's good to make a local copy of these before you start working with them, so I suggest the following:
cd /etc/openvpn
cp -r /usr/share/openvpn/easy-rsa .
You'll want to go into the easy-rsa directory and edit the vars script to your liking. The full details of how to make the keys can be found in the OpenVPN HOWTO, so I won't go into them here. It's really not that difficult.
The Server Configuration File
Here is a sample server configuration file. I won't give a detailed explanation, as one can be found in the examples section at http://openvpn.net/howto.html#examples; this is the configuration that fits the parameters above. You should adjust it to your liking:
File: /etc/openvpn/openvpn.conf
local 192.168.20.80
port 1194
proto udp
dev tap0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
# this will assign connecting clients an address in the range 100 to 150
server-bridge 192.168.20.80 255.255.255.0 192.168.20.100 192.168.20.150
# this will allow people to get the same IP address after a reconnect
ifconfig-pool-persist /etc/openvpn/ipp.txt
push "route 192.168.20.0 255.255.255.0"
# change this to your company's DNS server or omit it entirely
push "dhcp-option DNS 192.168.20.240"
keepalive 10 120
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status /tmp/openvpn-status.log
log-append /var/log/openvpn.log
verb 6
Note, I think the line starting "local" is wrong. Surely this should be set to an external IP address otherwise you will not let anyone from the internet connect? 217.205.167.137 17:24, 8 March 2007 (UTC)
In regard to the above note, the local directive refers to the internal IP address for the server to listen on, as stated in the example openvpn.cnf file [1].
Start The Server
Add the server to the default runlevel and then start it:
rc-update add openvpn default
/etc/init.d/openvpn start
Configure the Client
The client's config file should look something like this:
File: /etc/openvpn/openvpn.conf
client
dev tap
proto udp
remote myserver.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
ns-cert-type server
user nobody
group nogroup
ca ca.crt
cert client1.crt
key client1.key
Of course you're going to want to replace "myserver.com" with the actual FQDN of your OpenVPN server, and copy the client1.* files and ca.crt from the server over to /etc/openvpn on the client. To start the client and set it to run at boot:
/etc/init.d/openvpn start
rc-update add openvpn default
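The key-generation section above defers to the OpenVPN HOWTO, and the client config relies on ns-cert-type server; the added example below (my own, not the HOWTO's or easy-rsa's) shows both with plain openssl: a minimal CA, a server certificate marked nsCertType=server (the same extension easy-rsa's build-key-server applies) and a client certificate, followed by the two checks a client performs on the server's certificate: that it chains to ca.crt, and that it is a server certificate, so a leaked client certificate cannot be used to impersonate the server. Assumptions: openssl is on PATH, files go to $PKI_DIR (a temporary directory unless set), and the names "Example VPN CA", vpn.example.internal and client1 are made up. The server certificate also carries extendedKeyUsage=serverAuth, which is what OpenVPN 2.4's replacement for ns-cert-type, remote-cert-tls server, checks.

```shell
#!/bin/sh
# Added example (not from the HOWTO): minimal CA, server and client certificates
# built with openssl, plus the server-certificate check that `ns-cert-type server`
# performs on the client. Paths and names are assumptions for the example.
PKI_DIR=${PKI_DIR:-$(mktemp -d)}

# Create a key and CSR for $1 with CN $2, then sign it with the CA using the
# extensions in file $3.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$PKI_DIR/$1.csr" \
        -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" -CAcreateserial \
        -extfile "$3" -out "$PKI_DIR/$1.crt" 2>/dev/null
}

build_pki() {
    # Self-signed CA; basicConstraints and keyCertSign allow it to sign peers.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$PKI_DIR/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example VPN CA" \
        -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.csr" 2>/dev/null
    openssl x509 -req -days 3650 -in "$PKI_DIR/ca.csr" -signkey "$PKI_DIR/ca.key" \
        -extfile "$PKI_DIR/ca.ext" -out "$PKI_DIR/ca.crt" 2>/dev/null
    # Only the server certificate gets nsCertType=server / serverAuth; client
    # certificates get the client variants, so they never pass the server check.
    printf 'basicConstraints=CA:FALSE\nnsCertType=server\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
        > "$PKI_DIR/server.ext"
    printf 'basicConstraints=CA:FALSE\nnsCertType=client\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$PKI_DIR/client.ext"
    issue_cert server vpn.example.internal "$PKI_DIR/server.ext"
    issue_cert client1 client1 "$PKI_DIR/client.ext"
}

# 0 when certificate $1 chains to ca.crt: the check the `ca` directive enables.
verify_chain() {
    openssl verify -CAfile "$PKI_DIR/ca.crt" "$1" >/dev/null 2>&1
}

# Print the Netscape certificate type of $1 with spaces removed (SSLServer, SSLClient).
cert_ns_type() {
    openssl x509 -in "$1" -noout -text |
        awk '/Netscape Cert Type/ { getline; gsub(/ /, ""); print; exit }'
}

# 0 only for a certificate marked as a server certificate: the extra check that
# `ns-cert-type server` adds on top of chain validation.
is_server_cert() {
    [ "$(cert_ns_type "$1")" = "SSLServer" ]
}

build_pki
for c in server client1; do
    if verify_chain "$PKI_DIR/$c.crt"; then chain=valid; else chain=INVALID; fi
    if is_server_cert "$PKI_DIR/$c.crt"; then role=yes; else role=no; fi
    echo "$c.crt: chain $chain, accepted as server certificate: $role"
done
```

Both certificates validate against the CA, but only server.crt passes is_server_cert; that difference is exactly what ns-cert-type server (or remote-cert-tls server on OpenVPN 2.4 and later) adds, and it is why easy-rsa signs the server certificate with build-key-server rather than build-key.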
Running Multiple VPNs
The config above uses the default file location of /etc/openvpn/openvpn.conf. However, if you need to have multiple configs on one machine you can do this:
Create a new config file, for example /etc/openvpn/extravpn.conf
Now make symlinks to start them (like you would for net scripts)
cd /etc/init.d
ln -s openvpn openvpn.extravpn
Start and runlevel commands would then be:
/etc/init.d/openvpn.extravpn start
rc-update add openvpn.extravpn default
NOTE: you can rename the symlink to any arbitrary name as long as your config file for that server has the same name.
So this means VPN server 'foo' must have:
ln -s /etc/init.d/openvpn /etc/init.d/foo
and a corresponding config file with the same name:
nano /etc/openvpn/foo
Conclusion
That's it. You should be up and running now with a fully bridged OpenVPN connection. Try pinging something on your internal network to test it.
About the Author:
The original entry was created by Sumit Khanna (sumdog AT NO SPAM gmail d0t com) on July 21st 2005. If you find any mistakes or have any suggestions, please add them!
