Installing OpenVPN with Ethernet bridge

Why?

By working through these steps you can set up a stable VPN connection for any of the following situations:

  • I don’t live in the hostel, but would like to play LAN games with friends 🙂
  • I have a small multi-site firm and need to work as if we were in one local network: use common shares, printers and other internal resources securely (detailed steps will be described later if needed)
  • I’d like to enable teleworkers to work with the company’s internal network resources securely from home
  • I’d like to hide all my traffic from my current network provider and route it through the VPN tunnel (default routing will be described later if needed)

Basics

http://en.wikipedia.org/wiki/Virtual_private_network

http://en.wikipedia.org/wiki/Openvpn

http://en.wikipedia.org/wiki/Ethernet_bridge

Installing OpenVPN

Installing Server on Debian

apt-get install openvpn
  • creating folders, copying example configs
mkdir -p /usr/share/openvpn
cp -R /usr/share/doc/openvpn/* /usr/share/openvpn/
cp -R /usr/share/openvpn/examples/easy-rsa /usr/share/openvpn/
  • creating placeholders for keys
cd /usr/share/openvpn/easy-rsa/2.0/
mkdir keys
cd keys/
echo 01 > serial
touch index.txt
  • editing /usr/share/openvpn/easy-rsa/2.0/vars if needed
export KEY_COUNTRY="US"
export KEY_PROVINCE=""
export KEY_CITY="Chicago"
export KEY_ORG="John Doe Ltd."
export KEY_EMAIL="john@john-doe.jane"
  • creating placeholder for log files
mkdir /var/log/openvpn
  • creating the file containing local IP addresses for clients
touch /etc/openvpn/ipp.txt
  • creating the server configuration file /etc/openvpn/server.conf
port 1194
proto udp
dev tap0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
server-bridge 10.x.y.1 255.255.255.0 10.x.y.170 10.x.y.180
ifconfig-pool-persist /etc/openvpn/ipp.txt
push "route 10.x.y.0 255.255.255.0" # routing to the local network
keepalive 10 120
comp-lzo
client-to-client # enable clients to "see" each other
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
mute 20

Certificates

generating certificates

server

cd /usr/share/openvpn/easy-rsa/2.0
source vars
./build-ca
./build-dh
./build-key-server server

client

one key – one client correspondence

  • you have to replace client00 with a distinct name for each client; build-key issues an ordinary client certificate
cd /usr/share/openvpn/easy-rsa/2.0
source vars
./build-key client00

replacing keys

in case all keys were compromised

  • delete all keys
cd /usr/share/openvpn/easy-rsa/2.0
./clean-all
  • regenerate them
  • put everything in place
  • restart openvpn on the server and on the clients too

revoking a single key – http://openvpn.net/index.php/documentation/howto.html#revoke

verifying the certificate revocation list

openssl crl -in ./keys/crl.pem -text
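The revocation workflow above, worked through end to end as an added example (this is not code from the original post or from easy-rsa): a throwaway CA is built in a scratch directory, two client certificates are issued, one is revoked, and each is then verified against the CRL the same way the server's CRL check would. It assumes the openssl command-line tool (1.1.1 or newer) is on PATH; the names demo-ca, client00 and client01 are constructed for the demo. The pki_is_ca helper also confirms that an issued client certificate is not a CA certificate, which is what distinguishes build-key from pkitool's --inter option.

```shell
#!/bin/sh
# Added example, not code from the original post: build a throwaway CA in a scratch
# directory, issue client certificates, revoke one, and verify against the CRL the
# way "openssl crl -text" and the server's CRL check would. Assumes the openssl
# command-line tool (1.1.1 or newer) is on PATH. All names (demo-ca, client00,
# client01) are constructed for the demo.

# pki_init DIR: create an empty CA database plus a minimal openssl config under DIR,
# then generate the CA certificate and an initial (empty) CRL
pki_init() {
  dir=$1
  mkdir -p "$dir"
  : > "$dir/index.txt"
  echo 01 > "$dir/serial"
  echo 01 > "$dir/crlnumber"
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
new_certs_dir = $dir
database = $dir/index.txt
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
policy = any_cn
[ any_cn ]
commonName = supplied
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_client ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/ca.cnf" \
    -subj /CN=demo-ca -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  pki_gencrl "$dir"
}

# pki_gencrl DIR: (re)publish crl.pem from the CA database
pki_gencrl() {
  openssl ca -config "$1/ca.cnf" -cert "$1/ca.crt" -keyfile "$1/ca.key" \
    -gencrl -crldays 30 -out "$1/crl.pem" >/dev/null 2>&1
}

# pki_issue DIR NAME: issue NAME.crt as a plain client certificate (CA:FALSE)
pki_issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
  openssl ca -batch -config "$1/ca.cnf" -cert "$1/ca.crt" -keyfile "$1/ca.key" \
    -extensions v3_client -days 30 -in "$1/$2.csr" -out "$1/$2.crt" >/dev/null 2>&1
}

# pki_revoke DIR NAME: mark NAME.crt revoked and publish a fresh CRL
pki_revoke() {
  openssl ca -config "$1/ca.cnf" -cert "$1/ca.crt" -keyfile "$1/ca.key" \
    -revoke "$1/$2.crt" >/dev/null 2>&1
  pki_gencrl "$1"
}

# pki_check DIR NAME: 0 if NAME.crt chains to ca.crt and is absent from crl.pem
pki_check() {
  openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" "$1/$2.crt" >/dev/null 2>&1
}

# pki_is_ca DIR FILE: 0 if FILE carries basicConstraints CA:TRUE; a client
# certificate must not, otherwise its holder could sign certificates of their own
pki_is_ca() {
  openssl x509 -in "$1/$2" -noout -text | grep -q 'CA:TRUE'
}

# pki_revoked_count DIR: number of serials listed on the current CRL
pki_revoked_count() {
  openssl crl -in "$1/crl.pem" -text -noout | grep -c 'Serial Number:' || true
}

# Stand-alone demo: issue two clients, revoke one, show the CRL check outcome
if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  pki_init "$work"
  pki_issue "$work" client00
  pki_issue "$work" client01
  pki_revoke "$work" client00
  for c in client00 client01; do
    if pki_check "$work" "$c"; then echo "$c: valid"; else echo "$c: revoked or untrusted"; fi
  done
  rm -rf "$work"
fi
```

The same `openssl verify -crl_check` call can be pointed at the real ca.crt and crl.pem under /etc/openvpn to confirm that a revoked client is rejected before the server is restarted with the new CRL.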

Tidying up

copy these server config and related files to /etc/openvpn

ca.crt
ca.key
server.crt
server.csr
server.key
dh1024.pem

pack these client files together

ca.crt
client00.crt
client00.csr
client00.key
  • replace 10.x.y. with your local network address
  • it’s important to use a network, that doesn’t overlap with any of the clients’ networks
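The two addressing rules above (the server-bridge pool in server.conf must fit the bridge's subnet, and the LAN must not overlap any client's network) can be checked arithmetically before the bridge goes live. The script below is an added example, not code from the original post; it uses the constructed values 10.8.0.0/24 in place of the post's 10.x.y.0/24, and the DHCP scope 10.8.0.100-169 and client network 192.168.1.0/24 are likewise made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: arithmetic sanity checks for the
# addressing plan before the bridge goes live. The "server-bridge" line hands clients
# addresses from a pool that must sit inside the bridge's own subnet and stay clear
# of the gateway and of the LAN DHCP scope, and the LAN itself must not overlap any
# client's home network. Addresses below are constructed (10.8.0.0/24 stands in for
# the post's 10.x.y.0/24).

# ip2int A.B.C.D: print the address as an integer
ip2int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NET MASK: 0 if IP lies inside NET/MASK (all dotted quads)
in_subnet() {
  ip=$(ip2int "$1"); net=$(ip2int "$2"); mask=$(ip2int "$3")
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# pool_ok GATEWAY MASK POOL_START POOL_END: 0 if a
# "server-bridge GATEWAY MASK POOL_START POOL_END" line is self-consistent:
# both pool ends inside the subnet, start <= end, gateway outside the pool
pool_ok() {
  in_subnet "$3" "$1" "$2" || return 1
  in_subnet "$4" "$1" "$2" || return 1
  gw=$(ip2int "$1"); s=$(ip2int "$3"); e=$(ip2int "$4")
  [ "$s" -le "$e" ] || return 1
  [ "$gw" -lt "$s" ] || [ "$gw" -gt "$e" ]
}

# ranges_overlap S1 E1 S2 E2: 0 if the inclusive ranges share an address,
# e.g. the VPN pool versus the LAN DHCP scope on the same bridge
ranges_overlap() {
  a=$(ip2int "$1"); b=$(ip2int "$2"); c=$(ip2int "$3"); d=$(ip2int "$4")
  [ "$a" -le "$d" ] && [ "$c" -le "$b" ]
}

# nets_overlap NET1 MASK1 NET2 MASK2: 0 if the two networks share any address;
# they do exactly when both agree under the shorter of the two masks
nets_overlap() {
  n1=$(ip2int "$1"); m1=$(ip2int "$2"); n2=$(ip2int "$3"); m2=$(ip2int "$4")
  if [ "$m1" -lt "$m2" ]; then m=$m1; else m=$m2; fi
  [ $(( n1 & m )) -eq $(( n2 & m )) ]
}

# Stand-alone demo with the constructed values
if pool_ok 10.8.0.1 255.255.255.0 10.8.0.170 10.8.0.180; then
  echo "server-bridge pool: OK"
else
  echo "server-bridge pool: inconsistent"
fi
if ranges_overlap 10.8.0.170 10.8.0.180 10.8.0.100 10.8.0.169; then
  echo "pool collides with the DHCP scope"
else
  echo "pool is clear of DHCP scope 10.8.0.100-169"
fi
if nets_overlap 10.8.0.0 255.255.255.0 192.168.1.0 255.255.255.0; then
  echo "LAN overlaps a client network"
else
  echo "LAN 10.8.0.0/24 does not overlap 192.168.1.0/24"
fi
```

Run nets_overlap once per teleworker or branch network you expect to connect; a single overlap means that client's own LAN and the bridged LAN become unreachable from each other once the tunnel is up.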

Configuring the Ethernet bridge

installing the bridge

apt-get install bridge-utils

create /etc/openvpn/bridge-start

#!/bin/bash

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth1"
eth_ip="10.x.y.1"
eth_netmask="255.255.255.0"
eth_broadcast="10.x.y.255"

for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

create /etc/openvpn/bridge-stop

#!/bin/bash

####################################
# Tear Down Ethernet bridge on Linux
####################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged together
tap="tap0"

ifconfig $br down
brctl delbr $br

for t in $tap; do
    openvpn --rmtun --dev $t
done

chmod +x /etc/openvpn/bridge-st*
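Because a half-built bridge is what takes the LAN down, it is worth confirming after bridge-start that br0 really holds both the physical NIC and the TAP device. The check below is an added example (not part of the original post or of bridge-utils): it parses the text that `brctl show` prints, where the first member sits on the bridge's own row and further members follow on rows carrying only the interface name. The sample output is constructed; on a live host pass "$(brctl show)" instead.

```shell
#!/bin/sh
# Added example, not code from the original post: verify bridge membership from
# "brctl show" output. SAMPLE_BRCTL is constructed to mirror the layout brctl
# prints; replace it with "$(brctl show)" on a real host.

SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br0             8000.001122334455       no              eth1
                                                        tap0
br1             8000.66778899aabb       no              eth2'

# bridge_members BRIDGE TEXT: print the interfaces enslaved to BRIDGE, one per line.
# A row with 3 or 4 fields starts a new bridge (4th field = first member);
# a row with a single field is a continuation carrying one more member.
bridge_members() {
  printf '%s\n' "$2" | awk -v br="$1" '
    function member(b, ifc) { if (b == br) print ifc }
    NR == 1 { next }
    NF >= 3 { cur = $1; if (NF == 4) member(cur, $4); next }
    NF == 1 { member(cur, $1) }'
}

# bridge_ok BRIDGE TEXT IFACE...: 0 only if every IFACE is a member of BRIDGE
bridge_ok() {
  br=$1; txt=$2; shift 2
  members=$(bridge_members "$br" "$txt")
  for want in "$@"; do
    printf '%s\n' "$members" | grep -qx "$want" || return 1
  done
  return 0
}

# Stand-alone demo against the constructed sample
if bridge_ok br0 "$SAMPLE_BRCTL" eth1 tap0; then
  echo "br0: eth1 and tap0 are bridged"
else
  echo "br0: a member is missing, run bridge-stop and check the script"
fi
```

A failed check right after bridge-start is the moment to run bridge-stop and restore the address on the physical interface, before OpenVPN, samba and the DHCP server are restarted on top of the bridge.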

Further steps

firewall

  • local interface identifiers have to be replaced from “ethx” to “br0” in the iptables commands
  • the server must accept connections to UDP port 1194 in its INPUT chain
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
  • traffic for the tun & tap interfaces has to be enabled in the INPUT and FORWARD chains
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
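The ACCEPT lines above only make sense inside a ruleset that drops by default, and the “ethx” to “br0” rename is easy to get half done. The script below is an added example (not code from the original post): it prints the three rules from the post inside a stateful default-drop filter table in iptables-restore format, and checks that no rule still selects the old physical interface. Interface and port values are constructed for the demo; review the output before loading it with `iptables-restore`.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's ACCEPT rules for the
# VPN port and the tap+/tun+ interfaces inside a complete default-drop ruleset in
# iptables-restore format, plus a check that no rule still names the physical NIC
# the bridge replaced. Interface and port values are constructed.

# vpn_ruleset LAN_IF VPN_PORT: print a filter table for the bridge host.
# LAN_IF must be the bridge (br0): after bridging the physical NIC carries no
# address, so rules matching its name no longer see local traffic.
vpn_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport $2 -j ACCEPT
-A INPUT -i $1 -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $1 -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
COMMIT
EOF
}

# stale_iface_refs RULES IFACE: print every rule in RULES that still selects IFACE
# with -i or -o; empty output means the ethx -> br0 rename is complete
stale_iface_refs() {
  printf '%s\n' "$1" | grep -E -- "-(i|o) $2( |\$)" || true
}

# Stand-alone demo: the br0 ruleset, then the leftovers a forgotten rename leaves
vpn_ruleset br0 1194
stale_iface_refs "$(vpn_ruleset eth1 1194)" eth1 | sed 's/^/stale: /'
```

The same stale_iface_refs check works on the live tables: feed it "$(iptables-save)" and the name of the interface that bridge-start enslaved.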

samba config

local interface identifiers have to be replaced from “ethx” to “br0”

dhcp server

local interface identifiers have to be replaced from “ethx” to “br0” in /etc/default/dhcp3-server

auto bridge-up

ln -s /etc/openvpn/bridge-start /etc/rcS.d/S99bridge-start

openvpn init

for advanced and brave admins: you can start everything with a script. If it fails, you might brick your local network connectivity

  • it starts the bridge and restarts the services in a few seconds
  • it is wise to schedule it for late at night
#!/bin/sh

/etc/openvpn/bridge-start
/etc/init.d/openvpn restart
/etc/init.d/samba restart
/etc/init.d/dhcp3-server restart
/etc/init.d/firewall.sh

Client settings

Debian / Ubuntu

  • install the software
  • apt-get install openvpn
  • ensure that systime is accurate
  • extract ca.crt, client.crt, client.key to /etc/openvpn
  • create client.conf
client
remote {ip address / dns name of the server}
port 1194
proto udp
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
dev tap
comp-lzo
verb 3
mute 10
ns-cert-type server
persist-key
persist-tun
  • modify the firewall to allow all traffic on the tap0 interface
  • also masquerade traffic leaving the tap0 (for site2site configuration)
iptables -A INPUT -i tap0 -j ACCEPT
iptables -A FORWARD -i tap0 -j ACCEPT
iptables -A FORWARD -o tap0 -j ACCEPT
iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE
iptables -A INPUT -i tap+ -p icmp -m limit --limit 10/sec -j ACCEPT
  • restart openvpn
/etc/init.d/openvpn restart

windows

client
remote <ip/dns name of the server>
port 1194
proto udp
ca C:\\Progra~1\\OpenVPN\\config\\ca.crt
cert C:\\Progra~1\\OpenVPN\\config\\.crt
key C:\\Progra~1\\OpenVPN\\config\\.key
dev tap
comp-lzo
verb 3
mute 10
ns-cert-type server
persist-key
persist-tun
  • start OpenVPN GUI (on x64 OS as Administrator, so that the route entries can be created)

This concludes the setup of a simple OpenVPN server-client configuration.

Have fun with it. Any comments/suggestions are welcome 🙂
