Installing and configuring Openvpn in bridged mode

From Fyzix

Installation

apt-get update
apt-get install openvpn bridge-utils

Obtain Easy-rsa to generate certs for servers and clients

Get easy-rsa.tgz

cd /etc/openvpn
wget http://holland.burn/wiki/files/easy-rsa.tgz
tar xvf easy-rsa.tgz
cd easy-rsa/2.0

Edit /etc/openvpn/easy-rsa/2.0/vars to match your configuration.

vi /etc/openvpn/easy-rsa/2.0/vars

Generate Server Certs

Make sure the certs have a place to land.

mkdir -p /etc/openvpn/certs/

Certificates, keys, etc.

I edited the vars file under easy-rsa 2.0 to match my desired configuration. In this case I went paranoid and generated a 2048-bit DH.

This site talks about how to use pkitool: http://svn.openvpn.net/projects/openvpn/contrib/dazo/easy-rsa/2.0/README

cd /etc/openvpn/easy-rsa/2.0/
source ./vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
cp server.crt server.key ca.crt dh2048.pem ta.key /etc/openvpn/certs/

Copy generated credentials to /etc/openvpn/certs/

Generate Client Certs

This script generates a client cert whose private key is protected by a passphrase (pkitool --pass), writes a matching client config, and packages both into a tarball.

/etc/openvpn/gen_ovpn_pw_client_config.sh

#!/bin/bash

## Variables
SERVER="cervin" # Name of Router/Firewall
DOMAIN="home"
OUTCONF="${SERVER}.ovpn"
REMOTEADDR="openvpn_server_ip_address" # Outside Ipaddress of Router/Firewall. If IP changes, this will need to be changed in client config
REMOTEPORT="4000"
SCRIPT_PATH="/etc/openvpn/client_configs"
EASY_RSA_20_PATH="/etc/openvpn/easy-rsa/2.0"


# Get client variable from user
clear
read -p "Did you set the variables in this script? Ctrl+C to break."
echo
echo -n "Client computer name (one word):"
read -e CLIENT

# Generate and copy the cert
mkdir -p ${SCRIPT_PATH}/${CLIENT}
cd ${EASY_RSA_20_PATH}
source ./vars
sleep 2
./pkitool --pass ${CLIENT}.${DOMAIN}
sleep 2
cd ${EASY_RSA_20_PATH}/keys
cp -a ${CLIENT}.* ${SCRIPT_PATH}/${CLIENT}
cd /etc/openvpn/certs
cp ta.key ${SCRIPT_PATH}/${CLIENT}/${SERVER}.${DOMAIN}.ta.key
cp ca.crt ${SCRIPT_PATH}/${CLIENT}/${SERVER}.${DOMAIN}.ca.crt
clear
sleep 1
clear

# Define openvpn config template
cat > ${SCRIPT_PATH}/${CLIENT}/$OUTCONF <<-EOF
# Client configuration file for OpenVPN. Specify that this is a client.
client

# Bridge device setting
dev tap
proto tcp

# Host name (or IP) and port of the server (default port is 1194); replace with your server's values
remote $REMOTEADDR $REMOTEPORT

# Client does not need to bind to a specific local port
nobind

# Keep trying to resolve the host name of OpenVPN server.
## The windows GUI seems to dislike the following rule. You may need to comment it out.
resolv-retry infinite

# Preserve state across restarts
persist-key
persist-tun

# SSL/TLS parameters - files created previously
ca ${SERVER}.${DOMAIN}.ca.crt
cert ${CLIENT}.${DOMAIN}.crt
key ${CLIENT}.${DOMAIN}.key
remote-cert-tls server
# ${SERVER}.${DOMAIN}.ta.key is shipped alongside this config but is only used if tls-auth
# is enabled on both sides: uncomment the next line here and add
# "tls-auth /etc/openvpn/certs/ta.key 0" to the server's openvpn.conf.
#tls-auth ${SERVER}.${DOMAIN}.ta.key 1

# Permissions drop privileges to user/group nobody
user nobody
group nogroup

# Use compression
comp-lzo
# Log verbosity (to help if there are problems)
verb 3

# Uncomment if you want to redirect all traffic though the VPN.
#redirect-gateway def1


EOF
cd ${SCRIPT_PATH}
tar czf ${CLIENT}.tgz ${CLIENT}
ls -lah
echo
echo
echo "Raw config generated."
echo "Path: ${SCRIPT_PATH}/${CLIENT}"
echo
echo
echo "Exportable config tarball generated."
echo "Path: ${SCRIPT_PATH}/${CLIENT}.tgz"
echo
echo "Note: If you wish to recreate the same cert with the same name"
echo "you will need to remove it from easy-rsa index.txt and delete the originals:"
echo
echo "index.txt Path: ${EASY_RSA_20_PATH}/keys/index.txt"
echo "Certs Path: ${EASY_RSA_20_PATH}/keys"
echo
echo "Use a secure means to transport this configuration."
echo

Fix Permissions

chmod u+x /etc/openvpn/gen_ovpn_pw_client_config.sh

Run it to build a client cert, following the prompts in the script.

/etc/openvpn/gen_ovpn_pw_client_config.sh

Configure Server side

openvpn.conf

port 4000
proto tcp
dev tap0
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh2048.pem
remote-cert-tls client
server-bridge 10.1.1.1 255.255.255.0 10.1.1.80 10.1.1.99
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
script-security 2
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
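As an added check that is not part of the wiki page, this Python lint parses a generated client .ovpn and the server openvpn.conf above and reports the settings that must agree in bridged mode (device type, protocol, port and the remote-cert-tls pairing); it also flags that the ta.key the steps generate is referenced by neither side. The two configs embedded in the block are constructed excerpts of the page's own client template and server config.

```python
import shlex
# Constructed sample inputs, reduced to the directives the check reads: the client
# template the page's script writes (default REMOTEADDR/REMOTEPORT) and the server config.
CLIENT_CONF = """client
dev tap
proto tcp
remote openvpn_server_ip_address 4000
remote-cert-tls server
"""
SERVER_CONF = """port 4000
proto tcp
dev tap0
remote-cert-tls client
up "/etc/openvpn/up.sh br0"
"""

def parse_ovpn(text):
    """(directive, [args]) per line; only lines starting with '#' or ';' are comments."""
    conf = []
    for line in (l.strip() for l in text.splitlines()):
        if line and line[0] not in "#;":
            parts = shlex.split(line)          # keeps "/etc/openvpn/up.sh br0" as one arg
            conf.append((parts[0], parts[1:]))
    return conf

def first(conf, name, default=None):
    return next((args for d, args in conf if d == name), default)

def check_pair(client_text, server_text):
    """List mismatches between a generated .ovpn and the bridged server config."""
    c, s = parse_ovpn(client_text), parse_ovpn(server_text)
    issues = []
    # 'tap' vs 'tap0': the digit only names the interface, the device type must match
    cdev, sdev = first(c, "dev", [""])[0], first(s, "dev", [""])[0]
    if cdev.rstrip("0123456789") != sdev.rstrip("0123456789"):
        issues.append(f"dev type mismatch: client '{cdev}' vs server '{sdev}'")
    cproto, sproto = first(c, "proto", [""])[0], first(s, "proto", [""])[0]
    if cproto.split("-")[0] != sproto.split("-")[0]:   # tcp-server/tcp-client == tcp
        issues.append(f"proto mismatch: client '{cproto}' vs server '{sproto}'")
    remote = first(c, "remote", [])
    rport = remote[1] if len(remote) > 1 else "1194"   # OpenVPN's default port
    sport = first(s, "port", ["1194"])[0]
    if rport != sport:
        issues.append(f"client remote port {rport} != server port {sport}")
    if first(c, "remote-cert-tls") != ["server"] or first(s, "remote-cert-tls") != ["client"]:
        issues.append("remote-cert-tls must be 'server' on the client and 'client' on the server")
    c_no_ta, s_no_ta = first(c, "tls-auth") is None, first(s, "tls-auth") is None
    if c_no_ta or s_no_ta:
        issues.append("tls-auth unused on " + ("both sides (ta.key unreferenced)" if c_no_ta and s_no_ta else "one side only"))
    return issues
```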

Next we'll create /etc/openvpn/up.sh and /etc/openvpn/down.sh, which OpenVPN runs (allowed by script-security 2) to add the tap device to the bridge when the tunnel comes up and to remove it on shutdown.

up.sh

/etc/openvpn/up.sh

#!/bin/sh
# OpenVPN calls this as: up.sh <args from openvpn.conf> <tun_dev> <tun_mtu> ...
# so $1 is the bridge name given in openvpn.conf (br0), and $2/$3 are the tap
# device and MTU that OpenVPN appends. The bridge br0 must already exist.

BR=$1
DEV=$2
MTU=$3
/sbin/ifconfig $DEV mtu $MTU promisc up
/sbin/brctl addif $BR $DEV

down.sh

/etc/openvpn/down.sh

#!/bin/sh
# Same argument order as up.sh: $1 is the bridge from openvpn.conf, $2 the tap device.

BR=$1
DEV=$2

/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down

Make sure they are executable.

chmod 755 /etc/openvpn/down.sh
chmod 755 /etc/openvpn/up.sh

sysctl.conf

This next step is very important, because it allows the VPN to forward information to the bridged network.

Modify /etc/sysctl.conf

net.ipv4.ip_forward=1

Enable at startup

systemctl enable openvpn@openvpn.service

Restart the server for the changes to take effect.