Installing and configuring Openvpn in bridged mode
Installation
apt-get update
apt-get install openvpn bridge-utils
Obtain Easy-rsa to generate certs for servers and clients
Get easy-rsa.tgz
cd /etc/openvpn
wget http://holland.burn/wiki/files/easy-rsa.tgz
tar xvf easy-rsa.tgz
cd easy-rsa/2.0
Modify /etc/openvpn/easy-rsa/2.0/vars to your configuration.
vi /etc/openvpn/easy-rsa/2.0/vars
Generate Server Certs
Make sure the certs have a place to land.
mkdir -p /etc/openvpn/certs/
Certificates, keys, etc.
I edited the vars file under easy-rsa 2.0 to match my desired configuration. In this case I went paranoid and generated a 2048-bit DH.
This site talks about how to use pkitool: http://svn.openvpn.net/projects/openvpn/contrib/dazo/easy-rsa/2.0/README
cd /etc/openvpn/easy-rsa/2.0/
source ./vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
cp server.crt server.key ca.crt dh2048.pem ta.key /etc/openvpn/certs/
Copy generated credentials to /etc/openvpn/certs/
Generate Client Certs
This script will generate certs with a password.
/etc/openvpn/gen_ovpn_pw_client_config.sh
#!/bin/bash
## Variables
SERVER="cervin"                          # Name of Router/Firewall
DOMAIN="home"
OUTCONF="${SERVER}.ovpn"
REMOTEADDR="openvpn_server_ip_address"   # Outside IP address of Router/Firewall. If IP changes, this will need to be changed in client config
REMOTEPORT="4000"
SCRIPT_PATH="/etc/openvpn/client_configs"
EASY_RSA_20_PATH="/etc/openvpn/easy-rsa/2.0"

# Get client variable from user
clear
read -p "Did you set the variables in this script? Ctrl+C to break."
echo
echo -n "Client computer name (one word):"
read -e CLIENT

# Generate and copy the cert
mkdir -p ${SCRIPT_PATH}/${CLIENT}
cd ${EASY_RSA_20_PATH}
source ./vars
sleep 2
./pkitool --pass ${CLIENT}.${DOMAIN}
sleep 2
cd ${EASY_RSA_20_PATH}/keys
cp -a ${CLIENT}.* ${SCRIPT_PATH}/${CLIENT}
cd /etc/openvpn/certs
cp ta.key ${SCRIPT_PATH}/${CLIENT}/${SERVER}.${DOMAIN}.ta.key
cp ca.crt ${SCRIPT_PATH}/${CLIENT}/${SERVER}.${DOMAIN}.ca.crt
clear
sleep 1
clear

# Define openvpn config template
cat > ${SCRIPT_PATH}/${CLIENT}/$OUTCONF <<-EOF
# Client configuration file for OpenVPN
# Specify that this is a client
client
# Bridge device setting
dev tap
proto tcp
# Host name and port for the server (default port is 1194)
# note: replace with the correct values your server set up
remote $REMOTEADDR $REMOTEPORT
# Client does not need to bind to a specific local port
nobind
# Keep trying to resolve the host name of OpenVPN server.
## The windows GUI seems to dislike the following rule. You may need to comment it out.
resolv-retry infinite
# Preserve state across restarts
persist-key
persist-tun
# SSL/TLS parameters - files created previously
ca ${SERVER}.${DOMAIN}.ca.crt
cert ${CLIENT}.${DOMAIN}.crt
key ${CLIENT}.${DOMAIN}.key
remote-cert-tls server
# Permissions: drop privileges to user/group nobody
user nobody
group nogroup
# Use compression
comp-lzo
# Log verbosity (to help if there are problems)
verb 3
# Uncomment if you want to redirect all traffic through the VPN.
#redirect-gateway def1
EOF

cd ${SCRIPT_PATH}
tar czf ${CLIENT}.tgz ${CLIENT}
ls -lah
echo
echo
echo "Raw config generated."
echo "Path: ${SCRIPT_PATH}/${CLIENT}"
echo
echo
echo "Exportable config tarball generated."
echo "Path: ${SCRIPT_PATH}/${CLIENT}.tgz"
echo
echo "Note: If you wish to recreate the same cert with the same name"
echo "you will need to remove it from easy-rsa index.txt and delete the originals:"
echo
echo "index.txt Path: ${EASY_RSA_20_PATH}/keys/index.txt"
echo "Certs Path: ${EASY_RSA_20_PATH}/keys"
echo
echo "Use a secure means to transport this configuration."
echo
Fix Permissions
chmod u+x /etc/openvpn/gen_ovpn_pw_client_config.sh
Execute to build client certs. Follow directions in script.
/etc/openvpn/gen_ovpn_pw_client_config.sh
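Before handing a generated bundle to a user it is worth checking that it is actually usable and not leaking the private key: the files named in the .ovpn must be present beside it, the key must not be readable by other users, and the certificate must chain to the CA and carry the clientAuth extended key usage that the server's remote-cert-tls client line will insist on. The script below is an added example, not part of the wiki page or of easy-rsa; it assumes POSIX sh and the openssl command, and the toy CA and client certificate that make_demo_bundle builds are constructed stand-ins for easy-rsa output, named the way the page's script names them for SERVER=cervin, DOMAIN=home and a client called laptop.

```shell
#!/bin/sh
# Added example, not part of the wiki page: sanity-check a client bundle from
# gen_ovpn_pw_client_config.sh before it is handed out. Assumes POSIX sh and the
# openssl command. The CA, client key and certificate that make_demo_bundle
# builds are constructed throw-away material standing in for easy-rsa output.

# cert_is_client CA CERT: true if CERT chains to CA and carries the clientAuth
# EKU, which is what the server's "remote-cert-tls client" line checks
cert_is_client() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -text | grep -q 'TLS Web Client Authentication'
}

# key_is_private FILE: true if group and others have no permission bits at all
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_bundle DIR OVPN: every ca/cert/key file named in the .ovpn must exist
# next to it, the key must be private, and the cert must be a client cert
check_bundle() {
    dir=$1; rc=0
    ca=$(awk '$1=="ca"{print $2}' "$dir/$2")
    crt=$(awk '$1=="cert"{print $2}' "$dir/$2")
    key=$(awk '$1=="key"{print $2}' "$dir/$2")
    for f in "$ca" "$crt" "$key"; do
        [ -n "$f" ] && [ -f "$dir/$f" ] || { echo "missing file: '$f'"; rc=1; }
    done
    [ $rc -eq 0 ] || return 1
    key_is_private "$dir/$key" || { echo "$key is readable by other users"; rc=1; }
    cert_is_client "$dir/$ca" "$dir/$crt" || { echo "$crt is not a client cert signed by $ca"; rc=1; }
    return $rc
}

# make_demo_bundle DIR: toy CA plus one clientAuth cert (constructed for this
# example), laid out like the page's script does for cervin/home/laptop
make_demo_bundle() {
    d=$1; mkdir -p "$d"
    printf 'basicConstraints=CA:TRUE\n' > "$d/ca_ext.cnf"
    printf 'extendedKeyUsage=clientAuth\n' > "$d/client_ext.cnf"
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=demo-ca \
        -keyout "$d/ca.key" -out "$d/ca.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/ca.csr" -signkey "$d/ca.key" \
        -extfile "$d/ca_ext.cnf" -out "$d/cervin.home.ca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=laptop.home \
        -keyout "$d/laptop.home.key" -out "$d/laptop.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/laptop.csr" -CA "$d/cervin.home.ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/client_ext.cnf" \
        -out "$d/laptop.home.crt" >/dev/null 2>&1
    chmod 600 "$d/laptop.home.key"
    printf 'client\ndev tap\nca cervin.home.ca.crt\ncert laptop.home.crt\nkey laptop.home.key\n' \
        > "$d/cervin.ovpn"
}

# Stand-alone demo: build a bundle and check it
demo=${TMPDIR:-/tmp}/ovpn_bundle_demo_$$
make_demo_bundle "$demo" && check_bundle "$demo" cervin.ovpn && echo "bundle OK"
rm -rf "$demo"
```

For a real bundle, run check_bundle against the directory the script leaves under /etc/openvpn/client_configs before packing it; a key that fails key_is_private should be re-copied rather than chmod'ed in place, since a world-readable key has already been exposed to other local users.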
Configure Server side
openvpn.conf
port 4000
proto tcp
dev tap0
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh2048.pem
remote-cert-tls client
server-bridge 10.1.1.1 255.255.255.0 10.1.1.80 10.1.1.99
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
script-security 2
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
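One thing stands out when the certificate step and this server config are read together: ta.key is generated and copied into every client bundle, but neither openvpn.conf nor the generated .ovpn ever loads it, so the tls-auth HMAC that would shield the TLS handshake from anything that can reach port 4000 is never in effect. The audit script below is an added example, not part of the wiki page or of OpenVPN; it assumes POSIX sh, grep, awk and find. write_page_config writes the page's openvpn.conf unchanged and write_hardened_config writes the same file with the ta.key actually loaded; both files are constructed here for the example.

```shell
#!/bin/sh
# Added example, not part of the wiki page: audit an OpenVPN server config for
# the directives this bridged setup depends on and for what the page's own
# openvpn.conf leaves out. Assumes POSIX sh, grep, awk and find. The config
# written by write_page_config is the page's openvpn.conf; write_hardened_config
# is the same file with the generated ta.key actually loaded (constructed here).

# has_directive FILE NAME: true if NAME appears as an uncommented directive
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# audit_config FILE: print one line per finding; prints nothing for a clean file
audit_config() {
    f=$1
    # bridged mode needs server-bridge (not server) plus the PKI files from the
    # certificate step; remote-cert-tls client rejects certs without the client EKU
    for d in ca cert key dh server-bridge remote-cert-tls; do
        has_directive "$f" "$d" || echo "MISSING: $d"
    done
    # ta.key is generated and copied to every client bundle, but nothing loads
    # it unless tls-auth is set on both sides; without it the TLS handshake is
    # reachable by anything that can connect to the listening port
    has_directive "$f" tls-auth || echo "WARN: ta.key generated but tls-auth not configured"
    # level 2 is enough for up.sh/down.sh; level 3 also hands auth-user-pass
    # credentials to scripts through the environment
    if grep -Eq '^[[:space:]]*script-security[[:space:]]+3' "$f"; then
        echo "WARN: script-security 3 exceeds what up.sh/down.sh need"
    fi
    # scripts the daemon runs as root must not be writable by other users
    for s in $(awk '$1=="up"||$1=="down"{gsub(/"/,"",$2); print $2}' "$f"); do
        [ -e "$s" ] || continue
        [ -z "$(find "$s" -perm -o+w)" ] || echo "WARN: $s is world-writable"
    done
}

# finding_count FILE: number of findings, printed on stdout (always exits 0)
finding_count() {
    audit_config "$1" | awk 'END { print NR }'
}

# The server config from the page, unchanged
write_page_config() {
    cat > "$1" <<'EOF'
port 4000
proto tcp
dev tap0
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh2048.pem
remote-cert-tls client
server-bridge 10.1.1.1 255.255.255.0 10.1.1.80 10.1.1.99
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
script-security 2
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
EOF
}

# Same config with the ta.key from the certificate step in use. The client
# side of the pair is "tls-auth cervin.home.ta.key 1" in the generated .ovpn
# (key-direction 0 on the server, 1 on clients).
write_hardened_config() {
    write_page_config "$1"
    echo 'tls-auth /etc/openvpn/certs/ta.key 0' >> "$1"
}

# Stand-alone demo: audit the page config and the hardened one
tmp=${TMPDIR:-/tmp}/ovpn_audit_$$.conf
write_page_config "$tmp"; echo "page config:"; audit_config "$tmp"
write_hardened_config "$tmp"; echo "hardened config:"; audit_config "$tmp"
rm -f "$tmp"
```

Run audit_config against /etc/openvpn/openvpn.conf on the server itself so the up/down script ownership check sees the real files. Enabling tls-auth is a two-sided change: the server line shown in write_hardened_config and a matching tls-auth line with key-direction 1 in every client config the generator script emits.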
Next we'll create /etc/openvpn/up.sh and /etc/openvpn/down.sh
up.sh
/etc/openvpn/up.sh
#!/bin/sh
# Called by openvpn as: up.sh br0 <tap device> <mtu> ...
BR=$1
DEV=$2
MTU=$3
/sbin/ifconfig $DEV mtu $MTU promisc up
/sbin/brctl addif $BR $DEV
down.sh
/etc/openvpn/down.sh
#!/bin/sh
# Called by openvpn as: down.sh br0 <tap device> ...
BR=$1
DEV=$2
/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down
Make sure they are executable.
chmod 755 /etc/openvpn/down.sh
chmod 755 /etc/openvpn/up.sh
sysctl.conf
This next step is very important, because it allows the kernel to forward IP traffic from the VPN to the bridged network.
Modify /etc/sysctl.conf
net.ipv4.ip_forward=1
Enable for startup
systemctl enable openvpn@openvpn.service
Restart the server for the changes to take effect.