{"id":1758,"date":"2014-02-16T23:06:18","date_gmt":"2014-02-16T21:06:18","guid":{"rendered":"http:\/\/raftaman.net\/?p=1758"},"modified":"2021-05-15T11:46:37","modified_gmt":"2021-05-15T09:46:37","slug":"how-to-set-up-a-basic-openvpn-bridging-server","status":"publish","type":"post","link":"https:\/\/possiblelossofprecision.net\/?p=1758","title":{"rendered":"How to set up a basic OpenVPN bridging server"},"content":{"rendered":"

Beside the official OpenVPN documentation<\/a> there’s a vast number of howtos and guides out there, that’ll tell you how to set up an OpenVPN<\/a> server. Unfortunately, most of these use a tunneling setup including some sort of router and packet filter. If you want to transport non-IP based traffic and can accept the increased broadcast overhead and poor scalability, you need to setup an OpenVPN bridge<\/a>.<\/p>\n

<\/p>\n

Installing the packages<\/h2>\n

Since OpenVPN is one of the most popular VPN solutions, we don’t have to worry about compiling the software ourselves. Fedora ships a pre-packaged version and even offers a bunch of scripts (easy-rsa<\/code>) that greatly simplify key-handling.<\/p>\n

\r\nyum install openvpn easy-rsa\r\n<\/pre>\n
Generating the keys<\/h2>\n
Before we can configure the actual OpenVPN server, we have to deal with key management. There are a couple of ways to authenticate with an OpenVPN server instance, but the best choice is usually an X.509 certificate and pre-shared keys.<\/p>\n
The first step is to set some environment variables (KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL), which are found at the bottom of \/usr\/share\/easy-rsa\/2.0\/vars<\/code><\/p>\n
\r\n[...]\r\nexport KEY_COUNTRY="US"\r\nexport KEY_PROVINCE="CA"\r\nexport KEY_CITY="City"\r\nexport KEY_ORG="Company"\r\nexport KEY_EMAIL=mail@example.org\r\nexport KEY_CN=server-CA\r\nexport KEY_NAME=server-CA\r\nexport KEY_OU=""\r\n<\/pre>\n
Next, we can create our Certificate Authority key<\/p>\n
\r\n# cd \/usr\/share\/openvpn\/easy-rsa\/2.0\/\r\n# source .\/vars \r\nNOTE: If you run .\/clean-all, I will be doing a rm -rf on \/usr\/share\/easy-rsa\/2.0\/keys\r\n# .\/clean-all\r\n# .\/build-ca \r\nGenerating a 1024 bit RSA private key\r\n[...]\r\n<\/pre>\n
and generate the server key and Diffie-Hellman<\/a> key afterwards.<\/p>\n
\r\n# .\/build-key-server server\r\nGenerating a 1024 bit RSA private key\r\n[...]\r\n\r\n# .\/build-dh\r\nGenerating DH parameters, 1024 bit long safe prime, generator 2\r\nThis is going to take a long time\r\n[...]\r\n<\/pre>\n
Finally, we need to build a certificate and key for each client with a unique common name. OpenVPN assigns IP addresses by common name, so non-unique names would result in conflicting IP addresses.<\/p>\n
\r\n# .\/build-key client\r\nGenerating a 1024 bit RSA private key\r\n..............++++++\r\n...........................................++++++\r\nwriting new private key to 'client.key'\r\n[...]\r\n<\/pre>\n
The only thing left to do is copying the keys to the OpenVPN configuration directory and adjusting the permissions accordingly.<\/p>\n
\r\n# cp -a keys\/ \/etc\/openvpn\/\r\n# chmod 755 \/etc\/openvpn\/keys\/\r\n<\/pre>\n
Setting up the server<\/h2>\n
To set up the server, generate a configuration file in \/etc\/openvpn<\/code> with the following content:<\/p>\n
\r\nport 1194\r\nproto udp\r\nserver-bridge 192.168.8.10 255.255.255.0 192.168.8.20 192.168.8.30\r\ndev tap\r\nca keys\/ca.crt\r\ncert keys\/server.crt\r\nkey keys\/server.key \r\ndh keys\/dh1024.pem\r\nup bridge-start\r\ndown bridge-stop\r\nkeepalive 10 600\r\ncomp-lzo\r\npersist-key\r\npersist-tun\r\nverb 3\r\nmute 20\r\nstatus openvpn-status.log\r\nscript-security 2\r\n\r\n# The server doesn't need privileges\r\nuser openvpn\r\ngroup openvpn\r\n<\/pre>\n
For a full list of options have a look at the OpenVPN manpage<\/a>.<\/p>\n
To start and stop the bridge device, the OpenVPN package supplies two simple scripts. Copy them into the OpenVPN config directory<\/p>\n
\r\n# cp \/usr\/share\/doc\/openvpn\/sample\/sample-scripts\/bridge-start \/etc\/openvpn\/\r\n# cp \/usr\/share\/doc\/openvpn\/sample\/sample-scripts\/bridge-stop \/etc\/openvpn\/\r\n<\/pre>\n
You have to alter both scripts slightly to match your configuration<\/p>\n
\r\n#!\/bin\/sh\r\n\r\n#################################\r\n# Set up Ethernet bridge on Linux\r\n# Requires: bridge-utils\r\n#################################\r\n\r\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:$PATH\r\n\r\n# Define Bridge Interface\r\nbr="br0"\r\n\r\n# Define list of TAP interfaces to be bridged,\r\n# for example tap="tap0 tap1 tap2".\r\ntap="tap0 tap1"\r\n\r\n# Define physical ethernet interface to be bridged\r\n# with TAP interface(s) above.\r\neth="eth0"\r\neth_ip="192.168.8.10"\r\neth_netmask="255.255.255.0"\r\neth_broadcast="192.168.8.255"\r\neth_gateway="192.168.8.254"\r\n\r\nfor t in $tap; do\r\n    openvpn --mktun --dev $t\r\ndone\r\n\r\nbrctl addbr $br\r\nbrctl addif $br $eth\r\n\r\nfor t in $tap; do\r\n    brctl addif $br $t\r\ndone\r\n\r\nfor t in $tap; do\r\n    ifconfig $t 0.0.0.0 promisc up\r\ndone\r\n\r\nifconfig $eth 0.0.0.0 promisc up\r\n\r\nifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast\r\nsleep 1\r\nroute add default gw $eth_gateway\r\n<\/pre>\n
\r\n#!\/bin\/sh\r\n\r\n####################################\r\n# Tear Down Ethernet bridge on Linux\r\n####################################\r\n\r\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:$PATH\r\n\r\n# Define Bridge Interface\r\nbr="br0"\r\n\r\n# Define list of TAP interfaces to be bridged together\r\ntap="tap0 tap1"\r\n\r\nifconfig $br down\r\nbrctl delbr $br\r\n\r\nfor t in $tap; do\r\n    openvpn --rmtun --dev $t\r\ndone\r\n<\/pre>\n
Note that you have to change the PATH<\/tt> variable<\/strong> in order for the script to work with Fedora 20. You’ll also need to add a single tap<\/tt> device for every client<\/strong> and might want to add a default route<\/strong> after enabling the bridge.<\/p>\n
The fact that OpenVPN supports multiple servers and every deamon requires a single configuration file collides with the systemd<\/code> way of doing things. This is simply something that is not supported by systemd<\/code> out of the box. To enable and start the OpenVPN service, run<\/p>\n
\r\n# ln -s \/lib\/systemd\/system\/openvpn\\@.service \/etc\/systemd\/system\/multi-user.target.wants\/openvpn\\@server.service \r\n# systemctl -f enable openvpn@server.service \r\n# systemctl start openvpn@server.service \r\n<\/pre>\n
Note that the name of the service (“openvpn@server.service”) corresponds with the name of the configuration file in \/etc\/openvpn<\/code><\/p>\n
Watching the status log<\/h2>\n
You can see who is currently connected to your OpenVPN server, by observing the openvpn-status.log<\/code> file.<\/p>\n
\r\n# watch -n 1 cat \/etc\/openvpn\/openvpn-status.log\r\n<\/pre>\n
Resources:
\nhttps:\/\/fedoraproject.org\/wiki\/Openvpn<\/a>
\nhttps:\/\/wiki.archlinux.org\/index.php\/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Beside the official OpenVPN documentation there’s a vast number of howtos and guides out there, that’ll tell you how to set up an OpenVPN server. Unfortunately, most of these use a tunneling setup including some sort of router and packet filter. If you want to transport non-IP based traffic and can accept the increased broadcast overhead and poor scalability, you… Read more »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[7,66],"class_list":["post-1758","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-fedora","tag-openvpn"],"_links":{"self":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts\/1758","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1758"}],"version-history":[{"count":16,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts\/1758\/revisions"}],"predecessor-version":[{"id":2193,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts\/1758\/revisions\/2193"}],"wp:attachment":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1758"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1758"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1758"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}