Click on the top button to “open code in new window” to see it in a nice format
OPENVPN – 3 – BRIDGED VPN – STATIC KEY – CLIENT 2 SITE ####################################################### ####################################################### SIMPLEST BRIDGED OPENVPN CONFIG - WITH STATIC KEY ################################################### ################################################### CITATION: http://wiki.openwrt.org/doc/howto/vpn.server.openvpn.tap First generate a key. Then write the openvpn bridge script (start it, and might as well always have it start once per boot) Then write the openvpn server config and start the openvpn server Then copy the key to the client and repeat Then start the server openvpn Then start the client openvpn Both should start no problem although we still cant access anything, you must now add an ip address to the client in the same subnet as the server - make sure its unused NOTE @ THE FIREWALL IN THE NETWORK WHERE THE SERVER (THE ONE BEING THE OPENVPN SERVER) IS AT THERE IS A UDP PORT FORWARD OF PORT 50006 FROM FIREWALL FACING INTERNET TO PORT 50006 UDP ON SERVER (THE ONE BEING THE OPENVPN SERVER) THE ONLY FIREWALL CONFIG I NEEDED AT THE CLIENT WAS A PORTFORWARD TO ACCESS SSH ON THE CLIENT, BUT THATS OPTIONAL THATS JUST SO I HAVE ACCESS TO THE LINUX SHELL FROM ANYWHERE, THE MAIN ONE FOR THIS IS ESSENTIALLY ALLOWING OUTBOUND TRAFFIC OUT AT THE CLIENT NETWORK - THATS TYPICAL FIREWALL DEFAULTS THOUGH ALL ALL OUTBOUND TRAFFIC INSTALLATION ################# ON SERVER: apt-get install bridge-utils apt-get install openvpn apt-get install openssl ON CLIENT: apt-get install openvpn apt-get install openssl GENERATE KEY ################ openvpn --genkey --secret /etc/openvpn/openvpn.key TX KEY TO CLIENT: cat openvpn.key | ssh -p 50005 www.client.com "cat - > /etc/openvpn/openvpn.keykey" SIMPLE OPENVPN BRIDGE ######################## touch /etc/openvpn/openvpnbridge.sh; chmod +x /etc/openvpn/openvpnbridge.sh #!/bin/bash # /etc/openvpn/openvpnbridge.sh # Taken from http://openvpn.net/bridge.html insmod tun br="br0" tap="tap0" for t in $tap; do openvpn --mktun --dev $t done for t in $tap; do brctl addif $br $t done for t in $tap; do ifconfig $t 0.0.0.0 promisc up done OTHER BRIDGE START AND STOP FROM PREVIOUS EXAMPLE WORK, BUT ABOVE LOOKS MORE APPEALING ######################################################################################### Why this one isnt as good? This bridge start stop, enabled the bridge and tap and it switches the ip of eth0 to the bridge/tap where as on the above one it stays on eth... This can happen because they are the same leg, so it doesnt matter especially since they are all promiscous. And the above method doesnt need a stop. OTHER START BRIDGE ====================== At the very bottom/end in OTHER/EXTRA notes section OTHER STOP BRIDGE ==================== At the very bottom/end in OTHER/EXTRA notes section SIMPLE SERVER /etc/openvpn/openvpn.conf ######################################### port 50006 proto udp dev tap0 keepalive 10 120 ;comp-lzo ;persist-key ;persist-tun status openvpn-status.log verb 3 secret /etc/openvpn/openvpn.key SIMPLE CLIENT /etc/openvpn/openvpn.conf ########################################### dev tap0 proto udp remote www.server.com 50006 resolv-retry infinite nobind ;persist-key ;persist-tun # Wireless networks often produce a lot # of duplicate packets. Set this flag # to silence duplicate packet warnings. mute-replay-warnings secret /etc/openvpn/openvpn.key ;comp-lzo verb 3 START ON SERVER ################### service openvpn start It start no problem if you followed above methods START ON CLIENT ################## service openvpn start EXTRA NEEDED THINGS - GET AN IP TO THE CLIENT IN THE SUBNET ============================================================== Both openvpns at the server and client should start no problem although we still cant access anything, you must now add an ip address to the client in the same subnet as the server - make sure its unused ifconfig tap0 172.18.10.160 netmask 255.255.0.0 broadcast 172.18.255.255 OTHER EXTRA NOTES SECTION ################################## IMPORTANT SIDE NOTE: * NOTE IT WORKED FOR ME AND I USED THE BRIDGE FROM BELOW BECAUSE I WAS TOO LAZY TO SWITCH OVER TO THE BETTER/SIMPLER BRIDGE SCRIPT ABOVE. I DIDNT HAVE TO USE ANY FIREWALL IPTABLES (BECAUSE I ALREADY HAVE ALL OPEN NETWORK :-) ) WHAT FILES DID I HAVE IN THE END AT THE SERVER ================================================ If you followed the instructions with the bridge config from above you should have: /etc/openvpn/openvpnbridge.sh <- even though I didnt test this yet, I know this works as the site is credible and users post great things on the comments (what site? the one in citation from above) /etc/openvpn/openvpn.key /etc/openvpn/openvpn.conf If you followed the same instructions but using the bridge below (in OTHER EXTRA NOTES section) instead, which is actually what I ended up doing during the writing of this article: /etc/openvpn/openvpnbridge.sh /etc/openvpn/openvpn.key /etc/openvpn/openvpn.conf WHAT FILES DID I HAVE IN THE END AT THE SERVER ================================================ /etc/openvpn/openvpn.key <-- this is the same as the file @ the server /etc/openvpn/openvpn.conf HOW TO START SERVER WITH BOOT ================================= #!/bin/sh #/etc/init.d/S46openvpn <-- make this file with this in it /etc/openvpn/openvpnbridge.sh openvpn /etc/openvpn/openvpn.conf & OR if S##openvpn already exists then find the append_param() function and add into it: /etc/openvpn/openvpnbridge.sh ANOTHER WAY TO START CONFIGS ================================ Name them other names and launch like this openvpn [config filename here] ANOTHER BRIDGE AND SOME OTHER THINGS TO CONSIDER ==================================================== cd /etc/openvpn touch start.sh; chmod +x start.sh; touch stop.sh; chmod +x stop.sh; MY /etc/openvpn/start.sh --------------------------- #!/bin/bash br="br0" # Define Bridge Interface tap="tap0" # Define list of TAP example tap="tap0 tap1 tap2" eth="eth0" # * CHANGE FROM HERE DOWN eth_ip="172.18.10.21" eth_netmask="255.255.0.0" eth_broadcast="172.18.255.255" eth_gw="172.18.10.2" # * CHANGE FROM HERE UP AND NOTHING BELOW for t in $tap; do openvpn --mktun --dev $t done brctl addbr $br brctl addif $br $eth for t in $tap; do brctl addif $br $t done for t in $tap; do ifconfig $t 0.0.0.0 promisc up done ifconfig $eth 0.0.0.0 promisc up ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast route add default gw $eth_gw $br echo "* Bridge STARTED `date`" >> /var/log/syslog MY /etc/openvpn/stop.sh ----------------------------- #!/bin/bash br="br0" tap="tap0" # * CHANGE FROM HERE DOWN eth="eth0" eth_ip="172.18.10.21" eth_netmask="255.255.0.0" eth_broadcast="172.18.255.255" eth_gw="172.18.10.2" # * CHANGE FROM HERE UP AND NOTHING BELOW ifconfig $br down brctl delbr $br for t in $tap; do openvpn --rmtun --dev $t done ifconfig eth0 -promisc ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast route add default gw $eth_gw $eth echo "* Bridge STOPPED `date`" >> /var/log/syslog TEST THE BRIDGE ----------------------- The bridge should be able to get started and start a ping, you might get disconnected for a second ./start.sh; ping 8.8.8.8 ./stop.sh; ping 8.8.8.8 You should be able to do the above all day long, note its okay if there is a delay after you start the bridge with start.sh and the pings comeing through, sometimes it took me 10 seconds, and sometimes its instant Note when you start the bridge on the server your ifconfig should look like this: ./start.sh ifconfig And when you stop the bridge on the server your ifconfig should look like this: ./stop.sh ifconfig OUTPUT: br0 Link encap:Ethernet HWaddr 00:50:56:aa:cc:44 inet addr:172.18.10.21 Bcast:172.18.10.255 Mask:255.255.255.0 inet6 addr: fe80::250:56ff:feaa:cc44/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:226268724 errors:0 dropped:40 overruns:0 frame:0 TX packets:72419607 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:128122219579 (119.3 GiB) TX bytes:38122071147 (35.5 GiB) eth0 Link encap:Ethernet HWaddr 00:50:56:aa:cc:44 inet6 addr: fe80::250:56ff:feaa:cc44/64 Scope:Link UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1 RX packets:4785785867 errors:0 dropped:624 overruns:0 frame:0 TX packets:911487819 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:3251376854369 (2.9 TiB) TX bytes:967950374803 (901.4 GiB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:6 errors:0 dropped:0 overruns:0 frame:0 TX packets:6 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:408 (408.0 B) TX bytes:408 (408.0 B) tap0 Link encap:Ethernet HWaddr a6:0a:c1:be:20:e5 inet6 addr: fe80::a40a:c1ff:febe:20e5/64 Scope:Link UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1 RX packets:14557 errors:0 dropped:0 overruns:0 frame:0 TX packets:69436125 errors:0 dropped:140650466 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:1047354 (1022.8 KiB) TX bytes:32999262636 (30.7 GiB) Before continuing start the bridge ./start.sh ifconfig OUTPUT: eth0 Link encap:Ethernet HWaddr 00:50:56:aa:cc:44 inet addr:172.18.10.21 Bcast:172.18.10.255 Mask:255.255.255.0 inet6 addr: fe80::250:56ff:feaa:cc44/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:4786738468 errors:0 dropped:624 overruns:0 frame:0 TX packets:911566372 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:3251996200507 (2.9 TiB) TX bytes:967991077500 (901.5 GiB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:6 errors:0 dropped:0 overruns:0 frame:0 TX packets:6 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:408 (408.0 B) TX bytes:408 (408.0 B) OTHER CONFIGS: ============== 1. If your server is on an ESXi Server make sure to allow that NIC to have Promiscous mode enabled, for more on that look below If you are setting up the server as a virtual machine, in a ESXi server there is a nasty little gotcha on the network card settings that needs to be changed. The setting is in the VMWare ESX Management Client, then in Networking/Properties/Choose The VLAN your server is using/Edit/Security/Promiscous Mode/Check the box and choose Enable. Otherwise the bridge wont work because the ESX is preventing it from going into promiscous mode. vSphere 5.0 -> Home -> Inventory -> Hosts and Clusters -> select HOST 172.18.10.200 -> Configuration Tab -> Networking -> select Properties for vSwitch that has your machine VSWITCH2 PHYSICAL ADDRESS vmnic4 -> From List select vSwitch and hit edit (((notice there are 2 enteries a vSwitch - which has a summary in the tree of "120 Ports" and a Network "Core Lab Network", editing the vSwitch affects the Network called "Core Lab Network" - which has the summary in the tree of "Virtual Machine Port Group"))) -> Security Tab -> Promiscous Mode -> Change to Accept from Reject (((There shouldnt be a checkbox you have to check to change this, unless you selected the Network/"Virtual Machine Port Group" instead of the correct selection which is the vSwitch))) 2. If you have firewall rules setup with IPTABLES other then allow all then allow the correct packets to passthrough Note with no iptables rules, or just the default Allow All, everything should work: iptables -S -P INPUT ACCEPT -P FORWARD ACCEPT -P OUTPUT ACCEPT iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination But if you have more vigourous security make sure you run these commands to allow br0 and tap0 to communicate: iptables -A INPUT -i tap0 -j ACCEPT iptables -A INPUT -i br0 -j ACCEPT iptables -A FORWARD -i br0 -j ACCEPT I dont think applies here but maybe this might help, so your troubleshooting you can put this in: echo 1 > /proc/sys/net/ipv4/ip_forward For me it worked with that on "echo 1" and off "echo 0"