
How to setup OpenVPN with bridging on Ubuntu 12.04

https://help.ubuntu.com/12.04/serverguide/openvpn.html
http://ubuntuguide.org/wiki/OpenVPN_server

# Set up your router to forward port 1194 to the OpenVPN server, or place the server in a DMZ (all incoming traffic is forwarded to the OpenVPN server)

# install OpenVPN and bridge utilities
apt-get -y install openvpn bridge-utils

# set up the bridge interface br0 and modify the primary interface eth0 (eth0's IP address is assigned to br0 instead)
/etc/network/interfaces

auto eth0
iface eth0 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down

auto br0
iface br0 inet static
bridge_ports eth0 tap0
address 10.0.0.100
netmask 255.255.255.0
gateway 10.0.0.138
dns-nameservers 8.8.8.8 8.8.4.4

Restart networking:
service networking restart

# Allow NAT using ufw as firewall
http://blog.philippklaus.de/2010/09/openvpn/
/etc/default/ufw

DEFAULT_FORWARD_POLICY="ACCEPT"

In /etc/ufw/sysctl.conf uncomment

net.ipv4.ip_forward=1

Restart the firewall:
ufw disable && sudo ufw enable

# Create certificates

mkdir /etc/openvpn/easy-rsa/
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

/etc/openvpn/easy-rsa/vars

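# Subject fields that the easy-rsa 2.0 build-ca / build-key* scripts read
# after `source vars`; they end up in the generated certificates.
# NOTE(review): some openssl.cnf templates reject empty subject fields in
# batch mode — confirm that empty KEY_PROVINCE / KEY_OU work with your
# openssl-1.0.0.cnf before relying on them.
export KEY_COUNTRY="CZ"
export KEY_PROVINCE=""
export KEY_CITY="Praha"
export KEY_ORG="Company name"
export KEY_EMAIL="my@email.cz"
export KEY_CN=openvpn-server
# Fixed the typo in the display name ("Seerver") so the issued
# certificate carries the intended value.
export KEY_NAME="OpenVPN Server"
export KEY_OU=""
# Presumably placeholders: no PKCS#11 token is used in this setup, but the
# scripts expect the variables to exist — verify against the vars file.
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"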

# CA

cd /etc/openvpn/easy-rsa/

# whichopensslcnf was broken, so I had to hard-code the OpenSSL config:
# export KEY_CONFIG="$EASY_RSA/openssl-1.0.0.cnf"
# or cp openssl-1.0.0.cnf openssl.cnf
source vars
./clean-all
./build-ca

# server certs

./build-key-server server
./build-dh
cd keys/
cp server.crt server.key ca.crt dh1024.pem /etc/openvpn/

# client certs

cd /etc/openvpn/easy-rsa/
source vars
./build-key client1

# copy the following files to the client using a secure method (client1.key is the client's private key: keep it out of e-mail/chat and restrict its file permissions on the client):
/etc/openvpn/ca.crt
/etc/openvpn/easy-rsa/keys/client1.crt
/etc/openvpn/easy-rsa/keys/client1.key

# server config

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz

/etc/openvpn/server.conf
local 10.0.0.100
port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt
# server-bridge arguments: gateway IP, netmask, then the first and last IP of the pool handed out to clients
server-bridge 10.0.0.138 255.255.255.0 10.0.0.90 10.0.0.99
push "route 10.0.0.0 255.255.255.0"
up "/etc/openvpn/up.sh br0 eth0"
keepalive 10 120
comp-lzo
;user nobody
;group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
verb 3
mute 20
script-security 2

/etc/openvpn/up.sh

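#!/bin/sh
# OpenVPN "up" script: attach the tap device OpenVPN just created to the
# bridge so VPN clients sit on the same L2 segment as eth0.
#
# server.conf invokes it as:  up "/etc/openvpn/up.sh br0 eth0"
# OpenVPN appends its own arguments after the ones given in the config; the
# first of those is the tap device name, hence:
#   $1 - bridge interface (br0)
#   $2 - physical interface that is a bridge member (eth0)
#   $3 - tap device name, supplied by OpenVPN
# Needs script-security 2 in server.conf. A non-zero exit status is
# reported back to OpenVPN, which treats a failing up script as fatal.

# Stop at the first failing command and refuse to run with a missing
# argument, instead of continuing with an empty device name (the original
# script ignored a failed `ip link set` as long as brctl succeeded).
set -eu

usage='usage: up.sh BRIDGE ETHDEV TAPDEV'
BR=${1:?$usage}
ETHDEV=${2:?$usage}
TAPDEV=${3:?$usage}

/sbin/ip link set "$TAPDEV" up
/sbin/ip link set "$ETHDEV" promisc on
# Quoted like the two calls above (the original left these expansions bare).
/sbin/brctl addif "$BR" "$TAPDEV"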

chmod 755 /etc/openvpn/up.sh

# client config
# install OpenVPN client on Linux/Windows/OSX
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /home/user/openvpn/client.conf
/home/user/openvpn/client.conf

client
dev tap
proto udp
remote YOUR.SERVER.IP 1194
# if needed, adjust the paths to the following certificate and key files
ca ca.crt
cert client1.crt
key client1.key
;tls-auth ta.key 1
resolv-retry infinite
nobind
;user nobody
;group nogroup
persist-key
persist-tun
;ns-cert-type server
comp-lzo
verb 3

# install and configure ufw

apt-get -y install ufw
ufw allow 1194

Don’t forget to allow the ssh port (22) if you need it — otherwise enabling ufw on a remote server will lock you out!

# start openvpn on the server
service openvpn start

# Check bridge status
Both interfaces, eth0 and tap0, should be listed as members of br0.
brctl show

bridge name  bridge id    STP enabled  interfaces
br0    8000.000e2eac3d6a  no    eth0
              tap0

# install the client.conf and keys on the client, and connect!