https://help.ubuntu.com/12.04/serverguide/openvpn.html
http://ubuntuguide.org/wiki/OpenVPN_server
# Set up your router to forward port 1194 to the OpenVPN server, or place the server in the DMZ (all incoming traffic is forwarded to the OpenVPN server)
# install OpenVPN and bridge utilities
apt-get -y install openvpn bridge-utils
# set up the bridge interface br0 and modify the primary interface eth0 (the IP address previously on eth0 is assigned to br0)
/etc/network/interfaces
auto eth0
iface eth0 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down
auto br0
iface br0 inet static
bridge_ports eth0 tap0
address 10.0.0.100
netmask 255.255.255.0
gateway 10.0.0.138
dns-nameservers 8.8.8.8 8.8.4.4
Restart networking:
service networking restart
# Allow NAT using ufw as firewall
http://blog.philippklaus.de/2010/09/openvpn/
/etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"
In /etc/ufw/sysctl.conf uncomment
net.ipv4.ip_forward=1
Restart the firewall:
ufw disable && sudo ufw enable
# Create certificates
mkdir /etc/openvpn/easy-rsa/
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
/etc/openvpn/easy-rsa/vars
export KEY_COUNTRY="CZ"
export KEY_PROVINCE=""
export KEY_CITY="Praha"
export KEY_ORG="Company name"
export KEY_EMAIL="my@email.cz"
export KEY_CN=openvpn-server
export KEY_NAME="OpenVPN Server"
export KEY_OU=""
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
# CA
cd /etc/openvpn/easy-rsa/
#
whichopensslcnf was broken, so I had to hard-code the OpenSSL config path:
#
export KEY_CONFIG="$EASY_RSA/openssl-1.0.0.cnf"
# or
cp openssl-1.0.0.cnf openssl.cnf
source vars
./clean-all
./build-ca
# server certs
./build-key-server server
./build-dh
cd keys/
cp server.crt server.key ca.crt dh1024.pem /etc/openvpn/
# client certs
cd /etc/openvpn/easy-rsa/
source vars
./build-key client1
# copy the following files to the client over a secure channel (client1.key is the client's private key and must not be exposed):
/etc/openvpn/ca.crt
/etc/openvpn/easy-rsa/keys/client1.crt
/etc/openvpn/easy-rsa/keys/client1.key
# server config
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
/etc/openvpn/server.conf
local 10.0.0.100
port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt
# server-bridge arguments: router (gateway) IP, netmask, first and last IP of the pool assigned to clients
server-bridge 10.0.0.138 255.255.255.0 10.0.0.90 10.0.0.99
push "route 10.0.0.0 255.255.255.0"
up "/etc/openvpn/up.sh br0 eth0"
keepalive 10 120
comp-lzo
;user nobody
;group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
mute 20
script-security 2
/etc/openvpn/up.sh
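#!/bin/sh
# OpenVPN "up" hook: attach the newly created tap device to the bridge.
#
# server.conf invokes it as `up "/etc/openvpn/up.sh br0 eth0"`; OpenVPN then
# appends its own arguments, the first of which is the tap device name, so:
#   $1 - bridge name (br0)
#   $2 - physical ethernet device (eth0)
#   $3 - tap device created by OpenVPN (tap0)
# Exits non-zero if an argument is missing or any command fails, so OpenVPN
# reports a failed bridge setup instead of silently running unbridged.
set -eu

BR=${1:?bridge name required}
ETHDEV=${2:?ethernet device required}
TAPDEV=${3:?tap device required}

/sbin/ip link set "$TAPDEV" up
/sbin/ip link set "$ETHDEV" promisc on
# quote both names: an empty or odd value would otherwise be word-split
/sbin/brctl addif "$BR" "$TAPDEV"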
chmod 755 /etc/openvpn/up.sh
# client config
# install OpenVPN client on Linux/Windows/OSX
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /home/user/openvpn/client.conf
/home/user/openvpn/client.conf
client
dev tap
proto udp
remote YOUR.SERVER.IP 1194
# if needed, adjust the paths to the following certificate and key files
ca ca.crt
cert client1.crt
key client1.key
;tls-auth ta.key 1
resolv-retry infinite
nobind
;user nobody
;group nogroup
persist-key
persist-tun
;ns-cert-type server
comp-lzo
verb 3
# install and configure ufw
apt-get -y install ufw
ufw allow 1194
Don't forget to also allow the SSH port (22) if you need remote access!
# start openvpn on the server
service openvpn start
# Check bridge status
Both interfaces, eth0 and tap0, should be listed as members of br0.
brctl show
bridge name bridge id STP enabled interfaces
br0 8000.000e2eac3d6a no eth0
tap0
# install the client.conf and keys on the client, and connect!