Tag Archives: VPN

How to setup OpenVPN with bridging on Ubuntu 12.04

https://help.ubuntu.com/12.04/serverguide/openvpn.html
http://ubuntuguide.org/wiki/OpenVPN_server

# Setup your router to forward port 1194 to OpenVPN server or place server in DMZ (all incoming traffic is forwaded to OpenVPN server)

# install OpenVPN and bridge utilities
apt-get -y install openvpn bridge-utils

# setup bridge br0 interface and modify primary interface eth0 (assign eth0 IP address to br0 interface)
/etc/network/interfaces

auto eth0
iface eth0 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down

auto br0
iface br0 inet static
bridge_ports eth0 tap0
address 10.0.0.100
netmask 255.255.255.0
gateway 10.0.0.138
dns-nameservers 8.8.8.8 8.8.4.4

Restart networking:
service networking restart

# Allow NAT using ufw as firewall
http://blog.philippklaus.de/2010/09/openvpn/
/etc/default/ufw

DEFAULT_FORWARD_POLICY="ACCEPT"

In /etc/ufw/sysctl.conf uncomment

net.ipv4.ip_forward=1

Restart the firewall:
ufw disable && sudo ufw enable

# Create certificates

mkdir /etc/openvpn/easy-rsa/
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

/etc/openvpn/easy-rsa/vars

export KEY_COUNTRY="CZ"
export KEY_PROVINCE=""
export KEY_CITY="Praha"
export KEY_ORG="Company name"
export KEY_EMAIL="my@email.cz"
export KEY_CN=openvpn-server
export KEY_NAME="OpenVPN Seerver"
export KEY_OU=""
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

# CA

cd /etc/openvpn/easy-rsa/

# whichopensslcnf was broken so I had to hard code:
# export KEY_CONFIG="$EASY_RSA/openssl-1.0.0.cnf"
# or cp openssl-1.0.0.cnf openssl.cnf
source vars
./clean-all
./build-ca

# server certs

./build-key-server server
./build-dh
cd keys/
cp server.crt server.key ca.crt dh1024.pem /etc/openvpn/

# client certs

cd /etc/openvpn/easy-rsa/
source vars
./build-key client1

# copy the following files to the client using a secure method:
/etc/openvpn/ca.crt
/etc/openvpn/easy-rsa/keys/client1.crt
/etc/openvpn/easy-rsa/keys/client1.key

# server config

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz

/etc/openvpn/server.conf
local 10.0.0.100
port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt
# router ip, netmask, first assigned IP, last assigned IP to client
server-bridge 10.0.0.138 255.255.255.0 10.0.0.90 10.0.0.99
push "route 10.0.0.0 255.255.255.0"
up "/etc/openvpn/up.sh br0 eth0"
keepalive 10 120
comp-lzo
;user nobody
;group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
verb 3
mute 20
script-security 2

/etc/openvpn/up.sh

#!/bin/sh

BR=$1
ETHDEV=$2
TAPDEV=$3

/sbin/ip link set "$TAPDEV" up
/sbin/ip link set "$ETHDEV" promisc on
/sbin/brctl addif $BR $TAPDEV

chmod 755 /etc/openvpn/up.sh

# client config
# install OpenVPN client on Linux/Windows/OSX
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /home/user/openvpn/client.conf
/home/user/openvpn/client.conf

client
dev tap
proto udp
remote YOUR.SERVER.IP 1194
# if needed, adjust path to following certificates
ca ca.crt
cert client1.crt
key client1.key
;tls-auth ta.key 1
resolv-retry infinite
nobind
;user nobody
;group nogroup
persist-key
persist-tun
;ns-cert-type server
comp-lzo
verb 3

# install and configure ufw

apt-get -y install ufw
ufw allow 1194

Don’t forget to allow ssh port 22 if you need it!

# start openvpn on the server
service openvpn start

# Check bridge status
Both interfaces eth0 and tap0 should be part of the br0.
brctl show

bridge name  bridge id    STP enabled  interfaces
br0    8000.000e2eac3d6a  no    eth0
              tap0

# install the client.conf and keys on the client, and connect!

How to setup OpenVPN with bridging on OpenWRT

http://wiki.openwrt.org/doc/howto/vpn.openvpn

opkg update
opkg install openvpn openvpn-easy-rsa

Or if you prefer configure openvpn via GUI:
opkg install luci-app-openvpn

/etc/easy-rsa/vars

export EASY_RSA="/etc/easy-rsa"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`/usr/sbin/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=1024
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="CZ"
export KEY_PROVINCE=""
export KEY_CITY="Praha"
export KEY_ORG=""
export KEY_EMAIL="jan.faix@gmail.com"
export KEY_CN=home-router
export KEY_NAME="Jan Faix"
export KEY_OU=""

Build your certificates:

clean-all
build-ca
build-dh

Create the server key:
build-key-server server

Create as many client keys for each person who will connect:
build-key jan

PKCS12 Format (combines the key and ca certificate in one file):
build-key-pkcs12 jan

Copy the important files to the /etc/openvpn directory, so that they are duplicated:

cd /etc/easy-rsa/keys
cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn/

Copy ca.crt and the client crt/key files off the router and onto the machines that will be connecting.

Client Config

client
remote faix.homelinux.net
port 1194
proto udp
dev tap
ns-cert-type server
persist-key
persist-tun
ca ca.crt
cert jan.crt
key jan.key
comp-lzo
verb 4
auth-user-pass

Modify your firewall
/etc/config/firewall

config 'rule'
        option 'target' 'ACCEPT'
        option 'dest_port' '1194'
        option 'src' 'wan'
        option 'proto' 'tcpudp'
        option 'family' 'ipv4'
        option '_name' 'openvpn'

/etc/init.d/firewall restart

Restrict your DHCP leases
/etc/config/dhcp

config 'dhcp' 'lan'
        option 'interface' 'lan'
        option 'start' '11'
        option 'limit' '20'
        option 'leasetime' '12h'
        list 'dhcp_option' '6,8.8.8.8,8.8.4.4'

/etc/init.d/dnsmasq restart

Create the server configuration
/etc/config/openvpn

config 'openvpn' 'lan'
        option 'enable' '1'
        option 'port' '1194'
        option 'proto' 'udp'
        option 'dev' 'tap0'
        option 'ca' '/etc/openvpn/ca.crt'
        option 'cert' '/etc/openvpn/server.crt'
        option 'key' '/etc/openvpn/server.key'
        option 'dh' '/etc/openvpn/dh1024.pem'
        option 'keepalive' '10 120'
        option 'comp_lzo' '1'
        option 'persist_key' '1'
        option 'persist_tun' '1'
        option 'status' '/tmp/openvpn-status.log'
        option 'log_append' '/var/log/openvpn.log'
        option 'verb' '4'
        option 'up' '/etc/openvpn/bridge-start.sh'
        option 'down_pre' '1'
        option 'server_bridge' '192.168.122.30 255.255.255.224 192.168.122.22 192.168.122.29'
        option 'down' '/etc/openvpn/bridge-stop.sh'

Note that addresses 192.168.122.22 to 192.168.122.29 are reserved for your VPN clients.

Bridged VPN Configuration

/etc/config/network

config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'netmask' '255.0.0.0'

config 'interface' 'lan'
        option 'type' 'bridge'
        option 'proto' 'static'
        option 'netmask' '255.255.255.224'
        option 'dns' '8.8.8.8 8.8.4.4'
        option 'ipaddr' '192.168.122.30'
        option 'ifname' 'eth0.1'
        option 'broadcast' '192.168.122.31'

config 'interface' 'wan'
        option 'ifname' 'eth0.2'
        option 'proto' 'static'
        option 'ipaddr' 'x.x.x.x'
        option 'netmask' '255.255.255.240'
        option 'gateway' 'x.x.x.x'
        option 'broadcast' 'x.x.x.x'
        option 'dns' '8.8.8.8 8.8.4.4'

Configure OpenVPN init script:
/etc/init.d/openvpn

In section start_service() add following:

ARGS="--script-security 2"

Troubleshooting

Show brigde status:
brctl show
bridge name bridge id STP enabled interfaces
br-lan 8000.f8d111adbf84 no eth0.1 wlan0 tap0

Check system log:
logread