OpenvpnBridge

Bridging OpenVPN with a physical network device in GNU/Debian.

Assumptions

We will assume that our network and server have the following setup:
Interface  IP             Netmask         Purpose
eth1       -              -               Physical device that connects us to the rest of our LAN.
tap0       -              -               OpenVPN device that is connected to our VPN.
br0        192.168.254.1  255.255.255.0   Bridge that merges both eth1 and tap0 into one network segment.

Packages

Some packages are mandatory for this kind of setup:
aptitude install openvpn bridge-utils

Bridge

Configure the Bridge in /etc/network/interfaces:
auto br0
iface br0 inet static
  bridge_ports eth1 tap0
  address 192.168.254.1
  netmask 255.255.255.0
  network 192.168.254.0
  broadcast 192.168.254.255
  pre-up openvpn --mktun --dev tap0
Neither eth1 nor tap0 gets any configuration of its own in this file, as neither needs an IP address or anything else; they are only members of the bridge. The vital part is the pre-up line, where the openvpn binary is called before the bridge is brought up: this command makes sure that a tap0 device actually exists when bridge_ports tries to add it.

Bind Name Server

Zone file for vpn.fladi.at on the BIND name server, giving names to the hosts on the bridged segment:

$ORIGIN .
$TTL 86400      ; 1 day
vpn.fladi.at            IN SOA  uni.fladi.at. michael.fladi.at. (
                                2009042502 ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                10800      ; minimum (3 hours)
                                )
                        NS      uni.fladi.at.
                        A       193.170.104.5
$ORIGIN vpn.fladi.at.
uni                     A       192.168.254.1
home                    A       192.168.254.32
backup                  A       192.168.254.3
endor                   A       192.168.254.33
corellia                A       192.168.254.34
ossus                   A       192.168.254.35

OpenVPN

TAP-Device

Set the device for the OpenVPN server to tap0 and use the server-bridge directive instead of server. The format is as follows:
server-bridge <server-ip> <netmask> <start-ip> <stop-ip>
This results in the following configuration in the file /etc/openvpn/server.conf:
port 1194
proto tcp
dev tap0
ca /etc/ssl/certs/Fladi.at.pem
cert /etc/ssl/private/vpn-server.pem
key /etc/ssl/private/vpn-server.key  # This file should be kept secret
dh /etc/ssl/private/vpn-server.dh
server-bridge 192.168.254.1 255.255.255.0 192.168.254.32 192.168.254.254
client-config-dir ccd
client-to-client
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
verb 1
mute 20

Client Configuration Directory

In the directory /etc/openvpn/ccd/ each client gets its own configuration file, which must have the same name as the CN in the client certificate. For the client ossus.vpn.fladi.at the file has the following content:
ifconfig-push ossus.vpn.fladi.at 255.255.255.0
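The three fragments above depend on each other: the ifconfig-push line names a host, the zone file is what turns that name into an address, and the server-bridge line decides which addresses are acceptable at all. The script below is an added example, not code from the original page, that cross-checks them: it parses the A records of the zone, reads the server-bridge directive from server.conf, and reports a pool that does not fit the bridge subnet, a pushed address outside the subnet or equal to the server's own, a netmask that differs from the bridge's, a name the zone cannot resolve, and two clients pushed the same address. The file contents are constructed (abridged) copies of the page's fragments embedded as strings so it runs offline; looking the name up in the zone's A records stands in for the DNS query OpenVPN itself would make.

```python
# Added example, not from the original page: cross-check the zone file, the
# server-bridge pool and the ccd ifconfig-push lines against each other. The
# file contents below are constructed (abridged) copies of the page's fragments.
import ipaddress

ZONE = """\
$ORIGIN .
$TTL 86400                ; 1 day
vpn.fladi.at  IN SOA uni.fladi.at. michael.fladi.at. (
                2009042502 10800 3600   ; serial refresh retry
                604800 10800 )          ; expire minimum
              NS  uni.fladi.at.
              A   193.170.104.5
$ORIGIN vpn.fladi.at.
uni       A 192.168.254.1
home      A 192.168.254.32
backup    A 192.168.254.3
endor     A 192.168.254.33
corellia  A 192.168.254.34
ossus     A 192.168.254.35
"""
SERVER_CONF = ("dev tap0\nclient-config-dir ccd\n"
               "server-bridge 192.168.254.1 255.255.255.0 192.168.254.32 192.168.254.254\n")
CCD = {"ossus.vpn.fladi.at": "ifconfig-push ossus.vpn.fladi.at 255.255.255.0\n"}  # {CN: text}
RR_TYPES = {"A", "AAAA", "NS", "SOA", "CNAME", "MX", "PTR", "TXT"}


def fqdn(name, origin):
    # make a relative owner name absolute under the current $ORIGIN
    return name if name.endswith(".") else (name + "." if origin == "." else f"{name}.{origin}")


def parse_zone_a_records(text):
    """{absolute name: address} for every A record in a zone file."""
    logical, buf, depth = [], "", 0            # fold '(...)' records, drop ';' comments
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf = line if depth == 0 else buf + " " + line.strip()
        depth += line.count("(") - line.count(")")
        if depth == 0:
            logical.append(buf)
    origin, owner, records = ".", None, {}
    for line in logical:
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):          # $TTL and other directives
            continue
        if not line[0].isspace():              # a name in column 0 sets the owner
            owner = tokens.pop(0)
        while tokens and tokens[0] not in RR_TYPES:  # skip class and TTL fields
            tokens.pop(0)
        if len(tokens) >= 2 and tokens[0] == "A":
            records[fqdn(owner, origin)] = tokens[1]
    return records


def parse_server_bridge(conf):
    """(server, netmask, start, stop) from 'server-bridge a b c d'."""
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts[:1] == ["server-bridge"] and len(parts) == 5:
            return tuple(ipaddress.IPv4Address(p) for p in parts[1:])
    raise ValueError("no well-formed server-bridge directive found")


def check_bridge_setup(server_conf, ccd_files, zone_text):
    """Return (problems, static): findings, and {address: CN} pushed statically."""
    names = parse_zone_a_records(zone_text)
    server, netmask, start, stop = parse_server_bridge(server_conf)
    net = ipaddress.ip_network(f"{server}/{netmask}", strict=False)
    problems, static = [], {}
    if start > stop or start not in net or stop not in net:
        problems.append(f"pool {start}-{stop} is not a valid range inside {net}")
    if start <= server <= stop:
        problems.append(f"server address {server} lies inside the pool")
    for cn, text in ccd_files.items():
        for line in text.splitlines():
            parts = line.split("#", 1)[0].split()
            if len(parts) < 3 or parts[0] != "ifconfig-push":
                continue
            target, mask = parts[1], parts[2]
            # the page pushes a hostname; resolve it from the zone's A records
            # in place of the DNS lookup OpenVPN itself would perform
            try:
                addr = ipaddress.IPv4Address(names.get(target.rstrip(".") + ".", target))
            except ValueError:
                problems.append(f"{cn}: cannot resolve {target}")
                continue
            if addr not in net:
                problems.append(f"{cn}: {addr} is outside {net}")
            if mask != str(netmask):
                problems.append(f"{cn}: netmask {mask} differs from bridge netmask {netmask}")
            if addr == server:
                problems.append(f"{cn}: {addr} is the server's own address")
            if addr in static:
                problems.append(f"{cn}: {addr} already pushed to {static[addr]}")
            static.setdefault(addr, cn)
    return problems, static
```

To run it against a live server, read the zone from the BIND zone directory, server.conf from /etc/openvpn and one entry per file from /etc/openvpn/ccd/ (file name as CN) instead of the embedded strings; with the page's own fragments it reports no problems and one static assignment, 192.168.254.35 to ossus.vpn.fladi.at.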
Topic revision: r2 - 07 May 2009 - 15:46:04 - FladischerMichael