Just a copy of How to Install OpenVPN with bridge mode - XiZi's Blog


Xizi posted @ 7 August 2009 12:35 in Server, 3168 reads

 

How to Install OpenVPN

Background:

When I first decided to create my own server I ran down a list of elements I wanted. The first were obvious, web-server, and e-mail server. However I also realized that I have many games that I would enjoy playing with friends. These are older games that only allow multiplayer over local networks. A very secure and novel solution is to use OpenVPN to make the remote computers appear as though they are on the same local network. So I set out to implement this on my second computer. I used Ubuntu Dapper Drake server edition and then began the painstaking task of configuring all the components. However when I tried to configure OpenVPN the documentation on their web-site was lacking. It has been updated and is very good now (this was in March of 2006) but I wrote a guide to installing and configuring OpenVPN on Ubuntu Dapper Drake. I hope you find this interesting and beneficial.

Purpose:

The purpose of this document is to describe how to install an OpenVPN server on an Ubuntu Linux system and have it use an Ethernet bridge to reach your local network. An Ethernet bridge lets the operating system treat multiple network interfaces as one combined port. Used with OpenVPN, a bridge lets you easily connect external users to your internal network so that they receive all traffic as though they were locally connected. The alternative is to use OpenVPN with a route, but that will not pass some kinds of traffic (such as multicast); multicast traffic matters to me because many games rely on it.

What is needed:

  1. Linux System running Ubuntu (tutorial will work with any Linux install with a few modifications)
  2. Root access to the server
  3. External computer to test with

Scope:

This tutorial aims to instruct how to install and configure an OpenVPN server with internal network access via an Ethernet bridge. This tutorial does not explain how to install Linux and get the OS environment configured. There are many good tutorials out there that you can use; once you have your Linux server ready, simply follow this document.

If you are interested in a tutorial to configure your system I recommend this easy to follow guide:

http://www.howtoforge.com/perfect_setup_ubuntu_6.06

Tutorial:

1. The first thing you should do when installing OpenVPN is to read some of the documentation on the OpenVPN web-site. This seems like a simple step to skip, but if you do not know exactly how OpenVPN works you risk opening your internal network to security problems. Additionally, there is a lot of good documentation on the OpenVPN site that will help you understand networking terms and methods, such as exactly what an Ethernet bridge is and how it differs from a route.

			# Link to OpenVPN Homepage         
			http://openvpn.net/          
			# Link to Explanation of bridging         
			http://openvpn.net/bridge.html	 
			

2. Now that you have taken some time to understand OpenVPN and bridges we can begin to implement these technologies on a server in your local network. The first step is to collect information about your network; this tutorial is designed for a network that meets the following:

			Linux Server Internal IP: 173.23.1.5 	
			Internet Gateway: 173.23.1.1 	
			Gateway's IP Address: 139.142.227.155  	
			Network Layout: 	Internet ----- Router/Firewall ----- OpenVPN Server (eth1) 
			

3. To simplify setup for users you should register your IP address with an Internet domain service. If you are cheap like me, simply use "no-ip.com". Create an account, then download their dynamic DNS update tool and follow their installation instructions. This will give you a free dynamic domain. Additionally, the IP address for your server needs to be static, because the bridge will not follow a DHCP-assigned address change. You can configure this in your /etc/network/interfaces file. My server has an entry for my network card that looks like this:

			# The primary network interface
			# connects to insecure router
			auto eth0
			iface eth0 inet static
			address 173.23.1.5
			netmask 255.255.255.0
			network 173.23.1.0
			broadcast 173.23.1.255
			gateway 173.23.1.1
			# dns-* options are implemented by the resolvconf package, if installed
			dns-nameservers 142.165.200.5
			

4. Now that the information is collected you can begin by installing OpenVPN and the utilities to manage a bridge, to do this simply type:

			sudo apt-get install openvpn bridge-utils 
			

5. With OpenVPN installed we can now begin to configure it. The first step is to copy the example directory that the package installed into /etc/openvpn, for easy access and to preserve the original data (in case you mess up and need to revert).

			 cp -R /usr/share/doc/openvpn/examples/ /etc/openvpn/
			

6. Now we want to load the vars file with our own defaults. Open the file in your favorite editor and change KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL to match your information.

			cd /etc/openvpn/examples/easy-rsa/ 	
			vi ./vars 	 
			

My vars file looks like this: (key components only)

			#this is to ensure secure data
			export KEY_SIZE=2048
			# These are the default values for fields
			# which will be placed in the certificate.
			# Don't leave any of these fields blank.
			export KEY_COUNTRY=CA
			export KEY_PROVINCE=SK
			export KEY_CITY=Martensville
			export KEY_ORG="TheBakershome"
			export KEY_EMAIL="geoff@thebakershome.net"
			

7. Now we begin the configuration of the server.

			. ./vars 	
			./clean-all 	
			./build-ca 
			

The purpose of these commands is as follows: the first loads the vars file you just edited into the current shell; the second (clean-all) clears any old keys or configuration elements (there should not be any there, but it does not hurt to be sure); the last (build-ca) creates the certificate authority. Be sure to follow the prompts and fill in the elements to match your situation. Since we loaded the vars file with your settings prior to these steps, the default values should work for almost all elements, but the Common Name will need to be specified.

8. Now you need to create the server keys, these are private files that you should keep secure.

			./build-key-server server 
			
I found that if I did not use the same information that I used in the build-ca step above that the "Sign Certificate" and "commit" did not work. If you experience this problem just repeat this step with the same values, it should work at that point. This should not occur for you as we have loaded the default values into the vars file, but just in case be aware of the cause.

9. Now you are ready to generate keys for users. First decide whether you wish to password-protect the keys. I recommend building with passwords if you are not going to implement authentication in OpenVPN; if you are, simply generate without. This tutorial assumes that you are going to implement authentication in OpenVPN, since it is the most trusted method. Make sure that you specify the correct Common Name when prompted.

			#Generate with password 	  
			./build-key-pass username  	
			#Generate without password 	  
			./build-key username 
			

10. Now you need to build the Diffie-Hellman parameters; for details on what these are, check the OpenVPN homepage. The short answer is that they provide a method to negotiate a secure connection over an insecure channel. This process will take a bit of time, so you may want to take a break; just relax, we are almost there.

			./build-dh
			# generate the TLS-auth (HMAC) key; ta.key is written to the current easy-rsa directory
			openvpn --genkey --secret ta.key
			

11. As an aside I found a very interesting table on the OpenVPN web-page. It provides some information on what to do with the various files we just generated. For the purposes of this tutorial I have "borrowed" their table and pasted it here, to view the original visit the OpenVPN installation guide on their homepage.

			Filename      Needed By                  Purpose                     Secret
			ca.crt        server + all clients       Root CA certificate         NO
			ca.key        key signing machine only   Root CA key                 YES
			dh{n}.pem     server only                Diffie-Hellman parameters   NO
			server.crt    server only                Server Certificate          NO
			server.key    server only                Server Key                  YES
			ta.key        server + all clients       Server TLS Auth Key         YES
			client1.crt   client1 only               Client1 Certificate         NO
			client1.key   client1 only               Client1 Key                 YES
			client2.crt   client2 only               Client2 Certificate         NO
			client2.key   client2 only               Client2 Key                 YES
			client3.crt   client3 only               Client3 Certificate         NO
			client3.key   client3 only               Client3 Key                 YES
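To put the table to use, here is a small Python script, added as an example and not part of the tutorial: it encodes the table above, lists what each host should receive, flags known files that have landed on a host the table says should not hold them (step 5 copies the whole easy-rsa tree into /etc/openvpn, so ca.key will typically turn up on the server), and reports secret files whose permission bits grant group or other any access. The role names and the mode-0600 rule are this example's own conventions; scan_dir is a helper to feed a real keys directory into loose_secrets.

```python
"""Who gets which easy-rsa output, and which files must stay private.

Added example, not part of the tutorial. KEY_TABLE transcribes the table
above; the role names ("server", "signer", "client1", ...) and the rule
that secret files must be mode 0600 are this example's own conventions."""
import os
import stat

# filename -> (roles that need it, secret?)
KEY_TABLE = {
    "ca.crt":      ({"server", "client1", "client2", "client3"}, False),
    "ca.key":      ({"signer"}, True),            # key signing machine only
    "dh2048.pem":  ({"server"}, False),
    "server.crt":  ({"server"}, False),
    "server.key":  ({"server"}, True),
    "ta.key":      ({"server", "client1", "client2", "client3"}, True),
    "client1.crt": ({"client1"}, False),
    "client1.key": ({"client1"}, True),
    "client2.crt": ({"client2"}, False),
    "client2.key": ({"client2"}, True),
    "client3.crt": ({"client3"}, False),
    "client3.key": ({"client3"}, True),
}


def files_for(role):
    """Files a host with this role should be given, and nothing more."""
    return sorted(name for name, (roles, _) in KEY_TABLE.items() if role in roles)


def misplaced(role, present):
    """Known files found on a host that the table says it should not hold.

    Step 5 of the tutorial copies the whole easy-rsa tree into /etc/openvpn,
    so a server audited this way will typically show ca.key here."""
    return sorted(name for name in present
                  if name in KEY_TABLE and role not in KEY_TABLE[name][0])


def loose_secrets(modes):
    """Secret files whose permission bits grant group or other any access.

    `modes` maps filename -> permission bits (as from stat.S_IMODE)."""
    return sorted(name for name, mode in modes.items()
                  if name in KEY_TABLE and KEY_TABLE[name][1] and mode & 0o077)


def scan_dir(path):
    """Collect permission bits for every regular file in a directory."""
    modes = {}
    for name in os.listdir(path):
        st = os.stat(os.path.join(path, name))
        if stat.S_ISREG(st.st_mode):
            modes[name] = stat.S_IMODE(st.st_mode)
    return modes


if __name__ == "__main__":
    # Constructed sample: a server that received the whole easy-rsa tree.
    sample = {"ca.crt": 0o644, "ca.key": 0o600, "server.key": 0o644,
              "dh2048.pem": 0o644, "ta.key": 0o600}
    print("server should hold:", files_for("server"))
    print("misplaced on server:", misplaced("server", sample))
    print("secret but readable:", loose_secrets(sample))
```

Run it against a real keys directory with `loose_secrets(scan_dir("/path/to/keys"))`; anything it lists should be `chmod 600` before the server is started.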
 

12. Now we need to configure the server.conf file to setup the operation. Here is my configuration file:

			# Which local IP address should OpenVPN
			# listen on? (optional)
			local 173.23.1.5
			port 1194
			# TCP or UDP server?
			proto udp
			# This is key to configuring our bridge
			dev tap0
			# Direct these to your generated files; the paths match the
			# copy made in step 5 (/etc/openvpn/examples/easy-rsa/keys/)
			ca /etc/openvpn/examples/easy-rsa/keys/ca.crt
			cert /etc/openvpn/examples/easy-rsa/keys/server.crt
			key /etc/openvpn/examples/easy-rsa/keys/server.key
			dh /etc/openvpn/examples/easy-rsa/keys/dh2048.pem
			ifconfig-pool-persist ipp.txt
			# Ensure the range of IP addresses you use in the last two arguments
			# of this statement is not in use by either the DHCP server or any other
			# device on your internal network.
			server-bridge 173.23.1.5 255.255.255.0 173.23.1.60 173.23.1.70
			# Needed to allow communication to the internal network
			client-to-client
			keepalive 10 120
			# Encryption - very important ;)
			# AES encryption is backed by many security firms;
			# however, if you are concerned about speed use Blowfish: "BF-CBC"
			cipher AES-128-CBC
			# If you have another subnet you need to provide the route
			push "route 173.23.2.0 255.255.255.0"
			# Server id protection; ta.key was generated in the easy-rsa directory in step 10
			tls-auth /etc/openvpn/examples/easy-rsa/ta.key 0
			# Compression for network speed
			comp-lzo
			# If packets are too large fragment them (only really useful if you have an old router)
			#fragment 1400
			# Limit the number of connections
			max-clients 5
			# Some security settings
			# (do not use if running the server on Windows)
			user nobody
			group nogroup
			persist-key
			persist-tun
			# Log file settings
			status openvpn-status.log
			verb 3
			# Authentication plugin:
			# forces the client to have a Linux account in order to connect
			plugin /usr/lib/openvpn/openvpn-auth-pam.so login
			

13. Now that the server is configured we need to create the bridge interface. The bridge is managed by Linux and is only used by OpenVPN so setup is a little different. I did it using a script to start/stop the interface. Place this script in "/etc/init.d/bridge" and then run the following:

			update-rc.d bridge defaults 15 
			

Here is the script, before using you will need to edit it for your network and server settings.

			#!/bin/bash
			# Create global variables
			# Define Bridge Interface
			br="br0"
			# Define list of TAP interfaces to be bridged,
			# for example tap="tap0 tap1 tap2".
			tap="tap0"
			# Define physical ethernet interface to be bridged
			# with TAP interface(s) above.
			eth="eth0"
			eth_ip="173.23.1.5"
			eth_netmask="255.255.255.0"
			eth_broadcast="173.23.1.255"
			gw="173.23.1.1"
			
			start_bridge () {
			    #################################
			    # Set up Ethernet bridge on Linux
			    # Requires: bridge-utils
			    #################################
			    for t in $tap; do
			        openvpn --mktun --dev $t
			    done
			    for t in $tap; do
			        ifconfig $t 0.0.0.0 promisc up
			    done
			    ifconfig $eth 0.0.0.0 promisc up
			    brctl addbr $br
			    brctl addif $br $eth
			    for t in $tap; do
			        brctl addif $br $t
			    done
			    ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast up
			    route add default gw $gw $br
			}
			
			stop_bridge () {
			    ####################################
			    # Tear Down Ethernet bridge on Linux
			    ####################################
			    ifconfig $br down
			    brctl delbr $br
			    for t in $tap; do
			        openvpn --rmtun --dev $t
			    done
			    ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast up
			    route add default gw $gw $eth
			}
			
			case "$1" in
			    start)
			        echo -n "Starting Bridge"
			        start_bridge
			        ;;
			    stop)
			        echo -n "Stopping Bridge"
			        stop_bridge
			        ;;
			    restart)
			        stop_bridge
			        sleep 2
			        start_bridge
			        ;;
			    *)
			        echo "Usage: $0 {start|stop|restart}" >&2
			        exit 1
			        ;;
			esac
			

14. Now you need to edit your client configuration file, client.conf. This will be given to your clients and is the file they pass to openvpn to connect to your server. In the same way you modified server.conf, edit the network information to match your internal network. Here is an example of one of mine:

			client 
			dev tap 
			proto udp 
			# change this to your server's address 
			remote thebakers.no-ip.org 1194 
			resolv-retry infinite 
			nobind
			persist-key 
			persist-tun 
			# Point the key and crt files to  
			# the ones for this user 
			tls-client
			ca ca.crt 
			cert geoff.crt 
			key geoff.key 
			#ensure that we are talking to a server 
			ns-cert-type server
			#confirm we are talking to the correct server 
			tls-auth ta.key 1
			# Select a cryptographic cipher. 
			# If the cipher option is used on the server 
			# then you must also specify it here. 
			cipher AES-128-CBC 
			# Enable compression on the VPN link. 
			comp-lzo 
			#fragment large packets 
			# I found I needed this for some games but it is 
			# not required
			#fragment 1400  
			# enable user/pass authentication
			auth-user-pass
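Most first-connection failures in steps 12 and 14 come from the two files disagreeing, so here is an added Python checker (example code, not the tutorial's) that parses a server.conf and a client.conf and reports mismatches: proto, tap/tun device type, cipher, comp-lzo, port, complementary tls-auth key directions (0 on the server, 1 on the client), the client's server-certificate check, the server's privilege drop, and a server-bridge pool that lies outside the bridge subnet or overlaps the LAN DHCP range. The two embedded configs are constructed copies of the ones above, trimmed to the directives checked; the problem strings and the dhcp_range argument are this example's own.

```python
"""Cross-check server.conf against the client.conf handed to users.

Added example, not part of the tutorial. The two configs below are
constructed copies of the tutorial's, trimmed to the directives the
checks look at; the problem strings and the dhcp_range argument are
this example's own."""
import ipaddress

SERVER_CONF = """\
local 173.23.1.5
port 1194
proto udp
dev tap0
server-bridge 173.23.1.5 255.255.255.0 173.23.1.60 173.23.1.70
client-to-client
cipher AES-128-CBC
tls-auth ta.key 0
comp-lzo
user nobody
group nogroup
"""

CLIENT_CONF = """\
client
dev tap
proto udp
remote thebakers.no-ip.org 1194
tls-client
ns-cert-type server
tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo
auth-user-pass
"""


def parse(text):
    """directive -> argument tokens; comments and blank lines dropped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = args
    return conf


def check_pair(server_text, client_text, dhcp_range=None):
    """Return sorted problem strings; an empty list means the pair agrees.

    dhcp_range, if given, is (first, last) of the LAN DHCP server's pool."""
    s, c = parse(server_text), parse(client_text)
    problems = []

    # Transport, device type, cipher and compression must match on both ends.
    if s.get("proto") != c.get("proto"):
        problems.append("proto mismatch")
    if s.get("dev", [""])[0][:3] != c.get("dev", [""])[0][:3]:
        problems.append("dev type mismatch (tap vs tun)")
    if s.get("cipher") != c.get("cipher"):
        problems.append("cipher mismatch")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo set on one side only")

    # The client's remote port must be the port the server listens on.
    remote = c.get("remote", [])
    client_port = remote[1] if len(remote) > 1 else "1194"
    if client_port != s.get("port", ["1194"])[0]:
        problems.append("client remote port differs from server port")

    # tls-auth: both sides or neither, and key directions 0 (server) / 1 (client).
    st, ct = s.get("tls-auth"), c.get("tls-auth")
    if (st is None) != (ct is None):
        problems.append("tls-auth on one side only")
    elif st is not None and (st[1:], ct[1:]) not in ((["0"], ["1"]), ([], [])):
        problems.append("tls-auth key direction must be 0 on server and 1 on client")

    # The client should insist that the peer presents a server certificate.
    if "ns-cert-type" not in c and "remote-cert-tls" not in c:
        problems.append("client does not check the server certificate type")

    # The server should drop root after initialisation.
    if "user" not in s or "group" not in s:
        problems.append("server keeps root privileges")

    # server-bridge pool must sit inside the bridge subnet and clear of LAN DHCP.
    sb = s.get("server-bridge", [])
    if len(sb) == 4:
        net = ipaddress.ip_network(f"{sb[0]}/{sb[1]}", strict=False)
        first, last = ipaddress.ip_address(sb[2]), ipaddress.ip_address(sb[3])
        if first not in net or last not in net or first > last:
            problems.append("server-bridge pool outside the bridge subnet")
        if dhcp_range:
            d0, d1 = map(ipaddress.ip_address, dhcp_range)
            if first <= d1 and d0 <= last:
                problems.append("server-bridge pool overlaps the LAN DHCP range")
    return sorted(problems)


if __name__ == "__main__":
    print(check_pair(SERVER_CONF, CLIENT_CONF) or "server/client configs agree")
    # Constructed DHCP range that collides with the tutorial's .60-.70 pool.
    print(check_pair(SERVER_CONF, CLIENT_CONF, dhcp_range=("173.23.1.50", "173.23.1.65")))
```

The parser is deliberately simple (one directive per line, first token is the directive name) and is enough for the directives compared here; pass the text of your real files in place of the constructed strings.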
			

15. Now you are ready to test your server, to do this load the server from the command line:

			sudo /etc/init.d/bridge start 	
			sudo openvpn /etc/openvpn/server.conf 
			

Look for any errors that may be reported while OpenVPN parses the server.conf file. If it gets to the "Succeeded" state, switch to a PC on an external network (I used my PC at work) and open the OpenVPN connection. If everything is working, reboot your server and attempt to open the connection again; this will ensure that everything is starting correctly at boot.

Once the connection is established by the client, test it by pinging devices on your internal network. Assuming everything is connected correctly you should be able to contact them.

16. If you have any trouble with step 15, the first place to look is at firewalls. If your server has firewall restrictions they may be blocking the bridge from operating; check your config and adjust as necessary. At this point your server should be running. Good luck and have fun.

Post-Install

I ended up having some difficulty configuring shorewall on my openvpn server. It is a little tricky since you have to tell shorewall to differentiate between a physical input (eth0) and the virtual input (tap0). To do this open "/etc/shorewall/hosts" and add:

			net     br0:eth0
			vpn     br0:tap0
			

This tells shorewall to distinguish the VPN traffic from the insecure traffic. Once those entries are in place, add the following to your policy file. This tells shorewall that traffic from the vpn zone is trusted, so let it all through.

				vpn     all     ACCEPT
				

You will also need to mention the vpn in the zones file by adding

				vpn     ipv4
				

Lastly you will need to tell shorewall that a tunnel is coming through by opening the tunnels file and adding:

				openvpn        net     0.0.0.0/0       vpn
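An added Python cross-check of these four shorewall fragments (example code, not from the tutorial or from shorewall): it confirms that every zone named in hosts, policy and tunnels is declared in zones, and that no physical interface was put into the trusted vpn zone by mistake. The fragments are constructed copies of the entries above; BASE_ZONES assumes net and fw are already declared by the base shorewall setup that the tutorial does not show.

```python
"""Cross-check the shorewall fragments from the post-install section.

Added example, not part of the tutorial. The four fragments are constructed
copies of the tutorial's entries; BASE_ZONES lists the zones assumed to be
declared already by the base shorewall setup the tutorial does not show."""

ZONES = "vpn     ipv4\n"
HOSTS = "net     br0:eth0\nvpn     br0:tap0\n"
POLICY = "vpn     all     ACCEPT\n"
TUNNELS = "openvpn        net     0.0.0.0/0       vpn\n"

BASE_ZONES = frozenset({"fw", "net"})   # assumption: declared elsewhere in zones


def rows(text):
    """Whitespace-split records, skipping blank and comment lines."""
    return [line.split() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def declared_zones(zones_text, base=BASE_ZONES):
    """Zones available to the other files: the base set plus the zones file."""
    return set(base) | {r[0] for r in rows(zones_text)}


def referenced_zones(hosts_text, policy_text, tunnels_text):
    """Every zone name the other three files rely on ('all' is a keyword)."""
    refs = {r[0] for r in rows(hosts_text)}
    for r in rows(policy_text):
        refs.update(r[:2])                  # SOURCE, DEST
    for r in rows(tunnels_text):
        refs.add(r[1])                      # ZONE the tunnel arrives from
        if len(r) > 3:
            refs.update(r[3].split(","))    # GATEWAY ZONE(S)
    refs.discard("all")
    return refs


def undeclared(zones_text, hosts_text, policy_text, tunnels_text):
    """Zones used in hosts/policy/tunnels but missing from zones."""
    return sorted(referenced_zones(hosts_text, policy_text, tunnels_text)
                  - declared_zones(zones_text))


def ports_by_zone(hosts_text):
    """zone -> bridge ports, from 'zone bridge:port' hosts entries."""
    out = {}
    for zone, host, *_ in rows(hosts_text):
        bridge, _, port = host.partition(":")
        out.setdefault(zone, []).append(port or bridge)
    return out


def physical_in_vpn(hosts_text, vpn_zone="vpn", physical_prefix="eth"):
    """Physical interfaces that ended up in the trusted VPN zone by mistake."""
    return [p for p in ports_by_zone(hosts_text).get(vpn_zone, [])
            if p.startswith(physical_prefix)]


if __name__ == "__main__":
    print("undeclared zones:", undeclared(ZONES, HOSTS, POLICY, TUNNELS))
    print("ports by zone:", ports_by_zone(HOSTS))
    print("physical ports in vpn zone:", physical_in_vpn(HOSTS))
```

Because the policy line above accepts everything from the vpn zone, the second check matters: a hosts entry that puts eth0 into vpn would silently extend that trust to the whole untrusted side of the bridge.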
				

Conclusion:

I hope your server is working well and that you can now play your old classic games with friends. The other benefit of this network is that you can access the data on your home PC from anywhere and be certain that your connection is free from intrusion.

charlly says:
17 January 2023 17:34

Bridge mode is a networking mode that allows two or more Layer 2 Ethernet networks to connect and pass traffic between them. OpenVPN can operate in either a bridged mode or a routed mode. In routed mode, each client has a dedicated IP address and all traffic is routed through the VPN. This is the most common mode of operation. In bridged mode, each client is assigned a DHCP-provided IP address and all traffic passes between the client and the server without passing through the VPN.

