Saturday, July 07, 2012

Quick and dirty OpenVPN bridge configuration

Quick and dirty configuration to bridge two Ethernet segments using OpenVPN. With this setup you need two Ethernet interfaces per host, or alternatively one Ethernet interface plus wireless access to the Internet.

The examples below give the required commands for CentOS 5 and Ubuntu. If you put either end on VMware, make sure promiscuous mode is allowed: "chmod a+rw /dev/vmnet*" for VMware Workstation on Linux (note that this makes the vmnet devices writable by every local user).
# The following assumes NetworkManager has been uninstalled and /etc/network/interfaces
# does NOT configure eth1. On CentOS delete /etc/sysconfig/network-scripts/ifcfg-eth1
# Install openvpn and bridge-utils

# Ubuntu
apt-get -y install openvpn bridge-utils

# CentOS 5
wget http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
rpm -Uvh epel-release-5-4.noarch.rpm
yum -y install openvpn bridge-utils

# Protect OpenVPN configuration
chmod 0700 /etc/openvpn

# Configure PKI
# Skip this on client
# On Ubuntu
cp -avf /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa
cp -avf /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
ln -s /etc/openvpn/easy-rsa/keys /etc/openvpn/keys

# On newer Ubuntu versions
apt-get install easy-rsa
cp -avf /usr/share/easy-rsa/ /etc/openvpn/easy-rsa
cp -avf /usr/share/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
ln -s /etc/openvpn/easy-rsa/keys /etc/openvpn/keys
# Newer Ubuntu versions may use dh2048.pem instead of dh1024.pem; adjust the rest accordingly
# On CentOS
cp -avf /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn/easy-rsa

# Generate certificates
# Skip this on client
cd /etc/openvpn/easy-rsa
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server # create server cert
# Ubuntu default config is too picky, quick fix:
sed -e 's/unique_subject = yes/unique_subject = no/g' -i.bak keys/index.txt.attr
./pkitool client # create client cert, run again with different name for more than one client
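
As an added example, not part of the original post and not easy-rsa's own code, the same PKI built with plain openssl(1): a CA, a server certificate carrying the serverAuth extended key usage, a client certificate carrying clientAuth, and a check that each leaf chains to the CA and has the intended usage. That usage split is the distinction pkitool --server makes, and it is what lets the client refuse a peer that presents a client certificate as the server once remote-cert-tls server is set in the client config. Assumptions: openssl is installed; the directory, common names and lifetimes are placeholders chosen here; DH parameters are still generated separately.

```shell
#!/bin/sh
# Added example: OpenVPN PKI with plain openssl(1) instead of easy-rsa's pkitool.
# Assumptions: openssl is on PATH; names, paths and lifetimes below are placeholders.
set -eu

# issue_cert DIR CFG CN EKU: key + CSR for CN, signed by DIR/ca.* with the given EKU
issue_cert() {
    dir=$1; cfg=$2; cn=$3; eku=$4
    ext=$(mktemp)
    # leaf certificate extensions; the EKU is what remote-cert-tls checks on the peer
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' "$eku" > "$ext"
    openssl req -config "$cfg" -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
        -keyout "$dir/$cn.key" -out "$dir/$cn.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$cn.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 1825 -sha256 -extfile "$ext" -out "$dir/$cn.crt" 2>/dev/null
    rm -f "$ext" "$dir/$cn.csr"
}

# make_pki DIR SERVER_CN CLIENT_CN: creates DIR/ca.{key,crt}, DIR/SERVER_CN.{key,crt}
# (serverAuth) and DIR/CLIENT_CN.{key,crt} (clientAuth)
make_pki() {
    pki_dir=$1; server_cn=$2; client_cn=$3
    mkdir -p "$pki_dir"
    chmod 0700 "$pki_dir"
    cfg=$(mktemp)
    # minimal openssl config so the example does not depend on the distro's openssl.cnf
    cat > "$cfg" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # self-signed CA; ca.key stays on the CA host and is never copied to a VPN peer
    openssl req -config "$cfg" -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=OpenVPN bridge CA" -keyout "$pki_dir/ca.key" -out "$pki_dir/ca.crt" 2>/dev/null
    issue_cert "$pki_dir" "$cfg" "$server_cn" serverAuth
    issue_cert "$pki_dir" "$cfg" "$client_cn" clientAuth
    rm -f "$cfg"
    chmod 0600 "$pki_dir"/*.key
    # DH parameters for the server side (slow, so not run here):
    #   openssl dhparam -out "$pki_dir/dh2048.pem" 2048
}

# check_cert DIR CN EKU_TEXT: 0 if DIR/CN.crt chains to DIR/ca.crt and its printed EKU
# contains EKU_TEXT (e.g. "TLS Web Server Authentication"); run this before shipping a cert
check_cert() {
    dir=$1; cn=$2; eku_text=$3
    openssl verify -CAfile "$dir/ca.crt" "$dir/$cn.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/$cn.crt" -noout -text | grep -q "$eku_text"
}

# usage: sh pki.sh init [DIR]   (DIR defaults to the placeholder /etc/openvpn/keys)
case "${1:-}" in
    init) make_pki "${2:-/etc/openvpn/keys}" server client ;;
esac
```

Copy only ca.crt, client.crt and client.key to the client, as the post says; ca.key never leaves the CA host. Adding "remote-cert-tls server" to the client configuration makes the client reject a server that presents a certificate without the serverAuth usage, which the check_cert call demonstrates by failing for the client certificate.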

# Create server side configuration /etc/openvpn/openvpn.conf
# Skip this on client
tls-server
port 1194
proto udp
dev tap0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
keepalive 5 15
#cipher none
#auth none
#comp-lzo
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 4
tun-mtu 1500
fragment 1372
mssfix 1282
passtos

# Create client side configuration /etc/openvpn/openvpn.conf
# Skip this on server
tls-client
# your server IP
remote 100.200.10.20
nobind
port 1194
proto udp
dev tap0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key /etc/openvpn/keys/client.key
dh /etc/openvpn/keys/dh1024.pem
keepalive 5 15
#cipher none
#auth none
#comp-lzo
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 4
tun-mtu 1500
fragment 1372
mssfix 1282
passtos

# Copy ca.crt, client.crt, client.key and dh1024.pem
# from server to /etc/openvpn/keys on client

# Disable OpenVPN startup from the init system (it is started from rc.local below, after the bridge exists)
update-rc.d openvpn disable # Ubuntu
chkconfig openvpn off # CentOS

# Add following lines to /etc/rc.local (/etc/rc.d/rc.local on CentOS) on both server and client
/etc/init.d/openvpn stop
/usr/sbin/openvpn --mktun --dev tap0
ifconfig tap0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up
brctl addbr br0
brctl addif br0 eth1
brctl addif br0 tap0
brctl stp br0 off
ifconfig br0 0.0.0.0 up
/etc/init.d/openvpn start
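
The rc.local lines above are not idempotent: a second run fails on brctl addbr and brctl addif, and nothing checks that eth1 exists before it is enslaved. The following is an added example, not the original post's script, of the same bring-up with those checks. It assumes the interface names br0, eth1 and tap0, ip(8) and brctl being available, and a DRYRUN=1 mode (my addition) that prints the privileged commands instead of running them so the sequence can be inspected without root.

```shell
#!/bin/sh
# Added example: idempotent bridge bring-up for the rc.local snippet above.
# Assumptions: interface names below are placeholders; ip(8) and brctl are installed.
set -eu

BRIDGE=${BRIDGE:-br0}
LAN_IF=${LAN_IF:-eth1}
TAP_IF=${TAP_IF:-tap0}
DRYRUN=${DRYRUN:-0}   # DRYRUN=1 prints each privileged command instead of executing it

run() {
    if [ "$DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# iface_exists NAME: true if the kernel knows NAME (always false in dry-run)
iface_exists() {
    [ "$DRYRUN" != 1 ] && [ -d "/sys/class/net/$1" ]
}

# in_bridge NAME: true if NAME is already a port of BRIDGE (always false in dry-run)
in_bridge() {
    [ "$DRYRUN" != 1 ] && [ -d "/sys/class/net/$BRIDGE/brif/$1" ]
}

# bridge_up: build BRIDGE from LAN_IF and TAP_IF. Neither port carries an IP address,
# so the host itself is not reachable on the bridged segment unless br0 is addressed.
bridge_up() {
    if [ "$DRYRUN" != 1 ] && ! [ -d "/sys/class/net/$LAN_IF" ]; then
        echo "bridge_up: $LAN_IF does not exist, refusing to build $BRIDGE" >&2
        return 1
    fi
    # persistent tap created once with --mktun; it survives openvpn restarts
    iface_exists "$TAP_IF" || run openvpn --mktun --dev "$TAP_IF"
    iface_exists "$BRIDGE" || run brctl addbr "$BRIDGE"
    run brctl stp "$BRIDGE" off
    for member in "$LAN_IF" "$TAP_IF"; do
        # drop any address so the port only forwards frames, then enslave it;
        # the bridge driver puts its ports into promiscuous mode by itself
        run ip addr flush dev "$member"
        run ip link set dev "$member" up
        in_bridge "$member" || run brctl addif "$BRIDGE" "$member"
    done
    run ip link set dev "$BRIDGE" up
}

# usage: sh bridge.sh up   (then start openvpn, which attaches to the existing tap0)
case "${1:-}" in
    up) bridge_up ;;
esac
```

Run it from rc.local before /etc/init.d/openvpn start, as in the post; with DRYRUN=1 it only lists the ten commands it would execute. Keep in mind that a bridge forwards every frame of the LAN segment over the tunnel, so whatever is on eth1 at one end becomes layer-2 adjacent to the other end's segment.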

# On Ubuntu you need to relax the rsyslog rate limit to see anything useful in the logs
echo '$SystemLogRateLimitInterval 2'>/etc/rsyslog.d/10-ratelimit.conf
echo '$SystemLogRateLimitBurst 5000'>>/etc/rsyslog.d/10-ratelimit.conf

# Reboot system. Done.

1 comment:

  1. With Ubuntu it's not needed to use openvpn stop, aka an init script, to set up a static adapter,

    just make an entry in interfaces like that:

    auto tun0
    iface tun0 inet static
    address 10.0.0.5
    netmask 255.255.255.255
    network 10.0.0.6
    pre-up openvpn --mktun --dev tun0

    done....

    However, do you have any idea how to do the same in CentOS?
    I really don't wanna do this by rc.init scripts;
    I need a solution to execute the mktun in Cent :))
