Bridged Mode OpenVPN Server on Debian HOWTO
From OpenVPN
OpenVPN bridged mode (aka road warrior) server on Debian
Introduction
These are notes I took while setting up a bridged mode OpenVPN server on Debian sarge. For the purposes of this document, I also describe configuring a second Debian machine as a client for testing.
Start setting up the server:
- http://openvpn.net/howto.html
- > apt-get install openvpn
- > cp /usr/share/doc/openvpn/examples/easy-rsa/* /etc/openvpn
- > cd /etc/openvpn
- > gunzip openssl.cnf.gz
- > vi vars
- set KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL
- > . ./vars
- > ./clean-all
- > ./build-ca
- set the common name to the name of the vpn server
- > ./build-key-server server
- accept defaults except for common name which should be "server"
- > ./build-key client1
- again, accept defaults except for common name which should be "client1"
- > ./build-dh
- > cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
- > gunzip /etc/openvpn/server.conf
- > vi server.conf
- follow the comments to edit the file for bridging (set "dev tap0", comment out the "server" subnet line, and set "server-bridge" to the server's private IP and the address range to hand out to clients)
- Set the ca cert and key directives to point to the full file names
- forward UDP port 1194 through the firewall to the VPN server
Set up the client:
- > apt-get install openvpn
- > cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn
- copy client1.* from /etc/openvpn/keys/ on the server to /etc/openvpn/keys/ on the client
- copy ca.crt from /etc/openvpn/keys/ on the server to /etc/openvpn/keys/ on the client
- > vi /etc/openvpn/client.conf
- follow the comments to edit the file for bridging
- Set the crt, key and ca locations
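Before starting either side, it is worth checking that the edits above actually took: the sample configs default to "dev tun", a forgotten "server" line conflicts with "server-bridge", and a world-readable key undoes the point of the PKI. The following checker is an added example, not part of the original HOWTO; it assumes GNU sed/grep/stat (as on Debian) and resolves relative ca/cert/key paths from the config file's directory, matching the init script's --cd.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): sanity-check a server.conf or
# client.conf edited for bridged mode before the tunnel is started.
#   check_ovpn_conf server /etc/openvpn/server.conf
#   check_ovpn_conf client /etc/openvpn/client.conf
# Assumes GNU sed/grep/stat; relative file paths resolve from the config's directory.
# Value of the first active (uncommented) DIRECTIVE line in FILE, or empty.
conf_get() {  # conf_get FILE DIRECTIVE
  sed -n 's/^[[:space:]]*'"$2"'[[:space:]]\{1,\}//p' "$1" | head -n 1
}
# True if DIRECTIVE appears as an active line (a leading ';' or '#' disables it).
conf_has() {  # conf_has FILE DIRECTIVE
  grep -q -E '^[[:space:]]*'"$2"'([[:space:]]|$)' "$1"
}
problem() { echo "$conf: $*"; errors=$((errors + 1)); }
# A referenced file must exist; the private key must not be group/world readable.
check_file() {  # check_file DIRECTIVE PATH
  f=$2
  case "$f" in /*) ;; *) f="$dir/$f" ;; esac
  [ -r "$f" ] || { problem "$1 '$2' not found"; return; }
  if [ "$1" = key ]; then
    case "$(stat -c %a "$f")" in *00) ;; *) problem "key '$2' is readable by others; chmod 600 it" ;; esac
  fi
}
# Returns the number of problems found (0 = looks sane for bridged mode).
check_ovpn_conf() {  # check_ovpn_conf server|client FILE
  mode=$1 conf=$2 dir=$(dirname "$2") errors=0
  [ -r "$conf" ] || { echo "$conf: not readable"; return 1; }
  # Bridging needs a TAP device on both ends; the sample configs default to tun.
  case "$(conf_get "$conf" dev)" in
    tap*) ;;
    *) problem "'dev' must name a tap device for bridging (e.g. dev tap0)" ;;
  esac
  if [ "$mode" = server ]; then
    # The routed-mode 'server' line and 'server-bridge' are mutually exclusive.
    conf_has "$conf" server && problem "'server' (routed mode) is still active; comment it out"
    conf_has "$conf" server-bridge || problem "'server-bridge' is missing"
    files="ca cert key dh"
  else
    conf_has "$conf" remote || problem "'remote' (the server's address) is missing"
    files="ca cert key"
  fi
  for d in $files; do
    v=$(conf_get "$conf" "$d")
    [ -n "$v" ] || { problem "'$d' directive is missing"; continue; }
    check_file "$d" "$v"
  done
  return $errors
}
```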
Start the server and client on machines on different sides of the router
- On both client and server
- > vi /etc/group
- Add a group named "nobody" (I set the gid equal to the uid of the "nobody" user)
- copy my openvpn-bridge script (see the Scripts section below) to /usr/local/bin
- > vi /etc/group
- On the server
- > openvpn /etc/openvpn/server.conf
- On the client
- > openvpn /etc/openvpn/client.conf
- test that the vpn initializes on both client and server
Configure the server for bridging
- http://openvpn.net/bridge.html#linuxscript
- > apt-get install bridge-utils
- > vi /usr/local/bin/openvpn-bridge
- Set the eth, eth_ip, eth_netmask, eth_broadcast, and gw parameters to those used on the network
- > /usr/local/bin/openvpn-bridge start
- test network connectivity
- > /usr/local/bin/openvpn-bridge stop
- test network connectivity
- copy my openvpn_init-script to /etc/init.d/openvpn
- > /etc/init.d/openvpn start
- test vpn
- > /etc/init.d/openvpn stop
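For the "test network connectivity" and "test vpn" steps, the usual failure is a bridge that exists but is missing a port (the tap device was not added, or eth0 was never moved into br0), which leaves clients with a tunnel and no LAN. The checker below is an added example, not part of the original HOWTO; it reads "brctl show" output from a file or stdin (so it can be tested offline) and verifies that the bridge holds exactly the expected ports. Usage: brctl show | check_bridge br0 "eth0 tap0".

```shell
#!/bin/sh
# Added example (not from the original HOWTO): confirm that the bridge built by
# openvpn-bridge contains the physical interface and every TAP device.
# Print "BRIDGE IFACE" pairs from 'brctl show' output read on stdin.
# brctl lists extra ports of the same bridge on indented continuation lines.
bridge_ports() {
  awk 'NR == 1 { next }                                   # skip the header line
       /^[^[:space:]]/ { br = $1; if (NF >= 4) print br, $4; next }
       NF { print br, $1 }'
}
# check_bridge BRIDGE "IFACE ..." [FILE]: returns 0 only if BRIDGE has exactly
# those ports; prints each missing or unexpected port otherwise.
check_bridge() {
  br=$1 want=$2 file=${3:-/dev/stdin} rc=0
  have=$(bridge_ports < "$file" | awk -v b="$br" '$1 == b { print $2 }')
  [ -n "$have" ] || { echo "bridge $br does not exist or has no ports"; return 1; }
  for i in $want; do
    echo "$have" | grep -qx "$i" || { echo "$br: missing port $i"; rc=1; }
  done
  for i in $have; do
    case " $want " in *" $i "*) ;; *) echo "$br: unexpected port $i"; rc=1 ;; esac
  done
  return $rc
}
```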
Scripts
openvpn-bridge
#!/bin/bash
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="10.1.1.31"
eth_netmask="255.0.0.0"
eth_broadcast="10.255.255.255"
gw="10.1.1.1"

case "$1" in
  start)
    # Create the persistent TAP device(s) that OpenVPN will attach to
    for t in $tap; do
      openvpn --mktun --dev $t
    done

    # Create the bridge and add the physical and TAP interfaces as ports
    brctl addbr $br
    brctl addif $br $eth
    for t in $tap; do
      brctl addif $br $t
    done

    # Bridge ports carry no address of their own; the LAN address moves to br0
    for t in $tap; do
      ifconfig $t 0.0.0.0 promisc up
    done
    ifconfig $eth 0.0.0.0 promisc up
    ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
    route add default gw $gw
    ;;
  stop)
    # Tear the bridge down and give the address back to the physical interface
    ifconfig $br down
    brctl delbr $br
    for t in $tap; do
      openvpn --rmtun --dev $t
    done
    ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast
    route add default gw $gw
    ;;
  *)
    echo "usage openvpn-bridge {start|stop}"
    exit 1
    ;;
esac

exit 0
openvpn_init-script
#!/bin/sh -e
#
# Original version by Robert Leslie
# <rob@mars.org>, edited by iwj and cs
# Modified for openvpn by Alberto Gonzalez Iniesta <agi@inittab.org>
# Modified for restarting / starting / stopping single tunnels by Richard Mueller <mueller@teamix.net>
# Modified to add bridge control by Josh Vickery <vickeryj@freeshell.org>
#
# Note: the bridge is built in start_vpn and torn down in stop_vpn, i.e. once
# per VPN config, so this is written for a single bridged server.conf.

test $DEBIAN_SCRIPT_DEBUG && set -v -x

DAEMON=/usr/sbin/openvpn
DESC="virtual private network daemon"
CONFIG_DIR=/etc/openvpn
BRIDGE_CTL=/usr/local/bin/openvpn-bridge
test -x $DAEMON || exit 0
test -d $CONFIG_DIR || exit 0

# Source defaults file; edit that file to configure this script.
AUTOSTART="all"
STATUSREFRESH=10
if test -e /etc/default/openvpn ; then
  . /etc/default/openvpn
fi

start_vpn () {
  if grep -q '^[[:space:]]*daemon' $CONFIG_DIR/$NAME.conf ; then
    # daemon already given in config file
    DAEMONARG=
  else
    # need to daemonize
    DAEMONARG="--daemon ovpn-$NAME"
  fi
  if grep -q '^[[:space:]]*status ' $CONFIG_DIR/$NAME.conf ; then
    # status file already given in config file
    STATUSARG=""
  elif test $STATUSREFRESH -eq 0 ; then
    # default status file disabled in /etc/default/openvpn
    STATUSARG=""
  else
    # prepare default status file
    STATUSARG="--status /var/run/openvpn.$NAME.status $STATUSREFRESH"
  fi
  # bring up the bridge (br0 with eth0 and tap0) before the daemon attaches to tap0
  $BRIDGE_CTL start
  $DAEMON --writepid /var/run/openvpn.$NAME.pid \
    $DAEMONARG $STATUSARG --cd $CONFIG_DIR \
    --config $CONFIG_DIR/$NAME.conf || echo -n " FAILED->"
  echo -n " $NAME"
}

stop_vpn () {
  kill `cat $PIDFILE` || true
  rm $PIDFILE
  [ -e /var/run/openvpn.$NAME.status ] \
    && rm /var/run/openvpn.$NAME.status
  # tear the bridge down and give eth0 its address back
  $BRIDGE_CTL stop
}

case "$1" in
start)
  echo -n "Starting $DESC:"
  # autostart VPNs
  if test -z "$2" ; then
    # check if automatic startup is disabled by AUTOSTART=none
    if test "x$AUTOSTART" = "xnone" -o -z "$AUTOSTART" ; then
      echo " Autostart disabled."
      exit 0
    fi
    if test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then
      # all VPNs shall be started automatically
      for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do
        NAME=${CONFIG%%.conf}
        start_vpn
      done
    else
      # start only specified VPNs
      for NAME in $AUTOSTART ; do
        if test -e $CONFIG_DIR/$NAME.conf ; then
          start_vpn
        else
          echo -n " (failure: No such VPN: $NAME)"
        fi
      done
    fi
  # start VPNs from command line
  else
    while shift ; do
      [ -z "$1" ] && break
      if test -e $CONFIG_DIR/$1.conf ; then
        NAME=$1
        start_vpn
      else
        echo -n " (failure: No such VPN: $1)"
      fi
    done
  fi
  echo "."
  ;;
stop)
  echo -n "Stopping $DESC:"
  if test -z "$2" ; then
    for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
      # strip the 17-character "/var/run/openvpn." prefix and the .pid suffix
      NAME=`echo $PIDFILE | cut -c18-`
      NAME=${NAME%%.pid}
      stop_vpn
      echo -n " $NAME"
    done
  else
    while shift ; do
      [ -z "$1" ] && break
      if test -e /var/run/openvpn.$1.pid ; then
        PIDFILE=`ls /var/run/openvpn.$1.pid 2> /dev/null`
        NAME=`echo $PIDFILE | cut -c18-`
        NAME=${NAME%%.pid}
        stop_vpn
        echo -n " $NAME"
      else
        echo -n " (failure: No such VPN is running: $1)"
      fi
    done
  fi
  echo "."
  ;;
# We only 'reload' for running VPNs. New ones will only start with 'start' or 'restart'.
reload|force-reload)
  echo -n "Reloading $DESC:"
  for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
    NAME=`echo $PIDFILE | cut -c18-`
    NAME=${NAME%%.pid}
    # If openvpn is running under a different user than root we'll need to restart
    if egrep '^[[:space:]]*user' $CONFIG_DIR/$NAME.conf > /dev/null 2>&1 ; then
      stop_vpn
      sleep 1
      start_vpn
      echo -n "(restarted)"
    else
      kill -HUP `cat $PIDFILE` || true
      echo -n " $NAME"
    fi
  done
  echo "."
  ;;
restart)
  shift
  $0 stop ${@}
  sleep 1
  $0 start ${@}
  ;;
cond-restart)
  echo -n "Restarting $DESC:"
  for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
    NAME=`echo $PIDFILE | cut -c18-`
    NAME=${NAME%%.pid}
    stop_vpn
    sleep 1
    start_vpn
  done
  echo "."
  ;;
*)
  echo "Usage: $0 {start|stop|reload|restart|force-reload|cond-restart}" >&2
  exit 1
  ;;
esac

exit 0

# vim:set ai sts=2 sw=2 tw=0:

