OpenVPN VPN Bridging
Latest revision as of 02:22, 20 February 2019
WARNING: This procedure could break networking, proceed with extreme caution!
Do not do this remotely: the steps below take the LAN address off eth0 and hand it to the bridge, so an SSH session running over eth0 will be cut off halfway through. Only do it from your HDA itself.
NOTE: Shut down your current VPN before modifying the configs, and start it again once you have finished configuring it.
Here's the procedure you need to follow in order to have your VPN clients get IP addresses in the same subnet as your HDA. This lets traffic that a routed VPN would not carry, such as the broadcast traffic used for autodetection by protocols like DLNA and DHCP, cross your VPN bridge. The flip side is that a bridged client becomes a full layer-2 member of your LAN, so only issue client certificates to machines you would plug straight into your switch.
For example, if your HDA's IP is 192.168.0.2, by default, connecting to it using an OpenVPN client will give your client computer an IP address like 10.8.0.x. The following procedure will change this so that your client will receive an IP address like 192.168.0.x.
These steps need to be done as root user:
<pre>yum -y install bridge-utils
nano /etc/openvpn/openvpn-startup</pre>
Add this at the end of the file:
<pre>#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

br="br0"
tap="tap0"
eth="eth0"

# Read eth0's current address, netmask and broadcast from the (net-tools) ifconfig output
eth_ip=`ifconfig | grep -A 1 $eth | tail -1 | awk -F':' '{printf $2}' | awk '{print $1}'`
eth_netmask=`ifconfig | grep -A 1 $eth | tail -1 | awk -F':' '{printf $4}' | awk '{print $1}'`
eth_broadcast=`ifconfig | grep -A 1 $eth | tail -1 | awk -F':' '{printf $3}' | awk '{print $1}'`

# Create the persistent tap device that OpenVPN will attach to
openvpn --mktun --dev $tap

# Bridge the LAN interface and the tap device together
brctl addbr $br
brctl addif $br $eth
brctl addif $br $tap

# Move the LAN address from eth0 onto the bridge
ifconfig $tap 0.0.0.0 promisc up
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
ifconfig $eth 0.0.0.0 promisc up</pre>
The three ifconfig pipelines parse the old net-tools output format ("inet addr:... Bcast:... Mask:..."), so check that ifconfig on your HDA still prints it before relying on them. Also note that when eth0 loses its address the kernel drops every route that pointed out of it, including the default route; if the HDA has no internet access after the bridge comes up, re-add the gateway on the bridge with route add default gw GATEWAY br0.
<pre>nano /etc/openvpn/openvpn-shutdown</pre>
Add this text to the file:
<pre>#!/bin/sh

####################################
# Tear Down Ethernet bridge on Linux
####################################

br="br0"
tap="tap0"
eth="eth0"

# The LAN address now lives on the bridge, so read it from br0, not eth0
eth_ip=`ifconfig | grep -A 1 $br | tail -1 | awk -F':' '{printf $2}' | awk '{print $1}'`
eth_netmask=`ifconfig | grep -A 1 $br | tail -1 | awk -F':' '{printf $4}' | awk '{print $1}'`
eth_broadcast=`ifconfig | grep -A 1 $br | tail -1 | awk -F':' '{printf $3}' | awk '{print $1}'`

ifconfig $br down
brctl delbr $br

openvpn --rmtun --dev $tap

# Give the address back to eth0
if [ "$eth_ip" != "" ]; then
    ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast
fi</pre>
<pre>chmod +x /etc/openvpn/openvpn-shutdown
nano /etc/openvpn/amahi.conf</pre>
Remove the line that contains dev tun and replace it with this:
<pre>mode server
tls-server
dev tap0</pre>
Also remove (or comment out) the lines that start with server and ifconfig-pool-persist. The server directive is what sets up the routed 10.8.0.x address pool (and it implies mode server and tls-server, which is why those two are now written out explicitly); in bridge mode each client sets its own address instead, as described below.
Then open the firewall for the new interfaces and restart the service:
<pre>iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
service openvpn restart</pre>
Note that br0 is now your LAN interface: these rules accept all traffic arriving on it, and any existing iptables rules that match on eth0 will no longer see LAN traffic, so review your firewall after the change.
- In your OpenVPN client configuration (such as Amahi HDAConnect for Windows users), replace dev tun with dev tap. Because the server no longer hands out addresses, you also need to add a line that gives the client a static IP in the HDA's subnet:
<pre>ifconfig 192.168.0.x 255.255.255.0</pre>
Replace "x" in the IP address above with the address you want your client to use. Give every client a different address and keep them outside your router's DHCP range, otherwise a client may collide with an address the DHCP server has leased to another device on the LAN.
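The script below is an added example, not Amahi's openvpn-startup script or anything shipped by the Amahi project, and it goes one step beyond the procedure above: it builds the bridge-up commands with iproute2 (ip) instead of net-tools ifconfig, refuses to run when the current SSH session terminates on the address that is about to move (the reason for the warning not to do this remotely), re-adds the default route on br0 (the kernel drops it when eth0 loses its address), and checks an amahi.conf-style server config for the edits described above. The interface names eth0, br0 and tap0, the sample ip output and the two config fragments are constructed for illustration; bridge_up_apply is the only function that touches the system and nothing here calls it.

```sh
# Added example, not Amahi's openvpn-startup: plan the bridge-up step with
# iproute2, guard against cutting off your own SSH session and losing the
# default route, and check a server config for bridge mode. Only
# bridge_up_apply touches the system, and nothing here calls it.
# Interface names and all sample command output below are constructed.

# parse_ip4 LINE: LINE is one line of `ip -o -4 addr show dev ETH`.
# Prints "ADDR/PREFIX BROADCAST" ("-" if the interface has no broadcast).
parse_ip4() {
    printf '%s\n' "$1" | awk '{
        cidr = ""; brd = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "inet") cidr = $(i + 1)
            if ($i == "brd")  brd  = $(i + 1)
        }
        if (cidr != "") print cidr, brd
    }'
}

# parse_gw TEXT: TEXT is `ip -4 route show default`; prints the gateway, if any.
parse_gw() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i <= NF; i++) if ($i == "via") { print $(i + 1); exit }
    }'
}

# ssh_over_iface ADDR [SSH_CONNECTION]: true when the current SSH session
# terminates on ADDR, i.e. it dies the moment ADDR is taken off its interface.
ssh_over_iface() {
    addr=$1
    set -- ${2-$SSH_CONNECTION}   # client_ip client_port server_ip server_port
    [ "$#" -ge 3 ] && [ "$3" = "$addr" ]
}

# plan_bridge_up ETH BR TAP CIDR BRD GW: prints, without running, the commands
# that enslave ETH and TAP to BR and move ETH's address onto BR. The default
# route is re-added on BR: the kernel drops it when ETH loses its address.
plan_bridge_up() {
    eth=$1 br=$2 tap=$3 cidr=$4 brd=$5 gw=$6
    brd_opt=""
    if [ "$brd" != "-" ]; then brd_opt=" broadcast $brd"; fi
    cat <<EOF
openvpn --mktun --dev $tap
ip link add name $br type bridge
ip link set dev $eth master $br
ip link set dev $tap master $br
ip link set dev $tap up promisc on
ip addr flush dev $eth
ip link set dev $eth up promisc on
ip addr add $cidr$brd_opt dev $br
ip link set dev $br up
EOF
    if [ -n "$gw" ]; then echo "ip route add default via $gw dev $br"; fi
}

# bridge_conf_problems CONF: one line per thing still wrong with an OpenVPN
# server config for this setup; prints nothing once the edits above are done.
bridge_conf_problems() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*([#;]|$)/        { next }
        $1 == "dev" && $2 ~ /^tap/     { tap = 1 }
        $1 == "mode" && $2 == "server" { mode = 1 }
        $1 == "tls-server"             { tls = 1 }
        $1 == "server"                 { print "remove: server (routed tun pool)" }
        $1 == "ifconfig-pool-persist"  { print "remove: ifconfig-pool-persist" }
        END {
            if (!tap)  print "missing: dev tap0"
            if (!mode) print "missing: mode server"
            if (!tls)  print "missing: tls-server"
        }'
}

# bridge_up_apply [ETH BR TAP]: the real run, as root on the HDA console.
bridge_up_apply() {
    eth=${1:-eth0} br=${2:-br0} tap=${3:-tap0}
    set -- $(parse_ip4 "$(ip -o -4 addr show dev "$eth" | head -n 1)")
    [ "$#" -eq 2 ] || { echo "no IPv4 address on $eth" >&2; return 1; }
    if ssh_over_iface "${1%/*}"; then
        echo "refusing: this SSH session terminates on $eth ($1)" >&2; return 1
    fi
    plan_bridge_up "$eth" "$br" "$tap" "$1" "$2" "$(parse_gw "$(ip -4 route show default)")" | sh -e
}

# Constructed samples standing in for live command output and amahi.conf.
SAMPLE_ADDR='2: eth0    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth0\       valid_lft forever preferred_lft forever'
SAMPLE_ROUTE='default via 192.168.0.1 dev eth0 proto dhcp metric 100'
ROUTED_CONF='port 1194
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt'
BRIDGED_CONF='port 1194
mode server
tls-server
dev tap0
# server 10.8.0.0 255.255.255.0'

addr_brd=$(parse_ip4 "$SAMPLE_ADDR")
plan_bridge_up eth0 br0 tap0 $addr_brd "$(parse_gw "$SAMPLE_ROUTE")"
bridge_conf_problems "$ROUTED_CONF"
```

Run as-is it only prints the planned commands for the constructed sample and the list of problems with the routed config. To use it for real, call bridge_up_apply as root from the HDA console; it reads the live ip output, aborts if your SSH session would be cut, and pipes the plan through sh -e so the first failing command stops the sequence instead of leaving a half-built bridge.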