Difference between revisions of "OpenVPN VPN Bridging"

From Amahi Wiki

Changes from the previous revision, summarised from the wiki diff view:

  • The heading "This is a work in progress... It doesn't work yet!" was removed.
  • The previous revision copied bridge-start from /usr/share/doc/openvpn-2.1.1/sample-scripts/ into /etc/openvpn/ and asked the reader to replace the eth_ip, eth_netmask and eth_broadcast values by hand with the output of:
    ifconfig | grep -A 1 eth0 | tail -1 | awk -F':' '{print $2,$3,$4}' | awk '{print $1,$5,$3}'
    This revision instead gives complete bridge-start and bridge-stop scripts that read those values themselves, runs bridge-start from openvpn-startup instead of by hand, and adds an openvpn-shutdown hook that runs bridge-stop.
  • The server configuration now gets tls-server in addition to mode server and dev tap0, and a client configuration step (dev tap plus a static ifconfig line) was added.

Revision as of 20:48, 31 January 2010

VPN Bridging

Here's the procedure you need to follow in order to have your VPN clients get IP addresses in the same subnet as your HDA.

For example, if your HDA's IP is 192.168.0.2, by default, connecting to it using an OpenVPN client will give your client computer an IP address like 10.8.0.x. The following procedure will change this so that your client will receive an IP address like 192.168.0.x.

  • sudo yum install bridge-utils
  • sudo nano /etc/openvpn/bridge-start
#!/bin/bash

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

br="br0"
tap="tap0"

eth="eth0"
# Read the LAN address, netmask and broadcast of $eth from the legacy
# net-tools ifconfig output ("inet addr:A  Bcast:B  Mask:M"); the bridge
# takes over these values below
eth_ip=`ifconfig | grep -A 1 $eth | tail -1 | awk -F':' '{printf $2}' | awk '{print $1}'`
eth_netmask=`ifconfig | grep -A 1 $eth | tail -1 | awk -F':' '{printf $4}' | awk '{print $1}'`
eth_broadcast=`ifconfig | grep -A 1 $eth | tail -1 | awk -F':' '{printf $3}' | awk '{print $1}'`

# Create the persistent TAP device that OpenVPN will use
openvpn --mktun --dev $tap

# Bridge the LAN interface and the TAP device
brctl addbr $br
brctl addif $br $eth
brctl addif $br $tap

# Move the LAN address from $eth to the bridge; $eth and $tap carry no
# address of their own and run in promiscuous mode as bridge ports
ifconfig $tap 0.0.0.0 promisc up
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
ifconfig $eth 0.0.0.0 promisc up
  • sudo nano /etc/openvpn/bridge-stop
#!/bin/bash

####################################
# Tear Down Ethernet bridge on Linux
####################################

br="br0"
tap="tap0"
eth="eth0"
# Read the address, netmask and broadcast back from the bridge ($br now
# holds the LAN address that bridge-start moved off $eth)
eth_ip=`ifconfig | grep -A 1 $br | tail -1 | awk -F':' '{printf $2}' | awk '{print $1}'`
eth_netmask=`ifconfig | grep -A 1 $br | tail -1 | awk -F':' '{printf $4}' | awk '{print $1}'`
eth_broadcast=`ifconfig | grep -A 1 $br | tail -1 | awk -F':' '{printf $3}' | awk '{print $1}'`

# Bring the bridge down and delete it (this also releases its ports)
ifconfig $br down
brctl delbr $br

# Remove the persistent TAP device(s)
for t in $tap; do
    openvpn --rmtun --dev $t
done

# Restore the LAN address to $eth only if one was read from the bridge
if [ "$eth_ip" != "" ]; then
    ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast
fi
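The two scripts above pull the address, netmask and broadcast out of legacy ifconfig output with grep/awk and use whatever comes back. If that parse returns an empty string (no address on the interface, a different interface name, or a newer ifconfig format) bridge-start still moves eth0 to 0.0.0.0 and the HDA drops off the LAN. The following is an added example, not a script from the Amahi wiki or the OpenVPN project: it does the same extraction as a function and validates all three values before they are used. The function names and the sample ifconfig text are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the Amahi wiki page: extract an interface's IPv4
# address, netmask and broadcast from legacy net-tools ifconfig output the way
# bridge-start does, but validate the result before anything is reconfigured.
# Function names and the sample ifconfig text are constructed for this example.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        BEGIN { bad = 0 }
        NF != 4 { bad = 1 }
        { for (i = 1; i <= NF; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) bad = 1 }
        END { exit bad }'
}

# Print "address netmask broadcast" for interface $2, parsed from the ifconfig
# text in $1. Prints nothing and returns 1 if the interface is missing or any
# of the three fields is absent (as on lo, which has no Bcast).
inet_params() {
    params=$(printf '%s\n' "$1" | awk -v dev="$2" '
        /^[^ ]/ { want = ($1 == dev) }            # interface header line
        want && $1 == "inet" {                    # "inet addr:A  Bcast:B  Mask:M"
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")
                if (kv[1] == "addr")  ip = kv[2]
                if (kv[1] == "Bcast") bc = kv[2]
                if (kv[1] == "Mask")  nm = kv[2]
            }
            if (ip != "" && nm != "" && bc != "") print ip, nm, bc
            exit
        }')
    [ -n "$params" ] || return 1
    printf '%s\n' "$params"
}

# Return 0 only if $1 holds three well-formed IPv4 values; bridge-start should
# not move the LAN address onto br0 otherwise, or the HDA drops off the network.
check_bridge_params() {
    set -- $1
    [ $# -eq 3 ] && is_ipv4 "$1" && is_ipv4 "$2" && is_ipv4 "$3"
}

# Constructed sample of net-tools ifconfig output (not captured from a real host).
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1'

# Guarded version of the address step: prints the values, or returns 1 with a message.
bridge_params_or_abort() {
    p=$(inet_params "$1" "$2") || { echo "no usable IPv4 address on $2; not bridging" >&2; return 1; }
    check_bridge_params "$p" || { echo "malformed address data for $2: $p" >&2; return 1; }
    printf '%s\n' "$p"
}

bridge_params_or_abort "$SAMPLE_IFCONFIG" eth0
bridge_params_or_abort "$SAMPLE_IFCONFIG" lo || echo "(lo correctly rejected)"
```

In a real bridge-start you would replace the three backtick lines with a call to bridge_params_or_abort on the live ifconfig output and exit before openvpn --mktun if it fails, so a parse failure leaves eth0 untouched instead of taking the HDA off the network.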
  • sudo chmod +x /etc/openvpn/bridge-start; sudo chmod +x /etc/openvpn/bridge-stop
  • sudo nano /etc/openvpn/openvpn-startup

Add one line at the end of the file:

/etc/openvpn/bridge-start
  • sudo nano /etc/openvpn/openvpn-shutdown
/etc/openvpn/bridge-stop
  • sudo chmod +x /etc/openvpn/openvpn-shutdown
  • sudo nano /etc/openvpn/amahi.conf

Remove the line that contains dev tun and replace it with these three lines:

mode server
tls-server
dev tap0

And remove (or comment out) the lines that start with server and ifconfig-pool-persist.

  • Repeat the last step with /etc/openvpn/amahi-dup-cn.conf
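The same edit has to be made to amahi.conf and then again to amahi-dup-cn.conf, and a missed line (an active server directive left behind, or dev tun still present) shows up only when the tap server fails to start. The following is an added example, not part of the Amahi wiki or of Amahi's own tooling: it applies the edit described above with awk and then checks the result. The function names and the sample config are constructed; the sample is not the file Amahi generates.

```shell
#!/bin/sh
# Added example, not part of the Amahi wiki page: apply the amahi.conf edits
# described above to an OpenVPN server config non-interactively, so the same
# change can be repeated for amahi-dup-cn.conf and verified afterwards.
# The function names and the sample config are constructed; the sample is not
# the file Amahi generates.

# Rewrite $1 into $2: the "dev tun" line becomes the three bridging lines,
# and the "server" and "ifconfig-pool-persist" directives are commented out.
tun_to_tap_config() {
    awk '
        $1 == "dev" && $2 ~ /^tun/ {
            print "mode server"; print "tls-server"; print "dev tap0"; next
        }
        $1 == "server" || $1 == "ifconfig-pool-persist" { print "#" $0; next }
        { print }
    ' "$1" > "$2"
}

# Check a config for the intended result: a single "dev tap0", both "mode server"
# and "tls-server" present, and no active server/ifconfig-pool-persist lines.
# Prints each problem found and returns 1 if there were any.
check_tap_config() {
    awk '
        $1 == "dev" { devs++; if ($2 != "tap0") bad_dev = 1 }
        $1 == "mode" && $2 == "server" { mode = 1 }
        $1 == "tls-server" { tls = 1 }
        $1 == "server" || $1 == "ifconfig-pool-persist" { leftover = 1 }
        END {
            rc = 0
            if (devs != 1 || bad_dev) { print "expected exactly one dev line: dev tap0"; rc = 1 }
            if (!mode || !tls) { print "mode server or tls-server missing"; rc = 1 }
            if (leftover) { print "server / ifconfig-pool-persist still active"; rc = 1 }
            exit rc
        }
    ' "$1"
}

# Write a constructed tun-mode server config (not Amahi's real file) to $1.
write_sample_config() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
persist-key
EOF
}

# Demonstration on a throwaway copy.
WORK=$(mktemp -d)
write_sample_config "$WORK/amahi.conf"
tun_to_tap_config "$WORK/amahi.conf" "$WORK/amahi.conf.tap"
if check_tap_config "$WORK/amahi.conf.tap"; then
    echo "converted config:"; cat "$WORK/amahi.conf.tap"
fi
rm -rf "$WORK"
```

Running check_tap_config against both /etc/openvpn/amahi.conf and /etc/openvpn/amahi-dup-cn.conf before the service restart catches a half-done edit on either file.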
  • sudo iptables -A INPUT -i tap0 -j ACCEPT
  • sudo iptables -A INPUT -i br0 -j ACCEPT
  • sudo iptables -A FORWARD -i br0 -j ACCEPT
  • sudo service openvpn restart
  • In your OpenVPN client configuration, change dev tun to dev tap. You'll also need to add a line that makes the client IP static:
ifconfig 192.168.1.2 255.255.255.0
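The three iptables commands above use -A, which appends to the end of the chain. On a host whose INPUT chain already ends in a catch-all REJECT (the Fedora default of that period), the appended ACCEPT rules sit behind the REJECT and never match, so tap0 traffic is still rejected after the restart. The following is an added example, not from the Amahi wiki or the iptables project: it reads an "iptables -S INPUT" style listing and reports whether the tap0 and br0 ACCEPT rules are reachable, and at which position they would need to be inserted. The function names and both sample listings are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the Amahi wiki page: check where the tap0/br0
# ACCEPT rules landed in the INPUT chain. "iptables -A" appends to the end of
# the chain, so on a host whose chain already ends in a catch-all REJECT the
# appended rules sit behind it and never match. Input is the text of
# "iptables -S <chain>"; the function names and the sample listings below are
# constructed for this example.

# Return 0 if a "-i <iface> -j ACCEPT" rule ($2 = interface) appears in listing $1
# before the first catch-all REJECT/DROP rule (a rule whose only option is -j).
accept_precedes_catchall() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        BEGIN { found = 0 }
        $1 != "-A" { next }                          # skip -P/-N lines
        {
            iface = 0; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-i" && $(i + 1) == dev) iface = 1
                if ($i == "-j") target = $(i + 1)
            }
            if (iface && target == "ACCEPT") { found = 1; exit }
            if ($3 == "-j" && (target == "REJECT" || target == "DROP")) exit
        }
        END { exit !found }'
}

# Print the 1-based rule number of the first catch-all REJECT/DROP in listing $1
# (the position to pass to "iptables -I <chain> N ..."), or nothing if none.
first_catchall_index() {
    printf '%s\n' "$1" | awk '
        $1 != "-A" { next }
        { n++ }
        $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { print n; exit }'
}

# Constructed listing: the rules from the page appended with -A behind the
# default REJECT, so tap0 and br0 traffic is still rejected.
APPENDED='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i tap0 -j ACCEPT
-A INPUT -i br0 -j ACCEPT'

# Constructed listing: the same rules inserted in front of the REJECT.
INSERTED='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i tap0 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

for dev in tap0 br0; do
    if accept_precedes_catchall "$APPENDED" "$dev"; then
        echo "$dev: ACCEPT rule is reachable"
    else
        pos=$(first_catchall_index "$APPENDED")
        echo "$dev: ACCEPT rule is behind the catch-all; re-add it with: iptables -I INPUT $pos -i $dev -j ACCEPT"
    fi
done
```

On the live host, feed it the real output (accept_precedes_catchall "$(iptables -S INPUT)" tap0) after the restart. The check only answers whether the rules are reachable; whether an unconditional ACCEPT on br0, which is now the whole LAN side of the HDA, is the exposure you want is a separate decision to make before adding it.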