With the latest release of OpenVPN and wanting to VPN into my home network, I sat down to figure out the ‘Gentoo Way’.
Thanks to Bret Towe (Magnade) on Freenode for some help on the bridging and configuration.
The Gentoo Forums was my starting point; notably this post.
I decided on using OpenVPN's bridging capabilities instead of the Howto's routed setup. A bridge joins several interfaces (eth, tap, ppp, etc.) into one layer-2 segment, so VPN clients sit on the same subnet as the LAN hosts and see the same broadcast traffic. Each approach has trade-offs. With a bridge the member interfaces are put into promiscuous mode and the host sees every frame on the segment; on a large network the CPU burns more cycles deciding which frames are actually addressed to the server. With only two computers on my home network I don't see this becoming a problem, and bridging saves me from managing routes.
h4. Network Layout
My home network is the typical 192.168.0.0/24 subnet. I kept it as is, because the networks I typically connect from will normally not be on the same subnet. The OpenVPN manual suggests moving a LAN you intend to VPN into onto a less common private range (something in 172.16.0.0/12 or 10.0.0.0/8), because a client sitting on a remote 192.168.0.0/24 LAN would otherwise have the local network and the VPN competing for the same addresses.
h3. Server Configuration
h4. Kernel
I am using the 2.6.11-gentoo-r6 kernel. Run _make menuconfig_ and search the config menus with the / key for _bridge_. Enable CONFIG_BRIDGE (802.1d bridging), CONFIG_TUN (the tun/tap driver OpenVPN uses for tap0) and CONFIG_BRIDGE_NETFILTER (lets iptables filter frames crossing the bridge). If you build these as modules, make sure to modprobe them and add them to the autoload list so they are loaded at boot.
_emerge bridge-utils_ to get the bridge utilities on your system.
h4. Bridge Configuration the Gentoo Way
My main ethernet card is eth0, with the static address 192.168.0.4; the gateway is 192.168.0.1. *Don't try this from a remote shell.* The first step stops net.eth0, which drops any SSH session riding on it, so you must be present at the machine.
# /etc/init.d/net.eth0 stop
# rc-update del net.eth0 default
# cd /etc/init.d/ ; cp net.eth0 net.br0 ; rc-update add net.br0 default
Edit /etc/conf.d/net:
iface_br0="192.168.0.4 broadcast 192.168.0.255 netmask 255.255.255.0"
gateway="br0/192.168.0.1"
Edit /etc/conf.d/bridge:
bridge="br0"
bridge_br0_devices="eth0 tap0"
The tap0 device is created by OpenVPN when it starts, so the bridge has to come up after OpenVPN.
Change the depend in /etc/init.d/bridge to depend on OpenVPN:
depend() {
need openvpn
use modules openvpn
}
Change the depend in /etc/init.d/net.br0 to depend on bridge:
depend() {
use hotplug pcmcia bridge
}
Edit /etc/openvpn/home-server/local.conf:
port 1194 # or any other port you want to use
dev tap0
tls-server
ca ca.crt
cert gateway.crt
key gateway.key
dh dh1024.pem
tls-auth ta.key 0 # server side uses key direction 0; clients use 1
mode server
server-bridge 192.168.0.4 255.255.255.0 192.168.0.128 192.168.0.254
comp-lzo
status openvpn-status.log
verb 5
Follow the instructions in the Howto to generate the CA, the server and client certificates and the tls-auth key. _server-bridge_ is a helper directive: it expands to _mode server_, _tls-server_ and an _ifconfig-pool_, so the explicit _mode server_ and _tls-server_ lines above are redundant but harmless. Its arguments are the bridge's own address, the netmask, and the pool handed out to clients, here 192.168.0.128 through 192.168.0.254. Exclude that range from the LAN's DHCP server, otherwise a LAN host and a VPN client can end up with the same address. The 1024-bit DH parameters (dh1024.pem) were the Howto's default at the time; generate 2048-bit or larger today.
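Because a bridged pool that overlaps the DHCP range only shows up as intermittent address clashes, it is worth checking the _server-bridge_ line mechanically before the first client connects. The script below is an added example, not code from the original post or from OpenVPN: it reads a server config on stdin, pulls out the four _server-bridge_ arguments, and verifies that the pool lies inside the bridge's subnet, does not contain the bridge address, and is disjoint from a DHCP range the caller supplies. The DHCP range (.10 to .100) and the sample config are constructed assumptions; the post does not state what its DHCP server hands out.

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenVPN itself: a
# sanity check for the server-bridge line before clients connect. The pool
# handed to VPN clients must lie inside the bridge's own subnet and must not
# overlap the range the LAN DHCP server gives out, or two hosts on the bridged
# segment can end up with the same address. The DHCP range is an assumption
# passed in by the caller.

# ip2int DOTTED-QUAD -> prints the address as an unsigned integer.
ip2int() {
    _ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# server_bridge_fields < CONFIG -> prints "gateway netmask pool-start pool-end"
# from the first server-bridge line (comments stripped); returns 1 if absent.
server_bridge_fields() {
    awk '{ sub(/[#;].*/, "") }
         $1 == "server-bridge" && NF == 5 { print $2, $3, $4, $5; found = 1; exit }
         END { if (!found) exit 1 }'
}

# check_pool GATEWAY NETMASK POOL_START POOL_END DHCP_START DHCP_END
# Prints one verdict line; returns 0 only when the pool is safe to use.
check_pool() {
    gw=$(ip2int "$1"); mask=$(ip2int "$2")
    ps=$(ip2int "$3"); pe=$(ip2int "$4")
    ds=$(ip2int "$5"); de=$(ip2int "$6")
    net=$(( gw & mask ))
    if [ "$ps" -gt "$pe" ]; then
        echo "bad pool: start is above end"; return 1
    fi
    if [ $(( ps & mask )) -ne "$net" ] || [ $(( pe & mask )) -ne "$net" ]; then
        echo "bad pool: not inside the bridge subnet of $1/$2"; return 1
    fi
    if [ "$gw" -ge "$ps" ] && [ "$gw" -le "$pe" ]; then
        echo "bad pool: contains the bridge address $1"; return 1
    fi
    # Two closed ranges overlap iff each one starts before the other ends.
    if [ "$ps" -le "$de" ] && [ "$pe" -ge "$ds" ]; then
        echo "bad pool: overlaps DHCP range $5-$6"; return 1
    fi
    echo "ok: $(( pe - ps + 1 )) client addresses, disjoint from DHCP $5-$6"
}

# check_server_bridge DHCP_START DHCP_END < CONFIG -> runs the two steps above.
check_server_bridge() {
    fields=$(server_bridge_fields) || { echo "no usable server-bridge line"; return 1; }
    # $fields is deliberately unquoted: it is four whitespace-separated words.
    check_pool $fields "$1" "$2"
}

# Constructed sample mirroring the post's server config, checked against an
# assumed LAN DHCP range of .10-.100 that already excludes the VPN pool.
printf '%s\n' \
    'port 1194  # or any other port you want to use' \
    'dev tap0' \
    'server-bridge 192.168.0.4 255.255.255.0 192.168.0.128 192.168.0.254' \
    | check_server_bridge 192.168.0.10 192.168.0.100
```

Run it as _sh check-pool.sh_ after editing local.conf, or pipe the real config in with _check_server_bridge START END < /etc/openvpn/home-server/local.conf_ once the functions are sourced. A non-zero exit means the pool needs to move or the DHCP scope needs shrinking.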
h3. Client Configuration
The client needs its own certificate and key, plus the CA certificate and the tls-auth key, to negotiate the session. Refer to the forum Howto on how to generate them. The client kernel needs the tun/tap driver (CONFIG_TUN) as well, since _dev tap_ creates a tap interface on the client side too.
Edit /etc/openvpn/home/local.conf:
port 1194
dev tap
remote the.remote.server.ip.or.hostname
tls-client
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1 # matches the server's key direction 0
verb 3
comp-lzo
pull
The _pull_ directive accepts the options the server pushes: the client's address from the pool and the route-gateway, so no static _ifconfig_ is needed on the client. Because every client certificate is signed by the same CA, the Howto also recommends adding _ns-cert-type server_ to the client config so that a stolen client certificate cannot be used to pose as the server; this requires the server certificate to carry the nsCertType=server extension, which easy-rsa's build-key-server sets.
Bring up the services on the server in order: openvpn, then bridge, then net.br0. Check your log files! Then try the client. If the server sits behind a router or firewall, forward the port you chose to it, in this case 1194 (UDP unless you set _proto tcp_).
Everyone’s network topology is different; use this guide as … well… just a guide. Until next time…