<h2>OpenVPN 2.0 Bridge Setup</h2>
<p>Posted 2005-05-13 (last modified 2017-03-07) at <a href="https://blogs.gentoo.org/rphillips/2005/05/13/openvpn_setup/">https://blogs.gentoo.org/rphillips/2005/05/13/openvpn_setup/</a></p>
<p>With the latest release of <a href="http://www.openvpn.org/">OpenVPN</a> and wanting to VPN into my home network, I sat down to figure out the 'Gentoo Way'.</p>
<p>Thanks to Bret Towe (Magnade) on Freenode for some help on the bridging and configuration.</p>
<p>The <a href="http://forums.gentoo.org/">Gentoo Forums</a> were my starting point, notably <a href="http://forums.gentoo.org/viewtopic-t-233080-highlight-openvpn.html">this</a> post.</p>
<p>I decided on using OpenVPN's <a href="http://openvpn.net/bridge.html">bridging</a> capabilities instead of the Howto's route-based solution. A bridge allows multiple interfaces (eth, ppp, etc.) to be combined into one network, all sharing the same subnet. Each approach has advantages and disadvantages. With a bridge, the bridged ethernet devices are placed into promiscuous mode, so on a large network the CPU would burn more cycles deciding whether packets are directed at the server. Since I have only two computers on my home network I don't see this becoming a problem, and I find the bridged setup a bit easier because there are no routes to worry about.</p>
<h4>Network Layout</h4>
<p>My home network is on a typical 192.168.0.x subnet. I kept this as is, because the networks I typically connect to will normally not be in the same subnet. The OpenVPN manual suggests changing your secured LAN subnet to something a bit more private (172.16.0.0 or 10.0.0.0).</p>
<h3>Server Configuration</h3>
<h4>Kernel</h4>
<p>I am using the 2.6.11-gentoo-r6 kernel. Run <em>make menuconfig</em> and search the kernel config menus (the / key opens the search) for <em>bridge</em>. Enable CONFIG_BRIDGE, CONFIG_TUN and CONFIG_BRIDGE_NETFILTER. If you configure these as modules, make sure to modprobe them and autoload them at boot.</p>
<p><em>emerge bridge-utils</em> to get the bridge utilities on your system.</p>
<h4>Bridge Configuration the Gentoo Way</h4>
<p>My main ethernet card is eth0 with the static IP 192.168.0.4. The gateway is 192.168.0.1. <strong>Don't try this from a remote shell.</strong> The steps below take eth0 down, so you must be present at the machine.</p>
<pre>
  # /etc/init.d/net.eth0 stop
  # rc-update del net.eth0 default
  # cd /etc/init.d/ ; cp net.eth0 net.br0 ; rc-update add net.br0 default
</pre>
<p>Edit /etc/conf.d/net:</p>
<pre>
iface_br0="192.168.0.4 broadcast 192.168.0.255 netmask 255.255.255.0"
gateway="br0/192.168.0.1"
</pre>
<p>Edit /etc/conf.d/bridge:</p>
<pre>
bridge="br0"
bridge_br0_devices="eth0 tap0"
</pre>
<p>The tap0 device will be created by OpenVPN.</p>
<p>Change the depend in /etc/init.d/bridge to depend on OpenVPN:</p>
<pre>
depend() {
    need openvpn
    use modules openvpn
}
</pre>
<p>Change the depend in /etc/init.d/net.br0 to depend on bridge:</p>
<pre>
depend() {
    use hotplug pcmcia bridge
}
</pre>
<p>Edit /etc/openvpn/home-server/local.conf:</p>
<pre>
port 1194 # or any other port you want to use
dev tap0
tls-server
ca ca.crt
cert gateway.crt
key gateway.key
dh dh1024.pem
tls-auth ta.key 0
mode server
server-bridge 192.168.0.4 255.255.255.0 192.168.0.128 192.168.0.254
comp-lzo
status openvpn-status.log
verb 5
</pre>
<p>Follow the instructions from the Howto to generate the TLS keys. The server-bridge line will assign IP addresses to the clients from .128 to .254, so exclude this range from the DHCP server's pool.</p>
<h3>Client Configuration</h3>
<p>The client needs TLS keys to negotiate the session; refer to the forum Howto on how to do this. The TAP driver must be enabled on the clients for this to work.</p>
<p>Edit /etc/openvpn/home/local.conf:</p>
<pre>
port 1194
dev tap
remote the.remote.server.ip.or.hostname
tls-client
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
verb 3
comp-lzo
pull
</pre>
<p>The <em>pull</em> directive will retrieve the IP and routing information from the server.</p>
<p>Bring up the interfaces (openvpn, bridge, net.br0) on the server. Check your log files! Then try your client. A port may need to be opened on your router/firewall (in this case, port 1194).</p>
<p>Everyone's network topology is different; use this guide as ... well ... just a guide. Until next time...</p>