Differences
This shows you the differences between two versions of the page.
bridged_openvpn_server_setup [2015/11/15 19:18] – nucar | bridged_openvpn_server_setup [2018/08/18 06:05] – nucar | ||
Line 1: | Line 1: | ||
====== Bridged OpenVPN Server Setup ====== | ====== Bridged OpenVPN Server Setup ====== | ||
- | (Last updated | + | (Last updated |
===== Introduction ===== | ===== Introduction ===== | ||
- | This guide describes how to set up a bridge-mode [[http:// | + | This guide describes how to set up a bridge-mode [[https:// |
An OpenVPN server in a bridged configuration creates a virtual private network (VPN) that can be thought of as a virtual Ethernet switch to your network. | An OpenVPN server in a bridged configuration creates a virtual private network (VPN) that can be thought of as a virtual Ethernet switch to your network. | ||
Line 15: | Line 15: | ||
* Easily sharing the VPN connection with virtual machines and emulators | * Easily sharing the VPN connection with virtual machines and emulators | ||
* Using non-IP protocols such as [[wireless_appletalk_ss_bii_osx|AppleTalk]] or IPX over wireless or over the Internet | * Using non-IP protocols such as [[wireless_appletalk_ss_bii_osx|AppleTalk]] or IPX over wireless or over the Internet | ||
- | * Networking virtual machines and emulators with old computers that use such non-IP protocols | + | * Networking virtual machines and emulators with old computers that use such non-IP protocols |
We refer to the LAN on which the OpenVPN server is running as the " | We refer to the LAN on which the OpenVPN server is running as the " | ||
Line 23: | Line 23: | ||
===== Using a Unique Subnet ===== | ===== Using a Unique Subnet ===== | ||
- | If you're going to run a VPN server on your home network, I highly recommend that you change your private IP subnet to some uncommon numbering, i.e., not 0 or 1 in the third octet. The third octet is x.x.this.x number of the IP address. Your router software should be able to accomplish this. With my Apple AirPort Extreme, using AirPort Utility, I can change the number of the third octet, and the AirPort simply reassigns the DHCP-given addresses and changes the existing DHCP reservations and port mappings (forwardings) appropriately. Machines using static IP addresses will have to be changed manually on the respective machines. I can also change between 10.0.x.x, 172.16.x.x and 192.168.x.x numbering schemes. Using a unique subnet is important because many services require that clients enter the IP address of the host. If there are conflicting (identical) private IP addresses on both the server side and client sides, then things can't be expected to work. So, for example, a numbering such as 10.0.149.x or 192.168.37.x should be fine. | + | If you're going to run a VPN server on your home network, I highly recommend that you change your private IP subnet to some uncommon numbering, i.e., not 0 or 1 in the third octet. The third octet is x.x.this.x number of the IP address. Your router software should be able to accomplish this. Machines using static IP addresses will have to be changed manually on the respective machines. Using a unique subnet is important because many services require that clients enter the IP address of the host. If there are conflicting (identical) private IP addresses on both the server side and client sides, then things can't be expected to work. So, for example, a numbering such as 10.0.149.x or 192.168.37.x should be fine. |
To be clear, only the server' | To be clear, only the server' | ||
Line 29: | Line 29: | ||
===== Linux VM Setup ===== | ===== Linux VM Setup ===== | ||
- | This section provides a procedure for setting up a simple Debian | + | This section provides a procedure for setting up a simple Debian |
==== VM Settings ==== | ==== VM Settings ==== | ||
Line 60: | Line 60: | ||
==== Debian Installation ==== | ==== Debian Installation ==== | ||
- | Start the VM, point the window that pops up to your Debian disc image, and hit Start. | + | Start the VM, point the window that pops up to your Debian disc image, and hit Start. |
Select your language, location and keyboard configuration. | Select your language, location and keyboard configuration. | ||
- | For the hostname, the default " | + | For the hostname, the default " |
Enter and verity a **root password**. | Enter and verity a **root password**. | ||
Line 76: | Line 76: | ||
Select your time zone. | Select your time zone. | ||
- | Select the default choices | + | Select the default choices |
Select your country for the Debian archive mirror, and the default choice for the archive mirror URL. Leave the HTTP proxy information blank. | Select your country for the Debian archive mirror, and the default choice for the archive mirror URL. Leave the HTTP proxy information blank. | ||
Line 84: | Line 84: | ||
Use the **space bar** and arrow keys to select only " | Use the **space bar** and arrow keys to select only " | ||
- | Select | + | Select |
When the installation is complete, ensure that the Debian disc image is no longer connected to the VM (no check mark) under the VM's Devices > CD/DVD Devices menu, then select " | When the installation is complete, ensure that the Debian disc image is no longer connected to the VM (no check mark) under the VM's Devices > CD/DVD Devices menu, then select " | ||
Line 102: | Line 102: | ||
< | < | ||
- | The VM will reboot into the newly installed GUI. Select the user. Click on the small gear icon next to the "Sign In" button and select "GNOME Classic." | + | The VM will reboot into the newly installed GUI. Select the user. Click on the small gear icon next to the "Sign In" button and select "GNOME Classic." |
**Become root** by entering | **Become root** by entering | ||
Line 142: | Line 142: | ||
< | < | ||
- | once in a while to update | + | once in a while to update |
===== OpenVPN Server Setup ===== | ===== OpenVPN Server Setup ===== | ||
- | The instructions in this section can be used for running OpenVPN 2.3 in Debian | + | The instructions in this section can be used for running OpenVPN 2.4 in Debian |
==== Authentication Setup with Easy-RSA ==== | ==== Authentication Setup with Easy-RSA ==== | ||
Line 169: | Line 169: | ||
< | < | ||
+ | |||
+ | A quirk in the easy-rsa package requires us to create the following symbolic link: | ||
+ | |||
+ | < | ||
The one important field for the following commands is " | The one important field for the following commands is " | ||
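Review bot: the added sentence "A quirk in the easy-rsa package requires us to create the following symbolic link" names neither the easy-rsa or Debian version that has the quirk nor the failure the link avoids, so a reader on a later package cannot tell whether the step still applies or whether an error means they skipped it. Suggest stating the package version the step was written against and the symptom it works around, so the step can be dropped once the package no longer needs it.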
Line 182: | Line 186: | ||
Locality Name (eg, city) [SanFrancisco]: | Locality Name (eg, city) [SanFrancisco]: | ||
Organization Name (eg, company) [Fort-Funston]: | Organization Name (eg, company) [Fort-Funston]: | ||
- | Organizational Unit Name (eg, section) [changeme]: | + | Organizational Unit Name (eg, section) [MyOrganizationalUnit]: |
- | Common Name (eg, your name or your server' | + | Common Name (eg, your name or your server' |
- | Name [changeme]: | + | Name [EasyRSA]: |
- | Email Address [mail@host.domain]:</ | + | Email Address [me@myhost.mydomain]:</ |
Create the server credentials by entering | Create the server credentials by entering | ||
Line 197: | Line 201: | ||
Locality Name (eg, city) [SanFrancisco]: | Locality Name (eg, city) [SanFrancisco]: | ||
Organization Name (eg, company) [Fort-Funston]: | Organization Name (eg, company) [Fort-Funston]: | ||
- | Organizational Unit Name (eg, section) [changeme]: | + | Organizational Unit Name (eg, section) [MyOrganizationalUnit]: |
Common Name (eg, your name or your server' | Common Name (eg, your name or your server' | ||
- | Name [changeme]: | + | Name [EasyRSA]: |
- | Email Address [mail@host.domain]:</ | + | Email Address [me@myhost.mydomain]:</ |
Just hit return to skip the challenge password and company name, and enter Y to sign the certificate and commit. | Just hit return to skip the challenge password and company name, and enter Y to sign the certificate and commit. | ||
Line 220: | Line 224: | ||
Locality Name (eg, city) [SanFrancisco]: | Locality Name (eg, city) [SanFrancisco]: | ||
Organization Name (eg, company) [Fort-Funston]: | Organization Name (eg, company) [Fort-Funston]: | ||
- | Organizational Unit Name (eg, section) [changeme]: | + | Organizational Unit Name (eg, section) [MyOrganizationalUnit]: |
Common Name (eg, your name or your server' | Common Name (eg, your name or your server' | ||
- | Name [changeme]: | + | Name [EasyRSA]: |
- | Email Address [mail@host.domain]:</ | + | Email Address [me@myhost.mydomain]:</ |
Again, hit return to skip the challenge password and company name, and enter Y to sign the certificate and commit. | Again, hit return to skip the challenge password and company name, and enter Y to sign the certificate and commit. | ||
Line 231: | Line 235: | ||
**IMPORTANT**: | **IMPORTANT**: | ||
- | The CA certificate | + | Create the following key to use for the "HMAC firewall:" |
+ | |||
+ | < | ||
+ | |||
+ | Certificate | ||
< | < | ||
- | More information on Easy-RSA, including information on revoking client certificates, | + | More information on OpenVPN security, including information on revoking client certificates, |
==== VPN Setup ==== | ==== VPN Setup ==== | ||
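Review bot: the new "HMAC firewall" step creates the tls-auth key but says nothing about where it has to go: the client configuration in this same revision references `ta.key`, so the key must be copied to every client alongside its certificate and key, and it must be protected like a private key, because it is shared by the server and all clients and any holder of it passes the HMAC check this step adds. Suggest adding ta.key to the list of files handed to each client and one sentence saying it is a shared secret, not a public file like the CA certificate.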
Line 241: | Line 249: | ||
Now we'll configure the OpenVPN server. | Now we'll configure the OpenVPN server. | ||
- | On an OS X host, open System Preferences and go to Network. | + | On an macOS host, open System Preferences and go to Network. |
This guide will use the following example private IP address numbering (adjust this to your numbering): | This guide will use the following example private IP address numbering (adjust this to your numbering): | ||
Free IP address for Linux VM: 192.168.5.100\\ | Free IP address for Linux VM: 192.168.5.100\\ | ||
- | Netmask: 255.255.255.0\\ | + | Subnet mask (netmask): 255.255.255.0 |
Broadcast address: | Broadcast address: | ||
Router' | Router' | ||
Line 267: | Line 275: | ||
# Define physical ethernet interface to be bridged | # Define physical ethernet interface to be bridged | ||
# with TAP interface(s) above. | # with TAP interface(s) above. | ||
- | eth="eth0" | + | eth="enp0s3" |
- | eth_ip=" | + | eth_ip_netmask=" |
- | eth_netmask=" | + | |
eth_broadcast=" | eth_broadcast=" | ||
eth_gateway=" | eth_gateway=" | ||
Line 287: | Line 294: | ||
for t in $tap; do | for t in $tap; do | ||
- | | + | |
+ | ip link set $t promisc | ||
done | done | ||
- | # sleep ? | + | ip addr flush dev $eth |
+ | ip link set $eth promisc on up | ||
- | | + | |
+ | ip link set $br up | ||
- | # sleep ? | + | ip route add default |
- | + | ||
- | ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast | + | |
- | + | ||
- | sleep 1 | + | |
- | + | ||
- | | + | |
;; | ;; | ||
stop) | stop) | ||
- | | + | |
brctl delbr $br | brctl delbr $br | ||
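Review bot: `ip link set $t promisc` in the tap loop is missing the `on` (and `up`) that the `$eth` line just below it carries; `ip link` rejects `promisc` without an on/off argument, so unless the wiki rendering cut this line short it should read `ip link set $t promisc on up`. A smaller point: the script now uses iproute2 for addressing and routing but the stop branch still calls `brctl delbr $br`; `ip link del $br` (and `ip link add name $br type bridge` where the bridge is created) would keep the script on one tool and drop the bridge-utils dependency.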
Line 310: | Line 314: | ||
done | done | ||
- | | + | |
+ | ip addr add $eth_ip_netmask | ||
- | route add default | + | |
;; | ;; | ||
*) | *) | ||
Line 321: | Line 326: | ||
exit 0</ | exit 0</ | ||
- | Use the arrow keys to edit the script. | + | Use the arrow keys to edit the script. |
- | The duration of one or more of the " | + | This script is adapted from the " |
- | + | ||
- | This script is adapted from the " | + | |
Make the script executable by entering | Make the script executable by entering | ||
Line 348: | Line 351: | ||
client-to-client | client-to-client | ||
keepalive 10 120 | keepalive 10 120 | ||
- | comp-lzo | + | tls-auth / |
+ | cipher AES-256-GCM | ||
+ | compress lz4-v2 | ||
+ | push " | ||
persist-key | persist-key | ||
persist-tun | persist-tun | ||
Line 355: | Line 361: | ||
verb 3</ | verb 3</ | ||
- | The line around the middle that begins | + | The line beginning with " |
==== Port Forwarding ===== | ==== Port Forwarding ===== | ||
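Review bot: `compress lz4-v2` enables compression of the tunnelled traffic, and the OpenVPN manual's `--compress` entry warns that compression combined with encryption lets an attacker who can influence part of the plaintext infer secrets from packet sizes (the CRIME/BREACH class of weakness); since a bridged home VPN carries arbitrary LAN traffic, the safer default is to leave compression off on both ends, or to use bare `compress` (framing only, no algorithm) if client compatibility requires it. Also, the "Port Forwarding" heading opens with four "=" and closes with five; the counts should match.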
Line 372: | Line 378: | ||
ExecStopPost=/ | ExecStopPost=/ | ||
- | Paste the two lines at the bottom of the [Service] section | + | and paste them at the bottom of the [Service] section. |
- | + | ||
- | < | + | |
- | ExecStartPre=/ | + | |
- | ExecStopPost=/ | + | |
Exit and save. Reboot the VM by entering | Exit and save. Reboot the VM by entering | ||
Line 383: | Line 385: | ||
The OpenVPN server will be running at boot, i.e., no user login is required. | The OpenVPN server will be running at boot, i.e., no user login is required. | ||
+ | |||
==== Basic Testing ==== | ==== Basic Testing ==== | ||
- | Verify that the br0 and tap0 interfaces are up by entering | + | Verify that the br0 and tap0 interfaces are up by entering |
- | < | + | < |
When the OpenVPN server is running, the br0 interface will have the IP address that you chose for the Linux VM. | When the OpenVPN server is running, the br0 interface will have the IP address that you chose for the Linux VM. | ||
Line 399: | Line 402: | ||
< | < | ||
- | Entering "ifconfig" again should show the network interfaces back to normal (no br0 or tap0), with the eth0 interface now having the IP address. | + | Entering "ip a" again should show the network interfaces back to normal (no br0 or tap0), with the eth0 interface now having the IP address. |
- | Start or restart the OpenVPN server by using " | + | Start or restart the OpenVPN server by using " |
===== OpenVPN Client Setup ===== | ===== OpenVPN Client Setup ===== | ||
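Review bot: "with the eth0 interface now having the IP address" under Basic Testing no longer matches the bridge script, which this same revision changes to `eth="enp0s3"`; refer to the physical interface the same way in both places, e.g. "with the physical interface (enp0s3 in this guide) now having the IP address".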
Line 407: | Line 410: | ||
==== Client Configuration ==== | ==== Client Configuration ==== | ||
- | Create a plain text file in a program such as TextEdit in OS X or Notepad in Windows. | + | Create a plain text file in a program such as TextEdit in macOS or Notepad in Windows. |
< | < | ||
Line 419: | Line 422: | ||
key joe.key | key joe.key | ||
remote-cert-tls server | remote-cert-tls server | ||
- | comp-lzo | + | tls-auth ta.key 1 |
+ | cipher AES-256-GCM | ||
+ | compress lz4-v2 | ||
verb 3</ | verb 3</ | ||
- | PUBLIC_IP_ADDRESS must be replaced with the public IP address of the server side. Google "what's my ip" on the server side to get this address. | + | PUBLIC_IP_ADDRESS must be replaced with the public IP address of the server side. Google " |
- | The " | + | The lines beginning with " |
- | More information on the client configuration file can be found at [[https:// | + | More information on the client configuration file can be found at [[https:// |
==== Mac Client Software: | ==== Mac Client Software: | ||
- | For OS X clients, use [[https://code.google.com/ | + | For macOS clients, use [[https://tunnelblick.net|Tunnelblick]]. |
- | To get back to the individual client files, right-click on the .tblk file and select "Show Package Contents." | + | To get back to the individual client files, right-click on the .tblk file and select "Show Package Contents." |
- | ==== Windows Client Software: | + | ==== Windows Client Software: |
- | For Windows clients, the Windows version of OpenVPN can be used, but I recommend the [[http:// | + | For Windows clients, the Windows version of OpenVPN can be used, but I recommend the [[https:// |
- | The program runs in German when not run with the shortcut. | + | If you ever accidentally delete the desktop shortcut, |
- | -manage | + | -manage |
- | to enable management, saving user credentials, | + | at the end of the shortcut' |
=== Broadcasts in Windows === | === Broadcasts in Windows === | ||
- | In Windows, broadcasts may not work by default | + | In Windows, broadcasts may not work by default |
- | Open Network | + | Open Network |
- | Uninstall unused TAP adapters under Device Manager > Network adapters. | + | Uninstall unused TAP adapters under Device Manager > Network adapters. You also can manage TAP adapters using the gear icon > Client settings > " |
===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
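Review bot: `tls-auth ta.key 1` on the client requires the server's `tls-auth` line to use direction 0, and the server line is cut off in this revision's server.conf hunk; it is worth saying in the text that the server uses `0` and every client `1`, because a mismatch shows up only as a TLS handshake that never completes rather than as a configuration error. Likewise `compress lz4-v2` on the client has to match what the server is configured to use or to push, otherwise the two ends frame packets differently and the tunnel comes up without passing traffic.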
Line 468: | Line 473: | ||
Using software firewalls may cause issues. | Using software firewalls may cause issues. | ||
- | If you have iptables firewall rules set up in Linux, you may need to enter the rules given at OpenVPN' | + | If you have iptables firewall rules set up in Linux, you may need to enter the rules given at OpenVPN' |
- | Note that this bridged configuration does //not// require IP forwarding to be enabled since bridging operates at layer 2 of the [[http:// | + | Note that this bridged configuration does //not// require IP forwarding to be enabled since bridging operates at layer 2 of the [[https:// |
- | Also, the Ethernet interface to which the VM is bridged can't be involved in any bridging in the host OS. If the Ethernet interface is a member of a bridge interface that's already up in the host OS, then networking won't work in the Linux VM. See [[http:// | + | Also, the Ethernet interface to which the VM is bridged can't be involved in any bridging in the host OS. If the Ethernet interface is a member of a bridge interface that's already up in the host OS, then networking won't work in the Linux VM. See [[https:// |
===== Appendices ===== | ===== Appendices ===== | ||
Line 497: | Line 502: | ||
< | < | ||
- | into your server.conf file. Set your router to forward public and private (external and internal) TCP port 443 to the private IP address of the Linux VM (OpenVPN server). | + | into your server.conf file. Set your router to forward public and private (external and internal) TCP port 443 to the private IP address of the Linux VM (OpenVPN server). |
==== Client Usage with Virtual Machines ==== | ==== Client Usage with Virtual Machines ==== | ||
- | To make use of the VPN connection in a virtual machine, the client should first connect to the VPN in the host, then have the virtualization program bridge the VM's virtual network adapter to OpenVPN' | + | To make use of the VPN connection in a virtual machine, the client should first connect to the VPN in the host, then have the virtualization program bridge the VM's virtual network adapter to OpenVPN' |
Also, on the server side, you should make it a habit to use virtual network adapters for VMs in their bridged configurations, | Also, on the server side, you should make it a habit to use virtual network adapters for VMs in their bridged configurations, | ||
Line 521: | Line 526: | ||
*Virtual machines and emulators that include networking functionality are very useful for running old operating systems, which some old games may require. | *Virtual machines and emulators that include networking functionality are very useful for running old operating systems, which some old games may require. | ||
- | *[[http:// | + | *[[https:// |
- | *IPX games for Windows can be played over the VPN as they would normally over a LAN, when using Windows XP or earlier, which include the IPX protocol. | + | *IPX games for Windows can be played over the VPN as they would normally over a LAN, when using Windows XP or earlier, which include the IPX protocol. |
- | *[[http:// | + | *[[https:// |
*Many video game console emulators contain netplay functionality. | *Many video game console emulators contain netplay functionality. |