bridged_openvpn_server_setup [2015/05/05 13:54] – nucar | bridged_openvpn_server_setup [2023/05/28 14:14] (current) – nucar | ||
Line 1: | Line 1: | ||
====== Bridged OpenVPN Server Setup ====== | ====== Bridged OpenVPN Server Setup ====== | ||
- | < | + | (Last updated May 28, 2023. The forum thread is [[https:// |
- | <span style=" | + | |
- | </ | + | |
- | + | ||
- | (Last updated May 5, 2015. The forum thread is [[http:// | + | |
===== Introduction ===== | ===== Introduction ===== | ||
- | This guide describes how to set up a bridge-mode [[http:// | + | This guide describes how to set up a bridge-mode [[https:// |
+ | |||
+ | An OpenVPN server in a bridged configuration creates a virtual private network (VPN) that can be thought of as a virtual Ethernet switch to your network. | ||
- | An OpenVPN server in a bridged configuration creates a virtual private network (VPN) that can be thought of as a virtual Ethernet switch to your network. | + | Possible uses of this VPN include: |
+ | * Accessing typical LAN services such as file sharing and printers | ||
+ | * Accessing services | ||
+ | * Playing | ||
+ | * Easily sharing | ||
+ | * Using non-IP protocols such as [[wireless_appletalk_ss_bii_osx|AppleTalk]] or IPX over wireless or over the Internet | ||
+ | * Networking virtual machines | ||
We refer to the LAN on which the OpenVPN server is running as the " | We refer to the LAN on which the OpenVPN server is running as the " | ||
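Review bot: the new "Possible uses of this VPN include" list (file sharing and printers, AppleTalk/IPX, networking virtual machines) makes clear that every VPN client lands directly on the home LAN's layer-2 segment, but the introduction never says so in security terms. Suggest one sentence after the list stating that a client certificate is therefore equivalent to a physical LAN port and should be issued and stored with that in mind, so the reader has that expectation before reaching the Easy-RSA section.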
Line 19: | Line 23: | ||
===== Using a Unique Subnet ===== | ===== Using a Unique Subnet ===== | ||
- | If you're going to run a VPN server on your home network, | + | If you're going to run a VPN server on your home network, |
To be clear, only the server' | To be clear, only the server' | ||
- | ===== Linux VM Setup ===== | + | ===== Linux VM Setup and Usage ===== |
- | This section provides | + | This guide will assume that you're running |
==== VM Settings ==== | ==== VM Settings ==== | ||
- | Download | + | The VM software' |
- | Download and install [[https://www.virtualbox.org/wiki/Downloads|VirtualBox]]. In VirtualBox, | + | The VM's virtual network adapter must be //bridged// to the host's Ethernet connection. |
- | Name and operating system:\\ | + | < |
- | Name: | + | |
- | Type: Linux\\ | + | |
- | Version: | + | |
- | Allocate at least 768 MB of memory, and choose | + | This will start the VM in " |
- | General | + | < |
- | Shared Clipboard: | + | |
- | Drag' | + | |
- | Network > Adapter 1:\\ | + | In both commands, edit the path to the .vmx file, mainly replacing " |
- | Attached | + | |
- | Name: select | + | |
- | Under Advanced, Promiscuous Mode: Allow All | + | |
- | Shared Folders: | + | Record |
- | Add a shared folder to the host OS, and check Auto-mount. This setup assumes that you added a shared folder named " | + | |
- | All other settings can be left as their defaults. | + | Add a folder to the VM's list of shared folders. This setup assumes that you added a shared folder named " |
==== Debian Installation ==== | ==== Debian Installation ==== | ||
- | Start the VM, point the window that pops up to your Debian disc image, and hit Start. | + | You may find it easier |
- | Select | + | The hostname doesn' |
- | For the hostname, the default "debian" | + | At the software selection screen, the default |
- | Enter and verity | + | After the installation is complete, |
- | Enter the user's name. This is not the username. | + | ==== VM Support Software ==== |
- | Enter a username. | + | In a VMware VM, Open VM Tools should have been installed automatically in Debian when following the default installation, |
- | Enter and verify a **user password**. | + | Open Terminal, |
- | Select your time zone. | + | < |
- | Select the default choice on the " | + | Create a mount point for shared folders: |
- | Select your country for the Debian archive mirror, and the default choice for the archive mirror URL. Leave the HTTP proxy information blank. | + | < |
- | Choose whether you want to participate in the package usage survey. | + | We'll use the text editor " |
- | Use the **space bar** to select only "SSH server" | + | < |
- | Select " | + | and add to the file the line |
- | When the installation is complete, ensure that the Debian disc image is no longer connected to the VM (no check mark) under the VM's Devices | + | <code>.host:/ /mnt/hgfs fuse.vmhgfs-fuse auto, |
- | At the " | + | Press control+X, then Y to accept changes, and return to save the file. |
- | + | ||
- | < | + | |
- | + | ||
- | followed by the root password. | + | |
- | + | ||
- | < | + | |
- | + | ||
- | to install a basic graphical user interface (GUI). | + | |
- | + | ||
- | When the prompt returns, reboot | + | |
< | < | ||
- | The VM will reboot into the newly installed GUI. Select the user. Click on the small gear icon next to the "Sign In" button | + | Open Terminal |
- | Go to Applications | + | < |
- | < | + | The shared folder " |
- | followed by the **root password**. | + | If using VirtualBox, you'll have to install Guest Additions before being able to copy and paste into the VM and access shared folders. |
- | < | + | ==== Other Terminal Commands ==== |
- | Select " | + | The command to shut down the VM **as root** |
- | < | + | < |
- | < | + | You can also run **as root** |
- | < | + | < |
- | Reboot the VM by entering | + | followed |
- | < | + | < |
- | Open Terminal and enter | + | once in a while to update |
- | + | ||
- | < | + | |
- | + | ||
- | The shared folder " | + | |
- | + | ||
- | Note that the command to shut down the VM **as root** is | + | |
- | + | ||
- | < | + | |
===== OpenVPN Server Setup ===== | ===== OpenVPN Server Setup ===== | ||
- | The instructions in this section can be used for running OpenVPN 2.3 in Debian | + | The instructions in this section can be used for running OpenVPN 2.5 in Debian |
==== Authentication Setup with Easy-RSA ==== | ==== Authentication Setup with Easy-RSA ==== | ||
- | Open Terminal, and become root. Install OpenVPN, Easy-RSA and the Linux Ethernet bridge utilities: | + | Open Terminal, and **become root**. You should **always become root** before running the commands below. Install OpenVPN, Easy-RSA and the Linux Ethernet bridge utilities: |
- | < | + | < |
Copy Easy-RSA to OpenVPN' | Copy Easy-RSA to OpenVPN' | ||
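Review bot: the fstab entry `.host:/ /mnt/hgfs fuse.vmhgfs-fuse auto,` is cut off after `auto,` in this rendering, so the rest of the option list cannot be checked; confirm the saved line is complete, and consider adding `nofail` to the options so the VM still boots when the shared folder is unavailable (Open VM Tools missing, host share removed), since a failed fstab mount without `nofail` drops a systemd-based Debian into emergency mode. The same hunk changes the advice to "You should **always become root** before running the commands below"; that is fine for the package and network steps, but the shared-folder copy later in the guide is where root-only files can leak, see the note on that section.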
Line 144: | Line 121: | ||
< | < | ||
- | Now we'll make the credentials (certificates and keys) for OpenVPN authentication. | + | Now we'll make the credentials (certificates and keys) for OpenVPN authentication. |
< | < | ||
Line 150: | Line 127: | ||
Enter | Enter | ||
- | < | + | < |
- | followed | + | Create a Certificate Authority (CA) by entering |
- | < | + | < |
- | The one important field for the following commands is "Common Name". If you mess up an entry for the following commands, you can hit control+C and re-enter the command. | + | The Common Name will be set to "Easy-RSA CA" by default, so no entry is required. |
- | First, create a Certificate Authority (CA) by entering | + | Create the server credentials |
- | < | + | < |
- | For Common Name, enter "OpenVPN-CA". No entry is required | + | The Common Name will be set to "openvpnserver" |
- | < | + | Sign the server |
- | State or Province Name (full name) [CA]: | + | |
- | Locality Name (eg, city) [SanFrancisco]: | + | |
- | Organization Name (eg, company) [Fort-Funston]: | + | |
- | Organizational Unit Name (eg, section) [changeme]: | + | |
- | Common Name (eg, your name or your server's hostname) [changeme]: | + | |
- | Name [changeme]: | + | |
- | Email Address [mail@host.domain]:</ | + | |
- | Create the server | + | < |
- | < | + | Enter " |
- | The Common Name will be set to " | + | Generate Diffie-Hellman parameters |
- | < | + | < |
- | State or Province Name (full name) [CA]: | + | |
- | Locality Name (eg, city) [SanFrancisco]: | + | |
- | Organization Name (eg, company) [Fort-Funston]: | + | |
- | Organizational Unit Name (eg, section) [changeme]: | + | |
- | Common Name (eg, your name or your server' | + | |
- | Name [changeme]: | + | |
- | Email Address [mail@host.domain]:</ | + | |
- | Just hit return to skip the challenge password and company name, and enter Y to sign the certificate and commit. | + | Now we'll create |
- | Generate Diffie-Hellman parameters by entering | + | To create credentials for a client called " |
- | < | + | < |
- | Now we'll create the client credentials. | + | The Common Name will be set to " |
- | To create | + | Sign the credentials |
- | < | + | < |
- | The Common Name will be set to "joe" | + | Enter "yes" |
- | < | + | You can make more client credentials by changing " |
- | State or Province Name (full name) [CA]: | + | |
- | Locality Name (eg, city) [SanFrancisco]: | + | |
- | Organization Name (eg, company) [Fort-Funston]: | + | |
- | Organizational Unit Name (eg, section) [changeme]: | + | |
- | Common Name (eg, your name or your server' | + | |
- | Name [changeme]: | + | |
- | Email Address [mail@host.domain]:</ | + | |
- | Again, hit return | + | **IMPORTANT**: |
- | < | + | Create the HMAC signature: |
- | **IMPORTANT**: | + | < |
+ | |||
+ | Certificate and key files will be given to the clients. Copy these files to the host OS via the shared folder by entering | ||
+ | |||
+ | < | ||
+ | |||
+ | followed by | ||
- | The CA certificate and client certificates and keys will be given to the clients. For now, copy the keys folder to the host OS via the shared folder by entering | + | < |
- | < | + | If using VirtualBox, |
- | More information on Easy-RSA, including | + | For information on revoking client certificates, |
==== VPN Setup ==== | ==== VPN Setup ==== | ||
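Review bot: "Certificate and key files will be given to the clients. Copy these files to the host OS via the shared folder" no longer names which files, and the text it replaces ("copy the keys folder to the host OS") copied the whole keys directory, which in Easy-RSA also holds `ca.key` and the server's private key. Suggest listing exactly what each client receives (its own `joe.crt` and `joe.key`, plus `ca.crt` and the `ta.key` created at "Create the HMAC signature") and copying only those through the shared folder, so the CA private key never leaves the VM.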
Line 227: | Line 189: | ||
Now we'll configure the OpenVPN server. | Now we'll configure the OpenVPN server. | ||
- | On an OS X host, open System Preferences and go to Network. | + | On an macOS host, open System Preferences and go to Network. |
This guide will use the following example private IP address numbering (adjust this to your numbering): | This guide will use the following example private IP address numbering (adjust this to your numbering): | ||
Free IP address for Linux VM: 192.168.5.100\\ | Free IP address for Linux VM: 192.168.5.100\\ | ||
- | Netmask: 255.255.255.0\\ | + | Subnet mask (netmask): 255.255.255.0 |
Broadcast address: | Broadcast address: | ||
- | Router' | + | Router' |
+ | VM's MAC address: 08: | ||
- | We' | + | We'll create a script called " |
< | < | ||
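Review bot: "On an macOS host, open System Preferences" should read "On a macOS host". Otherwise the added "VM's MAC address" line is a good addition, since the script later assigns it to the bridge so the router keeps seeing the same MAC whether or not the VPN is up.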
Line 253: | Line 216: | ||
# Define physical ethernet interface to be bridged | # Define physical ethernet interface to be bridged | ||
# with TAP interface(s) above. | # with TAP interface(s) above. | ||
- | eth="eth0" | + | eth="ens33" |
- | eth_ip=" | + | eth_ip_netmask=" |
- | eth_netmask=" | + | |
eth_broadcast=" | eth_broadcast=" | ||
eth_gateway=" | eth_gateway=" | ||
+ | eth_mac=" | ||
case " | case " | ||
Line 273: | Line 236: | ||
for t in $tap; do | for t in $tap; do | ||
- | | + | |
+ | ip link set $t promisc | ||
done | done | ||
- | | + | |
+ | ip link set $eth promisc on up | ||
- | | + | |
+ | ip link set $br address $eth_mac | ||
+ | ip link set $br up | ||
- | | + | |
- | + | ||
- | | + | |
;; | ;; | ||
stop) | stop) | ||
- | | + | |
brctl delbr $br | brctl delbr $br | ||
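Review bot: `ip link set $t promisc` in the `for t in $tap` loop is missing the `on` argument (compare `ip link set $eth promisc on up` a few lines down); if the saved page reads that way, iproute2 rejects the command as incomplete and the TAP interface is never brought up, so confirm it is `ip link set $t promisc on up`. In the `stop)` branch the line before `brctl delbr $br` is cut off here; it needs to take the bridge down first, because `brctl delbr` refuses to delete a bridge that is still up.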
Line 292: | Line 257: | ||
done | done | ||
- | | + | |
+ | ip addr add $eth_ip_netmask | ||
- | route add default | + | |
;; | ;; | ||
*) | *) | ||
Line 303: | Line 269: | ||
exit 0</ | exit 0</ | ||
- | Use the arrow keys to edit the script. | + | Use the arrow keys to edit the script. |
- | Press control+X, then Y to accept changes, and return to save the file. Entering | + | This script is adapted from the "bridge-start" |
- | + | ||
- | The duration of the "sleep" | + | |
Make the script executable by entering | Make the script executable by entering | ||
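Review bot: in the `stop)` branch the restore line `ip addr add $eth_ip_netmask` is cut off in this rendering and the removed `route add default` line has no visible replacement; confirm the saved script ends the branch with `ip addr add $eth_ip_netmask dev $eth` followed by `ip route add default via $eth_gateway`, otherwise stopping the VPN leaves the VM with an address but no route off the subnet. The attribution "This script is adapted from the "bridge-start"" is welcome; consider linking the OpenVPN sample it came from next to the manual links at the end of the page.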
Line 322: | Line 286: | ||
proto udp | proto udp | ||
dev tap0 | dev tap0 | ||
- | ca / | + | ca / |
- | cert / | + | cert / |
- | key / | + | key / |
- | dh / | + | dh / |
remote-cert-tls client | remote-cert-tls client | ||
server-bridge 192.168.5.100 255.255.255.0 192.168.5.101 192.168.5.110 | server-bridge 192.168.5.100 255.255.255.0 192.168.5.101 192.168.5.110 | ||
client-to-client | client-to-client | ||
keepalive 10 120 | keepalive 10 120 | ||
- | comp-lzo | + | tls-auth / |
+ | cipher AES-256-GCM | ||
persist-key | persist-key | ||
persist-tun | persist-tun | ||
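Review bot: `cipher AES-256-GCM` is the legacy directive on OpenVPN 2.5 (the version this revision targets); 2.5 negotiates the data-channel cipher from `data-ciphers`, whose default list already contains AES-256-GCM, and `cipher` only names the fallback for peers that cannot negotiate. Suggest `data-ciphers AES-256-GCM` instead, which also matches the "Deprecated Options in OpenVPN" reference added at the end of the page. Dropping `comp-lzo` in favour of `tls-auth` is the right move: compression on a VPN link leaks plaintext-length information, and `tls-auth` makes the UDP port discard packets that do not carry a valid HMAC before any TLS processing.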
Line 337: | Line 302: | ||
verb 3</ | verb 3</ | ||
- | The line around the middle that begins | + | The line beginning with " |
==== Port Forwarding ===== | ==== Port Forwarding ===== | ||
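Review bot: the heading `==== Port Forwarding =====` has four opening and five closing equals signs; DokuWiki expects them to match, so it should be `==== Port Forwarding ====` like the neighbouring headings.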
Line 345: | Line 310: | ||
==== Final Settings in the VM ==== | ==== Final Settings in the VM ==== | ||
- | We need to tell OpenVPN to make use of our " | + | We need to tell OpenVPN to make use of our " |
- | + | ||
- | < | + | |
- | ExecStopPost=/ | + | |
- | + | ||
- | Enter | + | |
< | < | ||
- | Paste the two lines at the bottom of the [Service] section so that its last three lines look like | + | Copy these two lines: |
- | < | + | < |
- | ExecStartPre=/ | + | |
ExecStopPost=/ | ExecStopPost=/ | ||
+ | |||
+ | and paste them at the bottom of the [Service] section. | ||
Exit and save. Reboot the VM by entering | Exit and save. Reboot the VM by entering | ||
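Review bot: the two lines `ExecStartPre=/ ...` and `ExecStopPost=/ ...` are pasted into the `[Service]` section of the packaged unit file, and Debian overwrites that file on the next openvpn package upgrade, which silently removes the bridge hooks. Suggest `systemctl edit openvpn@server` (the instance name is not visible in this rendering; use whichever unit the guide starts), which creates a drop-in override; the override needs its own `[Service]` header above the two lines. Worth noting too that `ExecStartPre` runs the bridge script as root before OpenVPN drops privileges, so the script path should not be writable by other users.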
Line 368: | Line 329: | ||
==== Basic Testing ==== | ==== Basic Testing ==== | ||
- | Verify that the br0 and tap0 interfaces are up by entering | + | Verify that the br0 and tap0 interfaces are up by entering |
- | < | + | < |
When the OpenVPN server is running, the br0 interface will have the IP address that you chose for the Linux VM. | When the OpenVPN server is running, the br0 interface will have the IP address that you chose for the Linux VM. | ||
Line 376: | Line 337: | ||
Check the OpenVPN server status by entering | Check the OpenVPN server status by entering | ||
- | < | + | < |
+ | |||
+ | Press Q to exit. | ||
- | Stop the OpenVPN server by entering | + | Stop the OpenVPN server by entering, as root, |
- | < | + | < |
- | Entering "ifconfig" again should show the network interfaces back to normal (no br0 or tap0), with the eth0 interface now having the IP address. | + | Entering "ip a" again should show the network interfaces back to normal (no br0 or tap0), with the eth0 interface now having the IP address. |
- | Start or restart the OpenVPN server by using " | + | Start or restart the OpenVPN server by using " |
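Review bot: `Entering "ip a" again should show the network interfaces back to normal (no br0 or tap0), with the eth0 interface now having the IP address` still names eth0, but the script in this revision sets `eth="ens33"`; update it to ens33 (or to "the physical interface named in the script") so readers on VMware do not look for a device that does not exist.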
===== OpenVPN Client Setup ===== | ===== OpenVPN Client Setup ===== | ||
Line 390: | Line 353: | ||
==== Client Configuration ==== | ==== Client Configuration ==== | ||
- | Create a plain text file in a program such as TextEdit in OS X or Notepad in Windows. | + | Create a plain text file in a program such as TextEdit in macOS or Notepad in Windows. |
< | < | ||
Line 402: | Line 365: | ||
key joe.key | key joe.key | ||
remote-cert-tls server | remote-cert-tls server | ||
- | comp-lzo | + | tls-auth ta.key 1 |
+ | cipher AES-256-GCM | ||
verb 3</ | verb 3</ | ||
- | PUBLIC_IP_ADDRESS must be replaced with the public IP address of the server side. Google "what' | + | PUBLIC_IP_ADDRESS must be replaced with the public IP address of the server side. Google "my ip" on the server side to get this address. |
- | The " | + | The lines beginning with " |
- | + | ||
- | More information on the client configuration file can be found at [[https:// | + | |
==== Mac Client Software: | ==== Mac Client Software: | ||
- | For OS X clients, use [[https://code.google.com/ | + | For macOS clients, use [[https://tunnelblick.net|Tunnelblick]]. |
- | To get back to the individual client files, right-click on the .tblk file and select "Show Package Contents." | + | To get back to the individual client files, right-click on the .tblk file and select "Show Package Contents." |
- | ==== Windows Client Software: | + | ==== Windows Client Software: |
- | For Windows clients, the Windows version of OpenVPN can be used, but I recommend | + | For Windows clients, the Windows version of OpenVPN can be used, but here we'll go over using the [[https:// |
- | The program runs in German when not run with the shortcut. | + | If you ever accidentally delete the desktop shortcut, |
- | -manage | + | -manage |
- | to enable management, saving user credentials, | + | at the end of the shortcut' |
=== Broadcasts in Windows === | === Broadcasts in Windows === | ||
- | In Windows, broadcasts may not work by default | + | In Windows, broadcasts may not work by default |
- | Open Network | + | Open Network |
- | Uninstall unused TAP adapters under Device Manager > Network adapters. | + | Uninstall unused TAP adapters under Device Manager > Network adapters. You also can manage TAP adapters using the gear icon > Client settings > " |
===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
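Review bot: the client line `tls-auth ta.key 1` requires the server's tls-auth line (cut off in this rendering at `tls-auth / ...`) to end with key direction `0`; worth stating that pairing next to the client configuration, and adding `ta.key` to the list of files the client needs alongside `joe.crt` and `joe.key`, because with a missing or mismatched direction the server drops the client's handshake packets as unauthenticated and the client only ever sees a timeout.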
Line 439: | Line 401: | ||
If a remote client can't connect to the server, try to connect a computer on the server side using the Linux VM's private IP address instead of the public IP address in the client configuration file. If you still can't connect, this probably means that there' | If a remote client can't connect to the server, try to connect a computer on the server side using the Linux VM's private IP address instead of the public IP address in the client configuration file. If you still can't connect, this probably means that there' | ||
- | To test whether the client' | + | To test whether the client' |
- | < | + | < |
To listen, for example, for packets passing through the br0 interface on port 1194 (both TCP and UPD), enter | To listen, for example, for packets passing through the br0 interface on port 1194 (both TCP and UPD), enter | ||
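Review bot: `(both TCP and UPD)` should read `UDP`; the line is unchanged context, but it sits next to the edited tcpdump instructions and is the only place the typo would be noticed.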
Line 451: | Line 413: | ||
Using software firewalls may cause issues. | Using software firewalls may cause issues. | ||
- | Note that this bridged configuration does //not// require IP forwarding to be enabled since bridging operates at layer 2 of the [[http:// | + | If you have iptables firewall rules set up in Linux, you may need to enter the rules given at OpenVPN' |
+ | |||
+ | Note that this bridged configuration does //not// require IP forwarding to be enabled since bridging operates at layer 2 of the [[https:// | ||
- | Also, the Ethernet interface to which the VM is bridged can't be involved in any bridging in the host OS. If the Ethernet interface is a member of a bridge interface that's already up in the host OS, then networking won't work in the Linux VM. See [[http:// | + | Also, the Ethernet interface to which the VM is bridged can't be involved in any bridging in the host OS. If the Ethernet interface is a member of a bridge interface that's already up in the host OS, then networking won't work in the Linux VM. See [[https:// |
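Review bot: "If you have iptables firewall rules set up in Linux, you may need to enter the rules given at OpenVPN'" only links to the rules; since the rest of the guide inlines every command, quoting the needed rules here would keep the reader on one page. It is also worth saying why the "does not require IP forwarding" remark below holds: frames crossing br0 are switched at layer 2, and iptables only sees them when the br_netfilter module is loaded (sysctl `net.bridge.bridge-nf-call-iptables`), so a host firewall on the VM does not filter VPN-to-LAN traffic by default.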
===== Appendices ===== | ===== Appendices ===== | ||
Line 478: | Line 442: | ||
< | < | ||
- | into your server.conf file. Set your router to forward public and private (external and internal) TCP port 443 to the private IP address of the Linux VM (OpenVPN server). | + | into your server.conf file. If sharing port 443 with another service within the VM itself, replace the IP address with " |
+ | |||
+ | ==== SSH Server ==== | ||
+ | |||
+ | The SSH server is useful for managing the VM from the terminal of another machine, such as Terminal in macOS, or [[https://www.putty.org/|PuTTY]] in Windows. | ||
+ | |||
+ | < | ||
+ | |||
+ | To be able to log in as root, edit the configuration file, | ||
+ | |||
+ | < | ||
+ | |||
+ | and uncomment (delete | ||
+ | |||
+ | < | ||
+ | |||
+ | Restart the SSH service (or just reboot): | ||
+ | |||
+ | < | ||
+ | |||
+ | To log in to the server from another Mac or Linux terminal, use the command | ||
+ | |||
+ | < | ||
+ | |||
+ | where the IP address is that chosen | ||
+ | |||
+ | < | ||
==== Client Usage with Virtual Machines ==== | ==== Client Usage with Virtual Machines ==== | ||
- | To make use of the VPN connection in a virtual machine, the client should first connect to the VPN in the host, then have the virtualization program bridge the VM's virtual network adapter to OpenVPN' | + | To make use of the VPN connection in a virtual machine, the client should first connect to the VPN in the host, then have the virtualization program bridge the VM's virtual network adapter to OpenVPN' |
Also, on the server side, you should make it a habit to use virtual network adapters for VMs in their bridged configurations, | Also, on the server side, you should make it a habit to use virtual network adapters for VMs in their bridged configurations, | ||
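Review bot: at "To be able to log in as root, edit the configuration file" the SSH appendix enables root login on a VM that is reachable by every LAN host and every VPN client. Since the Debian installation earlier in the guide already creates a normal user ("Enter a username" / "user password"), suggest logging in as that user and running `su -`, or keeping the default `PermitRootLogin prohibit-password` and installing an SSH key for root, rather than uncommenting the directive to allow password login as root.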
Line 488: | Line 478: | ||
==== LAN Gaming ==== | ==== LAN Gaming ==== | ||
- | The bridged OpenVPN server is ideal for playing LAN games over the Internet. | + | The bridged OpenVPN server is ideal for playing LAN games over the Internet. |
=== Hosting the Game === | === Hosting the Game === | ||
Line 502: | Line 492: | ||
*Virtual machines and emulators that include networking functionality are very useful for running old operating systems, which some old games may require. | *Virtual machines and emulators that include networking functionality are very useful for running old operating systems, which some old games may require. | ||
- | *[[http:// | + | *[[https:// |
- | *IPX games for Windows can be played over the VPN as they would normally over a LAN, when using Windows XP or earlier, which include the IPX protocol. | + | *IPX games for Windows can be played over the VPN as they would normally over a LAN, when using Windows XP or earlier, which include the IPX protocol. |
- | *[[http:// | + | *[[https:// |
*Many video game console emulators contain netplay functionality. | *Many video game console emulators contain netplay functionality. | ||
*Some LAN-based programs don't specify which ports they use. Unless you can determine the ports, a VPN is necessary for networking these programs over the Internet. | *Some LAN-based programs don't specify which ports they use. Unless you can determine the ports, a VPN is necessary for networking these programs over the Internet. | ||
+ | ===== More References ===== | ||
+ | |||
+ | OpenVPN 2.5 manual:\\ | ||
+ | https:// | ||
+ | |||
+ | OpenVPN HOW-TO page:\\ | ||
+ | https:// | ||
- | *You can play shared-screen and "hot seat" games using remote desktop software. | + | Deprecated Options in OpenVPN: |
+ | https:// |