Emaculation.com

bridged_openvpn_server_setup [2023/05/28 14:14] (current) nucar (text of this revision; the comparison view also listed the [2015/05/05 14:02] revision by the same author)

====== Bridged OpenVPN Server Setup ======
  
(Last updated May 28, 2023.  The forum thread is [[https://www.emaculation.com/forum/viewtopic.php?f=3&t=8336|here]].)
  
===== Introduction =====
  
This guide describes how to set up a bridge-mode [[https://openvpn.net/community/|OpenVPN]] server in a Linux virtual machine (VM).  These instructions are intended for home users who wish to run the VM on a Mac or Windows PC.  The focus is on using VMware Fusion on a Mac host, but the instructions can easily be adapted for use with VirtualBox or VMware Workstation on other platforms.  VMware Fusion Player (for macOS) and VMware Workstation Player (for Windows) are free for non-commercial use, and VirtualBox is free, open-source software.
  
An OpenVPN server in a bridged configuration creates a virtual private network (VPN) that can be thought of as a virtual Ethernet switch to your network.  It allows people you trust to make a virtual Ethernet connection to your LAN from over the Internet.  Therefore, people that connect, called clients, are able to send and receive all the same data that they could if they were physically connected to your LAN by Ethernet, while still maintaining their own normal LAN and Internet connections.  Local traffic of any protocol (TCP, UDP, AppleTalk, IPX, etc.) going to and from the clients, including broadcasts, will be tunneled over a single UDP port.  All data over the VPN connection is encrypted and, with the AES-256-GCM cipher configured later in this guide, authenticated as well, so it can't be read or tampered with in transit.
  
Possible uses of this VPN include:\\
  * Accessing typical LAN services such as file sharing and printers
  * Accessing services that rely on broadcasts or multicasts such as Apple's Bonjour
  * Playing LAN games over the Internet
  * Easily sharing the VPN connection with virtual machines and emulators
  * Using non-IP protocols such as [[wireless_appletalk_ss_bii_osx|AppleTalk]] or IPX over wireless or over the Internet
  * Networking virtual machines and emulators with old computers that use such non-IP protocols
  
We refer to the LAN on which the OpenVPN server is running as the "server side" of the VPN.  We refer to wherever the client connects from as the "client side" of the VPN.  Only the individual clients connecting via VPN will be connected to the server side.  No other machines on the client side will be connected to the server side.
  
The computer on which you want to run the OpenVPN server **//must be wired to your router by Ethernet//**, and you must have the ability to forward a UDP port.  The IANA port number for OpenVPN is port 1194, but you can use any free port you want.  Clients can use wireless or Ethernet and do not need to forward any ports.  Keep in mind that a connected client is, for every practical purpose, plugged into your LAN: hand out client credentials only to people you would let plug a cable into your router, and revoke them when they are no longer needed.

===== Using a Unique Subnet =====
  
If you're going to run a VPN server on your home network, it's a good idea to change your private IP subnet to some uncommon numbering, i.e., not 0 or 1 in the third octet.  The third octet is the "this" in x.x.this.x.  Your router software should be able to accomplish this.  Machines using static IP addresses will have to be changed manually on the respective machines.  Using a unique subnet is important because many services require that clients enter the IP address of the host, and a client's own LAN stays attached while the VPN is up: if the same private addresses exist on both the server side and the client side, the client's operating system can't tell which network a packet belongs on, so things can't be expected to work.  So, for example, a numbering such as 10.0.149.x or 192.168.37.x should be fine.
  
To be clear, only the server's network has to worry about having a different subnet numbering than the numberings of each of the clients.  The clients can't see each other's LANs, so their comparative numberings don't matter.  Clients can see only each other's OpenVPN-assigned private IP addresses in addition to the machines on the server side.
  
===== Linux VM Setup and Usage =====

This guide will assume that you're running a [[https://www.debian.org|Debian]] 11 "Bullseye" VM.  Guides on installing Debian in a VM can be found on the Web and YouTube.  This section covers only some of the steps, mainly those important to this particular application and the rest of this guide.  If you already have your Linux machine set up, you should note the requirements below regarding the VM's virtual network adapter settings before proceeding to the [[bridged_openvpn_server_setup#openvpn_server_setup|OpenVPN Server Setup]] section.
  
==== VM Settings ====

The VM software's defaults for the memory and storage space allocated to the VM should be sufficient.

The VM's virtual network adapter must be //bridged// to the host's Ethernet connection.  It must also be allowed to enter promiscuous mode: the bridge inside the VM has to receive frames addressed to the VPN clients' MAC addresses, not only the VM's own, and the host's virtual switch will deliver those frames only to an adapter in promiscuous mode.  In VirtualBox, in the VM's network settings, under Advanced, set Promiscuous Mode: Allow All.  In VMware Fusion, if starting the VM using the GUI, you have to wait for the guest OS to boot and then enter your administrator password every time you start the VM (except during an administrator password timeout).  To avoid this, use the following Terminal command (not now, but after you've finished setting up OpenVPN):
  
<code>sudo vmrun start "/Users/username/Virtual Machines.localized/Debian 11.x 64-bit.vmwarevm/Debian 11.x 64-bit.vmx" nogui</code>

This will start the VM in "headless" mode, i.e., as a background process.  The VM can be shut down gracefully using the command

<code>sudo vmrun stop "/Users/username/Virtual Machines.localized/Debian 11.x 64-bit.vmwarevm/Debian 11.x 64-bit.vmx" soft</code>

In both commands, edit the path to the .vmx file, mainly replacing "username" with your username and both instances of "Debian 11.x 64-bit" with whatever you named the VM.  Save these commands in shell scripts or .command files for quick usage.

Record the VM's MAC address for use later.  It is found in the VM's network settings.

Add a folder to the VM's list of shared folders.  This setup assumes that you added a shared folder named "vmshared".
  
==== Debian Installation ====

You may find it easier to use "Install" rather than "Graphical install" since, in a VM, the mouse pointer may not work well until the VM's support software is installed.

The hostname doesn't matter unless you're planning to use it (I just use IP addresses).  The domain name can be left blank if your ISP's domain name wasn't detected automatically.

At the software selection screen, the default choices are fine, but the SSH server software is useful for accessing the Linux terminal remotely or when the VM is run in "headless" mode (see the [[bridged_openvpn_server_setup#ssh_server|SSH Server]] appendix).  If changing your selections, use the **space bar**.  Pressing return will proceed to the next screen.

After the installation is complete, and Debian has booted to the login screen, log in and set up a shortcut to the Terminal application.  If using the default GNOME desktop environment, press the command key on a Mac, or the Windows key in Windows, search for "terminal", and drag the Terminal icon to the dock for quick access in the future.
  
==== VM Support Software ====

In a VMware VM, Open VM Tools should have been installed automatically in Debian when following the default installation, so you should be able to copy and paste into the VM.  The keyboard shortcut for pasting into the Linux terminal is shift+control+V, as seen in the terminal's Edit menu.

Open Terminal, and **become root** by entering

<code>su -</code>

Create a mount point for shared folders (you're already root here, so no "sudo" is needed; sudo isn't even installed by a default Debian installation that sets a root password):

<code>mkdir -p /mnt/hgfs</code>

We'll use the text editor "nano" throughout this guide to edit text files.  To make shared folders mount automatically, enter

<code>nano /etc/fstab</code>

and add to the file the line

<code>.host:/mnt/hgfs fuse.vmhgfs-fuse auto,allow_other 0 0</code>
  
Press control+X, then Y to accept changes, and return to save the file.  Reboot the VM by entering

<code>reboot</code>

Open Terminal and enter

<code>ls /mnt/hgfs</code>

The shared folder "vmshared" should now be visible.

If using VirtualBox, you'll have to install Guest Additions before being able to copy and paste into the VM and access shared folders.  Again, consult a separate guide.  Shared folders will appear in /media, and will have "sf_" prepended to their names if using auto-mount.
  
==== Other Terminal Commands ====

The command to shut down the VM **as root** is

<code>shutdown -h now</code>

You can also run **as root**

<code>apt update</code>

followed by

<code>apt upgrade</code>

once in a while to update the operating system and its software packages.  Since this VM will accept connections from the Internet, do this regularly; unpatched software on an Internet-facing host is an easy target.
  
===== OpenVPN Server Setup =====
  
The instructions in this section can be used for running OpenVPN 2.x in Debian 11 (proceeding from the VM setup above), which packages OpenVPN 2.5, or some similar Linux distribution.
  
==== Authentication Setup with Easy-RSA ====
  
Open Terminal, and **become root**.  You should **always become root** before running the commands below.  Install OpenVPN, Easy-RSA and the Linux Ethernet bridge utilities:

<code>apt install openvpn easy-rsa bridge-utils</code>
  
Copy Easy-RSA to OpenVPN's directory:

<code>cp -r /usr/share/easy-rsa /etc/openvpn</code>
  
Now we'll make the credentials (certificates and keys) for OpenVPN authentication.  Go to Easy-RSA's directory:

<code>cd /etc/openvpn/easy-rsa</code>

Enter

<code>./easyrsa init-pki</code>
  
Create a Certificate Authority (CA) by entering

<code>./easyrsa build-ca nopass</code>

The Common Name will be set to "Easy-RSA CA" by default, so no entry is required.  Note that "nopass" leaves the CA's private key (pki/private/ca.key) unencrypted on disk.  Anyone who can read that file can issue certificates that your server will accept, so leave the key files with the owner-only permissions Easy-RSA gives them (root here), and consider omitting "nopass" and entering a passphrase each time you sign a request.

Create the server credentials by entering

<code>./easyrsa gen-req openvpnserver nopass</code>

The Common Name will be set to "openvpnserver" by default, so no entry is required.

Sign the server credentials by entering

<code>./easyrsa sign-req server openvpnserver</code>

Enter "yes" (without quotes) as requested.  Signing as a "server" type gives the certificate the TLS server extended key usage that clients check with "remote-cert-tls server".

Generate Diffie-Hellman parameters by entering

<code>./easyrsa gen-dh</code>

Now we'll create the client credentials.
  
To create credentials for a client called "joe", enter

<code>./easyrsa gen-req joe nopass</code>

The Common Name will be set to "joe" by default, so no entry is required.

Sign the credentials of client "joe" by entering

<code>./easyrsa sign-req client joe</code>

Enter "yes" (without quotes) as requested.

You can make more client credentials by changing "joe" in the previous two commands.  Each client's Common Name must be unique.

**IMPORTANT**:  If you ever come back later to /etc/openvpn/easy-rsa to create credentials for additional clients, do **NOT** run "./easyrsa init-pki" again since this would wipe out your existing credentials.

Create the tls-auth HMAC key.  This is a pre-shared key known to the server and every client; the server uses it to discard packets from anyone who doesn't hold it before doing any TLS work, which hides the service from port scanners and blunts denial-of-service attempts against the TLS handshake:

<code>openvpn --genkey secret /etc/openvpn/easy-rsa/pki/private/ta.key</code>

Each client will be given four files: ca.crt, its own certificate and key, and ta.key.  Never hand out ca.key (anyone holding it can issue valid client certificates) or the server's certificate and key.  Copy the files for client "joe" to the host OS via the shared folder by entering

<code>mkdir /mnt/hgfs/vmshared/credentials</code>

followed by

<code>cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/easy-rsa/pki/issued/joe.crt /etc/openvpn/easy-rsa/pki/private/joe.key /etc/openvpn/easy-rsa/pki/private/ta.key /mnt/hgfs/vmshared/credentials</code>

Repeat the "cp" command with the name of each additional client.  Remove the copies from the shared folder once they have been delivered; the key files are as sensitive as a password.

If using VirtualBox, /mnt/hgfs/vmshared would be replaced by /media/sf_vmshared in the above two commands.

For information on revoking client certificates, see [[https://wiki.archlinux.org/index.php/Easy-RSA|this guide]].
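As an added example (not part of the wiki page or of the OpenVPN project), here is a small script that packages exactly the four files a client needs into one inline .ovpn file.  A single file is easier to hand out than a folder of loose certificates, and because the script only ever opens ca.crt, the client's own certificate and key, and ta.key, it cannot ship ca.key or the server key by accident.  It assumes the Easy-RSA 3 layout created above, writes a client config that mirrors the server config later in this guide, and uses the hypothetical server name vpn.example.org; the hostname, port and paths are assumptions to adjust.

```shell
#!/bin/sh
# make-client-ovpn: build a single, self-contained .ovpn for one client.
# Added example, not the wiki's own procedure.  It assumes the Easy-RSA 3
# layout this guide creates under /etc/openvpn/easy-rsa/pki and a tls-auth
# key at pki/private/ta.key.  Only the four files a client needs are read:
# ca.crt, <client>.crt, <client>.key and ta.key.  ca.key and the server key
# are never touched, so they cannot end up in the bundle.
set -eu

# make_client_ovpn <client name> <pki dir> <server hostname or IP> <udp port>
# Writes the config to stdout; returns 1 with a message if a file is missing.
make_client_ovpn() {
    name="$1"; pki="$2"; remote="$3"; port="$4"
    ca="$pki/ca.crt"
    cert="$pki/issued/$name.crt"
    key="$pki/private/$name.key"
    ta="$pki/private/ta.key"
    for f in "$ca" "$cert" "$key" "$ta"; do
        if [ ! -r "$f" ]; then
            echo "make_client_ovpn: missing or unreadable: $f" >&2
            return 1
        fi
    done
    cat <<EOF
client
dev tap
proto udp
remote $remote $port
resolv-retry infinite
nobind
persist-key
persist-tun
# Require the TLS server extended key usage that "./easyrsa sign-req server"
# put in the server certificate; mirrors "remote-cert-tls client" on the server.
remote-cert-tls server
cipher AES-256-GCM
# Client side of tls-auth uses key direction 1 (the server config uses 0).
key-direction 1
verb 3
<ca>
$(cat "$ca")
</ca>
<cert>
$(cat "$cert")
</cert>
<key>
$(cat "$key")
</key>
<tls-auth>
$(cat "$ta")
</tls-auth>
EOF
}

# Usage on the server, as root, writing into the shared folder (paths assumed):
#   make_client_ovpn joe /etc/openvpn/easy-rsa/pki vpn.example.org 1194 \
#       > /mnt/hgfs/vmshared/credentials/joe.ovpn
#   chmod 600 /mnt/hgfs/vmshared/credentials/joe.ovpn
if [ "$#" -eq 4 ]; then
    make_client_ovpn "$@"
fi
```

The resulting file imports directly into OpenVPN Connect, Tunnelblick or the command-line client.  Treat it like the loose key files: deliver it over a private channel and delete the copy in the shared folder afterwards.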
  
==== VPN Setup ====

Now we'll configure the OpenVPN server.  First, you must obtain some information about your network's private IP address numbering.

On a macOS host, open System Preferences and go to Network.  On the left, select the active interface (Ethernet), click "Advanced..." and select the "TCP/IP" tab.  Look for the values for Subnet Mask (netmask) and Router.  On a Windows host, this information can be obtained by running the command "ipconfig" (without quotes) in the Windows command prompt, cmd.exe.  "Default Gateway" is the router's address.  You'll also need to know your broadcast address, which, for the usual 255.255.255.0 netmask, is simply the first three octets of your subnet plus 255.  Finally, decide on a free IP address on your network, which will be assigned to the Linux VM.
  
This guide will use the following example private IP address numbering (adjust this to your numbering):

Free IP address for Linux VM:  192.168.5.100\\
Subnet mask (netmask):  255.255.255.0 (/24 following the Free IP address in [[https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#IPv4_CIDR_blocks|CIDR notation]])\\
Broadcast address:  192.168.5.255\\
Router's IP address:  192.168.5.1\\
VM's MAC address:  08:00:27:e7:0e:0a (found in the VM's network settings)

We'll create a script called "openvpn-bridge" that performs the Ethernet bridging.  Enter

<code>nano /etc/openvpn/openvpn-bridge</code>
<code># [...]
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="ens33"
eth_ip_netmask="192.168.5.100/24"
eth_broadcast="192.168.5.255"
eth_gateway="192.168.5.1"
eth_mac="08:00:27:e7:0e:0a"

case "$1" in
# [...]

    for t in $tap; do
        ip addr flush dev $t
        ip link set $t promisc on up
    done

    ip addr flush dev $eth
    ip link set $eth promisc on up

    ip addr add $eth_ip_netmask broadcast $eth_broadcast dev $br
    ip link set $br address $eth_mac
    ip link set $br up

    ip route add default via $eth_gateway
    ;;
stop)
    ip link set $br down
    brctl delbr $br

# [...]
    done

    ip link set $eth promisc off up
    ip addr add $eth_ip_netmask broadcast $eth_broadcast dev $eth

    ip route add default via $eth_gateway
    ;;
*)
# [...]
exit 0</code>
  
Use the arrow keys to edit the script.  Edit the four lines beginning with eth_ip_netmask, eth_broadcast, eth_gateway and eth_mac.  Those four variables must be set equal to the free IP address for the Linux VM with its subnet mask in CIDR notation, the broadcast address, the router's IP address, and the VM's MAC address, respectively, in quotes as shown.  (Depending on your VM software, you may also have to change the "eth" variable to match the name of your Ethernet interface.  Use the command "ip a" in Terminal to find this name.)  Exit and save.  Entering "ls" should now show the file "openvpn-bridge" in the list of files in the directory.  If you need to edit the script again, enter the same command above used to create it.

This script is adapted from the "bridge-start" and "bridge-stop" scripts at OpenVPN's [[https://openvpn.net/community-resources/ethernet-bridging/|Ethernet bridging page]], with the now-deprecated "ifconfig" commands replaced with the equivalent "ip" (iproute2) commands.  It bridges the Ethernet interface (the "eth" variable) and OpenVPN's TAP interface (tap0) as members of the bridge interface (br0).  It also sets the Linux VM's private IP address to the free address that you chose, **effectively giving the server a static IP address**.  The eth_mac line pins the bridge's MAC address to the VM's own: a Linux bridge otherwise takes the MAC address of one of its member interfaces, which can change when tap0 comes and goes, and a changing MAC address would break any DHCP reservation your router keeps for the VM.
  
 Make the script executable by entering Make the script executable by entering
Line 329: Line 286:
 proto udp proto udp
 dev tap0 dev tap0
-ca /etc/openvpn/easy-rsa/keys/ca.crt +ca /etc/openvpn/easy-rsa/pki/ca.crt 
-cert /etc/openvpn/easy-rsa/keys/server.crt +cert /etc/openvpn/easy-rsa/pki/issued/openvpnserver.crt 
-key /etc/openvpn/easy-rsa/keys/server.key +key /etc/openvpn/easy-rsa/pki/private/openvpnserver.key 
-dh /etc/openvpn/easy-rsa/keys/dh2048.pem+dh /etc/openvpn/easy-rsa/pki/dh.pem
 remote-cert-tls client remote-cert-tls client
 server-bridge 192.168.5.100 255.255.255.0 192.168.5.101 192.168.5.110 server-bridge 192.168.5.100 255.255.255.0 192.168.5.101 192.168.5.110
 client-to-client client-to-client
 keepalive 10 120 keepalive 10 120
-comp-lzo+tls-auth /etc/openvpn/easy-rsa/pki/private/ta.key 0 
 +cipher AES-256-GCM
 persist-key persist-key
 persist-tun persist-tun
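Review bot: `cipher AES-256-GCM` on the new side does not pin the data-channel cipher on OpenVPN 2.4 and later: with cipher negotiation the two sides choose from `data-ciphers` (named `ncp-ciphers` before 2.5, default AES-256-GCM:AES-128-GCM), and `cipher` only acts as the fallback for a peer that cannot negotiate, which is exactly why the DeprecatedOptions page this revision links lists it. To actually restrict the server to AES-256-GCM add `data-ciphers AES-256-GCM`, and either drop `cipher` or keep it only for old clients. Dropping `comp-lzo` is the right call. `tls-auth /etc/openvpn/easy-rsa/pki/private/ta.key 0` is fine, but `tls-crypt` with the same key file and no direction argument, available since 2.4, additionally encrypts the control channel and removes the 0/1 direction mismatch that trips up beginners on the client side.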
Line 344: Line 302:
 verb 3</code> verb 3</code>
  
-The line around the middle that begins "server-bridge" must be changed to match your private IP addresses.  Set the first and second addresses of that line to the free IP address for the Linux VM and your netmask, respectively.  The third and fourth addresses of that line denote the private IP address range to be allocated to clients.  This must be set to an unused address range on your network.  This range ideally should be outside your router's DHCP range, but it doesn't need to be.  As can be seen, in this example, ten addresses are allocated, ending with 101 through 110.  More information on the server configuration file can be found at [[https://openvpn.net/index.php/open-source/documentation/howto.html|OpenVPN's HOWTO page]] and [[https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage|the OpenVPN 2.3 manual]].+The line beginning with "server-bridge" must be changed to match your private IP addresses.  Set the first and second addresses of that line to the free IP address for the Linux VM and your subnet mask, respectively.  The third and fourth addresses of that line denote the private IP address range to be allocated to clients.  This must be set to an unused address range on your network.  This range ideally should be outside your router's DHCP range, but it doesn't need to be.  As can be seen, in this example, ten addresses are allocated, ending with 101 through 110.
  
 ==== Port Forwarding ===== ==== Port Forwarding =====
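Review bot: "ideally should be outside your router's DHCP range, but it doesn't need to be" understates the risk in the server-bridge line: the pool 192.168.5.101 to 192.168.5.110 is handed out by OpenVPN with no coordination with the router, so if it overlaps the router's DHCP scope a LAN host can be leased the same address a connected VPN client is using, and the resulting duplicate-address symptoms are hard to debug. State plainly that the pool must be excluded from the router's DHCP range (or the range shrunk to make room). For a bridged server OpenVPN also supports `server-bridge` with no arguments, which lets the LAN's own DHCP server address the clients through the bridge; that removes the overlap problem and the need to choose a pool at all, and is worth a sentence as the alternative.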
Line 352: Line 310:
 ==== Final Settings in the VM ==== ==== Final Settings in the VM ====
  
-We need to tell OpenVPN to make use of our "openvpn-bridge" script.  First, copy the following two lines: +We need to tell OpenVPN to make use of our "openvpn-bridge" script.  Enter
- +
-<code>ExecStartPre=/etc/openvpn/openvpn-bridge start +
-ExecStopPost=/etc/openvpn/openvpn-bridge stop</code> +
- +
-Enter+
  
 <code>nano /lib/systemd/system/openvpn@.service</code> <code>nano /lib/systemd/system/openvpn@.service</code>
  
-Paste the two lines at the bottom of the [Service] section so that its last three lines look like+Copy these two lines:
  
-<code>WorkingDirectory=/etc/openvpn +<code>ExecStartPre=/etc/openvpn/openvpn-bridge start
-ExecStartPre=/etc/openvpn/openvpn-bridge start+
 ExecStopPost=/etc/openvpn/openvpn-bridge stop</code> ExecStopPost=/etc/openvpn/openvpn-bridge stop</code>
 +
 +and paste them at the bottom of the [Service] section.
  
 Exit and save.  Reboot the VM by entering Exit and save.  Reboot the VM by entering
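Review bot: `nano /lib/systemd/system/openvpn@.service` edits a file owned by the openvpn package, so the next upgrade that ships a new unit file will silently drop the ExecStartPre and ExecStopPost lines and the bridge will stop coming up at boot. Put them in a drop-in instead: `systemctl edit openvpn@.service` opens /etc/systemd/system/openvpn@.service.d/override.conf, where the same two lines under a `[Service]` header survive package upgrades, followed by `systemctl daemon-reload` (the reboot the page asks for next covers that too). The hunk also moved "Copy these two lines:" after the nano command, so a reader following it literally is already inside the editor when told what to copy; keep the copy step before the nano command, as the old side had it.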
Line 375: Line 329:
 ==== Basic Testing ==== ==== Basic Testing ====
  
-Verify that the br0 and tap0 interfaces are up by entering+Verify that the br0 and tap0 interfaces are up by entering in Terminal
  
-<code>ifconfig</code>+<code>ip a</code>
  
 When the OpenVPN server is running, the br0 interface will have the IP address that you chose for the Linux VM. When the OpenVPN server is running, the br0 interface will have the IP address that you chose for the Linux VM.
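Review bot: replacing `ifconfig` with `ip a` is right, but `ip a` only shows that br0 exists and carries the address; it does not show that the Ethernet interface and tap0 are actually enslaved to br0, which is what the bridge script is meant to achieve and the first thing to check when clients connect but see no LAN traffic. Add `bridge link` (from the same iproute2 package) as the check here, since it lists each port with its master and lets a reader tell a bridge with a missing member from a working one.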
Line 383: Line 337:
 Check the OpenVPN server status by entering Check the OpenVPN server status by entering
  
-<code>service openvpn status</code>+<code>systemctl status openvpn@server.service</code> 
 + 
 +Press Q to exit.
  
-Stop the OpenVPN server by entering+Stop the OpenVPN server by entering, as root,
  
-<code>service openvpn stop</code>+<code>systemctl stop openvpn@server.service</code>
  
-Entering "ifconfig" again should show the network interfaces back to normal (no br0 or tap0), with the eth0 interface now having the IP address.+Entering "ip a" again should show the network interfaces back to normal (no br0 or tap0), with the eth0 interface now having the IP address.
  
-Start or restart the OpenVPN server by using "start" or "restart" instead of "stop" in the command above.  Note that the startup process will take approximately as long as the duration of the "sleep" command in the "openvpn-bridge" script.  Again, the OpenVPN server will always start at boot.+Start or restart the OpenVPN server by using "start" or "restart" instead of "stop" in the command above.  The OpenVPN server will always start at boot.
  
 ===== OpenVPN Client Setup ===== ===== OpenVPN Client Setup =====
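Review bot: the new side of "Entering "ip a" again should show the network interfaces back to normal (no br0 or tap0), with the eth0 interface now having the IP address." still hard-codes eth0, while the bridge-script paragraph in this same revision says the interface name may differ and must be looked up with `ip a` (the "eth" variable); say "the Ethernet interface" here so the two sections agree. "The OpenVPN server will always start at boot" also holds only while the instance is enabled, so `systemctl is-enabled openvpn@server.service` belongs next to the status command as the way to confirm it.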
Line 397: Line 353:
 ==== Client Configuration ==== ==== Client Configuration ====
  
-Create a plain text file in a program such as TextEdit in OS X or Notepad in Windows.  For the client joe, copy and paste into that file the following text:+Create a plain text file in a program such as TextEdit in macOS or Notepad in Windows.  For the client "joe", copy and paste into that file the following text:
  
 <code>client <code>client
Line 409: Line 365:
 key joe.key key joe.key
 remote-cert-tls server remote-cert-tls server
-comp-lzo+tls-auth ta.key 1 
 +cipher AES-256-GCM
 verb 3</code> verb 3</code>
  
-PUBLIC_IP_ADDRESS must be replaced with the public IP address of the server side. Google "what'my ip" on the server side to get this address.  A client already on the server side could use the private IP address of the Linux VM instead of the public IP address.  Tunneling [[bridged_openvpn_server_setup#lan_gaming|non-IP protocols]], such as AppleTalk and IPX, over wireless is one reason to do this. Clients over the Internet must use the public IP address.+PUBLIC_IP_ADDRESS must be replaced with the public IP address of the server side. Google "my ip" on the server side to get this address.  A client already on the server side could use the private IP address of the Linux VM instead of the public IP address.  Tunneling [[bridged_openvpn_server_setup#lan_gaming|non-IP protocols]], such as AppleTalk and IPX, over wireless is one reason to do this.  Clients over the Internet must use the public IP address.
  
-The "cert" and "key" lines must be changed to match the file names of the .crt and .key files for any given client.  Save the file as "joe.conf", and give ca.crt, joe.crt, joe.key and joe.conf to the client. Zipping them together is easiest. +The lines beginning with "cert" and "key" must be changed to match the file names of the .crt and .key files for the given client.  Save the file as "joe.conf", and give ca.crt, joe.crt, joe.key, ta.key and joe.conf to the client.
- +
-More information on the client configuration file can be found at [[https://openvpn.net/index.php/open-source/documentation/howto.html|OpenVPN's HOWTO page]] and [[https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage|the OpenVPN 2.3 manual]].+
  
 ==== Mac Client Software:  Tunnelblick ==== ==== Mac Client Software:  Tunnelblick ====
  
-For OS X clients, use [[https://code.google.com/p/tunnelblick/|Tunnelblick]].  Be sure to get the correct version for your version of OS X, which could be the beta release.  When it asks for configuration files after you install it, just quit.  Tunnelblick uses files with a ".tblk" extension.  For the client "joe", place the files ca.crt, joe.crt, joe.key and joe.conf into a folder called whatever you want to call that VPN connection, say, "Home VPN.tblk" Double-click that file to add it to Tunnelblick's list of connections.  Tunnelblick appears at the right side of the menu bar as a tunnel icon.  Go to "VPN Details...", select the connection on the left, and set "Set DNS/WINS" to "Do not set nameserver".  Select "Advanced...", and under "Connecting & Disconnecting," uncheck "Check if the apparent public IP address changed after connecting," since this is unnecessary for this type of setup (the public IP address will not change).  Exit the menus.  With the OpenVPN server running, click the tunnel icon, and connect.+For macOS clients, use [[https://tunnelblick.net|Tunnelblick]].  Be sure to get the correct version for your version of macOS, which could be the beta release.  When it asks for configuration files after you install it, just quit.  Tunnelblick uses files with a ".tblk" extension.  For the client "joe", place the files ca.crt, joe.crt, joe.key, ta.key and joe.conf into a new folder called whatever you want to call that VPN connection, say, "Home VPN.tblk" Double-click that file to add it to Tunnelblick's list of connections.  Tunnelblick appears at the right side of the menu bar as a tunnel icon.  Go to "VPN Details...", select the connection on the left, and under the "Settings" tab, set "Set DNS/WINS" to "Do not set nameserver".  Also uncheck "Check if the apparent public IP address changed after connecting," since this is unnecessary for this type of VPN setup (the client'public IP address will not change).  Exit the menus.  
With the OpenVPN server running, click the tunnel icon, and connect.  A message about the DNS server address not being routed through the VPN may pop up, which can be ignored since this isn't the intent of this VPN setup.
  
-To get back to the individual client files, right-click on the .tblk file and select "Show Package Contents."  If you want to change any of the client files, you must reload (double-click) the .tblk file again after making the changes.  However, to quickly change the client configuration file without having to reload, go to "VPN Details...", highlight the connection in the list on the left, click the gear icon below the list and select "Edit OpenVPN Configuration File."  The client doesn't need to keep the client files after the configuration is created.+To get back to the individual client files, right-click on the .tblk file and select "Show Package Contents."  If you want to change any of the client files, you must reload (double-click) the .tblk file again after making the changes.  However, to quickly change the client configuration file without having to reload, go to "VPN Details...", highlight the connection in the list on the left, click the gear icon below the list and select "Edit OpenVPN Configuration File."  The client doesn't need to keep the original client files after the configuration is created, since they get copied to the folder ~/Library/Application Support/Tunnelblick/Configurations.
  
-==== Windows Client Software:  Securepoint OpenVPN Client ====+==== Windows Client Software:  Securepoint SSL VPN Client ====
  
-For Windows clients, the Windows version of OpenVPN can be used, but I recommend the [[http://sourceforge.net/projects/securepoint/|Securepoint OpenVPN Client]], which is very easy to use. When installing, select "Mangagement" for the starting context. Select Yes for saving user credentials. Run the desktop shortcut, right-click the shield icon in the taskbar and select "Show profiles". Click "New" and give the VPN connection a name. Enter the public IP address of the server, port (1194) and protocol (UDP). For the client "joe", point "Root CA" to ca.crt, "Certificate" to joe.crt, and "Key" to joe.key. Leave "Server certificate" unchecked. Click Next, Next and Finish. Open joe.conf (with WordPad if it was written in OS X or Linux), select all, and copy. In Securepoint, right-click on the VPN connection's name, select "Quick edit", delete everything, and paste. Now you can connect.  The client doesn't need to keep the client files after the configuration is created.+For Windows clients, the Windows version of OpenVPN can be used, but here we'll go over using the [[https://sourceforge.net/projects/securepoint/|Securepoint SSL VPN Client]], which is very easy to use.  When installing, select "Mangagement" for the starting context.  Run the desktop shortcut, right-click the program's padlock icon in the taskbarand select "Show window."  Click on the gear icon, select "New"and give the VPN connection a name.  Enter the public IP address of the server, keep the default protocol (UDP) and port (1194), and click Add and Next For the client "joe", point "Root CA" to ca.crt, "Certificate" to joe.crt, and "Key" to joe.key.  Leave "Server certificate" unchecked.  Click Next, Next and Finish.  Copy ta.key to the folder with the VPN connection's name, found in the user's "AppData\Roaming\Securepoint SSL VPN\config" folder, the folder to which the other certificate and key files have been copied.  
Open joe.conf (with WordPad if it was written in macOS or Linux), select all, and copy. In Securepoint, right-click on the VPN connection's name, select "Quick edit", delete everything, and paste.  Now you can connect.  The client doesn't need to keep the original client files after the configuration is created, since they get copied to the folder mentioned above.
  
-The program runs in German when not run with the shortcut.  If you ever accidentally delete the desktop shortcut, then use the following arguments in the Properties > Target field of a shortcut to "Spvpncl.exe"+If you ever accidentally delete the desktop shortcut, and need to create another one, the executable, SSLVpnClient.exe, may be in the user'"AppData\Local\Apps\Securepoint SSL VPNfolder, depending on how it was installed.  The shortcut must have
  
--manage -enableSaveData -useEnglish+-manage
  
-to enable management, saving user credentials, and English, respectively.+at the end of the shortcut's Properties > Target field.
  
 === Broadcasts in Windows === === Broadcasts in Windows ===
  
-In Windows, broadcasts may not work by default for OpenVPN's TAP adapter.  To get broadcasts working over the VPN, the metric for the TAP adapter must be lowered so that it gets highest priority.  [[http://www.hack-talk.info/index.php?topic=517.0|This post]] explains how this works.  In short:+In Windows, broadcasts may not work by default with OpenVPN's TAP adapter.  To get broadcasts working over the VPN, the metric of the TAP adapter must be lowered so that it gets highest priority.  [[https://web.archive.org/web/20150508132600/http://www.hack-talk.info/index.php?topic=517.0|This post]] explains how this works.  In Windows 10, the procedure is:
  
-Open Network and Sharing Center > Change adapter settings > right-click on TAP adapter > Properties > select "Internet Protocol Version 4 (TCP/IPv4)" > Properties > Advanced... > uncheck "Automatic metric" and type "1" (without quotes) for "Interface metric" > OK out of everything+Open Network & Internet settings > Change adapter options > right-click on the TAP adapter > Properties > select "Internet Protocol Version 4 (TCP/IPv4)" > Properties > Advanced... > under the "IP Settings" tab, uncheck "Automatic metric," and type "1" (without quotes) for "Interface metric" > OK out of everything
  
-Uninstall unused TAP adapters under Device Manager > Network adapters.+Uninstall unused TAP adapters under Device Manager > Network adapters.  You also can manage TAP adapters using the gear icon > Client settings > "General" tab in Securepoint.
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
Line 446: Line 401:
 If a remote client can't connect to the server, try to connect a computer on the server side using the Linux VM's private IP address instead of the public IP address in the client configuration file. If you still can't connect, this probably means that there's a problem in the Linux VM since the router's public port forwarding rule is taken out of the equation. If a remote client can't connect to the server, try to connect a computer on the server side using the Linux VM's private IP address instead of the public IP address in the client configuration file. If you still can't connect, this probably means that there's a problem in the Linux VM since the router's public port forwarding rule is taken out of the equation.
  
-To test whether the client's request to connect is reaching the VM, use tcpdump in the VM. First, install tcpdump using Root Terminal:+To test whether the client's request to connect is reaching the VM, use tcpdump in the VM.  Install tcpdump as root in Terminal:
  
-<code>apt-get install tcpdump</code>+<code>apt install tcpdump</code>
  
 To listen, for example, for packets passing through the br0 interface on port 1194 (both TCP and UPD), enter To listen, for example, for packets passing through the br0 interface on port 1194 (both TCP and UPD), enter
Line 458: Line 413:
 Using software firewalls may cause issues.  Firewall exceptions probably will have to be made for the client software and/or the TAP interface/adapter.  A machine on the server side should be able to ping a successfully connected client using the client's OpenVPN-assigned IP address.  If the client is connected but the ping is unsuccessful, then chances are that something on the client's machine is interfering.  For example, Windows security settings or antivirus software that provides networking security can cause the TAP adapter to be classified as an "unidentified network."  You may have to set the Windows Firewall state to "Off" under "Public Profile" of Windows Firewall's "Advanced settings." Using software firewalls may cause issues.  Firewall exceptions probably will have to be made for the client software and/or the TAP interface/adapter.  A machine on the server side should be able to ping a successfully connected client using the client's OpenVPN-assigned IP address.  If the client is connected but the ping is unsuccessful, then chances are that something on the client's machine is interfering.  For example, Windows security settings or antivirus software that provides networking security can cause the TAP adapter to be classified as an "unidentified network."  You may have to set the Windows Firewall state to "Off" under "Public Profile" of Windows Firewall's "Advanced settings."
  
-Note that this bridged configuration does //not// require IP forwarding to be enabled since bridging operates at layer 2 of the [[http://en.wikipedia.org/wiki/OSI_model|OSI model]], not at layer 3 where routing such as IP forwarding is done.+If you have iptables firewall rules set up in Linux, you may need to enter the rules given at OpenVPN's [[https://openvpn.net/community-resources/ethernet-bridging/|Ethernet bridging page]].  If you followed the Linux VM setup above, this is not necessary. 
 + 
 +Note that this bridged configuration does //not// require IP forwarding to be enabled since bridging operates at layer 2 of the [[https://en.wikipedia.org/wiki/OSI_model|OSI model]], not at layer 3 where routing such as IP forwarding is done.
  
-Also, the Ethernet interface to which the VM is bridged can't be involved in any bridging in the host OS.  If the Ethernet interface is a member of a bridge interface that's already up in the host OS, then networking won't work in the Linux VM.  See [[http://www.emaculation.com/doku.php/wireless_appletalk_ss_bii_osx#connecting_the_emulator_to_the_vpn|this]] for comments on running the Linux VM and networked emulators (that use bridging) in the host OS simultaneously.+Also, the Ethernet interface to which the VM is bridged can't be involved in any bridging in the host OS.  If the Ethernet interface is a member of a bridge interface that's already up in the host OS, then networking won't work in the Linux VM.  See [[https://www.emaculation.com/doku.php/wireless_appletalk_ss_bii_osx#connecting_the_emulator_to_the_vpn|this]] for comments on running the Linux VM and networked emulators (that use bridging) in the host OS simultaneously.
  
 ===== Appendices ===== ===== Appendices =====
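Review bot: "give ca.crt, joe.crt, joe.key, ta.key and joe.conf to the client" now hands over two secrets, the client's private key and the shared tls-auth key, with no word on how; unlike ca.crt and joe.crt these must not travel by e-mail or chat in the clear, and because ta.key is the same for every client a leaked copy weakens the whole server, not just joe. Say that they go over an encrypted or in-person channel, and that the cleaner easy-rsa workflow is to generate the key pair on the client and send only the request to the CA, so joe.key never leaves the client. One unchanged line in this region also deserves a second look while the page is being refreshed: "You may have to set the Windows Firewall state to "Off" under "Public Profile"" is far broader than needed, since an inbound rule scoped to the TAP adapter, or classifying that adapter's network as Private, gets pings and game traffic through without leaving the client unprotected on every public Wi-Fi it later joins.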
Line 485: Line 442:
 <code>port-share 192.168.5.25 443</code> <code>port-share 192.168.5.25 443</code>
  
-into your server.conf file.  Set your router to forward public and private (external and internal) TCP port 443 to the private IP address of the Linux VM (OpenVPN server).  Non-OpenVPN traffic will be redirected to the other service's address.  See [[https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage|the OpenVPN 2.3 manual]] for more details.+into your server.conf file.  If sharing port 443 with another service within the VM itself, replace the IP address with "localhost".  Set your router to forward public and private (external and internal) TCP port 443 to the private IP address of the Linux VM (OpenVPN server).  Non-OpenVPN traffic will be redirected to the other service's address. 
 + 
 +==== SSH Server ==== 
 + 
 +The SSH server is useful for managing the VM from the terminal of another machine, such as Terminal in macOS, or [[https://www.putty.org/|PuTTY]] in Windows.  If you didn't select "SSH server" in Debian's software selection screen during installation, install it manually (as root): 
 + 
 +<code>apt install openssh-server</code> 
 + 
 +To be able to log in as root, edit the configuration file, 
 + 
 +<code>nano /etc/ssh/sshd_config</code> 
 + 
 +and uncomment (delete the "#") and edit the line with the PermitRootLogin field to be 
 + 
 +<code>PermitRootLogin yes</code> 
 + 
 +Restart the SSH service (or just reboot): 
 + 
 +<code>service ssh restart</code> 
 + 
 +To log in to the server from another Mac or Linux terminal, use the command 
 + 
 +<code>ssh root@192.168.5.100</code> 
 + 
 +where the IP address is that chosen for the Linux VM In PuTTY, it's sufficient to enter the IP address into the "Host Name (or IP address)" field, then log in as "root" If you remake the VM in the future, the macOS terminal will notice that the machine is not the same one as before, and, as a safety precaution, not let you proceed.  If you don't use SSH with any other machines, the quickest remedy to this problem is to delete the SSH known hosts file: 
 + 
 +<code>sudo rm ~/.ssh/known_hosts</code>
  
 ==== Client Usage with Virtual Machines ==== ==== Client Usage with Virtual Machines ====
  
-To make use of the VPN connection in a virtual machine, the client should first connect to the VPN in the host, then have the virtualization program bridge the VM's virtual network adapter to OpenVPN's TAP interface.  For example, in OS X, open the connection via Tunnelblick in the host, then bridge the VM to tap0.  Note that, in this configuration, the VM's public IP address will be that of the server side, and the VM will no longer be visible on the client's LAN.  The VM's virtual network adapter will receive a private IP address in the server side's //DHCP range//, not in OpenVPN's client range.  A second bridged virtual network adapter can be used to allow the VM to be bridged to both the client's LAN and the VPN.  Usually, just switching to the TAP interface when desired, then switching back, using a single virtual network adapter, is easiest.+To make use of the VPN connection in a virtual machine, the client should first connect to the VPN in the host, then have the virtualization program bridge the VM's virtual network adapter to OpenVPN's TAP interface.  For example, in macOS, open the connection via Tunnelblick in the host, then bridge the VM to tap0.  Note that, in this configuration, the VM's public IP address will be that of the server side, and the VM will no longer be visible on the client's LAN.  The VM's virtual network adapter will receive a private IP address in the server side's //DHCP range//, not in OpenVPN's client range.  A second bridged virtual network adapter can be used to allow the VM to be bridged to both the client's LAN and the VPN.  Usually, just switching to the TAP interface when desired, then switching back, using a single virtual network adapter, is easiest.
  
 Also, on the server side, you should make it a habit to use virtual network adapters for VMs in their bridged configurations, unless you specifically don't want this. In bridged mode, a VM will receive its own private IP address and be visible to the rest of the LAN and VPN, effectively being treated as a separate computer on the LAN. Also, on the server side, you should make it a habit to use virtual network adapters for VMs in their bridged configurations, unless you specifically don't want this. In bridged mode, a VM will receive its own private IP address and be visible to the rest of the LAN and VPN, effectively being treated as a separate computer on the LAN.
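Review bot: `PermitRootLogin yes` re-enables password logins for root, which Debian's default of `prohibit-password` deliberately blocks; on a VM that exists to accept connections and whose SSH port is one router rule away from the Internet, that is a guessable credential on the most valuable account. Keep the default and use a key instead: run `ssh-keygen` on the Mac, append the resulting public key to /root/.ssh/authorized_keys from the VM's own console, and `ssh root@192.168.5.100` then works without a password and without touching sshd_config; if password logins are wanted, log in as the normal user and `su -`. Two smaller points: `service ssh restart` works but `systemctl restart ssh` matches the systemctl usage elsewhere on the page, and `sudo rm ~/.ssh/known_hosts` throws away every saved host key (and needs no sudo, the file belongs to the user); `ssh-keygen -R 192.168.5.100` removes only the stale entry for the rebuilt VM, which is the actual problem described.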
Line 495: Line 478:
 ==== LAN Gaming ==== ==== LAN Gaming ====
  
-The bridged OpenVPN server is ideal for playing LAN games over the Internet.  This is primarily because many games require broadcasts (be sure that clients [[bridged_openvpn_server_setup#windows_client_softwaresecurepoint_openvpn_client|configure their TAP adapter]]), and many older games use non-IP protocols, both of which work easily over the virtual Ethernet connection.  Below are some comments regarding LAN games using this VPN.+The bridged OpenVPN server is ideal for playing LAN games over the Internet.  This is primarily because many games require broadcasts (be sure that clients [[bridged_openvpn_server_setup#windows_client_softwaresecurepoint_ssl_vpn_client|configure their TAP adapter]]), and many older games use non-IP protocols, both of which work easily over the virtual Ethernet connection.  Below are some comments regarding LAN games using this VPN.
  
 === Hosting the Game === === Hosting the Game ===
Line 509: Line 492:
   *Virtual machines and emulators that include networking functionality are very useful for running old operating systems, which some old games may require.   *Virtual machines and emulators that include networking functionality are very useful for running old operating systems, which some old games may require.
  
-  *[[http://www.emaculation.com/doku.php/wireless_appletalk_ss_bii_osx|AppleTalk games]] can be played over the VPN.+  *[[https://www.emaculation.com/doku.php/wireless_appletalk_ss_bii_osx|AppleTalk games]] can be played over the VPN.
  
-  *IPX games for Windows can be played over the VPN as they would normally over a LAN, when using Windows XP or earlier, which include the IPX protocol.  For Windows Vista or later, use [[http://www.solemnwarning.net/ipxwrapper/|IPXWrapper]].+  *IPX games for Windows can be played over the VPN as they would normally over a LAN, when using Windows XP or earlier, which include the IPX protocol.  For Windows Vista or later, use [[https://www.solemnwarning.net/ipxwrapper/|IPXWrapper]].
  
-  *[[http://www.dosbox.com|DOSBox]] can be used for playing DOS games.  It can emulate IPX, modem, and direct serial connections.  I recommend the [[http://ykhwong.x-y.net|Daum build]], which is packed with features that aren't included in the official build.+  *[[https://www.dosbox.com|DOSBox]] can be used for playing DOS games.  It can emulate IPX, modem, and direct serial connections.
  
   *Many video game console emulators contain netplay functionality.  The [[http://emulation.gametechwiki.com/index.php/Main_Page|Emulation General wiki]] provides a good overview of these emulators.   *Many video game console emulators contain netplay functionality.  The [[http://emulation.gametechwiki.com/index.php/Main_Page|Emulation General wiki]] provides a good overview of these emulators.
  
   *Some LAN-based programs don't specify which ports they use.  Unless you can determine the ports, a VPN is necessary for networking these programs over the Internet.   *Some LAN-based programs don't specify which ports they use.  Unless you can determine the ports, a VPN is necessary for networking these programs over the Internet.
 +===== More References =====
 +
 +OpenVPN 2.5 manual:\\
 +https://openvpn.net/community-resources/reference-manual-for-openvpn-2-5/
 +
 +OpenVPN HOW-TO page:\\
 +https://openvpn.net/community-resources/how-to/
  
-  *You can play shared-screen and "hot seat" games using remote desktop software.+Deprecated Options in OpenVPN:\\ 
 +https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
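Review bot: the last hunk replaces the bullet "You can play shared-screen and "hot seat" games using remote desktop software." with the new "More References" section instead of adding the section after it, so that bullet disappears from the page; if the removal was not intended, restore it above "===== More References =====". The references themselves fit the rest of the revision (2.5 manual, HOW-TO, DeprecatedOptions), but since the page's own server and client configs still use `cipher`, which the DeprecatedOptions page covers, a sentence next to that link naming which of this page's options it applies to would save readers a trip.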