Differences
This shows you the differences between two versions of the page.
bridged_openvpn_server_setup [2015/11/15 19:18] – nucar | bridged_openvpn_server_setup [2023/05/28 14:14] (current) – nucar | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Bridged OpenVPN Server Setup ====== | ====== Bridged OpenVPN Server Setup ====== | ||
- | (Last updated | + | (Last updated |
===== Introduction ===== | ===== Introduction ===== | ||
- | This guide describes how to set up a bridge-mode [[http:// | + | This guide describes how to set up a bridge-mode [[https:// |
- | An OpenVPN server in a bridged configuration creates a virtual private network (VPN) that can be thought of as a virtual Ethernet switch to your network. | + | An OpenVPN server in a bridged configuration creates a virtual private network (VPN) that can be thought of as a virtual Ethernet switch to your network. |
Possible uses of this VPN include:\\ | Possible uses of this VPN include:\\ | ||
Line 15: | Line 15: | ||
* Easily sharing the VPN connection with virtual machines and emulators | * Easily sharing the VPN connection with virtual machines and emulators | ||
* Using non-IP protocols such as [[wireless_appletalk_ss_bii_osx|AppleTalk]] or IPX over wireless or over the Internet | * Using non-IP protocols such as [[wireless_appletalk_ss_bii_osx|AppleTalk]] or IPX over wireless or over the Internet | ||
- | * Networking virtual machines and emulators with old computers that use such non-IP protocols | + | * Networking virtual machines and emulators with old computers that use such non-IP protocols |
We refer to the LAN on which the OpenVPN server is running as the " | We refer to the LAN on which the OpenVPN server is running as the " | ||
Line 23: | Line 23: | ||
===== Using a Unique Subnet ===== | ===== Using a Unique Subnet ===== | ||
- | If you're going to run a VPN server on your home network, | + | If you're going to run a VPN server on your home network, |
To be clear, only the server' | To be clear, only the server' | ||
- | ===== Linux VM Setup ===== | + | ===== Linux VM Setup and Usage ===== |
- | This section provides | + | This guide will assume that you're running |
==== VM Settings ==== | ==== VM Settings ==== | ||
- | Download | + | The VM software' |
- | Download and install [[https://www.virtualbox.org/wiki/Downloads|VirtualBox]]. In VirtualBox, | + | The VM's virtual network adapter must be //bridged// to the host's Ethernet connection. |
- | Name and operating system:\\ | + | < |
- | Name: | + | |
- | Type: Linux\\ | + | |
- | Version: | + | |
- | Allocate at least 768 MB of memory, and choose | + | This will start the VM in " |
- | General | + | < |
- | Shared Clipboard: | + | |
- | Drag' | + | |
- | Network > Adapter 1:\\ | + | In both commands, edit the path to the .vmx file, mainly replacing " |
- | Attached | + | |
- | Name: select | + | |
- | Under Advanced, Promiscuous Mode: Allow All | + | |
- | Shared Folders: | + | Record |
- | Add a shared folder to the host OS, and check Auto-mount. This setup assumes that you added a shared folder named " | + | |
- | All other settings can be left as their defaults. | + | Add a folder to the VM's list of shared folders. This setup assumes that you added a shared folder named " |
==== Debian Installation ==== | ==== Debian Installation ==== | ||
- | Start the VM, point the window that pops up to your Debian disc image, and hit Start. | + | You may find it easier |
- | Select | + | The hostname doesn' |
- | For the hostname, the default "debian" | + | At the software selection screen, the default |
- | Enter and verity | + | After the installation is complete, |
- | Enter the user's name. This is not the username. | + | ==== VM Support Software ==== |
- | Enter a username. | + | In a VMware VM, Open VM Tools should have been installed automatically in Debian when following the default installation, |
- | Enter and verify a **user password**. | + | Open Terminal, |
- | Select your time zone. | + | < |
- | Select the default choices on the " | + | Create a mount point for shared folders: |
- | Select your country for the Debian archive mirror, and the default choice for the archive mirror URL. Leave the HTTP proxy information blank. | + | < |
- | Choose whether you want to participate in the package usage survey. | + | We'll use the text editor " |
- | Use the **space bar** and arrow keys to select only " | + | < |
- | Select “Yes” | + | and add to the file the line |
- | When the installation is complete, ensure that the Debian disc image is no longer connected to the VM (no check mark) under the VM's Devices | + | <code>.host:/ /mnt/hgfs fuse.vmhgfs-fuse auto, |
- | At the login prompt, enter | + | Press control+X, then Y to accept changes, and return to save the file. |
- | + | ||
- | < | + | |
- | + | ||
- | followed by the **root password**. | + | |
- | + | ||
- | < | + | |
- | + | ||
- | to install a basic graphical user interface (GUI). | + | |
- | + | ||
- | When the prompt returns, reboot | + | |
< | < | ||
- | The VM will reboot into the newly installed GUI. Select the user. Click on the small gear icon next to the "Sign In" button and select "GNOME Classic." | + | Open Terminal and enter |
- | **Become root** by entering | + | < |
- | < | + | The shared folder " |
- | followed by the **root password**. | + | If using VirtualBox, you'll have to install Guest Additions before being able to copy and paste into the VM and access shared folders. |
- | < | + | ==== Other Terminal Commands ==== |
- | In the VM's Devices menu, select " | + | The command to shut down the VM **as root** is |
- | + | ||
- | < | + | |
- | + | ||
- | < | + | |
- | + | ||
- | < | + | |
- | + | ||
- | Reboot the VM by entering | + | |
- | + | ||
- | < | + | |
- | + | ||
- | Open Terminal and enter | + | |
- | + | ||
- | < | + | |
- | + | ||
- | The shared folder " | + | |
- | + | ||
- | Note that the command to shut down the VM **as root** is | + | |
< | < | ||
Line 136: | Line 99: | ||
You can also run **as root** | You can also run **as root** | ||
- | < | + | < |
followed by | followed by | ||
- | < | + | < |
- | once in a while to update | + | once in a while to update |
===== OpenVPN Server Setup ===== | ===== OpenVPN Server Setup ===== | ||
- | The instructions in this section can be used for running OpenVPN 2.3 in Debian | + | The instructions in this section can be used for running OpenVPN 2.5 in Debian |
==== Authentication Setup with Easy-RSA ==== | ==== Authentication Setup with Easy-RSA ==== | ||
Line 152: | Line 115: | ||
Open Terminal, and **become root**. | Open Terminal, and **become root**. | ||
- | < | + | < |
Copy Easy-RSA to OpenVPN' | Copy Easy-RSA to OpenVPN' | ||
Line 164: | Line 127: | ||
Enter | Enter | ||
- | < | + | < |
- | + | ||
- | followed by | + | |
- | + | ||
- | < | + | |
- | + | ||
- | The one important field for the following commands is " | + | |
Create a Certificate Authority (CA) by entering | Create a Certificate Authority (CA) by entering | ||
- | < | + | < |
- | For Common Name, enter "OpenVPN-CA". No entry is required | + | The Common Name will be set to "Easy-RSA CA" |
- | + | ||
- | < | + | |
- | State or Province Name (full name) [CA]: | + | |
- | Locality Name (eg, city) [SanFrancisco]: | + | |
- | Organization Name (eg, company) [Fort-Funston]: | + | |
- | Organizational Unit Name (eg, section) [changeme]: | + | |
- | Common Name (eg, your name or your server' | + | |
- | Name [changeme]: | + | |
- | Email Address [mail@host.domain]:</ | + | |
Create the server credentials by entering | Create the server credentials by entering | ||
- | < | + | < |
- | The Common Name will be set to "server" by default, so no entries are required. | + | The Common Name will be set to "openvpnserver" by default, so no entry is required. |
- | < | + | Sign the server |
- | State or Province Name (full name) [CA]: | + | |
- | Locality Name (eg, city) [SanFrancisco]: | + | |
- | Organization Name (eg, company) [Fort-Funston]: | + | |
- | Organizational Unit Name (eg, section) [changeme]: | + | |
- | Common Name (eg, your name or your server's hostname) [server]: | + | |
- | Name [changeme]: | + | |
- | Email Address [mail@host.domain]:</ | + | |
- | Just hit return to skip the challenge password and company name, and enter Y to sign the certificate and commit. | + | < |
+ | |||
+ | Enter " | ||
Generate Diffie-Hellman parameters by entering | Generate Diffie-Hellman parameters by entering | ||
- | < | + | < |
- | Now we'll create the client credentials. | + | Now we'll create the client credentials. |
To create credentials for a client called " | To create credentials for a client called " | ||
- | < | + | < |
- | The Common Name will be set to " | + | The Common Name will be set to " |
- | < | + | Sign the credentials of client "joe" by entering |
- | State or Province Name (full name) [CA]: | + | |
- | Locality Name (eg, city) [SanFrancisco]: | + | |
- | Organization Name (eg, company) [Fort-Funston]: | + | |
- | Organizational Unit Name (eg, section) [changeme]: | + | |
- | Common Name (eg, your name or your server' | + | |
- | Name [changeme]: | + | |
- | Email Address [mail@host.domain]:</ | + | |
- | Again, hit return to skip the challenge password and company name, and enter Y to sign the certificate and commit. You can make more client | + | < |
- | < | + | Enter " |
- | **IMPORTANT**: | + | You can make more client credentials by changing " |
+ | |||
+ | **IMPORTANT**: | ||
+ | |||
+ | Create the HMAC signature: | ||
+ | |||
+ | < | ||
+ | |||
+ | Certificate and key files will be given to the clients. | ||
+ | |||
+ | < | ||
+ | |||
+ | followed by | ||
- | The CA certificate and client certificates and keys will be given to the clients. For now, copy the keys folder to the host OS via the shared folder by entering | + | < |
- | < | + | If using VirtualBox, |
- | More information on Easy-RSA, including | + | For information on revoking client certificates, |
==== VPN Setup ==== | ==== VPN Setup ==== | ||
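Review bot: the hand-off step at the end of this hunk ("Certificate and key files will be given to the clients", then the copy to the host OS through the shared folder) moves private key material out of the VM, and if the whole Easy-RSA PKI directory is copied it also carries the CA's private key, which is the one file that must never leave the server. Copy only what a client needs (the CA certificate, that client's .crt and .key, and ta.key), empty the shared folder once the files are on the client device, and keep the CA key on the server: anyone holding it can issue certificates that "remote-cert-tls client" will accept.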
Line 241: | Line 189: | ||
Now we'll configure the OpenVPN server. | Now we'll configure the OpenVPN server. | ||
- | On an OS X host, open System Preferences and go to Network. | + | On an macOS host, open System Preferences and go to Network. |
This guide will use the following example private IP address numbering (adjust this to your numbering): | This guide will use the following example private IP address numbering (adjust this to your numbering): | ||
Free IP address for Linux VM: 192.168.5.100\\ | Free IP address for Linux VM: 192.168.5.100\\ | ||
- | Netmask: 255.255.255.0\\ | + | Subnet mask (netmask): 255.255.255.0 |
Broadcast address: | Broadcast address: | ||
- | Router' | + | Router' |
+ | VM's MAC address: 08: | ||
- | We' | + | We'll create a script called " |
< | < | ||
Line 267: | Line 216: | ||
# Define physical ethernet interface to be bridged | # Define physical ethernet interface to be bridged | ||
# with TAP interface(s) above. | # with TAP interface(s) above. | ||
- | eth="eth0" | + | eth="ens33" |
- | eth_ip=" | + | eth_ip_netmask=" |
- | eth_netmask=" | + | |
eth_broadcast=" | eth_broadcast=" | ||
eth_gateway=" | eth_gateway=" | ||
+ | eth_mac=" | ||
case " | case " | ||
Line 287: | Line 236: | ||
for t in $tap; do | for t in $tap; do | ||
- | | + | |
+ | ip link set $t promisc | ||
done | done | ||
- | # sleep ? | + | ip addr flush dev $eth |
+ | ip link set $eth promisc on up | ||
- | | + | |
+ | ip link set $br address $eth_mac | ||
+ | ip link set $br up | ||
- | # sleep ? | + | ip route add default |
- | + | ||
- | ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast | + | |
- | + | ||
- | sleep 1 | + | |
- | + | ||
- | | + | |
;; | ;; | ||
stop) | stop) | ||
- | | + | |
brctl delbr $br | brctl delbr $br | ||
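Review bot: the "ip addr flush dev $eth" line in the start) branch drops the Ethernet interface's address before the bridge comes up, so there is a short window with no connectivity; if the script is run by hand over SSH (added in a later hunk), the session dies at that point, so run it from the VM console or leave it to the systemd hooks. Also, as displayed here the loop line reads "ip link set $t promisc" without the trailing "on" that the later "ip link set $eth promisc on up" line has; if that is not a truncation of the diff view, add "on", since iproute2 rejects "promisc" without an argument and the TAP interfaces would not be set promiscuous.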
Line 310: | Line 257: | ||
done | done | ||
- | | + | |
+ | ip addr add $eth_ip_netmask | ||
- | route add default | + | |
;; | ;; | ||
*) | *) | ||
Line 321: | Line 269: | ||
exit 0</ | exit 0</ | ||
- | Use the arrow keys to edit the script. | + | Use the arrow keys to edit the script. |
- | The duration of one or more of the " | + | This script is adapted from the " |
- | + | ||
- | This script is adapted from the " | + | |
Make the script executable by entering | Make the script executable by entering | ||
Line 340: | Line 286: | ||
proto udp | proto udp | ||
dev tap0 | dev tap0 | ||
- | ca / | + | ca / |
- | cert / | + | cert / |
- | key / | + | key / |
- | dh / | + | dh / |
remote-cert-tls client | remote-cert-tls client | ||
server-bridge 192.168.5.100 255.255.255.0 192.168.5.101 192.168.5.110 | server-bridge 192.168.5.100 255.255.255.0 192.168.5.101 192.168.5.110 | ||
client-to-client | client-to-client | ||
keepalive 10 120 | keepalive 10 120 | ||
- | comp-lzo | + | tls-auth / |
+ | cipher AES-256-GCM | ||
persist-key | persist-key | ||
persist-tun | persist-tun | ||
Line 355: | Line 302: | ||
verb 3</ | verb 3</ | ||
- | The line around the middle that begins | + | The line beginning with " |
==== Port Forwarding ===== | ==== Port Forwarding ===== | ||
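Review bot: the "cipher AES-256-GCM" line added to server.conf is a deprecated option in OpenVPN 2.5, which this revision targets (it is on the "Deprecated Options" page linked at the bottom). With NCP enabled, the default, server and client negotiate the data-channel cipher from the "data-ciphers" list, whose default already includes AES-256-GCM, so this line mainly affects clients that cannot negotiate; if the intent is to pin the cipher, use "data-ciphers AES-256-GCM" on the server and drop "cipher". Replacing "comp-lzo" with "tls-auth" is the right direction: data-channel compression is discouraged for security reasons, and tls-auth discards packets that lack a valid HMAC before any TLS processing.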
Line 372: | Line 319: | ||
ExecStopPost=/ | ExecStopPost=/ | ||
- | Paste the two lines at the bottom of the [Service] section | + | and paste them at the bottom of the [Service] section. |
- | + | ||
- | < | + | |
- | ExecStartPre=/ | + | |
- | ExecStopPost=/ | + | |
Exit and save. Reboot the VM by entering | Exit and save. Reboot the VM by entering | ||
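Review bot: the ExecStartPre/ExecStopPost lines are pasted straight into the [Service] section of the unit; if that unit is the one shipped by the Debian openvpn package, a later package upgrade can overwrite the edit and the bridge silently stops being created at boot. Put the two lines in a drop-in instead ("systemctl edit <unit>" creates /etc/systemd/system/<unit>.d/override.conf, which survives upgrades), followed by "systemctl daemon-reload".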
Line 383: | Line 326: | ||
The OpenVPN server will be running at boot, i.e., no user login is required. | The OpenVPN server will be running at boot, i.e., no user login is required. | ||
+ | |||
==== Basic Testing ==== | ==== Basic Testing ==== | ||
- | Verify that the br0 and tap0 interfaces are up by entering | + | Verify that the br0 and tap0 interfaces are up by entering |
- | < | + | < |
When the OpenVPN server is running, the br0 interface will have the IP address that you chose for the Linux VM. | When the OpenVPN server is running, the br0 interface will have the IP address that you chose for the Linux VM. | ||
Line 395: | Line 339: | ||
< | < | ||
- | Stop the OpenVPN server by entering | + | Press Q to exit. |
- | < | + | Stop the OpenVPN server by entering, as root, |
- | Entering " | + | < |
- | Start or restart the OpenVPN server by using " | + | Entering "ip a" again should show the network interfaces back to normal (no br0 or tap0), with the eth0 interface now having the IP address. |
+ | |||
+ | Start or restart the OpenVPN server by using " | ||
===== OpenVPN Client Setup ===== | ===== OpenVPN Client Setup ===== | ||
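Review bot: the new sentence beginning "Entering "ip a" again should show the network interfaces back to normal" still says the eth0 interface gets the IP address back, but the bridge script in this same revision now sets eth="ens33"; change the prose to ens33 (or to "the Ethernet interface") so the test matches the script and readers do not conclude the stop branch failed.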
Line 407: | Line 353: | ||
==== Client Configuration ==== | ==== Client Configuration ==== | ||
- | Create a plain text file in a program such as TextEdit in OS X or Notepad in Windows. | + | Create a plain text file in a program such as TextEdit in macOS or Notepad in Windows. |
< | < | ||
Line 419: | Line 365: | ||
key joe.key | key joe.key | ||
remote-cert-tls server | remote-cert-tls server | ||
- | comp-lzo | + | tls-auth ta.key 1 |
+ | cipher AES-256-GCM | ||
verb 3</ | verb 3</ | ||
- | PUBLIC_IP_ADDRESS must be replaced with the public IP address of the server side. Google "what' | + | PUBLIC_IP_ADDRESS must be replaced with the public IP address of the server side. Google "my ip" on the server side to get this address. |
- | + | ||
- | The " | + | |
- | More information on the client configuration | + | The lines beginning with " |
==== Mac Client Software: | ==== Mac Client Software: | ||
- | For OS X clients, use [[https://code.google.com/ | + | For macOS clients, use [[https://tunnelblick.net|Tunnelblick]]. |
- | To get back to the individual client files, right-click on the .tblk file and select "Show Package Contents." | + | To get back to the individual client files, right-click on the .tblk file and select "Show Package Contents." |
- | ==== Windows Client Software: | + | ==== Windows Client Software: |
- | For Windows clients, the Windows version of OpenVPN can be used, but I recommend | + | For Windows clients, the Windows version of OpenVPN can be used, but here we'll go over using the [[https:// |
- | The program runs in German when not run with the shortcut. | + | If you ever accidentally delete the desktop shortcut, |
- | -manage | + | -manage |
- | to enable management, saving user credentials, | + | at the end of the shortcut' |
=== Broadcasts in Windows === | === Broadcasts in Windows === | ||
- | In Windows, broadcasts may not work by default | + | In Windows, broadcasts may not work by default |
- | Open Network | + | Open Network |
- | Uninstall unused TAP adapters under Device Manager > Network adapters. | + | Uninstall unused TAP adapters under Device Manager > Network adapters. You also can manage TAP adapters using the gear icon > Client settings > " |
===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
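Review bot: "tls-auth ta.key 1" on the client must pair with key direction 0 on the server (the server's tls-auth line is cut off in this view; confirm it ends in 0), otherwise the HMAC check fails on both sides and the handshake never completes, which shows up only as a TLS key negotiation timeout in the log. The "cipher AES-256-GCM" line carries the same deprecation caveat as on the server; "data-ciphers" is the 2.5 way to pin it.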
Line 458: | Line 403: | ||
To test whether the client' | To test whether the client' | ||
- | < | + | < |
To listen, for example, for packets passing through the br0 interface on port 1194 (both TCP and UPD), enter | To listen, for example, for packets passing through the br0 interface on port 1194 (both TCP and UPD), enter | ||
Line 468: | Line 413: | ||
Using software firewalls may cause issues. | Using software firewalls may cause issues. | ||
- | If you have iptables firewall rules set up in Linux, you may need to enter the rules given at OpenVPN' | + | If you have iptables firewall rules set up in Linux, you may need to enter the rules given at OpenVPN' |
- | Note that this bridged configuration does //not// require IP forwarding to be enabled since bridging operates at layer 2 of the [[http:// | + | Note that this bridged configuration does //not// require IP forwarding to be enabled since bridging operates at layer 2 of the [[https:// |
- | Also, the Ethernet interface to which the VM is bridged can't be involved in any bridging in the host OS. If the Ethernet interface is a member of a bridge interface that's already up in the host OS, then networking won't work in the Linux VM. See [[http:// | + | Also, the Ethernet interface to which the VM is bridged can't be involved in any bridging in the host OS. If the Ethernet interface is a member of a bridge interface that's already up in the host OS, then networking won't work in the Linux VM. See [[https:// |
===== Appendices ===== | ===== Appendices ===== | ||
Line 497: | Line 442: | ||
< | < | ||
- | into your server.conf file. Set your router to forward public and private (external and internal) TCP port 443 to the private IP address of the Linux VM (OpenVPN server). | + | into your server.conf file. If sharing port 443 with another service within the VM itself, replace the IP address with " |
+ | |||
+ | ==== SSH Server ==== | ||
+ | |||
+ | The SSH server is useful for managing the VM from the terminal of another machine, such as Terminal in macOS, or [[https://www.putty.org/|PuTTY]] in Windows. | ||
+ | |||
+ | < | ||
+ | |||
+ | To be able to log in as root, edit the configuration file, | ||
+ | |||
+ | < | ||
+ | |||
+ | and uncomment (delete | ||
+ | |||
+ | < | ||
+ | |||
+ | Restart the SSH service (or just reboot): | ||
+ | |||
+ | < | ||
+ | |||
+ | To log in to the server from another Mac or Linux terminal, use the command | ||
+ | |||
+ | < | ||
+ | |||
+ | where the IP address is that chosen | ||
+ | |||
+ | < | ||
==== Client Usage with Virtual Machines ==== | ==== Client Usage with Virtual Machines ==== | ||
- | To make use of the VPN connection in a virtual machine, the client should first connect to the VPN in the host, then have the virtualization program bridge the VM's virtual network adapter to OpenVPN' | + | To make use of the VPN connection in a virtual machine, the client should first connect to the VPN in the host, then have the virtualization program bridge the VM's virtual network adapter to OpenVPN' |
Also, on the server side, you should make it a habit to use virtual network adapters for VMs in their bridged configurations, | Also, on the server side, you should make it a habit to use virtual network adapters for VMs in their bridged configurations, | ||
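Review bot: the SSH appendix enables direct root login over SSH ("To be able to log in as root, edit the configuration file" and uncomment the option), which exposes the root password to guessing from every VPN client and LAN host. Log in as the regular user created during installation and become root as the rest of the guide already does, or, if root login is wanted, set "PermitRootLogin prohibit-password" and install an SSH key so no password is ever accepted for root.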
Line 507: | Line 478: | ||
==== LAN Gaming ==== | ==== LAN Gaming ==== | ||
- | The bridged OpenVPN server is ideal for playing LAN games over the Internet. | + | The bridged OpenVPN server is ideal for playing LAN games over the Internet. |
=== Hosting the Game === | === Hosting the Game === | ||
Line 521: | Line 492: | ||
*Virtual machines and emulators that include networking functionality are very useful for running old operating systems, which some old games may require. | *Virtual machines and emulators that include networking functionality are very useful for running old operating systems, which some old games may require. | ||
- | *[[http:// | + | *[[https:// |
- | *IPX games for Windows can be played over the VPN as they would normally over a LAN, when using Windows XP or earlier, which include the IPX protocol. | + | *IPX games for Windows can be played over the VPN as they would normally over a LAN, when using Windows XP or earlier, which include the IPX protocol. |
- | *[[http:// | + | *[[https:// |
*Many video game console emulators contain netplay functionality. | *Many video game console emulators contain netplay functionality. | ||
*Some LAN-based programs don't specify which ports they use. Unless you can determine the ports, a VPN is necessary for networking these programs over the Internet. | *Some LAN-based programs don't specify which ports they use. Unless you can determine the ports, a VPN is necessary for networking these programs over the Internet. | ||
+ | ===== More References ===== | ||
+ | |||
+ | OpenVPN 2.5 manual:\\ | ||
+ | https:// | ||
+ | |||
+ | OpenVPN HOW-TO page:\\ | ||
+ | https:// | ||
- | *You can play shared-screen and "hot seat" games over the Internet using remote desktop software. | + | Deprecated Options in OpenVPN: |
+ | https:// |