Emaculation.com
 

Differences

This shows you the differences between two versions of the page.


bridged_openvpn_server_setup [2015/11/15 19:18]
nucar
bridged_openvpn_server_setup [2018/08/18 06:05] (current)
nucar
Line 1: Line 1:
 ====== Bridged OpenVPN Server Setup ====== ====== Bridged OpenVPN Server Setup ======
  
-(Last updated ​November 152015.  The forum thread is [[http://​www.emaculation.com/​forum/​viewtopic.php?​f=3&​t=8336|here]].)+(Last updated ​August 182018.  The forum thread is [[https://​www.emaculation.com/​forum/​viewtopic.php?​f=3&​t=8336|here]].)
  
 ===== Introduction ===== ===== Introduction =====
  
-This guide describes how to set up a bridge-mode [[http://​openvpn.net/​index.php/​open-source.html|OpenVPN]] server in a VirtualBox ​Linux virtual machine (VM).  Debian and Ubuntu are the Linux distributions used.  These instructions are intended for home users who wish to run the VM on a Mac or Windows PC.  We'll use only free and open-source software, ​but other virtualization software such as Parallels or VMware can be used instead.  This guide may look long and intimidating,​ but that's only because many of the steps are spelled out in detail so that it can be as beginner-friendly as possible. ​ A lot just involves copying and pasting. ​ You don't need to read the appendices unless you're interested in their specific topics.+This guide describes how to set up a bridge-mode [[https://​openvpn.net/​index.php/​open-source.html|OpenVPN]] server in a Linux virtual machine (VM).  These instructions are intended for home users who wish to run the VM on a Mac or Windows PC.  We'll use only free and open-source software:  DebianVirtualBox, and the required packages for use with OpenVPN.  This guide may look long and intimidating,​ but that's only because many of the steps are spelled out in detail so that it can be as beginner-friendly as possible. ​ A lot just involves copying and pasting. ​ You don't need to read the appendices unless you're interested in their specific topics.
  
 An OpenVPN server in a bridged configuration creates a virtual private network (VPN) that can be thought of as a virtual Ethernet switch to your network. ​ It allows people you trust to make a virtual Ethernet connection to your LAN from over the Internet. ​ Therefore, people that connect, called clients, are able to send and receive all the same data that they could if they were physically connected to your LAN by Ethernet, while still maintaining their own normal LAN and Internet connections. ​ Local traffic of any protocol (TCP, UDP, AppleTalk, IPX, etc.) going to and from the clients, including broadcasts, will be tunneled over a single UDP port.  All data over the VPN connection is encrypted and compressed. An OpenVPN server in a bridged configuration creates a virtual private network (VPN) that can be thought of as a virtual Ethernet switch to your network. ​ It allows people you trust to make a virtual Ethernet connection to your LAN from over the Internet. ​ Therefore, people that connect, called clients, are able to send and receive all the same data that they could if they were physically connected to your LAN by Ethernet, while still maintaining their own normal LAN and Internet connections. ​ Local traffic of any protocol (TCP, UDP, AppleTalk, IPX, etc.) going to and from the clients, including broadcasts, will be tunneled over a single UDP port.  All data over the VPN connection is encrypted and compressed.
Line 15: Line 15:
   * Easily sharing the VPN connection with virtual machines and emulators   * Easily sharing the VPN connection with virtual machines and emulators
   * Using non-IP protocols such as [[wireless_appletalk_ss_bii_osx|AppleTalk]] or IPX over wireless or over the Internet   * Using non-IP protocols such as [[wireless_appletalk_ss_bii_osx|AppleTalk]] or IPX over wireless or over the Internet
-  * Networking virtual machines and emulators with old computers that use such non-IP protocols ​natively+  * Networking virtual machines and emulators with old computers that use such non-IP protocols
  
 We refer to the LAN on which the OpenVPN server is running as the "​server side" of the VPN.  We refer to wherever the client connects from as the "​client side" of the VPN.  Only the individual clients connecting via VPN will be connected to the server side.  No other machines on the client side will be connected to the server side. We refer to the LAN on which the OpenVPN server is running as the "​server side" of the VPN.  We refer to wherever the client connects from as the "​client side" of the VPN.  Only the individual clients connecting via VPN will be connected to the server side.  No other machines on the client side will be connected to the server side.
Line 23: Line 23:
 ===== Using a Unique Subnet ===== ===== Using a Unique Subnet =====
  
-If you're going to run a VPN server on your home network, I highly recommend that you change your private IP subnet to some uncommon numbering, i.e., not 0 or 1 in the third octet. The third octet is x.x.this.x number of the IP address. Your router software should be able to accomplish this. With my Apple AirPort Extreme, using AirPort Utility, I can change the number of the third octet, and the AirPort simply reassigns the DHCP-given addresses and changes the existing DHCP reservations and port mappings (forwardings) appropriately. Machines using static IP addresses will have to be changed manually on the respective machines. I can also change between 10.0.x.x, 172.16.x.x and 192.168.x.x numbering schemes. Using a unique subnet is important because many services require that clients enter the IP address of the host. If there are conflicting (identical) private IP addresses on both the server side and client sides, then things can't be expected to work. So, for example, a numbering such as 10.0.149.x or 192.168.37.x should be fine.+If you're going to run a VPN server on your home network, I highly recommend that you change your private IP subnet to some uncommon numbering, i.e., not 0 or 1 in the third octet. The third octet is x.x.this.x number of the IP address. Your router software should be able to accomplish this. Machines using static IP addresses will have to be changed manually on the respective machines. Using a unique subnet is important because many services require that clients enter the IP address of the host. If there are conflicting (identical) private IP addresses on both the server side and client sides, then things can't be expected to work. So, for example, a numbering such as 10.0.149.x or 192.168.37.x should be fine.
  
 To be clear, only the server'​s network has to worry about having a different subnet numbering than the numberings of each of the clients. ​ The clients can't see each other'​s LANs, so their comparative numberings don't matter. ​ Clients can see only each other'​s OpenVPN-assigned private IP addresses in addition to the machines on the server side. To be clear, only the server'​s network has to worry about having a different subnet numbering than the numberings of each of the clients. ​ The clients can't see each other'​s LANs, so their comparative numberings don't matter. ​ Clients can see only each other'​s OpenVPN-assigned private IP addresses in addition to the machines on the server side.
Line 29: Line 29:
 ===== Linux VM Setup ===== ===== Linux VM Setup =====
  
-This section provides a procedure for setting up a simple Debian ​"Jessie" VM for beginners. ​ If you already have your Linux machine set up, then proceed to the [[bridged_openvpn_server_setup#​openvpn_server_setup|OpenVPN Server Setup]] section. ​ Note that, to run an OpenVPN server, a virtual machine's virtual network adapter must be in a //bridged// configuration.+This section provides a procedure for setting up a simple Debian ​"Stretch" VM for beginners. ​ If you already have your Linux machine set up, then proceed to the [[bridged_openvpn_server_setup#​openvpn_server_setup|OpenVPN Server Setup]] section. ​ Note that, to run an OpenVPN server, a VM's virtual network adapter must be in a //bridged// configuration.
  
 ==== VM Settings ==== ==== VM Settings ====
Line 60: Line 60:
 ==== Debian Installation ==== ==== Debian Installation ====
  
-Start the VM, point the window that pops up to your Debian disc image, and hit Start. ​ Use the arrow keys to select ​“Install” on a 32-bit host, or "64 bit install"​ on a 64-bit host.  The installer program proceeds as follows:+Start the VM, point the window that pops up to your Debian disc image, and hit Start. ​ Use the arrow keys to select "Install." ​ The installer program proceeds as follows:
  
 Select your language, location and keyboard configuration. Select your language, location and keyboard configuration.
  
-For the hostname, the default "​debian"​ is okay.  ​For the domain name, you can enter anything ​if your ISP's domain name wasn't detected automatically.+For the hostname, the default "​debian"​ is okay.  ​The domain name can be left blank if your ISP's domain name wasn't detected automatically.
  
 Enter and verity a **root password**. Enter and verity a **root password**.
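Review bot: typo on the unchanged line `Enter and verity a **root password**.`, which should read "verify"; since this hunk already touches the neighbouring hostname line, fix it in the same revision.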
Line 76: Line 76:
 Select your time zone. Select your time zone.
  
-Select the default choices ​on the "​Partition disks" screens. ​ Hit tab and return to select "​Yes"​ when it asks whether to write changes to disk.+Select the default choices ​at the "​Partition disks" screens. ​ Hit tab and return to select "​Yes"​ when it asks whether to write changes to disk.
  
 Select your country for the Debian archive mirror, and the default choice for the archive mirror URL.  Leave the HTTP proxy information blank. Select your country for the Debian archive mirror, and the default choice for the archive mirror URL.  Leave the HTTP proxy information blank.
Line 84: Line 84:
 Use the **space bar** and arrow keys to select only "​standard system utilities,"​ then hit return. ​ The SSH server software is useful for accessing the Linux terminal remotely or when the VM is run in "​headless"​ mode (as a background process). ​ These features help to streamline your usage of the OpenVPN server, but aren't covered in this guide. Use the **space bar** and arrow keys to select only "​standard system utilities,"​ then hit return. ​ The SSH server software is useful for accessing the Linux terminal remotely or when the VM is run in "​headless"​ mode (as a background process). ​ These features help to streamline your usage of the OpenVPN server, but aren't covered in this guide.
  
-Select ​Yes” to install the GRUB boot loader, use the down arrow key to choose the /dev/sda device, and hit return.+Select ​"Yes" ​to install the GRUB boot loader, use the down arrow key to choose the /dev/sda device, and hit return.
  
 When the installation is complete, ensure that the Debian disc image is no longer connected to the VM (no check mark) under the VM's Devices > CD/DVD Devices menu, then select "​Continue."​ The VM will reboot into the newly installed Debian. When the installation is complete, ensure that the Debian disc image is no longer connected to the VM (no check mark) under the VM's Devices > CD/DVD Devices menu, then select "​Continue."​ The VM will reboot into the newly installed Debian.
Line 102: Line 102:
 <​code>​reboot</​code>​ <​code>​reboot</​code>​
  
-The VM will reboot into the newly installed GUI.  Select the user.  Click on the small gear icon next to the "Sign In" button and select "GNOME Classic." ​ Enter the **user password** to log in.  Go to Applications > Utilities, and scroll down to select Terminal. ​ You will not yet be able to copy and paste into the VM, and VM's cursor may be sluggish, because Guest Additions are not yet installed.+The VM will reboot into the newly installed GUI.  Select the user.  Click on the small gear icon next to the "Sign In" button and select "GNOME Classic." ​ Enter the **user password** to log in.  Go to Applications > System Tools, and select Terminal. ​ You will not yet be able to copy and paste into the VM, and VM's cursor may be sluggish, because Guest Additions are not yet installed.
  
 **Become root** by entering **Become root** by entering
Line 142: Line 142:
 <​code>​apt-get upgrade</​code>​ <​code>​apt-get upgrade</​code>​
  
-once in a while to update ​your server'​s ​software.+once in a while to update ​the operating system and its software ​packages.
  
 ===== OpenVPN Server Setup ===== ===== OpenVPN Server Setup =====
  
-The instructions in this section can be used for running OpenVPN 2.in Debian ​(proceeding from the VM setup above) or Ubuntu 15.04 (uses systemd).+The instructions in this section can be used for running OpenVPN 2.in Debian ​(proceeding from the VM setup above) or some similar Linux distribution.
  
 ==== Authentication Setup with Easy-RSA ====  ==== Authentication Setup with Easy-RSA ==== 
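Review bot: `apt-get upgrade` only installs versions already present in the local package index, so the rewritten "once in a while to update the operating system and its software packages" line should tell the reader to run `apt-get update` first (unless the lines preceding this hunk, not shown here, already do). For a VM that accepts connections from the Internet, "once in a while" is also vaguer than it should be; a fixed schedule, or a pointer to Debian's unattended-upgrades package, would serve a beginner better.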
Line 169: Line 169:
  
 <​code>​./​clean-all</​code>​ <​code>​./​clean-all</​code>​
 +
 +A quirk in the easy-rsa package requires us to create the following symbolic link:
 +
 +<​code>​ln -s openssl-1.0.0.cnf openssl.cnf</​code>​
  
 The one important field for the following commands is "​Common Name"​. ​ If you mess up an entry for the following commands, you can hit control+C and re-enter the command. The one important field for the following commands is "​Common Name"​. ​ If you mess up an entry for the following commands, you can hit control+C and re-enter the command.
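Review bot: the new `ln -s openssl-1.0.0.cnf openssl.cnf` line uses relative paths, so it only yields a working link when run from the Easy-RSA directory (/etc/openvpn/easy-rsa, as named later in the guide); say so explicitly here. It also exits with "File exists" if openssl.cnf is already present from an earlier attempt, which is worth one sentence since the guide otherwise tells readers to re-run commands after mistakes.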
Line 182: Line 186:
 Locality Name (eg, city) [SanFrancisco]:​ Locality Name (eg, city) [SanFrancisco]:​
 Organization Name (eg, company) [Fort-Funston]:​ Organization Name (eg, company) [Fort-Funston]:​
-Organizational Unit Name (eg, section) [changeme]: +Organizational Unit Name (eg, section) [MyOrganizationalUnit]: 
-Common Name (eg, your name or your server'​s hostname) [changeme]:​OpenVPN-CA +Common Name (eg, your name or your server'​s hostname) [Fort-Funston CA]:​OpenVPN-CA 
-Name [changeme]: +Name [EasyRSA]: 
-Email Address [mail@host.domain]:</​code>​+Email Address [me@myhost.mydomain]:</​code>​
  
 Create the server credentials by entering Create the server credentials by entering
Line 197: Line 201:
 Locality Name (eg, city) [SanFrancisco]:​ Locality Name (eg, city) [SanFrancisco]:​
 Organization Name (eg, company) [Fort-Funston]:​ Organization Name (eg, company) [Fort-Funston]:​
-Organizational Unit Name (eg, section) [changeme]:+Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
 Common Name (eg, your name or your server'​s hostname) [server]: Common Name (eg, your name or your server'​s hostname) [server]:
-Name [changeme]: +Name [EasyRSA]: 
-Email Address [mail@host.domain]:</​code>​+Email Address [me@myhost.mydomain]:</​code>​
  
 Just hit return to skip the challenge password and company name, and enter Y to sign the certificate and commit. Just hit return to skip the challenge password and company name, and enter Y to sign the certificate and commit.
Line 220: Line 224:
 Locality Name (eg, city) [SanFrancisco]:​ Locality Name (eg, city) [SanFrancisco]:​
 Organization Name (eg, company) [Fort-Funston]:​ Organization Name (eg, company) [Fort-Funston]:​
-Organizational Unit Name (eg, section) [changeme]:+Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
 Common Name (eg, your name or your server'​s hostname) [joe]: Common Name (eg, your name or your server'​s hostname) [joe]:
-Name [changeme]: +Name [EasyRSA]: 
-Email Address [mail@host.domain]:</​code>​+Email Address [me@myhost.mydomain]:</​code>​
  
 Again, hit return to skip the challenge password and company name, and enter Y to sign the certificate and commit. ​ You can make more client credentials now, say, Again, hit return to skip the challenge password and company name, and enter Y to sign the certificate and commit. ​ You can make more client credentials now, say,
Line 231: Line 235:
 **IMPORTANT**: ​ If you ever come back later to /​etc/​openvpn/​easy-rsa to create credentials for additional clients, you must enter "​source vars" before running "​./​build-key jane"​. ​ Do **NOT** run "​./​clean-all"​ again since this would wipe out your existing credentials. **IMPORTANT**: ​ If you ever come back later to /​etc/​openvpn/​easy-rsa to create credentials for additional clients, you must enter "​source vars" before running "​./​build-key jane"​. ​ Do **NOT** run "​./​clean-all"​ again since this would wipe out your existing credentials.
  
-The CA certificate ​and client certificates and keys will be given to the clients. ​ For now, copy the keys folder to the host OS via the shared folder by entering+Create the following key to use for the "HMAC firewall:"​ 
 + 
 +<​code>​openvpn --genkey --secret /​etc/​openvpn/​easy-rsa/​keys/​ta.key</​code>​ 
 + 
 +Certificate ​and key files will be given to the clients. ​ For now, copy the keys folder to the host OS via the shared folder by entering
  
 <​code>​cp -r /​etc/​openvpn/​easy-rsa/​keys /​media/​sf_linuxshared</​code>​ <​code>​cp -r /​etc/​openvpn/​easy-rsa/​keys /​media/​sf_linuxshared</​code>​
  
-More information on Easy-RSA, including information on revoking client certificates,​ can be found at [[http://​openvpn.net/​index.php/​open-source/​documentation/​howto.html|OpenVPN'​s HOWTO page]].+More information on OpenVPN security, including information on revoking client certificates,​ can be found at [[https://​openvpn.net/​index.php/​open-source/​documentation/​howto.html|OpenVPN'​s HOWTO page]].
  
 ==== VPN Setup ==== ==== VPN Setup ====
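Review bot: the unchanged `cp -r /etc/openvpn/easy-rsa/keys /media/sf_linuxshared` line copies the entire keys directory, which always contains ca.key and server.key and now also the new ta.key, onto the host's shared folder. Clients only need ca.crt, their own .crt and .key, and ta.key, so suggest copying just those files and adding a sentence telling the reader to delete them from the shared folder once handed out; the CA private key in particular should never leave the VM. The new `openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key` line itself is correct and matches the `tls-auth` entries added later in the server and client configurations.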
Line 241: Line 249:
 Now we'll configure the OpenVPN server. ​ First, you must obtain some information about your network'​s private IP address numbering. Now we'll configure the OpenVPN server. ​ First, you must obtain some information about your network'​s private IP address numbering.
  
-On an OS X host, open System Preferences and go to Network. ​ On the left, select the active interface (Ethernet), click "​Advanced..."​ and select the "​TCP/​IP"​ tab.  Look for the values for Subnet Mask (netmask) and Router. ​ On a Windows host, this information can be obtained by running the command "​ipconfig"​ (without quotes) in the Windows command prompt, cmd.exe. ​ "​Default Gateway"​ is the router'​s address. ​ You will also need to know your broadcast address, which is simply the first three octets of your subnet plus 255.  Finally, decide on a free IP address on your network, which will be assigned to the Linux VM.+On an macOS host, open System Preferences and go to Network. ​ On the left, select the active interface (Ethernet), click "​Advanced..."​ and select the "​TCP/​IP"​ tab.  Look for the values for Subnet Mask (netmask) and Router. ​ On a Windows host, this information can be obtained by running the command "​ipconfig"​ (without quotes) in the Windows command prompt, cmd.exe. ​ "​Default Gateway"​ is the router'​s address. ​ You will also need to know your broadcast address, which is simply the first three octets of your subnet plus 255.  Finally, decide on a free IP address on your network, which will be assigned to the Linux VM.
  
 This guide will use the following example private IP address numbering (adjust this to your numbering): This guide will use the following example private IP address numbering (adjust this to your numbering):
  
 Free IP address for Linux VM:  192.168.5.100\\ Free IP address for Linux VM:  192.168.5.100\\
-Netmask:  255.255.255.0\\+Subnet mask (netmask):  255.255.255.0 ​(/24 following the Free IP address in [[https://​en.wikipedia.org/​wiki/​Classless_Inter-Domain_Routing#​IPv4_CIDR_blocks|CIDR notation]])\\
 Broadcast address: ​ 192.168.5.255\\ Broadcast address: ​ 192.168.5.255\\
 Router'​s IP address: ​ 192.168.5.1 Router'​s IP address: ​ 192.168.5.1
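Review bot: the new Subnet mask line correctly spells out /24, but the unchanged sentence "your broadcast address, which is simply the first three octets of your subnet plus 255" holds only for a 255.255.255.0 mask; a reader with a 255.255.0.0 or other non-/24 mask would compute the wrong broadcast address and the bridge script would then be misconfigured. Suggest qualifying it ("for a 255.255.255.0 netmask") or pointing at the CIDR link just added.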
Line 267: Line 275:
 # Define physical ethernet interface to be bridged # Define physical ethernet interface to be bridged
 # with TAP interface(s) above. # with TAP interface(s) above.
-eth="eth0+eth="enp0s3
-eth_ip="​192.168.5.100+eth_ip_netmask="​192.168.5.100/24"
-eth_netmask="​255.255.255.0"+
 eth_broadcast="​192.168.5.255"​ eth_broadcast="​192.168.5.255"​
 eth_gateway="​192.168.5.1"​ eth_gateway="​192.168.5.1"​
Line 287: Line 294:
  
     for t in $tap; do     for t in $tap; do
-        ​ifconfig ​$t 0.0.0.0 ​promisc up+        ​ip addr flush dev $t 
 +        ip link set $t promisc ​on up
     done     done
  
-   sleep ?+    ip addr flush dev $eth 
 +    ip link set $eth promisc on up
  
-    ​ifconfig ​$eth 0.0.0.0 promisc ​up+    ​ip addr add $eth_ip_netmask broadcast $eth_broadcast dev $br 
 +    ip link set $br up
  
-#    sleep ? +    ip route add default ​via $eth_gateway
- +
-    ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast +
- +
-    sleep 1 +
- +
-    ​route add default ​gw $eth_gateway+
     ;;     ;;
 stop) stop)
-    ​ifconfig ​$br down+    ​ip link set $br down
     brctl delbr $br     brctl delbr $br
  
Line 310: Line 314:
     done     done
  
-    ​ifconfig ​$eth $eth_ip netmask $eth_netmask ​broadcast $eth_broadcast+    ​ip link set $eth promisc off 
 +    ip addr add $eth_ip_netmask ​broadcast $eth_broadcast ​dev $eth
  
-    route add default ​gw $eth_gateway+    ​ip route add default ​via $eth_gateway
     ;;     ;;
 *) *)
Line 321: Line 326:
 exit 0</​code>​ exit 0</​code>​
  
-Use the arrow keys to edit the script. ​ Edit the four lines beginning with eth_ip, eth_netmask, eth_broadcast and eth_gateway. ​ Those four variables must be set equal to the free IP address for the Linux VM, netmask, broadcast address and router'​s IP address, respectively,​ in quotes as shown.  ​Edit only those four lines.  Press control+X, then Y to accept changes, and return to save the file.  Entering "​ls"​ should now show the file "​openvpn-bridge"​ in the list of files in the directory. ​ If you need to edit the script again, enter the same command above used to create it.+Use the arrow keys to edit the script. ​ Edit the three lines beginning with eth_ip_netmask, eth_broadcast and eth_gateway. ​ Those three variables must be set equal to the free IP address for the Linux VM and its subnet mask, broadcast addressand router'​s IP address, respectively,​ in quotes as shown.  ​(If not using VirtualBox, you also might have to change the "​eth"​ variable to match the name of your Ethernet interface. ​ Use the command "ip a" in Terminal to find this name. Press control+X, then Y to accept changes, and return to save the file.  Entering "​ls"​ should now show the file "​openvpn-bridge"​ in the list of files in the directory. ​ If you need to edit the script again, enter the same command above used to create it.
  
-The duration of one or more of the "​sleep"​ commands may need to be changed depending or your version of Linux and hard drive speed. ​ The working value is usually around 1 to 10, but could be greater. ​ If (after this setup is complete) there is no Internet connection in the VM after booting (ping google.com from the Linux terminal, for example), then try increasing or decreasing the sleep command. ​ (Advanced users can also use the command "​netstat -nr"​.) ​ How Linux behaves for the commands following these "​sleep"​ commands seems to depend largely on the version of Linux and how busy the hard drive is.  The behavior can change even between minor-version updates for the same major release of Debian. ​ What appears in the script above is what currently works for me. +This script is adapted from the "​bridge-start"​ and "​bridge-stop"​ scripts at OpenVPN'​s [[https://​openvpn.net/​index.php/​open-source/​documentation/​miscellaneous/​76-ethernet-bridging.html|Ethernet bridging page]], with the now-deprecated "​ifconfig"​ commands replaced with the equivalent "​ip"​ (iproute2) commands.  It bridges the Ethernet interface, eth0, and OpenVPN'​s TAP interface, tap0, as members of the bridge interface, br0.  It also sets the Linux VM's private IP address to the free address that you chose, **effectively giving the server a static IP address**.
- +
-This script is adapted from the "​bridge-start"​ and "​bridge-stop"​ scripts at OpenVPN'​s [[http://​openvpn.net/​index.php/​open-source/​documentation/​miscellaneous/​76-ethernet-bridging.html|Ethernet bridging page]]. ​ It bridges the Ethernet interface, eth0, and OpenVPN'​s TAP interface, tap0, as members of the bridge interface, br0.  It also sets the Linux VM's private IP address to the free address that you chose, **effectively giving the server a static IP address**.+
  
 Make the script executable by entering Make the script executable by entering
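Review bot: the rewritten description line still says the script bridges "the Ethernet interface, eth0", while the script in the preceding hunk now sets `eth="enp0s3"`; suggest "the Ethernet interface (enp0s3 by default in this script)". The new parenthetical about changing the `eth` variable is also missing its closing parenthesis after "to find this name."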
Line 348: Line 351:
 client-to-client client-to-client
 keepalive 10 120 keepalive 10 120
-comp-lzo+tls-auth /​etc/​openvpn/​easy-rsa/​keys/​ta.key 0 
 +cipher AES-256-GCM 
 +compress lz4-v2 
 +push "​compress lz4-v2"​
 persist-key persist-key
 persist-tun persist-tun
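Review bot: `compress lz4-v2` and `push "compress lz4-v2"` compress plaintext before it is encrypted; OpenVPN's own guidance has discouraged VPN-layer compression since the VORACLE compression-oracle disclosure in August 2018, the same month as this revision. Suggest dropping both lines (and the matching client line) unless the bandwidth saving is really needed, or at least stating the trade-off. The `tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0` and `cipher AES-256-GCM` additions are solid hardening; tell the reader that the key direction 0 here must pair with 1 in the client configuration.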
Line 355: Line 361:
 verb 3</​code>​ verb 3</​code>​
  
-The line around the middle that begins ​"​server-bridge"​ must be changed to match your private IP addresses. ​ Set the first and second addresses of that line to the free IP address for the Linux VM and your netmask, respectively. ​ The third and fourth addresses of that line denote the private IP address range to be allocated to clients. ​ This must be set to an unused address range on your network. ​ This range ideally should be outside your router'​s DHCP range, but it doesn'​t need to be.  As can be seen, in this example, ten addresses are allocated, ending with 101 through 110.  More information on the server configuration file can be found at [[https://​openvpn.net/​index.php/​open-source/​documentation/​howto.html|OpenVPN'​s HOWTO page]] and [[https://​community.openvpn.net/​openvpn/​wiki/​Openvpn23ManPage|the OpenVPN 2.manual]].+The line beginning with "​server-bridge"​ must be changed to match your private IP addresses. ​ Set the first and second addresses of that line to the free IP address for the Linux VM and your subnet mask, respectively. ​ The third and fourth addresses of that line denote the private IP address range to be allocated to clients. ​ This must be set to an unused address range on your network. ​ This range ideally should be outside your router'​s DHCP range, but it doesn'​t need to be.  As can be seen, in this example, ten addresses are allocated, ending with 101 through 110.  More information on the server configuration file can be found at [[https://​openvpn.net/​index.php/​open-source/​documentation/​howto.html|OpenVPN'​s HOWTO page]] and [[https://​community.openvpn.net/​openvpn/​wiki/​Openvpn24ManPage|the OpenVPN 2.manual]].
  
 ==== Port Forwarding ===== ==== Port Forwarding =====
Line 372: Line 378:
 ExecStopPost=/​etc/​openvpn/​openvpn-bridge stop</​code>​ ExecStopPost=/​etc/​openvpn/​openvpn-bridge stop</​code>​
  
-Paste the two lines at the bottom of the [Service] section ​so that its last three lines look like +and paste them at the bottom of the [Service] section.
- +
-<​code>​WorkingDirectory=/​etc/​openvpn +
-ExecStartPre=/​etc/​openvpn/​openvpn-bridge start +
-ExecStopPost=/​etc/​openvpn/​openvpn-bridge stop</​code>​+
  
 Exit and save.  Reboot the VM by entering Exit and save.  Reboot the VM by entering
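Review bot: the hunk does not show which unit file receives the pasted `ExecStartPre=` and `ExecStopPost=` lines, so this cannot be checked here, but if it is the unit installed by the openvpn package under /lib/systemd/system the edit is silently lost on the next package upgrade and the bridge stops being created at boot. A drop-in created with `systemctl edit` on the unit in use survives upgrades; at minimum, name the file being edited so the reader knows which case applies.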
Line 383: Line 385:
  
 The OpenVPN server will be running at boot, i.e., no user login is required. The OpenVPN server will be running at boot, i.e., no user login is required.
 +
 ==== Basic Testing ==== ==== Basic Testing ====
  
-Verify that the br0 and tap0 interfaces are up by entering+Verify that the br0 and tap0 interfaces are up by entering ​in Terminal
  
-<​code>​ifconfig</​code>​+<​code>​ip a</​code>​
  
 When the OpenVPN server is running, the br0 interface will have the IP address that you chose for the Linux VM. When the OpenVPN server is running, the br0 interface will have the IP address that you chose for the Linux VM.
Line 399: Line 402:
 <​code>​service openvpn stop</​code>​ <​code>​service openvpn stop</​code>​
  
-Entering "ifconfig" again should show the network interfaces back to normal (no br0 or tap0), with the eth0 interface now having the IP address.+Entering "ip a" again should show the network interfaces back to normal (no br0 or tap0), with the eth0 interface now having the IP address.
  
-Start or restart the OpenVPN server by using "​start"​ or "​restart"​ instead of "​stop"​ in the command above.  ​Note that the startup process will take approximately as long as the duration of the "​sleep"​ command in the "​openvpn-bridge"​ script. ​ Again, the OpenVPN server will always start at boot.+Start or restart the OpenVPN server by using "​start"​ or "​restart"​ instead of "​stop"​ in the command above.  ​The OpenVPN server will always start at boot.
  
 ===== OpenVPN Client Setup ===== ===== OpenVPN Client Setup =====
Line 407: Line 410:
 ==== Client Configuration ==== ==== Client Configuration ====
  
-Create a plain text file in a program such as TextEdit in OS X or Notepad in Windows. ​ For the client ​joe, copy and paste into that file the following text:+Create a plain text file in a program such as TextEdit in macOS or Notepad in Windows. ​ For the client ​"joe", copy and paste into that file the following text:
  
 <​code>​client <​code>​client
Line 419: Line 422:
 key joe.key key joe.key
 remote-cert-tls server remote-cert-tls server
-comp-lzo+tls-auth ta.key 1 
 +cipher AES-256-GCM 
 +compress lz4-v2
 verb 3</​code>​ verb 3</​code>​
  
-PUBLIC_IP_ADDRESS must be replaced with the public IP address of the server side. Google "what's my ip" on the server side to get this address. ​ A client already on the server side could use the private IP address of the Linux VM instead of the public IP address. ​ Tunneling [[bridged_openvpn_server_setup#​lan_gaming|non-IP protocols]],​ such as AppleTalk and IPX, over wireless is one reason to do this. Clients over the Internet must use the public IP address.+PUBLIC_IP_ADDRESS must be replaced with the public IP address of the server side. Google "​ip"​ on the server side to get this address. ​ A client already on the server side could use the private IP address of the Linux VM instead of the public IP address. ​ Tunneling [[bridged_openvpn_server_setup#​lan_gaming|non-IP protocols]],​ such as AppleTalk and IPX, over wireless is one reason to do this.  Clients over the Internet must use the public IP address.
  
-The "​cert"​ and "​key" ​lines must be changed to match the file names of the .crt and .key files for any given client. ​ Save the file as "​joe.conf",​ and give ca.crt, joe.crt, joe.key and joe.conf to the client. Zipping them together is easiest.+The lines beginning with "​cert"​ and "​key"​ must be changed to match the file names of the .crt and .key files for any given client. ​ Save the file as "​joe.conf",​ and give ca.crt, joe.crt, joe.key, ta.key and joe.conf to the client.
  
-More information on the client configuration file can be found at [[https://​openvpn.net/​index.php/​open-source/​documentation/​howto.html|OpenVPN'​s HOWTO page]] and [[https://​community.openvpn.net/​openvpn/​wiki/​Openvpn23ManPage|the OpenVPN 2.manual]].+More information on the client configuration file can be found at [[https://​openvpn.net/​index.php/​open-source/​documentation/​howto.html|OpenVPN'​s HOWTO page]] and [[https://​community.openvpn.net/​openvpn/​wiki/​Openvpn24ManPage|the OpenVPN 2.manual]].
  
 ==== Mac Client Software: ​ Tunnelblick ==== ==== Mac Client Software: ​ Tunnelblick ====
  
-For OS X clients, use [[https://code.google.com/​p/​tunnelblick/​|Tunnelblick]]. ​ Be sure to get the correct version for your version of OS X, which could be the beta release. ​ When it asks for configuration files after you install it, just quit.  Tunnelblick uses files with a "​.tblk"​ extension. ​ For the client "​joe",​ place the files ca.crt, joe.crt, joe.key and joe.conf into a folder called whatever you want to call that VPN connection, say, "Home VPN.tblk"​. ​ Double-click that file to add it to Tunnelblick'​s list of connections. ​ Tunnelblick appears at the right side of the menu bar as a tunnel icon.  Go to "VPN Details...",​ select the connection on the left, and set "Set DNS/​WINS"​ to "Do not set nameserver"​.  ​Select "​Advanced...",​ and under "​Connecting & Disconnecting," ​uncheck "Check if the apparent public IP address changed after connecting,"​ since this is unnecessary for this type of setup (the public IP address will not change). ​ Exit the menus. ​ With the OpenVPN server running, click the tunnel icon, and connect.+For macOS clients, use [[https://tunnelblick.net|Tunnelblick]]. ​ Be sure to get the correct version for your version of macOS, which could be the beta release. ​ When it asks for configuration files after you install it, just quit.  Tunnelblick uses files with a "​.tblk"​ extension. ​ For the client "​joe",​ place the files ca.crt, joe.crt, joe.key, ta.key and joe.conf into a new folder called whatever you want to call that VPN connection, say, "Home VPN.tblk"​. ​ Double-click that file to add it to Tunnelblick'​s list of connections. ​ Tunnelblick appears at the right side of the menu bar as a tunnel icon.  Go to "VPN Details...",​ select the connection on the left, and under the "​Settings"​ tab, set "Set DNS/​WINS"​ to "Do not set nameserver"​.  
​Also uncheck "Check if the apparent public IP address changed after connecting,"​ since this is unnecessary for this type of VPN setup (the client'​s ​public IP address will not change). ​ Exit the menus. ​ With the OpenVPN server running, click the tunnel icon, and connect.
  
-To get back to the individual client files, right-click on the .tblk file and select "Show Package Contents." ​ If you want to change any of the client files, you must reload (double-click) the .tblk file again after making the changes. ​ However, to quickly change the client configuration file without having to reload, go to "VPN Details...",​ highlight the connection in the list on the left, click the gear icon below the list and select "Edit OpenVPN Configuration File." ​ The client doesn'​t need to keep the client files after the configuration is created.+To get back to the individual client files, right-click on the .tblk file and select "Show Package Contents." ​ If you want to change any of the client files, you must reload (double-click) the .tblk file again after making the changes. ​ However, to quickly change the client configuration file without having to reload, go to "VPN Details...",​ highlight the connection in the list on the left, click the gear icon below the list and select "Edit OpenVPN Configuration File." ​ The client doesn'​t need to keep the original ​client files after the configuration is created, since they get copied to the folder ~/​Library/​Application Support/​Tunnelblick/​Configurations.
  
-==== Windows Client Software: ​ Securepoint ​OpenVPN ​Client ====+==== Windows Client Software: ​ Securepoint ​SSL VPN Client ====
  
-For Windows clients, the Windows version of OpenVPN can be used, but I recommend the [[http://​sourceforge.net/​projects/​securepoint/​|Securepoint ​OpenVPN ​Client]], which is very easy to use. When installing, select "​Mangagement"​ for the starting context. ​Select Yes for saving user credentials. ​Run the desktop shortcut, right-click the shield ​icon in the taskbar and select "​Show ​profiles"​. Click "​New"​ and give the VPN connection a name. Enter the public IP address of the server, ​port (1194) ​and protocol (UDP). For the client "​joe",​ point "Root CA" to ca.crt, "​Certificate"​ to joe.crt, and "​Key"​ to joe.key. Leave "​Server certificate"​ unchecked. Click Next, Next and Finish. Open joe.conf (with WordPad if it was written in OS X or Linux), select all, and copy. In Securepoint,​ right-click on the VPN connection'​s name, select "Quick edit", delete everything, and paste. Now you can connect. ​ The client doesn'​t need to keep the client files after the configuration is created.+For Windows clients, the Windows version of OpenVPN can be used, but I recommend the [[https://​sourceforge.net/​projects/​securepoint/​|Securepoint ​SSL VPN Client]], which is very easy to use.  When installing, select "​Mangagement"​ for the starting context. ​ Run the desktop shortcut, right-click the program'​s padlock ​icon in the taskbarand select "​Show ​window."  ​Click on the gear icon, select ​"​New"​and give the VPN connection a name.  Enter the public IP address of the server, and keep the default ​protocol (UDP) and port (1194).  For the client "​joe",​ point "Root CA" to ca.crt, "​Certificate"​ to joe.crt, and "​Key"​ to joe.key. ​ Leave "​Server certificate"​ unchecked. ​ Click Next, Next and Finish. ​ Copy ta.key to the folder with the VPN connection'​s name, found in the user's "​AppData\Roaming\Securepoint SSL VPN\config"​ folder, the folder to which the other certificate and key files have been copied.  
​Open joe.conf (with WordPad if it was written in macOS or Linux), select all, and copy. In Securepoint,​ right-click on the VPN connection'​s name, select "Quick edit", delete everything, and paste. ​ Now you can connect. ​ The client doesn'​t need to keep the original ​client files after the configuration is created, since they get copied to the folder mentioned above.
  
-The program runs in German when not run with the shortcut.  ​If you ever accidentally delete the desktop shortcut, ​then use the following arguments ​in the Properties > Target field of a shortcut to "Spvpncl.exe"+If you ever accidentally delete the desktop shortcut, ​and need to create another one, the executable, SSLVpnClient.exe,​ is in the user'​s ​"AppData\Local\Apps\Securepoint SSL VPN" ​folder. ​ The shortcut must have
  
--manage ​-enableSaveData -useEnglish+-manage
  
-to enable management, saving user credentials,​ and English, respectively.+at the end of the shortcut'​s Properties > Target field.
  
 === Broadcasts in Windows === === Broadcasts in Windows ===
  
-In Windows, broadcasts may not work by default ​for OpenVPN'​s TAP adapter. ​ To get broadcasts working over the VPN, the metric ​for the TAP adapter must be lowered so that it gets highest priority. ​ [[http://​www.hack-talk.info/​index.php?​topic=517.0|This post]] explains how this works. ​ In short:+In Windows, broadcasts may not work by default ​with OpenVPN'​s TAP adapter. ​ To get broadcasts working over the VPN, the metric ​of the TAP adapter must be lowered so that it gets highest priority. ​ [[https://​web.archive.org/​web/​20150508132600/​http://​www.hack-talk.info/​index.php?​topic=517.0|This post]] explains how this works. ​ In Windows 10, the procedure is:
  
-Open Network ​and Sharing Center ​> Change adapter ​settings ​> right-click on TAP adapter > Properties > select "​Internet Protocol Version 4 (TCP/​IPv4)"​ > Properties > Advanced... > uncheck "​Automatic metric"​ and type "​1"​ (without quotes) for "​Interface metric"​ > OK out of everything+Open Network ​& Internet settings ​> Change adapter ​options ​> right-click on the TAP adapter > Properties > select "​Internet Protocol Version 4 (TCP/​IPv4)"​ > Properties > Advanced... > under the "IP Settings"​ tab, uncheck "​Automatic metric," and type "​1"​ (without quotes) for "​Interface metric"​ > OK out of everything
  
-Uninstall unused TAP adapters under Device Manager > Network adapters.+Uninstall unused TAP adapters under Device Manager > Network adapters.  You also can manage TAP adapters using the gear icon > Client settings > "​General"​ tab in Securepoint.
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
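Review bot: the Windows Securepoint paragraph has ta.key copied by hand into the "AppData\Roaming\Securepoint SSL VPN\config" folder after the wizard has finished, so a reader who skips that step is left with a pasted joe.conf that points at a key file the client cannot find; suggest adding one sentence that the file name in joe.conf must match the copied file and that a connection failure at this point should be checked against that folder first. Also, "Mangagement" appears as the starting-context option in both revisions; unless the installer really spells it that way, it should read "Management".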
Line 468: Line 473:
 Using software firewalls may cause issues. ​ Firewall exceptions probably will have to be made for the client software and/or the TAP interface/​adapter. ​ A machine on the server side should be able to ping a successfully connected client using the client'​s OpenVPN-assigned IP address. ​ If the client is connected but the ping is unsuccessful,​ then chances are that something on the client'​s machine is interfering. ​ For example, Windows security settings or antivirus software that provides networking security can cause the TAP adapter to be classified as an "​unidentified network." ​ You may have to set the Windows Firewall state to "​Off"​ under "​Public Profile"​ of Windows Firewall'​s "​Advanced settings."​ Using software firewalls may cause issues. ​ Firewall exceptions probably will have to be made for the client software and/or the TAP interface/​adapter. ​ A machine on the server side should be able to ping a successfully connected client using the client'​s OpenVPN-assigned IP address. ​ If the client is connected but the ping is unsuccessful,​ then chances are that something on the client'​s machine is interfering. ​ For example, Windows security settings or antivirus software that provides networking security can cause the TAP adapter to be classified as an "​unidentified network." ​ You may have to set the Windows Firewall state to "​Off"​ under "​Public Profile"​ of Windows Firewall'​s "​Advanced settings."​
  
-If you have iptables firewall rules set up in Linux, you may need to enter the rules given at OpenVPN'​s [[http://​openvpn.net/​index.php/​open-source/​documentation/​miscellaneous/​76-ethernet-bridging.html|Ethernet bridging page]]. ​ If you followed the Linux VM setup above, this is not necessary.+If you have iptables firewall rules set up in Linux, you may need to enter the rules given at OpenVPN'​s [[https://​openvpn.net/​index.php/​open-source/​documentation/​miscellaneous/​76-ethernet-bridging.html|Ethernet bridging page]]. ​ If you followed the Linux VM setup above, this is not necessary.
  
-Note that this bridged configuration does //not// require IP forwarding to be enabled since bridging operates at layer 2 of the [[http://​en.wikipedia.org/​wiki/​OSI_model|OSI model]], not at layer 3 where routing such as IP forwarding is done.+Note that this bridged configuration does //not// require IP forwarding to be enabled since bridging operates at layer 2 of the [[https://​en.wikipedia.org/​wiki/​OSI_model|OSI model]], not at layer 3 where routing such as IP forwarding is done.
  
-Also, the Ethernet interface to which the VM is bridged can't be involved in any bridging in the host OS.  If the Ethernet interface is a member of a bridge interface that's already up in the host OS, then networking won't work in the Linux VM.  See [[http://​www.emaculation.com/​doku.php/​wireless_appletalk_ss_bii_osx#​connecting_the_emulator_to_the_vpn|this]] for comments on running the Linux VM and networked emulators (that use bridging) in the host OS simultaneously.+Also, the Ethernet interface to which the VM is bridged can't be involved in any bridging in the host OS.  If the Ethernet interface is a member of a bridge interface that's already up in the host OS, then networking won't work in the Linux VM.  See [[https://​www.emaculation.com/​doku.php/​wireless_appletalk_ss_bii_osx#​connecting_the_emulator_to_the_vpn|this]] for comments on running the Linux VM and networked emulators (that use bridging) in the host OS simultaneously.
  
 ===== Appendices ===== ===== Appendices =====
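Review bot: this hunk only moves links to https, but the troubleshooting paragraph it carries still tells readers to set Windows Firewall to "Off" under "Public Profile" when the TAP adapter is classified as an "unidentified network"; that disables the firewall for every public-profile connection, not just the VPN. The same paragraph already names the narrower remedy (an exception for the client software and/or the TAP adapter), so suggest making that the primary instruction and presenting the profile-wide "Off" as a temporary diagnostic step only.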
Line 497: Line 502:
 <​code>​port-share 192.168.5.25 443</​code>​ <​code>​port-share 192.168.5.25 443</​code>​
  
-into your server.conf file.  Set your router to forward public and private (external and internal) TCP port 443 to the private IP address of the Linux VM (OpenVPN server). ​ Non-OpenVPN traffic will be redirected to the other service'​s address. ​ See [[https://​community.openvpn.net/​openvpn/​wiki/​Openvpn23ManPage|the OpenVPN 2.manual]] for more details.+into your server.conf file.  Set your router to forward public and private (external and internal) TCP port 443 to the private IP address of the Linux VM (OpenVPN server). ​ Non-OpenVPN traffic will be redirected to the other service'​s address. ​ See [[https://​community.openvpn.net/​openvpn/​wiki/​Openvpn24ManPage|the OpenVPN 2.manual]] for more details.
  
 ==== Client Usage with Virtual Machines ==== ==== Client Usage with Virtual Machines ====
  
-To make use of the VPN connection in a virtual machine, the client should first connect to the VPN in the host, then have the virtualization program bridge the VM's virtual network adapter to OpenVPN'​s TAP interface. ​ For example, in OS X, open the connection via Tunnelblick in the host, then bridge the VM to tap0.  Note that, in this configuration,​ the VM's public IP address will be that of the server side, and the VM will no longer be visible on the client'​s LAN.  The VM's virtual network adapter will receive a private IP address in the server side's //DHCP range//, not in OpenVPN'​s client range. ​ A second bridged virtual network adapter can be used to allow the VM to be bridged to both the client'​s LAN and the VPN.  Usually, just switching to the TAP interface when desired, then switching back, using a single virtual network adapter, is easiest.+To make use of the VPN connection in a virtual machine, the client should first connect to the VPN in the host, then have the virtualization program bridge the VM's virtual network adapter to OpenVPN'​s TAP interface. ​ For example, in macOS, open the connection via Tunnelblick in the host, then bridge the VM to tap0.  Note that, in this configuration,​ the VM's public IP address will be that of the server side, and the VM will no longer be visible on the client'​s LAN.  The VM's virtual network adapter will receive a private IP address in the server side's //DHCP range//, not in OpenVPN'​s client range. ​ A second bridged virtual network adapter can be used to allow the VM to be bridged to both the client'​s LAN and the VPN.  Usually, just switching to the TAP interface when desired, then switching back, using a single virtual network adapter, is easiest.
  
 Also, on the server side, you should make it a habit to use virtual network adapters for VMs in their bridged configurations,​ unless you specifically don't want this. In bridged mode, a VM will receive its own private IP address and be visible to the rest of the LAN and VPN, effectively being treated as a separate computer on the LAN. Also, on the server side, you should make it a habit to use virtual network adapters for VMs in their bridged configurations,​ unless you specifically don't want this. In bridged mode, a VM will receive its own private IP address and be visible to the rest of the LAN and VPN, effectively being treated as a separate computer on the LAN.
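Review bot: the port-share appendix has the router forward TCP port 443 to the VM, while the client section in this same revision keeps UDP and port 1194 as the defaults; a client set up from that section will not reach a server that is only listening as described here, so the appendix should state that the protocol and port in joe.conf must be changed to match, or that the TCP/443 listener runs alongside the UDP/1194 one. The address in `port-share 192.168.5.25 443` also reads as a specific host; labelling it as an example address for the other service would keep readers from pasting it unchanged.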
Line 521: Line 526:
   *Virtual machines and emulators that include networking functionality are very useful for running old operating systems, which some old games may require.   *Virtual machines and emulators that include networking functionality are very useful for running old operating systems, which some old games may require.
  
-  *[[http://​www.emaculation.com/​doku.php/​wireless_appletalk_ss_bii_osx|AppleTalk games]] can be played over the VPN.+  *[[https://​www.emaculation.com/​doku.php/​wireless_appletalk_ss_bii_osx|AppleTalk games]] can be played over the VPN.
  
-  *IPX games for Windows can be played over the VPN as they would normally over a LAN, when using Windows XP or earlier, which include the IPX protocol. ​ For Windows Vista or later, use [[http://​www.solemnwarning.net/​ipxwrapper/​|IPXWrapper]].+  *IPX games for Windows can be played over the VPN as they would normally over a LAN, when using Windows XP or earlier, which include the IPX protocol. ​ For Windows Vista or later, use [[https://​www.solemnwarning.net/​ipxwrapper/​|IPXWrapper]].
  
-  *[[http://​www.dosbox.com|DOSBox]] can be used for playing DOS games. ​ It can emulate IPX, modem, and direct serial connections. ​ I recommend the [[http://​ykhwong.x-y.net|Daum build]], which is packed with features that aren't included in the official build.+  *[[https://​www.dosbox.com|DOSBox]] can be used for playing DOS games. ​ It can emulate IPX, modem, and direct serial connections. ​ I recommend the [[http://​ykhwong.x-y.net|Daum build]], which is packed with features that aren't included in the official build.
  
   *Many video game console emulators contain netplay functionality. ​ The [[http://​emulation.gametechwiki.com/​index.php/​Main_Page|Emulation General wiki]] provides a good overview of these emulators.   *Many video game console emulators contain netplay functionality. ​ The [[http://​emulation.gametechwiki.com/​index.php/​Main_Page|Emulation General wiki]] provides a good overview of these emulators.
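Review bot: the Daum build (http://ykhwong.x-y.net) and Emulation General wiki (http://emulation.gametechwiki.com) links stay on plain http while every other link in this revision is moved to https; either update them as well or note that those sites do not offer https.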
bridged_openvpn_server_setup.txt · Last modified: 2018/08/18 06:05 by nucar
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International