Differences
bridged_openvpn_server_setup [2020/05/01 11:44] – nucar | bridged_openvpn_server_setup [2023/05/28 14:14] (current) – nucar | ||
Line 1: | Line 1: | ||
====== Bridged OpenVPN Server Setup ====== | ====== Bridged OpenVPN Server Setup ====== | ||
- | (Last updated May 1, 2020. The forum thread is [[https:// | + | (Last updated May 28, 2023. The forum thread is [[https:// |
===== Introduction ===== | ===== Introduction ===== | ||
- | This guide describes how to set up a bridge-mode [[https:// | + | This guide describes how to set up a bridge-mode [[https:// |
- | An OpenVPN server in a bridged configuration creates a virtual private network (VPN) that can be thought of as a virtual Ethernet switch to your network. | + | An OpenVPN server in a bridged configuration creates a virtual private network (VPN) that can be thought of as a virtual Ethernet switch to your network. |
Possible uses of this VPN include:\\ | Possible uses of this VPN include:\\ | ||
Line 23: | Line 23: | ||
===== Using a Unique Subnet ===== | ===== Using a Unique Subnet ===== | ||
- | If you're going to run a VPN server on your home network, | + | If you're going to run a VPN server on your home network, |
To be clear, only the server' | To be clear, only the server' | ||
- | ===== Linux VM Setup ===== | + | ===== Linux VM Setup and Usage ===== |
- | This section provides | + | This guide will assume that you're running |
==== VM Settings ==== | ==== VM Settings ==== | ||
- | Download | + | The VM software' |
- | Download and install [[https://www.virtualbox.org/wiki/Downloads|VirtualBox]]. In VirtualBox, | + | The VM's virtual network adapter must be //bridged// to the host's Ethernet connection. |
- | Name and operating system:\\ | + | < |
- | Name: | + | |
- | Type: Linux\\ | + | |
- | Version: | + | |
- | Allocate at least the default 1024 MB of memory, and choose the default hard drive settings. | + | This will start the VM in " |
- | General | + | < |
- | Shared Clipboard: | + | |
- | Drag' | + | |
- | Display > Screen:\\ | + | In both commands, edit the path to the .vmx file, mainly replacing " |
- | Graphics Controller: | + | |
- | Network > Adapter 1:\\ | + | Record the VM's MAC address for use later, which is found in the VM's network settings. |
- | Attached to: Bridged Adapter\\ | + | |
- | Name: select your Ethernet interface/ | + | |
- | Under Advanced, Promiscuous Mode: Allow All | + | |
- | Shared Folders: | + | Add a folder to the VM's list of shared folders. This setup assumes that you added a shared folder named " |
- | Add a shared | + | |
- | + | ||
- | All other settings can be left as their defaults. | + | |
==== Debian Installation ==== | ==== Debian Installation ==== | ||
- | Start the VM, point the window that pops up to your Debian disc image, and hit Start. | + | You may find it easier to use " |
- | Select | + | The hostname doesn' |
- | For the hostname, the default "debian" | + | At the software selection screen, the default |
- | Enter and verity | + | After the installation is complete, |
- | Enter the user's name. This is not the username. | + | ==== VM Support Software ==== |
- | Enter a username. | + | In a VMware VM, Open VM Tools should have been installed automatically in Debian when following the default installation, |
- | Enter and verify a **user password**. | + | Open Terminal, |
- | Select your time zone. | + | < |
- | Select the default choices at the " | + | Create a mount point for shared folders: |
- | Select No when asked whether to scan another CD or DVD. | + | < |
- | Select your country for the Debian archive mirror, and the default choice for the archive mirror URL. | + | We'll use the text editor " |
- | Choose whether you want to participate in the package usage survey. | + | < |
- | Use the **space bar** and arrow keys to select only " | + | and add to the file the line |
- | Select " | + | < |
- | When the installation is complete, select Continue. | + | Press control+X, then Y to accept changes, and return to save the file. |
- | + | ||
- | At the login prompt, enter | + | |
- | + | ||
- | < | + | |
- | + | ||
- | followed by the **root password**. | + | |
- | + | ||
- | < | + | |
- | + | ||
- | to install a basic graphical user interface (GUI). | + | |
- | + | ||
- | When the prompt returns, reboot | + | |
< | < | ||
- | The VM will reboot into the newly installed GUI. Select the user. Click on the small gear icon next to the "Sign In" button and select "GNOME Classic." | + | Open Terminal and enter |
- | **Become root** by entering | + | < |
- | < | + | The shared folder |
- | + | ||
- | followed by the **root password**. | + | |
- | + | ||
- | < | + | |
- | + | ||
- | In the VM's Devices menu, select | + | |
- | + | ||
- | < | + | |
- | + | ||
- | < | + | |
- | + | ||
- | < | + | |
- | + | ||
- | Reboot the VM by entering | + | |
- | + | ||
- | < | + | |
- | + | ||
- | Open Terminal and enter | + | |
- | < | + | If using VirtualBox, you'll have to install Guest Additions before being able to copy and paste into the VM and access shared folders. |
- | The shared folder " | + | ==== Other Terminal Commands ==== |
- | Note that the command to shut down the VM **as root** is | + | The command to shut down the VM **as root** is |
< | < | ||
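Review bot: the VirtualBox setting "Under Advanced, Promiscuous Mode: Allow All" was removed together with the rest of the VirtualBox adapter settings, but the new VirtualBox caveat at the end of the VM Support Software subsection only mentions Guest Additions. Without promiscuous mode allowed on the bridged adapter, VirtualBox drops frames whose destination MAC is not the VM's own, so br0 never sees traffic for the VPN clients' MACs and the bridge appears dead even though the tunnel comes up. Suggest extending that caveat to: "If using VirtualBox, you'll also have to set Promiscuous Mode to Allow All under the adapter's Advanced settings, or the bridge will not forward client traffic." The same requirement exists on other hypervisors; the new "Record the VM's MAC address" step only keeps the VM's own address reachable and is not a replacement for letting the virtual switch pass frames for foreign MACs.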
Line 141: | Line 99: | ||
You can also run **as root** | You can also run **as root** | ||
- | < | + | < |
followed by | followed by | ||
- | < | + | < |
once in a while to update the operating system and its software packages. | once in a while to update the operating system and its software packages. | ||
Line 151: | Line 109: | ||
===== OpenVPN Server Setup ===== | ===== OpenVPN Server Setup ===== | ||
- | The instructions in this section can be used for running OpenVPN 2.4 in Debian | + | The instructions in this section can be used for running OpenVPN 2.5 in Debian |
==== Authentication Setup with Easy-RSA ==== | ==== Authentication Setup with Easy-RSA ==== | ||
Line 157: | Line 115: | ||
Open Terminal, and **become root**. | Open Terminal, and **become root**. | ||
- | < | + | < |
Copy Easy-RSA to OpenVPN' | Copy Easy-RSA to OpenVPN' | ||
Line 175: | Line 133: | ||
< | < | ||
- | For Common Name, enter "OpenVPN-CA" | + | The Common Name will be set to "Easy-RSA CA" |
Create the server credentials by entering | Create the server credentials by entering | ||
Line 183: | Line 141: | ||
The Common Name will be set to " | The Common Name will be set to " | ||
- | Sign server credentials by entering | + | Sign the server credentials by entering |
< | < | ||
Line 207: | Line 165: | ||
Enter " | Enter " | ||
- | You can make more client credentials | + | You can make more client credentials |
**IMPORTANT**: | **IMPORTANT**: | ||
Line 213: | Line 171: | ||
Create the HMAC signature: | Create the HMAC signature: | ||
- | < | + | < |
Certificate and key files will be given to the clients. | Certificate and key files will be given to the clients. | ||
- | < | + | < |
- | < | + | followed by |
+ | |||
+ | < | ||
+ | |||
+ | If using VirtualBox, / | ||
- | More information on revoking client certificates, | + | For information on revoking client certificates, |
==== VPN Setup ==== | ==== VPN Setup ==== | ||
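Review bot: "Certificate and key files will be given to the clients" followed by copy commands into the shared folder never says which files, so a reader who copies the whole Easy-RSA pki directory hands out the CA private key. Suggest listing them explicitly: each client gets ca.crt, its own client .crt and .key, and ta.key; ca.key stays on the server and is never copied anywhere. Also worth a sentence that the client .key should be removed from the shared folder once it has been moved to the client, since a VM shared folder is readable by every account on the host.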
Line 227: | Line 189: | ||
Now we'll configure the OpenVPN server. | Now we'll configure the OpenVPN server. | ||
- | On an macOS host, open System Preferences and go to Network. | + | On an macOS host, open System Preferences and go to Network. |
This guide will use the following example private IP address numbering (adjust this to your numbering): | This guide will use the following example private IP address numbering (adjust this to your numbering): | ||
Line 234: | Line 196: | ||
Subnet mask (netmask): | Subnet mask (netmask): | ||
Broadcast address: | Broadcast address: | ||
- | Router' | + | Router' |
+ | VM's MAC address: 08: | ||
- | We' | + | We'll create a script called " |
< | < | ||
Line 253: | Line 216: | ||
# Define physical ethernet interface to be bridged | # Define physical ethernet interface to be bridged | ||
# with TAP interface(s) above. | # with TAP interface(s) above. | ||
- | eth="enp0s3" | + | eth="ens33" |
eth_ip_netmask=" | eth_ip_netmask=" | ||
eth_broadcast=" | eth_broadcast=" | ||
eth_gateway=" | eth_gateway=" | ||
+ | eth_mac=" | ||
case " | case " | ||
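Review bot: changing eth from "enp0s3" to "ens33" hard-codes VMware's interface name; a reader on VirtualBox (still mentioned in the caveats above) will have enp0s3 and every `ip link set $eth ...` in the start branch will fail. Suggest a line before the script telling the reader to run `ip -br link` and set eth to the name shown, and likewise to set the new eth_mac variable to the adapter's MAC recorded from the VM settings (the "VM's MAC address" line in the example numbering), since a mismatch silently gives the bridge an address the hypervisor does not associate with this VM.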
Line 280: | Line 244: | ||
ip addr add $eth_ip_netmask broadcast $eth_broadcast dev $br | ip addr add $eth_ip_netmask broadcast $eth_broadcast dev $br | ||
+ | ip link set $br address $eth_mac | ||
ip link set $br up | ip link set $br up | ||
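Review bot: the added `ip link set $br address $eth_mac` needs a comment in the script saying why it is there: a Linux bridge otherwise takes the lowest MAC among its ports, which may be the tap interface's randomly generated address, so the VM's own IP ends up sourced from a MAC the hypervisor does not deliver replies to. Pinning the bridge to the adapter's MAC avoids that; it has to run before `ip link set $br up`, as the hunk does, and it does not remove the need for promiscuous mode on the hypervisor for frames addressed to VPN clients.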
Line 293: | Line 258: | ||
ip link set $eth promisc off up | ip link set $eth promisc off up | ||
- | ip route add default via $eth_gateway | ||
- | ip addr flush dev $eth | ||
ip addr add $eth_ip_netmask broadcast $eth_broadcast dev $eth | ip addr add $eth_ip_netmask broadcast $eth_broadcast dev $eth | ||
+ | |||
+ | ip route add default via $eth_gateway | ||
;; | ;; | ||
*) | *) | ||
Line 304: | Line 269: | ||
exit 0</ | exit 0</ | ||
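Review bot: the reorder in the stop branch is correct (the old version ran `ip route add default via $eth_gateway` before $eth had an address, so the gateway was unreachable and the route add failed), but dropping `ip addr flush dev $eth` means any address left on $eth makes the following `ip addr add` fail with "RTNETLINK answers: File exists" and the script aborts before restoring the default route. Suggest keeping the flush immediately before the `ip addr add`; it is harmless when the interface has no address.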
- | Use the arrow keys to edit the script. | + | Use the arrow keys to edit the script. |
- | This script is adapted from the " | + | This script is adapted from the " |
Make the script executable by entering | Make the script executable by entering | ||
Line 331: | Line 296: | ||
tls-auth / | tls-auth / | ||
cipher AES-256-GCM | cipher AES-256-GCM | ||
- | compress lz4-v2 | ||
- | push " | ||
persist-key | persist-key | ||
persist-tun | persist-tun | ||
Line 339: | Line 302: | ||
verb 3</ | verb 3</ | ||
- | The line beginning with " | + | The line beginning with " |
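Review bot: removing `compress lz4-v2` (and the matching line in client.conf later in this revision) is the right change, but the text should say why so that readers of the 2020 version do not add it back: compression inside the tunnel lets an attacker who can inject chosen plaintext recover secrets from the ciphertext lengths (the VORACLE attack), and OpenVPN 2.5 deprecates `compress`. Two follow-ups while the config is open, since the page now targets 2.5: `tls-auth` can be replaced by `tls-crypt` using the same ta.key (no direction argument, on both server and client), which also encrypts the control channel; and `cipher AES-256-GCM` is superseded by `data-ciphers AES-256-GCM`, which the deprecated-options reference added at the end of this revision covers.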
==== Port Forwarding ===== | ==== Port Forwarding ===== | ||
Line 376: | Line 339: | ||
< | < | ||
- | Hit Q to finish. | + | Press Q to exit. |
Stop the OpenVPN server by entering, as root, | Stop the OpenVPN server by entering, as root, | ||
Line 404: | Line 367: | ||
tls-auth ta.key 1 | tls-auth ta.key 1 | ||
cipher AES-256-GCM | cipher AES-256-GCM | ||
- | compress lz4-v2 | ||
verb 3</ | verb 3</ | ||
- | PUBLIC_IP_ADDRESS must be replaced with the public IP address of the server side. Google " | + | PUBLIC_IP_ADDRESS must be replaced with the public IP address of the server side. Google "my ip" on the server side to get this address. |
The lines beginning with " | The lines beginning with " | ||
- | |||
- | More information on the client configuration file can be found at [[https:// | ||
==== Mac Client Software: | ==== Mac Client Software: | ||
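Review bot: dropping the link to the client configuration documentation leaves this subsection with no pointer for the meaning of the client.conf lines; the new More References list at the end of the page covers it, so a one-line reference here would keep the section self-contained. On PUBLIC_IP_ADDRESS, "Google my ip" gives the current address, but home public addresses change; suggest noting that a dynamic DNS hostname can be used in its place so client files do not have to be redistributed.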
Line 421: | Line 381: | ||
==== Windows Client Software: | ==== Windows Client Software: | ||
- | For Windows clients, the Windows version of OpenVPN can be used, but here we'll go over using the [[https:// | + | For Windows clients, the Windows version of OpenVPN can be used, but here we'll go over using the [[https:// |
- | If you ever accidentally delete the desktop shortcut, and need to create another one, the executable, SSLVpnClient.exe, | + | If you ever accidentally delete the desktop shortcut, and need to create another one, the executable, SSLVpnClient.exe, |
-manage | -manage | ||
Line 443: | Line 403: | ||
To test whether the client' | To test whether the client' | ||
- | < | + | < |
To listen, for example, for packets passing through the br0 interface on port 1194 (both TCP and UPD), enter | To listen, for example, for packets passing through the br0 interface on port 1194 (both TCP and UPD), enter | ||
Line 482: | Line 442: | ||
< | < | ||
- | into your server.conf file. Set your router to forward public and private (external and internal) TCP port 443 to the private IP address of the Linux VM (OpenVPN server). | + | into your server.conf file. If sharing port 443 with another service within the VM itself, replace the IP address with " |
+ | |||
+ | ==== SSH Server ==== | ||
+ | |||
+ | The SSH server is useful for managing the VM from the terminal of another machine, such as Terminal in macOS, or [[https://www.putty.org/|PuTTY]] in Windows. | ||
+ | |||
+ | < | ||
+ | |||
+ | To be able to log in as root, edit the configuration file, | ||
+ | |||
+ | < | ||
+ | |||
+ | and uncomment (delete | ||
+ | |||
+ | < | ||
+ | |||
+ | Restart the SSH service (or just reboot): | ||
+ | |||
+ | < | ||
+ | |||
+ | To log in to the server from another Mac or Linux terminal, use the command | ||
+ | |||
+ | < | ||
+ | |||
+ | where the IP address is that chosen | ||
+ | |||
+ | < | ||
==== Client Usage with Virtual Machines ==== | ==== Client Usage with Virtual Machines ==== | ||
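Review bot: the new SSH Server subsection enables root login over SSH by uncommenting a line in the server configuration (the hunk truncates the line, but "To be able to log in as root" states the effect). On a VM that holds the CA key and the server key and sits behind a port forward, a password-accepting root SSH login is the first thing that gets brute-forced. Suggest instead: log in as the user created during installation and become root with `su -`, as the rest of the page already does, or, if root login is wanted, keep `PermitRootLogin prohibit-password` and place an SSH public key in /root/.ssh/authorized_keys. Also state that only 1194 (and 443 for port-share) are forwarded on the router and that port 22 must stay unforwarded.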
Line 515: | Line 501: | ||
*Some LAN-based programs don't specify which ports they use. Unless you can determine the ports, a VPN is necessary for networking these programs over the Internet. | *Some LAN-based programs don't specify which ports they use. Unless you can determine the ports, a VPN is necessary for networking these programs over the Internet. | ||
+ | ===== More References ===== | ||
+ | |||
+ | OpenVPN 2.5 manual:\\ | ||
+ | https:// | ||
+ | |||
+ | OpenVPN HOW-TO page:\\ | ||
+ | https:// | ||
- | *You can play shared-screen and "hot seat" games over the Internet using remote desktop software. | + | Deprecated Options in OpenVPN: |
+ | https:// |