Prerequisites

You should have basic knowledge of how routing works, what routes are and how to install/configure programs on Ubuntu/Debian. Some understanding of iptables also helps.

Scope of this Howto
This tutorial describes how two protected networks can be connected to each other over the Internet using openvpn. The first part will focus on creating a direct connection between the gateways and setting up the routing so that each network can find the other. The purpose is to simulate a trusted internal network which uses the Internet to connect. This setup will only support Layer-3 (IP) and higher routing. The second part will go one step further and support layer-2 (MAC) forwarding. With this, even DHCP leases, broadcasts and LAN games work across the Internet, because the two networks are truly joined together to become one. However, this setup is very resource intensive and should only be used in small environments.

Layout of the example network (the terms in brackets are the short names I will be using during the explanation):

Network A (nA)   192.168.0.0/24
    |
Router A (rA)    192.168.0.1, rA.example.net
    |
Internet
    |
Router B (rB)    192.168.1.1, rB.example.net
    |
Network B (nB)   192.168.1.0/24

PART 1
prerequisite
Both routers rA and rB have IP forwarding enabled. Whether they NAT or not does not matter. Both networks go THROUGH their router to the Internet (it can be done without this, but that requires more setup, which is beyond the scope of this howto).

1.) Installing openvpn
First off, openvpn needs to be installed. This can be done from the package repositories; simply run Code:

sudo apt-get install openvpn
on both routers.

2.) Creating a shared Key
Since the connection is going to be point-to-point from rA to rB we do not need any fancy certificates or multiple clients. Instead, we will use a static key which both routers have to know. We will focus on rA for now and set that one up first. Change into the /etc/openvpn directory and create the key which will be shared. Code:

cd /etc/openvpn
sudo openvpn --genkey --secret /etc/openvpn/static.key
(On OpenVPN 2.5 and newer the syntax is "openvpn --genkey secret /etc/openvpn/static.key".) Make sure the file is owned by root and readable by root only (mode 600): anyone who can read this file can decrypt and inject traffic on the link. Once the key is generated, it is time to configure openvpn. I will not use the simplest possible configuration at the start, since we will need some extra options later on anyway.

3.) Configuring router A
First off, we need to create a new configuration in the /etc/openvpn directory from which openvpn can then be started. Create the file (and open an editor) with this command (I always name the files after what they connect to; since this is a static link to one host, I will name it after the host the connection is to go to):
Code:
sudo nano /etc/openvpn/rB.example.net.conf

Copy the following configuration into it:
Code:
dev tun0
remote rB.example.net
ifconfig 10.0.0.1 10.0.1.1
secret /etc/openvpn/static.key
daemon
lport 15000
rport 1194
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/rB.example.net-status.log
log-append /var/log/openvpn/rB.example.net.log
ping-restart 60
ping 20

The host name, addresses and ports need to be changed to your actual settings. This config in short does the following (line by line):
* it will create a new network device tun0
* it will connect to the host rB.example.net
* tun0 will have the IP address 10.0.0.1; the remote partner is expected to have the IP address 10.0.1.1
* there is a static key to be used, found in /etc/openvpn/static.key
* openvpn shall run as a daemon, i.e. go into the background after the connection is established
* locally, openvpn will bind to port 15000
* the remote server is bound to port 1194
* openvpn shall drop its privileges to the user nobody
* openvpn shall drop its group to nogroup
* keep the static key in memory, even upon reconnect (needed because after the privilege drop the key file can no longer be read)
* keep the tun device open, even upon reconnect (same reason: the device cannot be re-created as nobody)
* log the status of the connection to the given file
* log messages to the given file
* assume the connection to be dead if no ping was received for 60 seconds (trigger a reconnect)
* ping the remote host every 20 seconds

Anything below the daemon line can be omitted (for now), as it is tweaks, security enhancements and settings we will need later on, but I would suggest you leave it in anyway. One thing worth adding on both sides is an explicit cipher and HMAC, e.g. "cipher AES-256-CBC" and "auth SHA256": the default cipher of older releases (BF-CBC) has a 64-bit block size and should not be used for a permanent link.

This was almost it for the openvpn config; just a few minor things remain. First, the directory for the log files does not yet exist. Create it and then change its owner to nobody and group nogroup so the openvpn process can still write to it after it has dropped its privileges:
Code:
sudo mkdir /var/log/openvpn
sudo chown nobody:nogroup /var/log/openvpn

4.) configuring rB
This is going to be almost exactly the same as rA for the config file. There are just three changes to the file:
1.) the remote statement has to be changed to hold the fqdn of rA instead of rB
2.) the ifconfig statement needs to be reversed, as the local IP of rA is the remote IP of rB and vice versa
3.) the ports in rport and lport need to be swapped, for the same reason the ifconfig has to be swapped
The rest can stay the same for now.
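Because these three changes are easy to get wrong (one swapped port or address and the tunnel silently never comes up), here is a small shell script to cross-check the two files against each other and to fingerprint the key file on both routers. It is an added example, not part of the original howto; it assumes the option names used above (remote, ifconfig, secret, lport, rport) and writes constructed copies of the two configs into a temporary directory so it can be run anywhere:

```shell
#!/bin/sh
# Cross-check a pair of static-key point-to-point configs (rA's and rB's)
# for the three things that must mirror each other, and fingerprint the key.
# Added example, not part of the original howto. Option names are the ones
# the howto uses; the sample configs below are constructed from its text.

# conf_get FILE OPTION: print the argument(s) of OPTION (first match only,
# comment lines never match because their first word is '#' or ';').
conf_get() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# key_fingerprint FILE: run on each router after copying static.key and
# compare the output; identical hashes mean the copy arrived unchanged.
key_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# check_pair A.conf B.conf: return 0 if the two configs mirror each other,
# 1 (with a message per problem) otherwise.
check_pair() {
    a=$1; b=$2; rc=0
    # Ports: A's local port must be B's remote port and vice versa.
    [ "$(conf_get "$a" lport)" = "$(conf_get "$b" rport)" ] || { echo "lport of $a must equal rport of $b"; rc=1; }
    [ "$(conf_get "$a" rport)" = "$(conf_get "$b" lport)" ] || { echo "rport of $a must equal lport of $b"; rc=1; }
    # ifconfig LOCAL REMOTE: A's local address is B's remote one and vice versa.
    set -- $(conf_get "$a" ifconfig); al=$1; ar=$2
    set -- $(conf_get "$b" ifconfig); bl=$1; br=$2
    { [ -n "$al" ] && [ "$al" = "$br" ] && [ "$ar" = "$bl" ]; } || { echo "ifconfig addresses are not mirrored"; rc=1; }
    # Both sides must reference a key file and a remote host at all.
    for f in "$a" "$b"; do
        [ -n "$(conf_get "$f" secret)" ] || { echo "$f has no secret line"; rc=1; }
        [ -n "$(conf_get "$f" remote)" ] || { echo "$f has no remote line"; rc=1; }
    done
    return $rc
}

# write_samples DIR: constructed, minimal copies of the howto's two configs
# plus a broken one where the admin forgot to swap the ifconfig addresses.
write_samples() {
    cat > "$1/rB.example.net.conf" <<'EOF'
dev tun0
remote rB.example.net
ifconfig 10.0.0.1 10.0.1.1
secret /etc/openvpn/static.key
lport 15000
rport 1194
EOF
    cat > "$1/rA.example.net.conf" <<'EOF'
dev tun0
remote rA.example.net
ifconfig 10.0.1.1 10.0.0.1
secret /etc/openvpn/static.key
lport 1194
rport 15000
EOF
    sed 's/^ifconfig .*/ifconfig 10.0.0.1 10.0.1.1/' "$1/rA.example.net.conf" > "$1/broken.conf"
}

# Stand-alone run: check the constructed pair, then the broken one.
d=$(mktemp -d)
write_samples "$d"
check_pair "$d/rB.example.net.conf" "$d/rA.example.net.conf" && echo "pair OK"
check_pair "$d/broken.conf" "$d/rB.example.net.conf" || echo "broken pair rejected"
```

In real use, copy rA's and rB's config files next to each other on one machine (or over ssh) and call check_pair with the real paths; run key_fingerprint on each router separately and compare the two hashes by eye.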

example.1.net. we need to allow connections to the ports specified in the configuration of the openvpn files. Which means.1 secret /etc/openvpn/static. copy it back and format the usb drive a million times afterwards (ok. copy it to a usb drive.key daemon lport 1194 rport 15000 user nobody group nogroup persist-key persist-tun status /var/log/openvpn/rA. create the logging directory again and all is set for a first testrun. If need be. it has to be the same one. there are two things we need to do.) getting the firewall right If you have your own scripts for the filewall or any programm running that manages your firewall. Since the VPN connection is assumed to be secure.log ping-restart 60 ping 20 remember to change the bold bit to the real name. What does matter is that you cannot.log log-append /var/log/openvpn/rA.example. 5. First off. opening port 15000 (udp) on rA and 1194 (udp) on rB. copy the static.example. the rest can be copied if you want to keep as close to the tutorial as possible now.0. try to understand what i am doing. and configure your script/programm accordingly.key file from rA to rB. Code: sudo mkdir /var/log/openvpn sudo chown nobody. I would suggest you use ssh/sftp to copy this file. Do not use email. it would pose a huge security risk if that key ever go out to anyone with less than honorable intent.or do worse things to it.net-status.0. DO NOT RUN THESE COMMANDS. http. transmit this file over an unprotected line.net ifconfig 10. I cannot take into account any configuration that was made previsouly. ftp. i am overreacting) If anyone ever get their hands onto this key. carry it over to rB. As for plain iptables.conf and put this content in: Code: dev tun0 remote rA.Code: sudo nano /etc/openvpn/rA. by any circumstance ever. but how does not matter.example.1 10.nogroup /var/log/openvpn Lastly.0.net. 
sample command for this would look like this on rA: Code: sudo su iptables -A INPUT -p udp --sport 1194 --dport 15000 -j ACCEPT iptables -A OUTPUT -p udp --sport 15000 --dport 1194 -j ACCEPT . In that case. they can listen in on anything passing over the protected line . telnet or any other unencryped channel to transfer that file.
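The stateless rules above open the openvpn port to the whole Internet, since --sport is chosen by the sender. As an added example (not part of the original howto), here is a shell function that prints the rule set for one router with the peer restricted by address and conntrack matching the return direction; it also contains the FORWARD rules for the two LANs that step 8 below adds, restricted to the two example networks so a compromised peer cannot source packets from arbitrary addresses into your LAN. The peer address 203.0.113.2 is an assumed placeholder for rB's public address, and the function only prints the rules so you can review them before running them as root:

```shell
#!/bin/sh
# Generate the iptables rules for one router of the howto's point-to-point link.
# Added example, not part of the original howto. It prints the rules instead of
# applying them; review them and then run them as root (vpn_rules ... | sudo sh).
# 203.0.113.2 below is an assumed placeholder for the peer's public address.

# vpn_rules LPORT RPORT PEER_IP TUN_IF LAN_IF LOCAL_NET REMOTE_NET
vpn_rules() {
    lport=$1; rport=$2; peer=$3; tun=$4; lan=$5; lnet=$6; rnet=$7
    # Tunnel endpoint: only the known peer may talk to our openvpn port.
    # --sport alone is no protection (the sender picks it), so match -s as well
    # and let conntrack accept the established return traffic.
    printf 'iptables -A INPUT -p udp -s %s --sport %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' "$peer" "$rport" "$lport"
    printf 'iptables -A OUTPUT -p udp -d %s --sport %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' "$peer" "$lport" "$rport"
    # Traffic between the two LANs over the tunnel, limited to the networks the
    # routes of step 7 announce (remote net must come in on the tunnel,
    # local net must go out on it).
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -j ACCEPT\n' "$tun" "$lan" "$rnet" "$lnet"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -j ACCEPT\n' "$lan" "$tun" "$lnet" "$rnet"
}

# Stand-alone run: router A from the howto (local port 15000, peer on 1194,
# nA behind eth0, nB reachable through tun0).
vpn_rules 15000 1194 203.0.113.2 tun0 eth0 192.168.0.0/24 192.168.1.0/24
```

For rB call it with the ports, networks and the peer address swapped (vpn_rules 1194 15000 <address of rA> tun0 eth0 192.168.1.0/24 192.168.0.0/24). The rules assume a default policy of DROP on INPUT, OUTPUT and FORWARD; with a default ACCEPT policy the OUTPUT rule is redundant.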

6.) firing up the connection
On both hosts, issue this command to start the openvpn connection
Code:
sudo /etc/init.d/openvpn start
In the logs, you should now see how the connection is being established. A sample log (on rA) would look like this after the connection is up:
Quote:
Thu Apr 10 11:27:35 2008 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
Thu Apr 10 11:27:35 2008 TUN/TAP device tun0 opened
Thu Apr 10 11:27:35 2008 ifconfig tun0 10.0.0.1 pointopoint 10.0.1.1 mtu 1500
Thu Apr 10 11:27:35 2008 GID set to nogroup
Thu Apr 10 11:27:35 2008 UID set to nobody
Thu Apr 10 11:27:35 2008 UDPv4 link local (bound): [undef]:15000
Thu Apr 10 11:27:35 2008 UDPv4 link remote: x.x.x.x:1194
Thu Apr 10 11:27:45 2008 Peer Connection Initiated with x.x.x.x:1194
Thu Apr 10 11:27:46 2008 Initialization Sequence Completed
Also, using ifconfig, there should be a device called tun0 now, which would look like this (output translated from a German locale):
Quote:
someone@server:# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.0.0.1  P-t-P:10.0.1.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:167 errors:0 dropped:0 overruns:0 frame:0
          TX packets:175 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:14740 (14.3 KiB)  TX bytes:10705 (10.4 KiB)
With these, you are able to connect the openvpn processes. This means that from rA you should now be able to ping rB by its internal IP address (10.0.1.1), and the same in the other direction. It is essential that this connection is up and running, as anything that follows needs reachability over it. So make sure you can ping the internal IP addresses. However, the attached networks cannot utilize this link yet.

7.) Setting the Routes
The routers can now reach each other, but have yet no clue which network lies behind the other one. So we need to supply some more information, telling rA that the network 192.168.1.0/24 is now to be found behind the tun0 device, at the IP 10.0.1.1. Likewise, we need to tell rB that the 192.168.0.0/24 network is also found on tun0, but at the IP 10.0.0.1. Fortunately, openvpn brings a nice feature for this: you only have to add the routes to the config and they will be generated upon creating the device. On rA, add this line to rB.example.net.conf:
Quote:
route 192.168.1.0 255.255.255.0
Similarly, add this line to rA.example.net.conf on rB:
Quote:
route 192.168.0.0 255.255.255.0
It tells openvpn that this connection holds connectivity to the specified network; openvpn will worry about the rest and set the route up correctly.

Now, tell the openvpn processes on both routers to restart:
Code:
sudo /etc/init.d/openvpn restart

8.) Allowing traffic to pass from one internal network to the other
Depending on your firewall configuration, this step might not even be necessary. However, I'd like to point out the iptables rules needed to explicitly allow traffic to pass between the two networks over the VPN connection. Again, if you have self-written scripts or a program managing this for you, adapt these commands to your needs and do not run them. These commands are run on rA and rB; in both cases it is assumed that your internal network is attached to eth0, adapt this if needed:
Code:
sudo su
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
You should now be able to ping and access any host on nB from nA and vice versa. In Part 1, the networks have been joined via a virtual direct link between the routers.

Part 2
Most of what has been done in Part 1 is unusable in the setting we are after now. We will join the two networks nA and nB together to use a single IP range. Clients on either network will not be able to tell anymore whether a remote computer is on their physical network or on the other side of the VPN. Naturally, only one default gateway can be set in this scenario (see the gotchas at the end). Only step 2 can be taken from Part 1; all other steps have changed or do something completely different now. If you have already done Part 1, you can omit step 2, but you must turn off the routed tun0 setup from Part 1, otherwise it will be in the way and confuse the routing. So, I will start at point 1, skip point 2 and work my way from three onwards. Also I must warn you again that this setup is only to be used with caution, as it can produce a lot of unnecessary traffic between the networks, up to ALL traffic going over the VPN from one network to the other. Only apply these settings if there is no other way and you understand what it means to join two networks on the MAC layer! Consider yourself warned.

1.) Installing the necessary tools
In order to get everything working smoothly, there are a few packages which need to be installed. In Part 1, we only needed openvpn. This time, we also need bridge-utils as well as iproute (called iproute2 on current releases) for configuring the network cards during boot.
Code:
sudo apt-get install openvpn bridge-utils iproute

Now let's do exactly that.

2.) Creating the Shared Key
See Part 1, step 2.

3.) Bridging the Interfaces
NOTE: doing this step can break your entire Internet connection! Be sure you know what you are doing and how to UNDO the changes if necessary. Also I would strongly suggest you test them in a non-critical environment first!!! For now, I will assume that your internal network is bound to the network card eth1. If your internal network is not bound to eth1, change every appearance of eth1 into the appropriate device.

First check your network devices with ifconfig; your network card (eth1) should have the router's address on the internal network (192.168.0.1 on rA in the example). We will use the bridge control to create a device container (br0) to join the physical network card (eth1) with the tap device of your openvpn connection (tap0). In order to get this bridge setup working, open the file /etc/network/interfaces and search for the configuration of the device eth1. It should look something like this (rA shown; on rB use its own addresses):
Quote:
auto eth1
iface eth1 inet static
    address 192.168.0.1
    netmask 255.255.255.0
    broadcast 192.168.0.255
    network 192.168.0.0
Change every eth1 you see into br0. This will cause a bridge to come up at boot time with your previous configuration of eth1. You also need to tell the bridge that it should contain the device eth1; this can be done with the line
Quote:
bridge_ports eth1
So, when you are done with changing the entries, your full entry for br0 should look like this:
Quote:
auto br0
iface br0 inet static
    address 192.168.0.1
    netmask 255.255.255.0
    broadcast 192.168.0.255
    network 192.168.0.0
    bridge_ports eth1
Make sure you have chosen the right interface. The last thing to do is to also configure eth1 upon boot to not have any IP, but to use promiscuous mode and to come up, so we can see/hear anything that comes in on that device. So, right after the configuration of br0 we will define a new block for eth1, looking like this:
Quote:
auto eth1
iface eth1 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    up ip link set $IFACE promisc on
    down ip link set $IFACE promisc off
    down ifconfig $IFACE down
The network configuration should be done now. To really check if these settings worked you will need to reboot your machine. Once the reboot is done, check your network devices with ifconfig; the output should look like the following (translated from a German locale, with the example addresses):
Code:
test:~# ifconfig
br0       Link encap:Ethernet  HWaddr 00:0C:29:77:B1:6A
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe77:b16a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:155 errors:0 dropped:0 overruns:0 frame:0
          TX packets:128 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:14239 (13.9 KiB)  TX bytes:18581 (18.1 KiB)

eth1      Link encap:Ethernet  HWaddr 00:0C:29:77:B1:6A
          inet6 addr: fe80::20c:29ff:fe77:b16a/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:155 errors:0 dropped:0 overruns:0 frame:0
          TX packets:134 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:16409 (16.0 KiB)  TX bytes:19049 (18.6 KiB)
          Interrupt:177 Base address:0x1400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
The crucial settings: br0 now has your IP address, while eth1 is unconfigured (has no IP) and is in promiscuous mode (PROMISC). Both network cards should be marked as UP. The last thing to check is whether eth1 really got added to br0. This can be checked via brctl show br0; the output should look like the following:
Code:
test:~# brctl show br0
bridge name     bridge id               STP enabled     interfaces
br0             8000.000c2977b16a       no              eth1
If all the settings are correct, your basic setup is complete and the bridge is working normally. Also, check your iptables/firestarter configuration: if it is still expecting packets on eth1, change those rules to br0, as this is now your internal network card. Otherwise you will run into trouble with network connectivity.

4.) needed scripts for openvpn
NOTE: parts of these scripts have been taken from here and here. Thanks go to the original posters; I also got my idea on how to make the settings persistent from those pages.

When the openvpn connection comes up, we will need to add the newly created tap device to the bridge. Unfortunately openvpn does not bring any automated commands for that (as far as I know, at least), so we will need to make our own little scripts and make sure they are run when openvpn starts/stops. First, we will create a file called up.sh which will handle the adding of the created tap device to the bridge. I think it is good to place it into the /etc/openvpn folder. So, create the file and fill it with the following script. openvpn calls it with the arguments given in the config (the bridge name) followed by its own arguments, of which we use the device name and the MTU:
Code:
#!/bin/sh
# up.sh BRIDGE DEV MTU ...  (BRIDGE comes from the config, DEV and MTU are appended by openvpn)
BR=$1
DEV=$2
MTU=$3
/sbin/ifconfig $DEV mtu $MTU promisc up
/usr/sbin/brctl addif $BR $DEV
Next is the file which will remove the tap device from the bridge. I'll call it down.sh, and it should also be placed into the /etc/openvpn folder. Its content reads as follows:
Code:
#!/bin/sh
# down.sh BRIDGE DEV ...  (same argument order as up.sh)
BR=$1
DEV=$2
/usr/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down
Lastly, make both files executable with these commands (adding the +x bit):
Code:
sudo chmod +x /etc/openvpn/up.sh
sudo chmod +x /etc/openvpn/down.sh

Two caveats on these scripts: on OpenVPN 2.1 and newer, external scripts are only executed if the config also contains "script-security 2". And because we run with "user nobody", the down script is executed after the privileges have been dropped, so brctl delif and ifconfig down will fail with a permission error (the up script is not affected, it runs before the drop). If you need the down script to work, run it through the openvpn-plugin-down-root.so plugin that ships with openvpn instead of the plain down line, or simply leave the tap device in the bridge; persist-tun keeps it open across reconnects anyway.

5.) Configuring openvpn
This configuration of openvpn is very similar to steps 3 and 4 of Part 1. There are only a few minor changes to the files. Since it was already explained what happens, I will only paste the config files for the two routers here. Again, make sure that both routers have the same static.key file and that it was transmitted securely between them.

Configuration for rA (/etc/openvpn/rB.example.net.conf):
Quote:
dev tap0
remote rB.example.net
secret /etc/openvpn/static.key
daemon
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
lport 15000
rport 1194
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/rB.example.net-status.log
log-append /var/log/openvpn/rB.example.net.log
ping-restart 60
ping 20

Configuration for rB (/etc/openvpn/rA.example.net.conf):
Quote:
dev tap0
remote rA.example.net
secret /etc/openvpn/static.key
daemon
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
lport 1194
rport 15000
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/rA.example.net-status.log
log-append /var/log/openvpn/rA.example.net.log
ping-restart 60
ping 20

Note that the main difference is the missing ifconfig statement: since we now forward on layer 2, we don't need explicit IP addresses for the tap devices anymore. Also note the up and down commands supplied in the config. These entries run the scripts we created in step 4 and make sure that the tap device is added to the bridge properly. If you chose a different name than br0 for your bridge, you will need to change these commands; otherwise, leave them untouched. Again, anything after the daemon line can be omitted. Apart from that, the config files are pretty much the same as in Part 1; make sure to change the host names to the fqdn of the servers to connect to.

6.) starting the connection
If you now start the openvpn connection, nothing visible should happen (except the thing loading; check step 6 in Part 1 to see what the log output looks like). Start the connection with (on rA and rB)
Code:
sudo /etc/init.d/openvpn start
First check (on both routers) whether the tap0 device got added to your bridge. Do this with the brctl show br0 command. The output should now look like this:
Quote:
test:~# brctl show br0
bridge name     bridge id               STP enabled     interfaces
br0             8000.000c2977b16a       no              eth1
                                                        tap0
If both bridges look like that, the bridge is up and running and your networks are now joined. Another way of testing it would be placing a computer with the IP 192.168.2.1 in nB and a computer with the IP 192.168.2.2 in nA and then trying to ping each other. I have chosen IPs that do not match either network (nA or nB) to show the power of the bridge (the IPs can of course be freely chosen). Even though neither rA nor rB knows about any 192.168.2.0/24 network, the two hosts, which are in two separate networks, can ping each other over the bridge. If this works, your setup is finished here. If you place a host in nB with an address of nA, you can reach it from anywhere as if it were in nA.

7.) Gotchas with the bridge
In general, your setup is complete. However, I would like to point out a few gotchas that you might run into:
a) if both nA and nB have a working DHCP server which considers itself to be authoritative, you must shut down one of them, or block any DHCP request/lease from passing the bridge. ONLY have one DHCP server per network, ever. Otherwise you might run into some very strange results.
b) if you wish to block packets in iptables, you must now use the br0 device. This means you will have rules for packets that come in and go out on the br0 device. (Rules that need to tell the two sides of the bridge apart can use the physdev match, e.g. -m physdev --physdev-in tap0, which needs the br_netfilter module.)
c) if you have joined the networks together and chose to have one IP range over both networks, clients possibly do not know anymore where one network ends and the other starts, and you should be aware that this will put a lot of stress on the other router. So, if you chose that nB should now go into the IP range of nA, any packet to the Internet from nB would first travel to rA and then go to the net from there. This may sound silly, but sooner or later you will run into this problem. With a fast Internet connection this might be acceptable, but especially with ADSL links this is NOT a desired behaviour.
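Two helpers for this part, added here as an example and not part of the original howto: bridge_members and check_bridge parse the output of brctl show so the checks of steps 3 and 6 (is eth1, and later tap0, in br0?) can be scripted, and dhcp_block_rules prints rules for gotcha a) that stop DHCP from crossing the bridge instead of shutting a server down. The brctl output below is constructed to match the example; the ebtables and iptables physdev syntax is that of the stock Debian/Ubuntu tools, and the physdev rules only see bridged traffic when the br_netfilter module is loaded with net.bridge.bridge-nf-call-iptables=1:

```shell
#!/bin/sh
# Checks and DHCP containment for the bridged setup.
# Added example, not from the original howto. The brctl output written by
# write_sample_brctl is constructed from the howto's example.

# bridge_members BRCTL_OUTPUT_FILE BRIDGE: print the interfaces attached to
# BRIDGE. `brctl show` prints name, id, STP and the first port on one line and
# every further port on its own, indented line; a bridge with no ports has
# only three fields.
bridge_members() {
    awk -v br="$2" '
        NR == 1 { next }                                   # header line
        NF >= 3 { cur = $1; if (NF >= 4) port = $4; else next }
        NF == 1 { port = $1 }                              # continuation line
        cur == br { print port }' "$1"
}

# check_bridge FILE BRIDGE PORT...: return 0 if every named port is attached
# to BRIDGE, 1 (with a message per missing port) otherwise.
check_bridge() {
    f=$1; br=$2; shift 2; rc=0
    members=$(bridge_members "$f" "$br")
    for p in "$@"; do
        printf '%s\n' "$members" | grep -qx "$p" || { echo "$p is not in $br"; rc=1; }
    done
    return $rc
}

# dhcp_block_rules TAP_IF: print rules that drop DHCPv4 (udp 67/68) entering
# or leaving the bridge through the tunnel port, so each LAN only sees its own
# DHCP server. The ebtables rules work on any bridge; the iptables physdev
# rules need br_netfilter (net.bridge.bridge-nf-call-iptables=1).
dhcp_block_rules() {
    tap=$1
    printf 'ebtables -A FORWARD -i %s -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP\n' "$tap"
    printf 'ebtables -A FORWARD -o %s -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP\n' "$tap"
    printf 'iptables -A FORWARD -m physdev --physdev-in %s -p udp --dport 67:68 -j DROP\n' "$tap"
    printf 'iptables -A FORWARD -m physdev --physdev-out %s -p udp --dport 67:68 -j DROP\n' "$tap"
}

# write_sample_brctl FILE: constructed `brctl show br0` output after step 6.
write_sample_brctl() {
    printf 'bridge name\tbridge id\t\tSTP enabled\tinterfaces\n' > "$1"
    printf 'br0\t\t8000.000c2977b16a\tno\t\teth1\n' >> "$1"
    printf '\t\t\t\t\t\t\ttap0\n' >> "$1"
}

# Stand-alone run against the constructed output; on a real router use
# brctl show br0 > /tmp/br.txt (or ls /sys/class/net/br0/brif) instead.
f=$(mktemp)
write_sample_brctl "$f"
check_bridge "$f" br0 eth1 tap0 && echo "br0 has eth1 and tap0"
dhcp_block_rules tap0
```

Choose either the ebtables pair or the iptables pair, not both; the ebtables rules are the simpler choice because they do not depend on br_netfilter, which also changes how iptables sees all other bridged traffic.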
