OPENVPN - The Easy Tutorial - Ethernet VPN

OpenVPN Ethernet VPN
Last Update: Feb 04 2008







Ethernet VPN

In this scenario, we will create an OpenVPN tunnel in Ethernet or bridged mode with the minimum required settings.
A Microsoft Windows machine is used as the OpenVPN client, a Linux system as the OpenVPN server.

The other OpenVPN tunnel mode is called IP or routed mode. See a case study about this mode.

[Figure: OpenVPN tunnel in bridged (Ethernet) mode]


Case studies on this page:
1. No security
2. Preshared keys
3. SSL


1. NO SECURITY

Read more information about OpenVPN in transparent mode.
Refer to the OpenVPN tutorial for explanations about the configurations.

WINDOWS VPN BOX - OPENVPN CLIENT:

Configuration file:
The configuration below is stored in the "C:\Program Files\OpenVPN\config\client.txt" file.

# OpenVPN server
remote 100.0.0.2
# Tunnel mode
dev tap
# IP addresses
ifconfig 10.8.0.2 255.255.255.0
# Cipher mode
cipher none
# Authentication mode
auth none
# Log verbosity
verb 2

Launch OpenVPN

C:\Program Files\OpenVPN\config>openvpn client.txt

Log output:

OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
IMPORTANT: OpenVPN's default port number is now 1194, based on an official
   port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the
   default port.
******* WARNING *******: all encryption and authentication features disabled -- all data
   will be tunnelled as cleartext
TAP-WIN32 device [Connexion au réseau local 3] opened: \\.\Global\{928ACEB1-D160-420A-ADD6-A72E816FC022}.tap
TAP-Win32 MTU=1500
Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.0 on
   interface {928ACEB1-D160-420A-ADD6-A72E816FC022} [DHCP-serv: 10.8.0.1,
   lease-time:31536000]
Successful ARP Flush on interface [3] {928ACEB1-D160-420A-ADD6-A72E816FC022}
Data Channel MTU parms [ L:1500 D:1450 EF:0 EB:4 ET:0 EL:0 ]
Local Options hash (VER=V4): '2f636dfc'
Expected Remote Options hash (VER=V4): '2f636dfc'
UDPv4 link local (bound): [undef]:1194
UDPv4 link remote: 100.0.0.2:1194
Peer Connection Initiated with 100.0.0.2:1194
Initialization Sequence Completed

Legend (items to identify in the log output):

1. OpenVPN version
2. Security mode
3. Cipher algorithm
4. Hash algorithm
5. TUN/TAP drivers
6. Tunnel MTU
7. Tunnel local IP
8. Tunnel remote IP
9. TCP or UDP port
10. OpenVPN server IP
11. Remote OpenVPN peer
12. OpenVPN status

LINUX VPN BOX - OPENVPN SERVER:
The configuration below is stored in the "/etc/openvpn/server.txt" file.

# Tunnel mode
dev tap
# IP addresses
ifconfig 10.8.0.1 255.255.255.0
# Cipher mode
cipher none
# Authentication mode
auth none
# Log verbosity
verb 2

Launch OpenVPN

/etc/openvpn#openvpn server.txt

Read information about how to use OpenVPN startup scripts.

Log output:

OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on May 21 2007
IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number
   assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
******* WARNING *******: all encryption and authentication features disabled -- all data
   will be tunnelled as cleartext
TUN/TAP device tap0 opened
ifconfig tap0 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Data Channel MTU parms [ L:1500 D:1450 EF:0 EB:4 ET:0 EL:0 ]
Local Options hash (VER=V4): '2f636dfc'
Expected Remote Options hash (VER=V4): '2f636dfc'
UDPv4 link local (bound): [undef]:1194
UDPv4 link remote: [undef]
Peer Connection Initiated with 50.0.0.2:1194
Initialization Sequence Completed
Continue with the network statistics



2. PRESHARED KEYS

Read explanation about OpenVPN in preshared key mode to know how to create static keys or to get more information.
Refer to the OpenVPN tutorial for explanations about the configurations.

WINDOWS VPN BOX - OPENVPN CLIENT:

Configuration file:
The configuration below is stored in the "C:\Program Files\OpenVPN\config\client.txt" file.

# openVPN server
remote 100.0.0.2
# Tunnel mode
dev tap
# Ip addresses
ifconfig 10.8.0.2 255.255.255.0
# shared key
secret "C:\\Program Files\\OpenVPN\\config\\key.txt"
# Log verbosity
verb 2

Launch OpenVPN

C:\Program Files\OpenVPN\config>openvpn client.txt

Log output:

OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
IMPORTANT: OpenVPN's default port number is now 1194, based on an official port num.
   assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
TAP-WIN32 device [Local Area Connection 5] opened:
   \\.\Global\{E2D87AAD-28F7-432E-8A00-5E67BE6DD464}.tap
TAP-Win32 MTU=1500
Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.0 on
   interface {E2D87AAD-28F7-432E-8A00-5E67BE6DD464} [DHCP-serv: 10.8.0.1,
   lease-time: 31536000]
Successful ARP Flush on interface [4] {E2D87AAD-28F7-432E-8A00-5E67BE6DD464}
Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:4 ET:0 EL:0 ]
Local Options hash (VER=V4): '62f81101'
Expected Remote Options hash (VER=V4): '62f81101'
UDPv4 link local (bound): [undef]:1194
UDPv4 link remote: 100.0.0.2:1194
Peer Connection Initiated with 100.0.0.2:1194
Initialization Sequence Completed

Legend (items to identify in the log output):

1. OpenVPN version
2. Security mode
3. Cipher algorithm
4. Hash algorithm
5. TUN/TAP drivers
6. Tunnel MTU
7. Tunnel local IP
8. Tunnel remote IP
9. TCP or UDP port
10. OpenVPN server IP
11. Remote OpenVPN peer
12. OpenVPN status

LINUX VPN BOX - OPENVPN SERVER:
The configuration below is stored in the "/etc/openvpn/server.txt" file.

# Tunnel mode
dev tap
# Ip addresses
ifconfig 10.8.0.1 255.255.255.0
# shared key
secret /home/user/key.txt
# Log verbosity
verb 2

Launch OpenVPN

/etc/openvpn#openvpn server.txt

Read information about how to use OpenVPN startup scripts.

Log output:

OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Mar 2 2007
IMPORTANT: OpenVPN's default port number is now 1194, based on an official port num.
   assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
WARNING: file '/home/po/key.txt' is group or others accessible
Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
TUN/TAP device tap0 opened
ifconfig tap0 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:4 ET:0 EL:0 ]
Local Options hash (VER=V4): '1d6953e5'
Expected Remote Options hash (VER=V4): '1d6953e5'
UDPv4 link local (bound): [undef]:1194
UDPv4 link remote: [undef]
Peer Connection Initiated with 50.0.0.2:1194
Initialization Sequence Completed
Continue with the network statistics



3. SSL

Read the SSL OpenVPN mode to know how to create keys and certificates or to get more information.
Refer to the OpenVPN tutorial for explanations about the configurations.

WINDOWS VPN BOX - OPENVPN CLIENT:

Configuration file:
The configuration below is stored in the "C:\Program Files\OpenVPN\config\client.txt" file.

# TLS mode - client
tls-client
# openVPN server
remote 100.0.0.2
# Tunnel mode
dev tap
# IP addresses
ifconfig 10.8.0.2 255.255.255.0
# CA certificate
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
# client certificate (issued for CN=client; this is the certificate the server's VERIFY OK line reports)
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client.crt"
# client private key (the key matching client.crt)
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client.key"
# Log verbosity
verb 2

Launch OpenVPN

C:\Program Files\OpenVPN\config>openvpn client.txt

Log output:

OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
IMPORTANT: OpenVPN's default port number is now 1194, based on an official port
   number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default
   port.
WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
TAP-WIN32 device [Connexion au réseau local 3] opened: \\.\Global\{928ACEB1-D160-420A-ADD6-A72E816FC022}.tap
TAP-Win32 MTU=1500
Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.0 on
   interface {928ACEB1-D160-420A-ADD6-A72E816FC022} [DHCP-serv: 10.8.0.1,
   lease-time: 31536000]
Successful ARP Flush on interface [3] {928ACEB1-D160-420A-ADD6-A72E816FC022}
Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Local Options hash (VER=V4): '2ea34e3b'
Expected Remote Options hash (VER=V4): '2ea34e3b'
UDPv4 link local (bound): [undef]:1194
UDPv4 link remote: 100.0.0.2:1194
TLS Error: local/remote TLS keys are out of sync: 100.0.0.2:1194 [0]
VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=OpenManiak/
   CN=OpenManiak_CA/emailAddress=me@myhost.mydomain
VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=OpenManiak/
   CN=server/emailAddress=me@myhost.mydomain
Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
[server] Peer Connection Initiated with 100.0.0.2:1194
Initialization Sequence Completed

Legend (items to identify in the log output):

1. OpenVPN version
2. Security mode
3. Cipher algorithm
4. Hash algorithm
5. TUN/TAP drivers
6. Tunnel MTU
7. Tunnel local IP
8. Tunnel remote IP
9. TCP or UDP port
10. OpenVPN server IP
11. Remote OpenVPN peer
12. OpenVPN status
13. Client certificate
14. Server certificate
15. CA certificate

LINUX VPN BOX - OPENVPN SERVER:
The configuration below is stored in the "/etc/openvpn/server.txt" file.

# TLS mode - server
tls-server
# Tunnel mode
dev tap
# IP addresses
ifconfig 10.8.0.1 255.255.255.0
# CA certificate
ca ca.crt
# server certificate (issued for CN=server; this is the certificate the client's VERIFY OK line reports)
cert server.crt
# server private key
key server.key
# Diffie-Hellman Settings
dh dh1024.pem
# Log verbosity
verb 2

Launch OpenVPN

/etc/openvpn#openvpn server.txt

Read information about how to use OpenVPN startup scripts.

Log output:

OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on May 21 2007
IMPORTANT: OpenVPN's default port number is now 1194, based on an official port
   number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default
   port.
Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
TUN/TAP device tap0 opened
ifconfig tap0 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Local Options hash (VER=V4): '2ea34e3b'
Expected Remote Options hash (VER=V4): '2ea34e3b'
UDPv4 link local (bound): [undef]:1194
UDPv4 link remote: [undef]
VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=OpenManiak/
   CN=OpenManiak_CA/emailAddress=me@myhost.mydomain
VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=OpenManiak/
   CN=client/emailAddress=me@myhost.mydomain
Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
[client] Peer Connection Initiated with 50.0.0.2:1194
Initialization Sequence Completed
Continue with the network statistics
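The three case studies above produce three different warnings in the logs: "all data will be tunnelled as cleartext" (cipher none / auth none), "file ... is group or others accessible" (the static key file) and "No server certificate verification method has been enabled" (the TLS client). The linter below is an added example, not code from the OpenManiak tutorial or the OpenVPN project; it parses a 2.0-style config and reports the same three conditions before the tunnel is started. The sample configs and the placeholder key file it creates are constructed; the option names (cipher, auth, secret, key, tls-client, ns-cert-type, remote-cert-tls, tls-verify) are real OpenVPN options.

```python
"""Lint an OpenVPN 2.0-style config for the weaknesses the logs on this page warn about.

Added example; not code from the OpenManiak tutorial or the OpenVPN project.
It reports: cipher none / auth none (the "tunnelled as cleartext" warning),
a tls-client config with no server-certificate check (the "No server certificate
verification method" warning) and a key or secret file readable by group/others
(the "is group or others accessible" warning).
"""
import os
import shlex
import stat
import tempfile

# Constructed sample configs mirroring the page's three client configurations.
CONFIG_NO_SECURITY = """
remote 100.0.0.2
dev tap
ifconfig 10.8.0.2 255.255.255.0
cipher none
auth none
verb 2
"""
CONFIG_STATIC_KEY = """
remote 100.0.0.2
dev tap
ifconfig 10.8.0.2 255.255.255.0
secret key.txt
verb 2
"""
CONFIG_TLS = """
tls-client
remote 100.0.0.2
dev tap
ifconfig 10.8.0.2 255.255.255.0
ca ca.crt
cert client.crt
key client.key
verb 2
"""


def parse_config(text):
    """Map each option name to the list of its argument lists (an option may repeat)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = shlex.split(line)          # handles the quoted Windows paths
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def security_mode(opts):
    """Classify the config the way the three case studies on this page do."""
    if 'secret' in opts:
        return 'static-key'
    if any(o in opts for o in ('tls-client', 'tls-server', 'client', 'server')):
        return 'tls'
    return 'none'


def group_or_world_accessible(path):
    """The same test OpenVPN applies before warning about a key file's permissions."""
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))


def lint(text, base_dir='.'):
    """Return a list of human-readable findings for one config."""
    opts = parse_config(text)
    findings = []
    # OpenVPN 2.0 defaults are BF-CBC and SHA1; 'none' switches them off entirely.
    if opts.get('cipher', [['BF-CBC']])[0] == ['none']:
        findings.append('cipher none: payload is tunnelled as cleartext')
    if opts.get('auth', [['SHA1']])[0] == ['none']:
        findings.append('auth none: no HMAC, packets can be forged or altered in transit')
    is_client = 'tls-client' in opts or 'client' in opts
    if security_mode(opts) == 'tls' and is_client:
        # ns-cert-type is the 2.0-era option, remote-cert-tls the 2.1+ one.
        if not any(o in opts for o in ('ns-cert-type', 'remote-cert-tls', 'tls-verify')):
            findings.append('no server certificate verification method: any certificate '
                            'signed by the CA, another client included, is accepted as the server')
    for option in ('secret', 'key'):
        for args in opts.get(option, []):
            path = os.path.join(base_dir, args[0])
            if os.path.exists(path) and group_or_world_accessible(path):
                findings.append('%s file %s is group or others accessible' % (option, args[0]))
    return findings


def demo():
    """Run the linter over the samples with a throw-away key file; return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        key_path = os.path.join(tmp, 'key.txt')
        with open(key_path, 'w') as fh:
            fh.write('# constructed placeholder, not a real static key\n')
        os.chmod(key_path, 0o644)   # the permissions the page's server log complains about
        loose = lint(CONFIG_STATIC_KEY, tmp)
        os.chmod(key_path, 0o600)   # owner-only: the fix
        fixed = lint(CONFIG_STATIC_KEY, tmp)
    return {'none': lint(CONFIG_NO_SECURITY), 'static-key loose': loose,
            'static-key fixed': fixed, 'tls': lint(CONFIG_TLS)}


if __name__ == '__main__':
    for name, found in demo().items():
        print(name, '->', found or ['ok'])
```

Run the file directly to see one result line per sample config. For a real deployment, point lint() at the config text and pass the directory that relative key paths are resolved against (/etc/openvpn for the server.txt on this page); the tls finding disappears as soon as the client config names a server-certificate check such as ns-cert-type server.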



NETWORK STATISTICS: (similar for the three case studies)

INTERFACES:

OpenVPN client: C:\>ipconfig

Windows IP Configuration
     
Ethernet adapter Local Area Connection:
     
  Connection-specific DNS Suffix . :
  IP Address. . . . . . . . . . . . . . . : 50.0.0.2
  Subnet Mask . . . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . . . : 50.0.0.1
     
Ethernet adapter Local Area Connection 1:
     
  Connection-specific DNS Suffix .  
  IP Address. . . . . . . . . . . . . . . : 10.8.0.2
  Subnet Mask . . . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . . . :

OpenVPN server: #ifconfig

eth0 Link encap:Ethernet HWaddr 11:22:33:44:55:66
  inet adr:100.0.0.2 Bcast:100.0.0.255 Mask:255.255.255.0
  adr inet6: fe80::212:3fff:3344:5566/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
  RX Packets:1641 errors:0 :0 overruns:0 frame:0
  TX packets:2130 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:186894 (182.5 KiB) Octets transmis:231430 (226.0 KiB)
  Interrupt:16
   
lo Link encap:Local Loopback
  inet adr:127.0.0.1 Mask:255.0.0.0
  adr inet6: ::1/128 Scope:Host
  UP LOOPBACK RUNNING MTU:16436 Metric:1
  RX Packets:929 errors:0 :0 overruns:0 frame:0
  TX packets:929 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:128263 (125.2 KiB) TX bytes:128263 (125.2 KiB)
   
tun 0 Link encap:UNSPEC HWaddr 00:FF:11:22:33:44
  inet adr:10.8.0.1 Bcast:10.8.0.255 Mask:255.255.255.0
  inet6 addr: fe80::2ff:cfff:1122:3344/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
  RX Packets:89 errors:0 :0 overruns:0 frame:0
  TX packets:90 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:100
  RX bytes:5340 (5.2 KiB) TX bytes:5424 (5.2 KiB)

ROUTING TABLE:

OpenVPN client: C:\>route print

==============================================================
Interface List
0x1   MS TCP Loopback interface
0x2 00 08 02 94 c1 eb Intel(R) PRO/100 VM Network Connection - Packet Scheduler Miniport
0x3 00 ff e2 d8 7a ad TAP-Win32 Adapter V8 - Packet Scheduler Miniport
===============================================================
===============================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 50.0.0.1 50.0.0.2 20
10.8.0.0 255.255.255.0 10.8.0.2 10.8.0.2 30
10.8.0.2 255.255.255.255 127.0.0.1 127.0.0.1 30
10.255.255.255 255.255.255.255 10.8.0.2 10.8.0.2 30
50.0.0.0 255.255.255.0 50.0.0.2 50.0.0.2 20
50.0.0.2 255.255.255.255 127.0.0.1 127.0.0.1 20
50.255.255.255 255.255.255.255 50.0.0.2 50.0.0.2 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.8.0.2 10.8.0.2 30
224.0.0.0 240.0.0.0 50.0.0.2 50.0.0.2 20
255.255.255.255 255.255.255.255 10.8.0.2 10.8.0.2 1
255.255.255.255 255.255.255.255 10.8.0.2 3 1
255.255.255.255 255.255.255.255 50.0.0.2 50.0.0.2 1
Default Gateway: 50.0.0.1      
===============================================================
Persistent Routes:
  None            

OpenVPN server: #route -n

Kernel Ip routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tap0
100.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 100.0.0.1 0.0.0.0 UG 0 0 0 eth0
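The two routing tables above show the property a bridged tunnel depends on: the tunnel subnet (10.8.0.0/24) is reached through the TAP adapter, while the peer's public address (50.0.0.2 seen from the server, 100.0.0.2 seen from the client) still leaves through the physical interface and its default gateway. If the peer's public address were ever routed into the tunnel, the encapsulated packets would be sent back into the tunnel and the link would never come up. The checker below is an added example, not code from the tutorial or from OpenVPN; it parses the page's `route -n` and `route print` listings (copied here as constructed input), performs the longest-prefix lookup the kernel performs, and confirms that the transport path stays outside the tunnel.

```python
"""Verify from routing-table output that tunnel traffic uses the TAP interface and
the peer's public address does not. Added example with constructed input modelled on
the page's `route -n` and `route print` listings; not OpenManiak's or OpenVPN's code."""
import ipaddress

# Constructed: the Linux `route -n` output shown on the page.
ROUTE_N = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tap0
100.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 100.0.0.1 0.0.0.0 UG 0 0 0 eth0
"""

# Constructed: the relevant `route print` active-route rows from the page
# (Network Destination, Netmask, Gateway, Interface, Metric).
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 50.0.0.1 50.0.0.2 20
10.8.0.0 255.255.255.0 10.8.0.2 10.8.0.2 30
50.0.0.0 255.255.255.0 50.0.0.2 50.0.0.2 20
"""


def parse_route_n(text):
    """Return (network, gateway, iface) tuples from `route -n` output, skipping the header."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] == 'Destination':
            continue
        net = ipaddress.ip_network('%s/%s' % (f[0], f[2]), strict=False)  # dest/genmask
        routes.append((net, f[1], f[7]))
    return routes


def parse_route_print(text):
    """Return (network, gateway, interface_ip) tuples from `route print` active-route rows."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5:
            continue
        net = ipaddress.ip_network('%s/%s' % (f[0], f[1]), strict=False)
        routes.append((net, f[2], f[3]))
    return routes


def best_route(routes, dest):
    """Longest-prefix match, the same rule the kernel applies; None if nothing matches."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def transport_outside_tunnel(routes, peer_public_ip, tunnel_iface):
    """True when the peer's public address is NOT routed into the tunnel (no routing loop)."""
    route = best_route(routes, peer_public_ip)
    return route is not None and route[2] != tunnel_iface


if __name__ == '__main__':
    linux = parse_route_n(ROUTE_N)
    print('server -> 10.8.0.2 via', best_route(linux, '10.8.0.2')[2])
    print('server -> 50.0.0.2 via', best_route(linux, '50.0.0.2')[2],
          'gateway', best_route(linux, '50.0.0.2')[1])
    print('server loop-free:', transport_outside_tunnel(linux, '50.0.0.2', 'tap0'))
    windows = parse_route_print(ROUTE_PRINT)
    print('client -> 10.8.0.1 via interface', best_route(windows, '10.8.0.1')[2])
    print('client loop-free:', transport_outside_tunnel(windows, '100.0.0.2', '10.8.0.2'))
```

On Windows the interface column holds the adapter's IP address rather than a name, so the tunnel interface is identified by 10.8.0.2 there and by tap0 on the Linux side.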

CONNECTIVITY CHECKS:

OpenVPN client: C:\>tracert 10.8.0.1

Tracing route to 10.8.0.1 over a maximum of 30 hops

1  <1 ms  <1 ms   <1 ms  10.8.0.1

Trace complete.

OpenVPN client: C:\>tracert 100.0.0.2

Tracing route to 100.0.0.2 over a maximum of 30 hops

1  <1 ms  <1 ms  <1 ms  50.0.0.1
2  <1 ms  <1 ms  <1 ms  100.0.0.2

Trace complete.
