OPENVPN - The Easy Tutorial - Bridging

OpenVPN Bridging
Last Update: Mar 05 2008



Russian translation by Sergiy Uvarov.






1. PRINCIPLE
2. PICTURE
3. WINDOWS A
4. WINDOWS B
5. LINUX A
6. LINUX B
7. LINUX C
8. CHECKS
9. ANNEX



1. PRINCIPLE

The goal of this tutorial is to build an OSI layer two link between two laptops separated by two Linux machines and one Windows machine.
To do it, bridges are built on these three machines because, like switches, a bridge operates at OSI layer two. This differs from routers, which work at OSI layer three and stop layer two broadcasts to avoid network saturation.

The bridges on the Windows B and Linux B machines are composed of a physical network interface and the virtual OpenVPN interface, and are made by the operating system. The bridge on Linux A is composed of two virtual interfaces and is made by OpenVPN itself.

In this tutorial, OpenVPN is used in bridge (TAP) and SSL mode. SSL mode is required to have multiple tunnels on a machine and so to establish an OpenVPN bridge.
You will need to establish a Public Key Infrastructure and create a pair of public and private keys for Linux A (certificate common name "server"), Windows B ("windows") and Linux B ("linux").

You can also find more information about the OpenVPN advanced options and about how to secure a Linux OpenVPN box.



2. PICTURE

[Picture: openvpn bridge scenario]



3. WINDOWS A

On the Windows A laptop, we just need to set an IP address and a subnet mask (10.9.0.111/24). The default gateway is not needed as we are working in a layer 2 environment.

- Start -> Settings -> "Network Connections"
- Select the network interface -> Right click -> Properties

- Select "Internet Protocol (TCP/IP)"
- Configure the IP address and subnet mask




4. WINDOWS B

WAN interface configuration:

We just need to set an IP address and a subnet mask (50.0.1.2/24). The default gateway is not needed as we are working in a layer 2 environment.

- Start -> Settings -> "Network Connections"
- Select the network interface -> Right click -> Properties

- Select "Internet Protocol (TCP/IP)"
- Configure the IP address and subnet mask

Bridge Configuration:

- Start -> Settings -> "Network Connections"

- Select the network interfaces that are members of the bridge:
  - "Local Area Connection", one of the two physical interfaces.
  - "Local Area Connection 2", the virtual OpenVPN interface.

- Right click -> Bridge Connections.

The bridge is created with its two members.

Configure the Bridge IP address:
- Select the bridge -> Right click -> Properties

- Select "Internet Protocol (TCP/IP)"

- Configure the IP address and subnet mask (10.9.0.101/24).

OpenVPN Configuration:

On Windows B, you need to have the following files in the "C:\Program Files\OpenVPN\config" folder:

- ca.crt: the Certificate Authority (CA) certificate.
- windows.crt: the "windows" certificate, which contains the "windows" public key.
- windows.key: the "windows" private key.
- openvpn.conf: the OpenVPN configuration.

The first three files are provided by the CA. Look at the case study introduction at the top of this page for more information.

The configuration file is "openvpn.conf" and is also stored in the "C:\Program Files\OpenVPN\config" folder.

# Client mode
tls-client
# Server IP address
remote 50.0.1.1
# Bridge mode
dev tap
# Port
port 2000
# Certificate authority (CA) certificate
ca ca.crt
# "windows" private key
key windows.key
# "windows" public key
cert windows.crt
# Accept data pushed by the server
pull
# verbosity level
verb 2

To start OpenVPN automatically at logon, follow the steps below:

- Start -> Run, then open the group policy editor: gpedit.msc
- Computer Configuration -> Administrative Templates -> System -> Logon
- Select "Run these programs at logon" -> Right click -> Properties
- Click on "Enabled", then on the "Show..." button
- In the "Show Contents" window, click on the "Add" button and enter the following command: openvpn "C:\Program Files\OpenVPN\config\openvpn.conf"
- Click on "OK".
- Click on "OK" again.

Windows is now configured to launch OpenVPN automatically at logon.




5. LINUX A

Network Interfaces Configuration:

Configure the interfaces IP address:

#ifconfig eth0 50.0.1.1 netmask 255.255.255.0
#ifconfig eth1 60.0.1.1 netmask 255.255.255.0

To keep your settings after a reboot, edit the "/etc/network/interfaces" file:

#vim /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 50.0.1.1
netmask 255.255.255.0

auto eth1
iface eth1 inet static
address 60.0.1.1
netmask 255.255.255.0

OpenVPN Configuration:

On Linux A, you need to have the following files in the "/etc/openvpn/" directory:

- ca.crt: the Certificate Authority (CA) certificate.
- server.crt: the "server" certificate, which contains the server public key.
- server.key: the "server" private key.
- openvpn.conf: the OpenVPN configuration.
- ipp.txt: the clients' IP address reservations.

The first three files are provided by the CA. Look at the case study introduction at the top of this page for more information.

Let's create the OpenVPN config file.
Be careful to put the configuration file in the "/etc/openvpn" directory with a ".conf" extension, so that the OpenVPN startup script picks it up.
Note that the "lport" setting is used to create several tunnels on a machine with a single OpenVPN configuration file.

# Server mode
tls-server
# Bridge mode
dev tap0
# IP settings, server takes 10.9.0.1
server 10.9.0.0 255.255.255.0
# Local port
lport 2000
# Certificate authority (CA) certificate
ca ca.crt
# "server" private key
key server.key
# "server" public key
cert server.crt
# Diffie-Hellman settings
dh dh1024.pem
# Authorises client to client connectivity
client-to-client
# clients IP address reservations
ifconfig-pool-persist ipp.txt
# Verbosity level
verb 2
By default, OpenVPN is automatically launched at user logon.




6. LINUX B

Network Interface Configuration:

#ifconfig eth0 60.0.1.2 netmask 255.255.255.0

To keep your settings after a reboot, edit the "/etc/network/interfaces" file:

#vim /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 60.0.1.2
netmask 255.255.255.0

Bridge Configuration:

- Install the tools needed to build a bridge:

#apt-get install bridge-utils
- Load the bridge kernel module:

#modprobe bridge
- Check that the bridge module is loaded:

#lsmod | grep bridge
- The OpenVPN virtual interface has to be permanently up to be integrated in a bridge:

#openvpn --mktun --dev tap0
- Activate eth1 interface:

#ifconfig eth1 up
- Create the bridge:

#brctl addbr br0
- Add members to the bridge:

#brctl addif br0 eth1
#brctl addif br0 tap0
- Set the bridge IP address:

#ifconfig br0 10.9.0.201 netmask 255.255.255.0
- Check the bridge status:

#brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.0000ab12cd34       no              tap0
                                                        eth1
The bridge ID begins with "8000" and is followed by the lowest MAC address of its members.

- Check the bridge members:

#brctl showmacs br0
port no mac addr                is local?       ageing timer
  2     00:00:ab:12:cd:34       yes                0.00
  1     00:04:11:22:33:44       yes                0.00
To keep your settings after a reboot, create the following script stored in the "/root/bridge.sh" file:

#!/bin/bash
# Load the bridge kernel module
modprobe bridge
# Open permanently the tap0 virtual interface
openvpn --mktun --dev tap0
# Activate eth1 interface
ifconfig eth1 up
# Create the bridge
brctl addbr br0
# Add members to the bridge
brctl addif br0 eth1
brctl addif br0 tap0
# Set the bridge IP address:
ifconfig br0 10.9.0.201 netmask 255.255.255.0
Then you have to add the following line in the "/etc/crontab" file:

#vim /etc/crontab
@reboot root /root/bridge.sh
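An added check, not part of the tutorial, that parses the two `brctl` outputs shown above to confirm br0 has exactly the members you expect and that its bridge id really ends in the lowest member MAC. SHOW and MACS are constructed samples mirroring that output; on a real host you would feed it `brctl show` and `brctl showmacs br0` instead.

```shell
#!/bin/bash
# Added check (not from the tutorial): confirm that br0 has exactly the expected
# members and that its bridge id ends in the lowest local MAC, by parsing the
# `brctl show` / `brctl showmacs br0` layouts shown above. SHOW and MACS are
# constructed samples mirroring the tutorial's output; on a real host use
# SHOW=$(brctl show) and MACS=$(brctl showmacs br0) instead.

bridge_members() {    # $1 = bridge name; stdin = `brctl show` output; prints members sorted
  awk -v br="$1" '
    NR == 1         { next }                                   # header line
    NF >= 3         { inbr = ($1 == br); if (inbr && NF >= 4) print $4; next }
    inbr && NF == 1 { print $1 }                               # continuation rows
  ' | sort
}

check_bridge() {      # $1 = bridge name, $2.. = expected members; stdin = `brctl show`
  local br=$1; shift
  local want got
  want=$(printf '%s\n' "$@" | sort | tr '\n' ' ')
  got=$(bridge_members "$br" | tr '\n' ' ')
  [ "$want" = "$got" ]
}

bridge_id_mac() {     # $1 = bridge name; stdin = `brctl show`; MAC half of the bridge id
  awk -v br="$1" 'NR > 1 && $1 == br { split($2, p, "."); print p[2]; exit }'
}

lowest_local_mac() {  # stdin = `brctl showmacs` output; lowest MAC among local ports
  awk 'NR > 1 && $3 == "yes" { gsub(":", "", $2); print $2 }' | sort | head -n 1
}

SHOW='bridge name     bridge id               STP enabled     interfaces
br0             8000.0000ab12cd34       no              tap0
                                                        eth1'
MACS='port no mac addr                is local?       ageing timer
  2     00:00:ab:12:cd:34       yes                0.00
  1     00:04:11:22:33:44       yes                0.00'

if printf '%s\n' "$SHOW" | check_bridge br0 eth1 tap0; then
  echo "br0 members: OK"
else
  echo "br0 members: unexpected ($(printf '%s\n' "$SHOW" | bridge_members br0 | tr '\n' ' '))"
fi
if [ "$(printf '%s\n' "$SHOW" | bridge_id_mac br0)" = "$(printf '%s\n' "$MACS" | lowest_local_mac)" ]; then
  echo "bridge id matches the lowest local MAC"
fi
```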
OpenVPN Configuration:

On Linux B, you need to have the following files in the "/etc/openvpn/" directory:

- ca.crt: the Certificate Authority (CA) certificate.
- linux.crt: the "linux" certificate, which contains the "linux" public key.
- linux.key: the "linux" private key.
- openvpn.conf: the OpenVPN configuration.

The first three files are provided by the CA.

Let's create the OpenVPN config file.
Be careful to put the configuration file in the "/etc/openvpn" directory and with a ".conf" extension to be able to use the OpenVPN startup script.

# Client mode
tls-client
# Server IP address
remote 60.0.1.1
# Bridge mode
dev tap0
# Port
port 2000
# Certificate authority (CA) certificate
ca ca.crt
# "linux" private key
key linux.key
# "linux" public key
cert linux.crt
# Accept data pushed by the server
pull
# verbosity level
verb 2
By default, OpenVPN is automatically launched at user logon.
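An added check, not part of the tutorial, for the Linux A and Linux B "/etc/openvpn" layouts above: it confirms that every file the config references (ca, cert, key, dh) exists next to it and that the private key is readable by its owner only. make_sample_dir and the empty placeholder files it creates are constructed for the demonstration.

```shell
#!/bin/bash
# Added check (not from the tutorial): verify that the files an OpenVPN config
# references (ca, cert, key, dh) exist next to it, and that the private key is
# readable by its owner only. Relative paths resolve against the config's own
# directory, as the /etc/openvpn layout above assumes. make_sample_dir builds a
# constructed client layout like Linux B's (empty placeholder files) to run against.

resolve_path() {      # $1 = config path, $2 = directive name; prints the referenced file's full path
  local p; p=$(awk -v d="$2" '$1 == d { print $2; exit }' "$1")
  [ -n "$p" ] || return 1                      # directive absent (e.g. no dh on a client)
  case $p in /*) echo "$p" ;; *) echo "$(dirname "$1")/$p" ;; esac
}

check_openvpn_files() {   # $1 = config path; reports missing files, returns 1 if any
  local conf=$1 rc=0 d f
  for d in ca cert key dh; do
    f=$(resolve_path "$conf" "$d") || continue
    if [ ! -f "$f" ]; then echo "missing file for '$d': $f"; rc=1; fi
  done
  return $rc
}

key_is_private() {    # $1 = config path; true when the key file has no group/other permission bits
  local f; f=$(resolve_path "$1" key) || return 1
  [ -f "$f" ] || return 1
  [ "$(ls -l "$f" | cut -c5-10)" = "------" ]   # columns 5-10 of the mode string = group + other
}

make_sample_dir() {   # constructed sample: Linux B's client layout in a temp dir; prints the dir
  local d; d=$(mktemp -d)
  printf 'tls-client\nremote 60.0.1.1\ndev tap0\nport 2000\nca ca.crt\nkey linux.key\ncert linux.crt\npull\nverb 2\n' > "$d/openvpn.conf"
  : > "$d/ca.crt"; : > "$d/linux.crt"; : > "$d/linux.key"
  chmod 600 "$d/linux.key"
  echo "$d"
}

DIR=$(make_sample_dir)
check_openvpn_files "$DIR/openvpn.conf" && echo "all referenced files present"
key_is_private "$DIR/openvpn.conf" && echo "private key is owner-only" || echo "WARNING: key readable by others"
```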




7. LINUX C

On Linux C, we only need to configure the network interface IP address:

#ifconfig eth0 10.9.0.222 netmask 255.255.255.0

To keep your settings after a reboot, edit the "/etc/network/interfaces" file:

#vim /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 10.9.0.222
netmask 255.255.255.0



8. CHECKS

We are now ready to perform checks to validate that Linux C and Windows A can see each other (see the case study picture).

LinuxC#ping 10.9.0.111

Linux C can also ping successfully:
- The Linux B bridge: 10.9.0.201
- The Linux B tap0 virtual interface: 10.9.0.200
- The Linux A bridge: 10.9.0.1
- The Windows B bridge: 10.9.0.101
- The Windows A network interface: 10.9.0.111

Let's check that we really have a layer 2 link and no routing between Linux C and Windows A.

LinuxC#ping 10.9.0.111

[Picture: Wireshark capture on Windows A]

Before it can send ICMP packets with the ping command, Linux C must know the Windows A MAC address. That's why Linux C first sends a layer two broadcast (to FF:FF:FF:FF:FF:FF) asking which host has the MAC address matching the 10.9.0.111 IP address. Windows A answers Linux C with its MAC address.
Linux C now knows the Windows A MAC address and can send it ICMP packets to see if the network connectivity is established.

The capture, performed on Windows A, shows that there is an OSI layer two link between Linux C and Windows A because Windows A receives the layer two broadcast.

Remember that routers, which work at layer 3, stop layer two broadcasts by default to avoid network saturation.
Bridges and switches, which work at layer two, let layer two broadcasts pass through them.

Another way to check whether we really have layer two connectivity between Linux C and Windows A is the traceroute command. If there is no intermediate hop (each hop represents a routing device) before the destination, we have our layer two link.

LinuxC#traceroute 10.9.0.111
traceroute to 10.9.0.111 (10.9.0.111), 30 hops max, 40 bytes packets
1 10.9.0.111 (10.9.0.111) 0.134 ms 0.110 ms 0.025 ms


If you don't have the traceroute command, you can easily install it with:

#apt-get install traceroute
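An added check, not part of the tutorial, that turns the two tests above into a script: it reads traceroute output to decide whether the destination is exactly one hop away and is that hop itself, and reads the MAC that ARP resolved for it from `ip neigh` output. BRIDGED, ROUTED and NEIGH are constructed samples modelled on the output shown; `ip neigh` is assumed as the ARP cache view.

```shell
#!/bin/bash
# Added check (not from the tutorial): decide from traceroute output whether a
# destination sits on the same layer-2 segment (exactly one hop, and that hop is
# the destination itself), and read the MAC that ARP resolved for it from
# `ip neigh` output. BRIDGED, ROUTED and NEIGH are constructed samples; on
# Linux C use: traceroute 10.9.0.111 | is_layer2_adjacent 10.9.0.111

hop_count() {         # stdin = traceroute output; number of numbered hop lines
  awk '$1 ~ /^[0-9]+$/ { n++ } END { print n + 0 }'
}

last_hop_ip() {       # stdin = traceroute output; address on the final hop line ("*" on timeout)
  awk '$1 ~ /^[0-9]+$/ { ip = $2 } END { print ip }'
}

is_layer2_adjacent() {   # $1 = destination IP; stdin = traceroute output
  local out; out=$(cat)
  [ "$(printf '%s\n' "$out" | hop_count)" -eq 1 ] &&
    [ "$(printf '%s\n' "$out" | last_hop_ip)" = "$1" ]
}

neighbor_mac() {      # $1 = IP; stdin = `ip neigh` output; prints the resolved MAC, nothing if unresolved
  awk -v ip="$1" '$1 == ip { for (i = 2; i < NF; i++) if ($i == "lladdr") print $(i + 1) }'
}

BRIDGED='traceroute to 10.9.0.111 (10.9.0.111), 30 hops max, 40 byte packets
 1  10.9.0.111 (10.9.0.111)  0.134 ms  0.110 ms  0.025 ms'
ROUTED='traceroute to 10.9.1.111 (10.9.1.111), 30 hops max, 40 byte packets
 1  10.9.0.1 (10.9.0.1)  0.201 ms  0.150 ms  0.140 ms
 2  10.9.1.111 (10.9.1.111)  1.020 ms  0.980 ms  0.950 ms'
NEIGH='10.9.0.111 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.9.0.250 dev eth0 FAILED'

for dst in 10.9.0.111 10.9.1.111; do
  case $dst in 10.9.0.111) sample=$BRIDGED ;; *) sample=$ROUTED ;; esac
  if printf '%s\n' "$sample" | is_layer2_adjacent "$dst"; then
    echo "$dst: same layer-2 segment, MAC $(printf '%s\n' "$NEIGH" | neighbor_mac "$dst")"
  else
    echo "$dst: reached through $(printf '%s\n' "$sample" | hop_count) hops, so routed"
  fi
done
```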



9. ANNEX

When you have more than one tunnel on a Windows machine, you need to create additional virtual interfaces. Only one virtual interface is created by default when OpenVPN is installed.

In the example below, we create a second OpenVPN virtual interface:

Start -> Programs -> OpenVPN -> "Add a new TAP-Win32 virtual ethernet adapter".

- We now have our two virtual interfaces, tagged as "TAP-Win32 Adapter".
