Introduction
Static key vs. SSL/TLS
OpenVPN can be configured in a mode called "static key". In this mode the configuration is quicker and easier, since there is no CA and no public/private key pairs to set up: client and server share one symmetric key, which has to be transferred over a secure channel. The static key setup has a drawback, though: it cannot authenticate multiple users at the same time. The "SSL/TLS" mode requires defining a CA and generating keys, but that is not hard, and it is the setup this tutorial focuses on.

Routed vs. Bridged
After a client has connected to OpenVPN, for it to be able to talk with the server and with the other hosts on the remote network, the OpenVPN server interface must be configured in one of two ways:

# Routing IP
# Bridge ethernet

Routing is easier (everything is handled by OpenVPN), but it doesn't support non-IP protocols (for example IPX) or applications that need broadcast access. In this tutorial we'll configure a bridged OpenVPN.

Bridge Configuration
Let's install the package:

sudo apt-get install bridge-utils

Then edit /etc/network/interfaces so that the address that used to belong to eth0 is assigned to the bridge br0, and eth0 is enslaved to it:

auto lo
iface lo inet loopback

auto br0
iface br0 inet static
    # IP, netmask, etc. are the original ones
    address 10.0.0.10
    netmask 255.255.255.0
    gateway 10.0.0.4
    # network interfaces on which to enable the bridge
    bridge_ports eth0
    # optional configurations if the machine is a VM
    #bridge_fd 9
    #bridge_hello 2
    #bridge_maxage 12
    #bridge_stp off
Restart networking and check that the bridge is up and that eth0 is attached to it:

sudo /etc/init.d/networking restart

brctl show

bridge name     bridge id               STP enabled     interfaces
br0             8000.002421eeaf99       no              eth0
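A mistake that often leaves the bridge without connectivity is keeping an address on eth0 after it has been enslaved to br0 (or forgetting the bridge_ports line altogether). The following lint is an added example, not part of the original tutorial: it reads an ifupdown interfaces file (or stdin), flags both mistakes and returns non-zero when it finds one. The two sample files are constructed for the demonstration; the first mirrors the layout above, the second leaves eth0 configured on its own.

```shell
#!/bin/sh
# Added example (not from the tutorial): lint an ifupdown "interfaces" file for
# the two mistakes that most often leave a bridge without connectivity:
#   1. no bridge_ports line at all, so nothing is enslaved to the bridge;
#   2. an enslaved NIC keeps its own static/dhcp address stanza, which
#      should have moved to the bridge.
# lint_interfaces reads the file named in $1 (stdin when no name is given),
# prints every problem and returns non-zero if it found any.

lint_interfaces() {
    awk '
        # Remember which interface the stanza belongs to and whether it gets an address.
        /^[ \t]*iface[ \t]/ {
            cur = $2
            if ($4 == "static" || $4 == "dhcp") addressed[cur] = 1
        }
        # bridge_ports lists the NICs enslaved to the bridge of the current stanza.
        /^[ \t]*bridge_ports[ \t]/ {
            for (i = 2; i <= NF; i++) if ($i != "none") { bridge_of[$i] = cur; nports++ }
        }
        END {
            rc = 0
            if (nports == 0) { print "no bridge_ports directive: nothing is bridged"; rc = 1 }
            for (p in bridge_of) {
                if (p in addressed) {
                    print "port " p " is enslaved to " bridge_of[p] " but still has its own address stanza"
                    rc = 1
                }
                if (!(bridge_of[p] in addressed)) {
                    print "bridge " bridge_of[p] " has no address stanza"
                    rc = 1
                }
            }
            if (rc == 0) print "bridge configuration looks consistent"
            exit rc
        }' "$@"
}

# Constructed samples: the layout used in this tutorial, and the same bridge
# with eth0 wrongly left configured on its own.
sample_good_interfaces() {
    cat <<'EOF'
auto lo
iface lo inet loopback

auto br0
iface br0 inet static
    address 10.0.0.10
    netmask 255.255.255.0
    gateway 10.0.0.4
    bridge_ports eth0
EOF
}

sample_bad_interfaces() {
    cat <<'EOF'
auto eth0
iface eth0 inet static
    address 10.0.0.10
    netmask 255.255.255.0

auto br0
iface br0 inet static
    address 10.0.0.11
    netmask 255.255.255.0
    bridge_ports eth0
EOF
}

sample_good_interfaces | lint_interfaces
sample_bad_interfaces | lint_interfaces || echo "(the second file fails the lint, as intended)"
```

To check the real file, run `lint_interfaces /etc/network/interfaces` before restarting networking; a non-zero exit means the bridge will most likely come up without an address or without its port.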
What to do if using Ubuntu Desktop
If the Ubuntu box on which you're installing OpenVPN has a GNOME desktop, it may have the "Network Manager" application installed. Sometimes this hinders the bridge from working; you may have more success just removing it:

sudo apt-get remove network-manager
sudo /etc/init.d/networking restart
OpenVPN installation
Let's install the required packages:

sudo apt-get install openvpn
Certificate creation
OpenVPN already includes a set of scripts called "easy-rsa" that handles all the certificate creation for us; it ships with the package's example files under /usr/share/doc/openvpn, so let's copy it:

sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
sudo chown -R $USER /etc/openvpn/easy-rsa/

Then edit the vars file in /etc/openvpn/easy-rsa/ and set the defaults that will go into every certificate:

export KEY_COUNTRY="IT"
export KEY_PROVINCE="VE"
export KEY_CITY="Venezia"
export KEY_ORG="Example"
export KEY_EMAIL="info@example.com"
CA Certificate and Keys
Let's finally create those certificates, following the script wizards. Note that ./clean-all empties the keys directory, so run it only this once, before the CA is created:

cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh

Client Certificates
It's now time to generate the certificates for the clients; it's also possible to share one certificate between several clients.

cd /etc/openvpn/easy-rsa/
source vars
./build-key client1

Move the generated keys directory under /etc/openvpn and leave a symlink in its place, so that easy-rsa keeps finding it:

cd /etc/openvpn/easy-rsa/
mv /etc/openvpn/easy-rsa/keys /etc/openvpn/
ln -s /etc/openvpn/keys keys
Server configuration
OpenVPN needs two small scripts to attach its tap interface to the bridge when it starts and to detach it when it stops. Create /etc/openvpn/up.sh:

#!/bin/sh
BR=$1
DEV=$2
MTU=$3
/sbin/ifconfig $DEV mtu $MTU promisc up
/usr/sbin/brctl addif $BR $DEV

and /etc/openvpn/down.sh:

#!/bin/sh
BR=$1
DEV=$2
/usr/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down

Make them executable:

sudo chmod 755 /etc/openvpn/down.sh
sudo chmod 755 /etc/openvpn/up.sh
Now create the server configuration file in /etc/openvpn (for example /etc/openvpn/server.conf; the init script starts every *.conf file found in that directory):

# main configuration
#
mode server
port 1194
proto udp
# bridging directive - this is needed to use the br0
dev tap0
# script to attach the tap0 interface to the bridge
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
persist-key
persist-tun

# certificates and encryption
ca keys/ca.crt
cert keys/server.crt
key keys/server.key  # This file should be kept secret
dh keys/dh1024.pem
cipher BF-CBC        # Blowfish (default)
comp-lzo             # compression

# enable communication between vpn clients
client-to-client
# enable multiple access from the same client certificate
duplicate-cn

# DHCP configuration
#
# ipp.txt saves the status of the dhcp leases
ifconfig-pool-persist ipp.txt
# pool of addresses available for VPN leases
# format: <server IP> <netmask> <pool start IP> <pool end IP>
server-bridge 192.168.11.8 255.255.255.0 192.168.11.220 192.168.11.249
# additional option to give to dhcp clients
push "dhcp-option DNS 192.168.11.4"
# maximum number of clients connected at a time
max-clients 10

# log and security
#
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3
script-security 3 system

Restart OpenVPN to load it:

sudo /etc/init.d/openvpn restart
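The server-bridge line is the one that most often goes wrong when this configuration is adapted to another network: the pool has to lie inside the bridge's subnet, must not contain the server address, the network or the broadcast address, and must have room for max-clients. Two other lines deserve a second look before copying them: duplicate-cn lets a single client certificate open any number of sessions, and cipher BF-CBC selects Blowfish, a 64-bit-block cipher; both are kept here exactly as the tutorial wrote them. The script below is an added example, not part of the tutorial or of OpenVPN: it validates those constraints in plain POSIX sh, and the sample config it reads is constructed from the bridge-related lines above.

```shell
#!/bin/sh
# Added example (not from the tutorial): validate the server-bridge pool and
# max-clients of an OpenVPN server config before restarting the daemon.
# Everything is plain POSIX sh; OpenVPN itself is not needed.

# Dotted quad -> 32-bit integer (e.g. 192.168.11.8 -> 3232238344).
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# pool_size <start> <end>: number of addresses the pool can lease.
pool_size() {
    echo $(( $(ip2int "$2") - $(ip2int "$1") + 1 ))
}

# check_server_bridge <server IP> <netmask> <pool start> <pool end>
# Prints each problem found and returns 0 only when the pool is usable.
check_server_bridge() {
    gw=$(ip2int "$1"); mask=$(ip2int "$2"); lo=$(ip2int "$3"); hi=$(ip2int "$4")
    net=$(( gw & mask ))
    bcast=$(( net | (mask ^ 4294967295) ))
    rc=0
    [ $(( lo & mask )) -eq "$net" ] || { echo "pool start $3 is not in the bridge subnet"; rc=1; }
    [ $(( hi & mask )) -eq "$net" ] || { echo "pool end $4 is not in the bridge subnet"; rc=1; }
    [ "$lo" -le "$hi" ] || { echo "pool start $3 is above pool end $4"; rc=1; }
    if [ "$lo" -le "$net" ] || [ "$hi" -ge "$bcast" ]; then
        echo "pool includes the network or broadcast address"; rc=1
    fi
    if [ "$gw" -ge "$lo" ] && [ "$gw" -le "$hi" ]; then
        echo "server address $1 lies inside its own pool"; rc=1
    fi
    return $rc
}

# check_config [file]: reads an OpenVPN server config (stdin when no file is
# given), validates server-bridge and makes sure max-clients fits the pool.
check_config() {
    cfg=$(cat "$@")
    sb=$(printf '%s\n' "$cfg" | awk '$1 == "server-bridge" { print $2, $3, $4, $5; exit }')
    mc=$(printf '%s\n' "$cfg" | awk '$1 == "max-clients" { print $2; exit }')
    [ -n "$sb" ] || { echo "no server-bridge directive found"; return 1; }
    set -- $sb
    check_server_bridge "$1" "$2" "$3" "$4" || return 1
    size=$(pool_size "$3" "$4")
    if [ -n "$mc" ] && [ "$mc" -gt "$size" ]; then
        echo "max-clients $mc exceeds the $size addresses in the pool"
        return 1
    fi
    echo "server-bridge pool OK: $size addresses, max-clients ${mc:-not set}"
}

# Constructed sample with the bridge-related lines of the tutorial's server config.
sample_server_conf() {
    cat <<'EOF'
mode server
dev tap0
# format: <server IP> <netmask> <pool start IP> <pool end IP>
server-bridge 192.168.11.8 255.255.255.0 192.168.11.220 192.168.11.249
max-clients 10
EOF
}

sample_server_conf | check_config
```

Run `check_config /etc/openvpn/server.conf` after editing the file; the same pool should also be excluded from the LAN's regular DHCP server, which the script cannot see and therefore cannot verify.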
Client configuration
Let's create a configuration file for the clients in a safe folder (for example /root/customername/customername.conf). Inside this file it's important to set the "remote" parameter to the correct hostname/IP address of our OpenVPN server, and to set the correct paths for keys and certificates; in this example the files are in a folder called "customername":

# Specify that this is a client
client
# Bridge device setting
dev tap
# Host name and port for the server (default port is 1194)
# note: replace with the correct values your server set up
remote server.example.com 1194
# Client does not need to bind to a specific local port
nobind
# Keep trying to resolve the host name of OpenVPN server.
## The windows GUI seems to dislike the following rule.
## You may need to comment it out.
resolv-retry infinite
# Preserve state across restarts
persist-key
persist-tun
# SSL/TLS parameters - files created previously
ca customername/ca.crt
cert customername/client1.crt
key customername/client1.key
# Specify same cipher as server
cipher BF-CBC
# Use compression
comp-lzo
# Log verbosity (to help if there are problems)
verb 3

Then copy the CA certificate and the client's certificate and key from the server into the "customername" folder (run these from inside that folder):

sudo cp /etc/openvpn/keys/ca.crt .
sudo cp /etc/openvpn/keys/client1.crt .
sudo cp /etc/openvpn/keys/client1.key .
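Before a bundle like this leaves the server it is worth checking two things: that every file the config points to is actually in the folder, and that client1.key is not readable by other users on whatever machine it lands on. The script below is an added example, not part of the tutorial: check_vpn_files parses the ca/cert/key/dh directives of a config, resolves relative paths against the config's directory (the tutorial keeps the "customername" folder next to customername.conf) and reports missing files and a key with group/other read bits. The sample bundle it builds is constructed with placeholder text in place of real PEM files.

```shell
#!/bin/sh
# Added example (not from the tutorial): before handing a client bundle over,
# check that every file the config references is present and that the private
# key is not readable by other users.  Uses only POSIX sh, awk, ls and cut.

# check_vpn_files <config file> [base dir]
# Relative ca/cert/key/dh paths are resolved against <base dir>, which defaults
# to the directory holding the config.  Prints each problem; returns 0 if none.
check_vpn_files() {
    cfg="$1"
    base="${2:-$(dirname "$cfg")}"
    [ -f "$cfg" ] || { echo "config $cfg not found"; return 1; }
    problems=$(
        # One "<directive> <path>" per line; comments and other directives are skipped.
        awk '$1 == "ca" || $1 == "cert" || $1 == "key" || $1 == "dh" { print $1, $2 }' "$cfg" |
        while read -r directive path; do
            case $path in /*) f="$path" ;; *) f="$base/$path" ;; esac
            if [ ! -f "$f" ]; then
                echo "$directive: $f is missing"
                continue
            fi
            if [ "$directive" = key ]; then
                # Columns 5-10 of "ls -l" are the group and other permission bits.
                case $(ls -ld "$f" | cut -c5-10) in
                    *r*) echo "key: $f is readable by group or others (run chmod 600 on it)" ;;
                esac
            fi
        done
    )
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    echo "$cfg: all referenced files present, key is private"
}

# Constructed sample bundle; placeholder text stands in for the real PEM files.
demo_bundle() {
    d=$(mktemp -d)
    mkdir "$d/customername"
    printf 'placeholder CA certificate\n'     > "$d/customername/ca.crt"
    printf 'placeholder client certificate\n' > "$d/customername/client1.crt"
    printf 'placeholder client key\n'         > "$d/customername/client1.key"
    chmod 600 "$d/customername/client1.key"
    cat > "$d/customername.conf" <<'EOF'
client
dev tap
remote server.example.com 1194
ca customername/ca.crt
cert customername/client1.crt
key customername/client1.key
EOF
    echo "$d"
}

BUNDLE=$(demo_bundle)
check_vpn_files "$BUNDLE/customername.conf"
chmod 644 "$BUNDLE/customername/client1.key"
check_vpn_files "$BUNDLE/customername.conf" || echo "(rejected, as intended: the key became world-readable)"
rm -rf "$BUNDLE"
```

On the real bundle run `check_vpn_files /root/customername/customername.conf`; the same function works on the server side with `check_vpn_files /etc/openvpn/server.conf /etc/openvpn`, since the server config uses paths relative to /etc/openvpn as well.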
Additional configuration
# If the OpenVPN server is behind a NAT device, the router/firewall must be configured to forward UDP port 1194 to the host.
# If the host is inside a network with a managed switch (for example a VM on ESXi), promiscuous mode must be allowed on the port it uses (in ESXi, in the security policy of the vSwitch or port group), because the bridge has to receive frames addressed to the VPN clients' MAC addresses, not only its own.