Howto/Setup Bridged OpenVPN server on Ubuntu 10.04: Difference between revisions
Revision as of 14:11, 23 December 2011
The desired setup requirements
I want users to be able to access my network remotely as if they were local. I also want client-side configuration steps kept to a minimum. Specifically, I want clients to use the "alternative OpenVPN authentication method" (username and password instead of client certificates). I also want clients to be able to see all machines on the server's side (this last bit was what cost me a LOT of time to figure out). Last but not least, I do NOT want all traffic being forwarded through the VPN.
My setup
- The following was tested on OpenVPN 2.1 but may work for other versions
- I have a standard router that acts as my gateway, located at 192.168.8.1
- My OpenVPN server has one NIC on eth1, its IP address is 192.168.8.141, and it is using the default UDP port 1194
- My router is set up to assign IP addresses on request via DHCP in the range 192.168.8.100 to 192.168.8.199, and my servers have static leases
- The OpenVPN server will be responsible for handing out IPs to clients in the range 192.168.8.5 to 192.168.8.99
The Steps
Using the following as a guide,
https://help.ubuntu.com/10.04/serverguide/C/network-configuration.html#bridging
- Step 1) Install openvpn
sudo apt-get install openvpn
- Step 2) Install a virtual bridged adapter
Install the necessary package
sudo apt-get install bridge-utils
Modify /etc/network/interfaces
<pre>
auto lo
iface lo inet loopback

auto br0
iface br0 inet static
address 192.168.8.141
network 192.168.8.0
netmask 255.255.255.0
broadcast 192.168.8.255
gateway 192.168.8.1
bridge_ports eth1
bridge_fd 9
bridge_hello 2
bridge_maxage 12
bridge_stp off
</pre>
Restart networking
sudo /etc/init.d/networking restart
- Step 3) Create the server certificates
Follow the directions on the link above.
- Step 4) Configure the server
Note: Do not create client certificates, as we wish to authenticate only with a username and password, as per the instructions at http://openvpn.net/index.php/open-source/documentation/howto.html#auth
Specifically, start by getting a sample config file
<pre>
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
</pre>
Then modify the server.conf
<pre>
local 192.168.8.141
dev tap0
;dev tun
server-bridge 192.168.8.141 255.255.255.0 192.168.8.5 192.168.8.99
push "route 192.168.8.0 255.255.255.0"
push "dhcp-option DNS 192.168.8.1"
client-to-client
duplicate-cn
;tls-auth ta.key 0
user nobody
group nogroup
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
client-cert-not-required
username-as-common-name
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
push "ip-win32 dynamic 0 3600"
</pre>
Create the up.sh and down.sh scripts as per the Ubuntu guide and place them in /etc/openvpn.
This was the part that took me MANY HOURS to figure out, and I only found it by browsing the OpenVPN FAQ. For clients to see all machines on the server's side, edit /etc/sysctl.conf and set
net.ipv4.ip_forward=1
Restart the server for changes to take effect.
- Step 5) Forward ports on the router
Forward requests for UDP port 1194 on the router to the IP address of the server via the router's web interface.
- Step 6) Install the client
For Ubuntu it is already installed after doing
sudo apt-get install openvpn
For Windows, get the complete installation package here
http://openvpn.se/download.html
- Step 7) Configure the client
Get a sample config file. On Ubuntu, it is located here
/usr/share/doc/openvpn/examples/sample-config-files/client.conf
and must be placed in /etc/openvpn along with the ca.crt file that was generated in Step 3.
On Windows, it is located at
C:\Program Files\OpenVPN\sample-config\client.ovpn
and it must be placed in
C:\Program Files\OpenVPN\config
along with the ca.crt file that was generated in Step 3.
Modify the following lines in client.conf or client.ovpn
<pre>
dev tap
;dev tun
remote www.interpause.com 1194
user nobody
group nobody
;cert client.crt
;key client.key
;tls-auth ta.key 1
auth-user-pass
</pre>