Howto/Setup Bridged OpenVPN server on Ubuntu 10.04

From Interpause
Revision as of 15:00, 23 December 2011 by Andrew (talk | contribs) (→‎My setup)
Jump to navigationJump to search

The desired setup requirements

I want users to be able to access my network remotely as if they were locally. Also, I want client side configuration steps kept to a minimum. Specifically, I want clients to use the "alternative OpenVPN authentication method". Also, I want clients to be able to see all machines on the server's side (this last bit was what cost me a LOT of time to figure out). Last but not least, I do NOT want all traffic being forwarded through the VPN.

My setup

  • The following was tested on OpenVPN 2.1 but may work for other version
  • I have a standard router that acts as my gateway, located at 192.168.8.1
  • My OpenVPN server has one NIC on eth1 and its ip address is 192.168.8.141 and it is using the default UDP 1194 port
  • My router is setup to assign ip addresses upon requests via dhcp in the range 192.168.8.100 to 192.168.8.199, and my servers have static leases.
  • The OpenVPN server will be responsible for handing out ips to clients in the range 192.168.8.5 to 192.168.8.99

The Steps

Using the following as a guide,

https://help.ubuntu.com/10.04/serverguide/C/network-configuration.html#bridging
Step 1) Install openvpn
sudo apt-get install openvpn
Step 2) Install a virtual bridged adapter

Install the necessary package

sudo apt-get install bridge-utils

Modify /etc/network/interfaces

auto lo
iface lo inet loopback

auto br0
iface br0 inet static
        address 192.168.8.141
        network 192.168.8.0
        netmask 255.255.255.0
        broadcast 192.168.8.255
        gateway 192.168.8.1
        bridge_ports eth1
        bridge_fd 9
        bridge_hello 2
        bridge_maxage 12
        bridge_stp off

Restart networking

sudo /etc/init.d/networking restart
Step 3
Create the server certificates

Follow the directions on the link above.

Step 4
Configure the server

Note: Do not create client certificates as we wish to only authenticate with a username and password as per the instructions at http://openvpn.net/index.php/open-source/documentation/howto.html#auth Specifically, start by getting a sample config file

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz

Then modify the server.conf

local 192.168.8.141
dev tap0
;dev tun
server-bridge 192.168.8.141 255.255.255.0 192.168.8.5 192.168.8.99
push "route 192.168.8.0 255.255.255.0"
push "dhcp-option DNS 192.168.8.1"
client-to-client
duplicate-cn
;tls-auth ta.key 0
user nobody
group nogroup
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
client-cert-not-required
username-as-common-name
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
push "ip-win32 dynamic 0 3600"

Create the up.sh and down.sh scripts as per the Ubuntu guide.

Here was the part that took me MANY HOURS to figure out as it was only by browsing the OpenVPN FAQ that I figured it out. For clients to see all machines on the server's side, edit /etc/sysctl.conf

net.ipv4.ip_forward=1

Restart the server for changes to take effect.

Step 5
Forward ports on the router