In a previous post, I laid out step-by-step how to set up an OpenVPN server, to support roaming VPN clients. We created an ethernet bridge so that each remote client appears on the LAN just like any desktop PC in your office. We used a dedicated OpenVPN server to act like a network switch; however, each client has to install and run software in order to connect.

Now I'm going to discuss a permanent bridge, using two Linux boxes. This allows all clients on each side to see all clients on the other side. None of the clients need to run any special software. You might use this, as I did, to connect a branch office to your headquarters. Throughout this discussion, I'm going to refer to these two Linux boxes as "vpnmaster" and "vpnslave". You may call them whatever you wish when you implement this. ;)

Steps 1-9: Build vpnslave.

See the previous post, steps 1 to 9. Follow those steps without any changes. We're going to end up with the same, bridged ethernet setup on the vpnslave machine that we did with the vpnmaster.

Unlike with roaming clients, you want the same subnet in both locations. It's no good having a bridge between divergent networks. When we're done, all clients will exist on the same network. Imagine you have an unmanaged switch halfway between both locations, with very long cables in-between. ;) You need to set aside a block of IP addresses which only the computers on the slave LAN will use. For example, you might tell your DHCP server(s) at the master site to lease the addresses to .99, and the DHCP server(s) at your slave site to lease to .254. We'll block any DHCP broadcasts from going over the VPN, so that computers in the slave LAN will only talk to their local DHCP servers.

Step 10: Copy and edit the firewall script.

cp /usr/src/openvpn-2.0_rc21/sample-config-files/ /etc/openvpn/
cd /etc/openvpn

  • Change the value of PRIVATE to your local subnet. Yours might be Again, use the same network for the slave site that you use at the master site.
  • After iptables -A INPUT -p udp --dport 1194 -j ACCEPT
    add the line iptables -A INPUT -p udp --dport 4444:4460 -j ACCEPT
    or whatever port range you're going to use for your clients.
  • If the example firewall script has NAT MASQUERADING turned on (last line), comment it out in your new copy. (If you're wondering, we can't simply use NAT to bridge two different networks, because the broadcasts would not then be routed across the bridge).
  • Add the following lines to the script. These turn off DHCP broadcasts across the slave's bridge. You probably do not want to do this wholesale DROP on vpnmaster, because it's probably serving roaming clients who want DHCP.

iptables -A FORWARD -p tcp --dport 67:68 -j DROP
iptables -A FORWARD -p udp --dport 67:68 -j DROP
iptables -A INPUT -p tcp --dport 67:68 -j DROP
iptables -A INPUT -p udp --dport 67:68 -j DROP

Step 11: Create /etc/openvpn/

At this point, you only need one item in the TAPS list. I used "0" to make "tap0". You may use vpnslave to serve its own remote clients, as well, but we're not going to describe that here.

Step 12: Create /etc/openvpn/bridge.conf.

This file provides config information for the permanent bridge on vpnslave. It's a little bit different from common.conf on vpnmaster.

dev tap0
port 1194
secret /etc/openvpn/static.key
ping 10
verb 5

Step 13: Create an init script.

Create the file /etc/init.d/openvpn, to run everything at startup:



/usr/local/sbin/openvpn --config /etc/openvpn/bridge.conf --daemon tap0

exit 0

Remember to make this file executable, using chmod.

Notice we're only running one instance of openvpn. Again, if you want to serve additional, roaming clients from vpnslave, feel free. But I'd recommend doing that after the permanent pipe is up and running.

In /etc/rc2.d through rc5.d, add symlinks to the file you just created. The "S number" you supply in the filename will determine the order in which your startup script is run (lowest first). I picked 19 a bit arbitrarily, based on other scripts in the rc folders.

ln -s /etc/init.d/openvpn S19openvpn

Step 14: Copy the static.key from vpnmaster to vpnslave.

Use scp, sftp, a floppy, a thumbdrive…whatever it takes. But keep it secret. Keep it safe.

Step 15: There is no Step 15.

Step 16: Test OpenVPN.

Make sure that OpenVPN is running on vpnmaster. On vpnslave, type the following. Note that, for the most part, we are doing by hand what your init.d script does. We do it by hand so we can see the output at each step, in case something goes wrong:

cd /etc/openvpn

/usr/local/sbin/openvpn --config /etc/openvpn/bridge.conf --dev tap0 --port 1194

Notice we do not supply the daemon argument to openvpn on the command line. This means your terminal will now be occupied running openvpn. You should start seeing traffic display in the openvpn process: it'll start spitting out w's and r's as it reads and writes data from vpnmaster.

Alt-F2 to another tty and login again so you can test the connection. Try accessing resources on the LAN (ping remote boxes by IP and by name). If something goes wrong, fix it before proceeding to the next step.

If the vpnslave can ping machines on the master LAN (over the VPN), then move to another computer on the slave LAN and see if you get the same results. In some network setups, your default gateway may need a new static route, directing packets to eth1 on vpnslave. If you've got a single gateway and a single switch or hub, you shouldn't have to do this.

Step 17: Test your startup script.

Kill the openvpn process from step 16 using Ctrl-C. Reboot vpnslave. Test the connection again (from vpnslave). If that works, test again from another computer on the slave LAN.

If all that works, you're done! Unplug the monitor, keyboard, and mouse from vpnslave and tuck it away somewhere. Come back in 5 years when the hard drive starts to make loud banging noises.

Comments and corrections are certainly welcome.

Site-to-site ethernet bridge over OpenVPN (2 of 2)

답글 남기기

이메일 주소는 공개되지 않습니다. 필수 필드는 *로 표시됩니다