Site-to-Site Layer 2 Bridging Using OpenVPN Access Server and a Linux Gateway Client

Server Installation

OpenVPN 2.1
Though OpenVPN's security features make this unlikely, it is provided as a second line of defense. It appears not to be necessary, and it interfered with the ability to uninstall and reinstall the driver without needing to reboot. Now try to establish your VPN. First, install openvpn on the client: For TAP devices, which provide the ability to create virtual ethernet segments, --ifconfig is used to set an IP address and subnet mask, just as a physical ethernet adapter would be configured. The script should examine the username and password, returning a success exit code of 0 if the client's authentication request is to be accepted, or a failure code of 1 to reject the client. Passwords will be filtered.



Make sure you do not mistakenly note the interface you use to connect to the Internet, or else you WILL lose connectivity! Note this interface name down for the next step. For example, if you determined that the private interface is called eth2, change eth1 to eth2. Also, change the IP address and subnet mask to a static IP you want to assign to the bridge; this IP address and subnet should be one that is located on the remote site you are trying to bridge.

Save the file and exit the text editor. At the top of the file, add the following lines to the profile: If the bridging is successful, the br0 interface should be configured with the IP address you set earlier in the bridge-up.

In order to complete this setup, all of the following requirements must be met: You have two sites, each one connected to the Internet. The site hosting the Access Server must be accessible from the Internet, or have its required ports forwarded to it from the Internet. Client and server must use the same protocol and port, for example the same UDP port (see the port and proto config options).

Client and server must use the same configuration regarding compression (see the comp-lzo config option). Client and server must use the same configuration regarding bridged vs. routed mode (see the server vs. server-bridge config options). The above is a very simple working VPN. The client can access services on the VPN server machine through an encrypted tunnel.

If you want to reach more servers or anything in other networks, push some routes to the clients. But you will also have to change the routing for the way back: your servers need to know a route to the VPN client network. Or you might push a default gateway to all the clients to send all their Internet traffic to the VPN gateway first, and from there via the company firewall into the Internet.

This section shows you some possible options. Push routes to the client to allow it to reach other private subnets behind the server. Remember that these private subnets will also need to know to route the OpenVPN client address pool The server will take Each client will be able to reach the server on Comment this line out if you are ethernet bridging. Maintain a record of client to virtual IP address associations in this file. If OpenVPN goes down or is restarted, reconnecting clients can be assigned the same virtual IP address from the pool that was previously assigned.

The keepalive directive causes ping-like messages to be sent back and forth over the link so that each side knows when the other side has gone down.

Ping every 1 second, and assume that the remote peer is down if no ping is received during a 3-second time period. To use this authentication method, first add the auth-user-pass directive to the client configuration.

Useful if you have centralized authentication with e.g. Please read the OpenVPN hardening security guide for further security advice. In a bridged VPN all layer-2 frames, e.g.

Before you set up OpenVPN in bridged mode you need to change your interface configuration. Let's assume your server has an interface eth0 connected to the Internet and an interface eth1 connected to the LAN you want to bridge.

This straightforward interface config needs to be changed into a bridged mode, where the config of interface eth1 moves to the new br0 interface. We also configure br0 to bridge interface eth1. We also need to make sure that interface eth1 is always in promiscuous mode; this tells the interface to forward all ethernet frames to the IP stack. At this point you need to bring up the bridge. Be prepared that this might not work as expected and that you may lose remote connectivity.

Make sure you can solve problems with local access. Next, create a helper script to add the tap interface to the bridge and to ensure that eth1 is in promiscuous mode. After configuring the server, restart openvpn by entering: In a terminal on the client machine enter: It can also manage your VPN connections.

Make sure you have the package network-manager-openvpn installed. Here you see that the installation installs all other required packages as well: To inform network-manager about the newly installed packages you will have to restart it: Use the advanced button to enable compression, e.g. Now try to establish your VPN.

OpenVPN command-line arguments on Ubuntu: