OPENVPN – 3 – BRIDGED VPN – STATIC KEY – CLIENT 2 SITE
#######################################################

SIMPLEST BRIDGED OPENVPN CONFIG - WITH STATIC KEY
###################################################

CITATION: http://wiki.openwrt.org/doc/howto/vpn.server.openvpn.tap

Overview of the steps:

First generate a key.
Then write the openvpn bridge script (start it, and you might as well have it start once per boot).
Then write the openvpn server config and start the openvpn server.
Then copy the key to the client and repeat the config step there.
Then start the server openvpn.
Then start the client openvpn.
Both should start without problems, although you still can't access anything: you must now add an IP address to the client in the same subnet as the server, and make sure it is unused.

NOTE: At the firewall of the network where the server (the one being the OpenVPN server) sits, there is a UDP port forward of port 50006 from the internet-facing interface to port 50006 UDP on the server. The only firewall config I needed at the client was a port forward to reach SSH on the client, but that's optional; it's just so I have access to the Linux shell from anywhere. The main requirement at the client network is allowing outbound traffic, which is the typical firewall default (allow all outbound traffic).

INSTALLATION
#################

ON SERVER:

apt-get install bridge-utils
apt-get install openvpn
apt-get install openssl

ON CLIENT:

apt-get install openvpn
apt-get install openssl

GENERATE KEY
################

openvpn --genkey --secret /etc/openvpn/openvpn.key

TX KEY TO CLIENT:

cat openvpn.key | ssh -p 50005 www.client.com "cat - > /etc/openvpn/openvpn.key"

The destination must be /etc/openvpn/openvpn.key, the same path the client config below points at. The static key is the whole shared secret: keep it readable by root only (mode 600, which --genkey sets on the server) on both ends.

SIMPLE OPENVPN BRIDGE
########################

touch /etc/openvpn/openvpnbridge.sh; chmod +x /etc/openvpn/openvpnbridge.sh

#!/bin/bash
# /etc/openvpn/openvpnbridge.sh
# Taken from http://openvpn.net/bridge.html
# load the tun module by name (insmod needs a full path to the .ko; modprobe resolves it)
modprobe tun
br="br0"
tap="tap0"

# create the persistent tap device(s)
for t in $tap; do
    openvpn --mktun --dev $t
done

# add each tap to the bridge
for t in $tap; do
    brctl addif $br $t
done

# bring the taps up without an address, in promiscuous mode
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

Note: this script only adds tap0 to an existing bridge br0. The bridge itself, with eth0 as a member, must already exist (for example defined in /etc/network/interfaces); otherwise brctl addif fails.

OTHER BRIDGE START AND STOP FROM PREVIOUS EXAMPLE WORK, BUT ABOVE LOOKS MORE APPEALING
#########################################################################################

Why isn't the other one as good? That bridge start/stop script enables the bridge and tap and moves the IP of eth0 onto the bridge, whereas with the script above the IP stays on eth0. Either way works, because they are all on the same leg (and all promiscuous), so it doesn't matter; and the method above doesn't need a stop script.

OTHER START BRIDGE
======================

At the very bottom/end, in the OTHER/EXTRA notes section.

OTHER STOP BRIDGE
====================

At the very bottom/end, in the OTHER/EXTRA notes section.

SIMPLE SERVER /etc/openvpn/openvpn.conf
#########################################

port 50006
proto udp
dev tap0
keepalive 10 120
;comp-lzo
;persist-key
;persist-tun
status openvpn-status.log
verb 3
secret /etc/openvpn/openvpn.key

SIMPLE CLIENT /etc/openvpn/openvpn.conf
###########################################

dev tap0
proto udp
remote www.server.com 50006
resolv-retry infinite
nobind
;persist-key
;persist-tun
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
mute-replay-warnings
secret /etc/openvpn/openvpn.key
;comp-lzo
verb 3

START ON SERVER
###################

service openvpn start

It starts with no problem if you followed the methods above.

START ON CLIENT
##################

service openvpn start

EXTRA NEEDED THINGS - GET AN IP TO THE CLIENT IN THE SUBNET
==============================================================

Both openvpns, at the server and at the client, should start with no problem, although you still can't access anything: you must now add an IP address to the client in the same subnet as the server, and make sure it is unused:

ifconfig tap0 172.18.10.160 netmask 255.255.0.0 broadcast 172.18.255.255

OTHER EXTRA NOTES SECTION
##################################

IMPORTANT SIDE NOTE:

* Note it worked for me, and I used the bridge from below because I was too lazy to switch over to the better/simpler bridge script above. I didn't have to use any firewall iptables rules (because I already have an all-open network :-) ).

WHAT FILES DID I HAVE IN THE END AT THE SERVER
================================================

If you followed the instructions with the bridge config from above you should have:

/etc/openvpn/openvpnbridge.sh <- even though I didn't test this yet, I know this works, as the site is credible and users post great things in the comments (what site?
the one in the citation above)
/etc/openvpn/openvpn.key
/etc/openvpn/openvpn.conf

If you followed the same instructions but used the bridge below (in the OTHER EXTRA NOTES section) instead, which is actually what I ended up doing while writing this article:

/etc/openvpn/openvpnbridge.sh
/etc/openvpn/openvpn.key
/etc/openvpn/openvpn.conf

WHAT FILES DID I HAVE IN THE END AT THE CLIENT
================================================

/etc/openvpn/openvpn.key <-- this is the same as the file at the server
/etc/openvpn/openvpn.conf

HOW TO START SERVER WITH BOOT
=================================

#!/bin/sh
# /etc/init.d/S46openvpn <-- make this file with this in it
/etc/openvpn/openvpnbridge.sh
openvpn /etc/openvpn/openvpn.conf &

OR, if S##openvpn already exists, then find the append_param() function and add into it:

/etc/openvpn/openvpnbridge.sh

ANOTHER WAY TO START CONFIGS
================================

Name them other names and launch like this:

openvpn [config filename here]

ANOTHER BRIDGE AND SOME OTHER THINGS TO CONSIDER
====================================================

cd /etc/openvpn
touch start.sh; chmod +x start.sh;
touch stop.sh; chmod +x stop.sh;

MY /etc/openvpn/start.sh
---------------------------

#!/bin/bash
br="br0"      # Define Bridge Interface
tap="tap0"    # Define list of TAP, example: tap="tap0 tap1 tap2"
eth="eth0"
# * CHANGE FROM HERE DOWN
eth_ip="172.18.10.21"
eth_netmask="255.255.0.0"
eth_broadcast="172.18.255.255"
eth_gw="172.18.10.2"
# * CHANGE FROM HERE UP AND NOTHING BELOW

# create the persistent tap device(s)
for t in $tap; do
    openvpn --mktun --dev $t
done

# create the bridge and put the physical NIC in it
brctl addbr $br
brctl addif $br $eth

# put each tap in the bridge
for t in $tap; do
    brctl addif $br $t
done

# taps up, no address, promiscuous
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

# move the IP and default route from eth0 to the bridge
ifconfig $eth 0.0.0.0 promisc up
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
route add default gw $eth_gw $br

echo "* Bridge STARTED `date`" >> /var/log/syslog

MY /etc/openvpn/stop.sh
-----------------------------

#!/bin/bash
br="br0"
tap="tap0"
# * CHANGE FROM HERE DOWN
eth="eth0"
eth_ip="172.18.10.21"
eth_netmask="255.255.0.0"
eth_broadcast="172.18.255.255"
eth_gw="172.18.10.2"
# * CHANGE FROM HERE UP AND NOTHING BELOW

# tear down the bridge
ifconfig $br down
brctl delbr $br

# remove the persistent tap device(s)
for t in $tap; do
    openvpn --rmtun --dev $t
done

# give the IP and default route back to the physical NIC
ifconfig $eth -promisc
ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast
route add default gw $eth_gw $eth

echo "* Bridge STOPPED `date`" >> /var/log/syslog

TEST THE BRIDGE
-----------------------

The bridge should start cleanly and you should be able to start a ping; you might get disconnected for a second:

./start.sh; ping 8.8.8.8
./stop.sh; ping 8.8.8.8

You should be able to do the above all day long. Note it's okay if there is a delay between starting the bridge with start.sh and the pings coming through; sometimes it took me 10 seconds, and sometimes it's instant.

Note when you start the bridge on the server your ifconfig should look like this:

./start.sh
ifconfig

And when you stop the bridge on the server your ifconfig should look like this:

./stop.sh
ifconfig

OUTPUT:

br0       Link encap:Ethernet  HWaddr 00:50:56:aa:cc:44
          inet addr:172.18.10.21  Bcast:172.18.10.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feaa:cc44/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:226268724 errors:0 dropped:40 overruns:0 frame:0
          TX packets:72419607 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:128122219579 (119.3 GiB)  TX bytes:38122071147 (35.5 GiB)

eth0      Link encap:Ethernet  HWaddr 00:50:56:aa:cc:44
          inet6 addr: fe80::250:56ff:feaa:cc44/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:4785785867 errors:0 dropped:624 overruns:0 frame:0
          TX packets:911487819 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3251376854369 (2.9 TiB)  TX bytes:967950374803 (901.4 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0
          frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:408 (408.0 B)  TX bytes:408 (408.0 B)

tap0      Link encap:Ethernet  HWaddr a6:0a:c1:be:20:e5
          inet6 addr: fe80::a40a:c1ff:febe:20e5/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:14557 errors:0 dropped:0 overruns:0 frame:0
          TX packets:69436125 errors:0 dropped:140650466 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1047354 (1022.8 KiB)  TX bytes:32999262636 (30.7 GiB)

Before continuing, start the bridge:

./start.sh
ifconfig

OUTPUT:

eth0      Link encap:Ethernet  HWaddr 00:50:56:aa:cc:44
          inet addr:172.18.10.21  Bcast:172.18.10.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feaa:cc44/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4786738468 errors:0 dropped:624 overruns:0 frame:0
          TX packets:911566372 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3251996200507 (2.9 TiB)  TX bytes:967991077500 (901.5 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:408 (408.0 B)  TX bytes:408 (408.0 B)

OTHER CONFIGS:
==============

1. If your server is on an ESXi server, make sure to allow that NIC to have promiscuous mode enabled; for more on that, look below.

If you are setting up the server as a virtual machine in an ESXi server, there is a nasty little gotcha in the network card settings that needs to be changed. The setting is in the VMware ESX Management Client, under Networking / Properties / choose the VLAN your server is using / Edit / Security / Promiscuous Mode: check the box and choose Enable. Otherwise the bridge won't work, because ESX prevents the NIC from going into promiscuous mode.
vSphere 5.0 -> Home -> Inventory -> Hosts and Clusters -> select HOST 172.18.10.200 -> Configuration tab -> Networking -> select Properties for the vSwitch that has your machine (VSWITCH2, physical adapter vmnic4) -> from the list select the vSwitch and hit Edit (notice there are 2 entries: a vSwitch, which has a summary in the tree of "120 Ports", and a Network "Core Lab Network"; editing the vSwitch affects the Network called "Core Lab Network", which has the summary in the tree of "Virtual Machine Port Group") -> Security tab -> Promiscuous Mode -> change from Reject to Accept (there shouldn't be a checkbox you have to check to change this, unless you selected the Network/"Virtual Machine Port Group" instead of the correct selection, which is the vSwitch).

2. If you have firewall rules set up with iptables other than allow-all, then allow the correct packets to pass through.

Note with no iptables rules, or just the default allow-all, everything should work:

iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

But if you have more rigorous security, make sure you run these commands to allow br0 and tap0 to communicate:

iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT

Keep in mind these rules accept everything arriving on tap0 and br0, so the remote client gets the same layer-2 access to the LAN as a local machine; that is the point of a bridged VPN, but tighten them if the client should only reach specific hosts.

I don't think ip_forward applies here (the bridge works at layer 2), but it might help, so while troubleshooting you can set it:

echo 1 > /proc/sys/net/ipv4/ip_forward

For me it worked both with it on ("echo 1") and off ("echo 0").
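A pre-flight check for the steps above (the key copy to the client, the key's permissions, and the bridge membership you verify in TEST THE BRIDGE), added here as an example; it is not from the original page or the OpenWrt wiki. It assumes GNU coreutils (stat -c, sha256sum) and the Linux sysfs layout /sys/class/net/<bridge>/brif/; the SYSFS_NET variable and the function names are my own.

```shell
#!/bin/sh
# Pre-flight checks for the static-key bridged setup (constructed example,
# not from the original page). Assumes GNU stat/sha256sum and Linux sysfs.

# 0 if the file carries the OpenVPN V1 static key header and footer
# (catches an empty or mis-named copy on the client).
key_format_ok() {
    [ -f "$1" ] || return 1
    grep -q 'BEGIN OpenVPN Static key V1' "$1" || return 1
    grep -q 'END OpenVPN Static key V1' "$1"
}

# 0 if the key is readable by its owner only (0600 or 0400).
# The static key is the whole secret: whoever reads it can join the LAN.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print a SHA-256 fingerprint; run on server and client and compare.
key_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# 0 if every interface named after the bridge is enslaved to it.
# SYSFS_NET can point at a fake tree for testing (assumed helper variable).
bridge_has_members() {
    br="$1"; shift
    for ifc in "$@"; do
        [ -e "${SYSFS_NET:-/sys/class/net}/$br/brif/$ifc" ] || return 1
    done
    return 0
}

# Run all checks; prints one line per finding, returns non-zero on failure.
preflight() {
    key="$1"; br="$2"; shift 2
    rc=0
    key_format_ok "$key" || { echo "FAIL: $key is not an OpenVPN static key"; rc=1; }
    key_perms_ok "$key"  || { echo "FAIL: $key is group/world readable"; rc=1; }
    bridge_has_members "$br" "$@" || { echo "FAIL: $br is missing one of: $*"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK, key fingerprint: $(key_fingerprint "$key")"
    return $rc
}

# On the server from this page: preflight /etc/openvpn/openvpn.key br0 eth0 tap0
# On the client (no bridge):      key_format_ok /etc/openvpn/openvpn.key && key_fingerprint /etc/openvpn/openvpn.key
```

Compare the fingerprint printed on the server with the one on the client; a mismatch means the copy step put the wrong bytes (or the wrong file) in /etc/openvpn/openvpn.key.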