Open-VPN Ethernet Bridging HowTo

Virtual Private Network

Yves-Gwenael Bourhis <[email protected]>, Mandriva SA, Paris
(C) 2006 Yves-Gwenael Bourhis -- Distribute freely without change -- leave Copyright Note intact


References : OpenVPN Ethernet Bridging with the use of this script,
OpenVPN 2 HOWTO français (in French).


OpenVPN Ethernet Bridging:
urpmi openvpn bridge-utils
cd /etc/openvpn/
cp /usr/share/openvpn/sample-scripts/bridge-* .
Or, if you built your own rpm (see Build your own rpm from the tarball):
cp /usr/share/doc/openvpn-2.1_beta14/sample-scripts/bridge-* .

Then edit /etc/openvpn/bridge-start and /etc/openvpn/bridge-stop,
and set the br, tap, eth, eth_ip, eth_netmask and eth_broadcast parameters according to the physical Ethernet interface you would like to bridge.
Make sure to use an interface which is private and which is connected to a LAN that is protected from the Internet by a firewall.
You can use the Linux ifconfig command to get the information about your network interfaces needed to fill in the /etc/openvpn/bridge-start parameters.

NOTE: Sometimes /etc/openvpn/bridge-start runs too quickly and br0 gets no IP. If this happens, use this file instead and redo the above modifications.

Then, edit /etc/openvpn/server.conf and comment this line:
;server 10.8.0.0 255.255.255.0
And uncomment this one:
server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
Change the above IPs: replace 10.8.0.4 with the eth (LAN side) IP of the VPN server. In the above example, 10.8.0.50 and 10.8.0.100 delimit the IP range within which the clients will get their IP; modify them so that they are IPs from the LAN side.
Now, comment out:
;dev tun
and uncomment:
dev tap
and then modify dev tap to state explicitly which device you are using:
dev tap0
(or tap1, whatever you use)
Save the /etc/openvpn/server.conf file.

Create the following links:
ln -s /etc/openvpn/bridge-start /etc/openvpn/openvpn-startup
ln -s /etc/openvpn/bridge-stop /etc/openvpn/openvpn-shutdown

Start the server:
service openvpn start
Always launch it with the above command. It runs the /etc/init.d/openvpn script, which looks for the openvpn-startup and openvpn-shutdown scripts in /etc/openvpn and runs them in the correct order when starting and stopping the VPN.

The clients will need to be configured as described here: Client (PC2) Configuration, except that you will have to modify /etc/openvpn/client.conf by commenting:
;dev tun
And uncommenting:
dev tap

Then, if the OpenVPN bridge is the only bridge configured on the server, run this command:
chkconfig bridge off


Shorewall Configuration:
If you have shorewall installed and running, you need to allow connections through the bridge.
References: Official Shorewall Bridging Howto

First, declare you are going to use bridging. Edit /etc/shorewall/shorewall.conf and set BRIDGING=Yes:
#
# BRIDGING
#
# If you wish to control traffic through a bridge (see http://bridge.sf.net),
# then set BRIDGING=Yes. Your kernel must have the physdev match option
# enabled; that option is available at the above URL for 2.4 kernels and
# is included as a standard part of the 2.6 series kernels. If not
# specified or specified as empty (BRIDGING="") then "No" is assumed.
#

BRIDGING=Yes

Declare the VPN zone in /etc/shorewall/zones as follows if you have shorewall 2.x.x:
#ZONE           DISPLAY           COMMENTS
vpn             VPN               Remote subnet
Or as follows in /etc/shorewall/zones if you have shorewall 3.x.x:
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
vpn     ipv4

In /etc/shorewall/interfaces add the br0 interface and remove eth0 (the LAN interface you are bridging with the VPN; it can be eth1 or whatever you are using):
#ZONE      INTERFACE        BROADCAST     OPTIONS
-        br0

Edit /etc/shorewall/hosts as follows:
#ZONE           HOST(S)                         OPTIONS
lan     br0:eth0
vpn     br0:tap0

and define the following in /etc/shorewall/tunnels:
# TYPE                  ZONE    GATEWAY         GATEWAY
#                                               ZONE
generic:udp:1194        net     0.0.0.0/0       vpn
You can also do the following:
# TYPE                  ZONE    GATEWAY         GATEWAY
#                                               ZONE
openvpn        net     0.0.0.0/0       vpn
But I prefer the generic:udp:1194 syntax because, as you can see in /etc/openvpn/server.conf or /etc/openvpn/client.conf, you can easily define any port and protocol (udp or tcp).
With the generic:udp:1194 syntax you easily reflect the server configuration; the openvpn syntax is only for the standard OpenVPN protocol on udp port 1194.
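As an added check (example code, not from this HOWTO nor from the OpenVPN or Shorewall projects) tying together the server.conf edits above and the tunnels syntax just discussed: it parses a constructed server.conf, verifies that the bridged-server settings are consistent (no active server line, an explicit tap device, a gateway and client pool inside the LAN subnet), and derives the matching generic:<proto>:<port> tunnels entry from the server's own port and proto. The sample config and the function names are my own assumptions.

```python
import ipaddress

# Constructed sample of /etc/openvpn/server.conf after the edits in this HOWTO
# (not a file from the page or from the OpenVPN project).
SAMPLE_SERVER_CONF = """\
port 1194
proto udp
;dev tun
dev tap0
;server 10.8.0.0 255.255.255.0
server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
"""

def parse_server_conf(text):
    """Return the active (uncommented) directives as {name: [args]}."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue  # OpenVPN ignores blank lines and ';' or '#' comments
        name, *args = line.split()
        conf[name] = args
    return conf

def check_bridge_config(conf):
    """List problems with the bridged-server settings; an empty list means OK."""
    problems = []
    if "server" in conf:
        problems.append("'server' is still active; comment it out for bridging")
    dev = conf.get("dev", [""])[0]
    if not (dev.startswith("tap") and len(dev) > len("tap")):
        problems.append("dev must name an explicit tap device such as tap0")
    args = conf.get("server-bridge", [])
    if len(args) != 4:
        problems.append("server-bridge needs: gateway netmask pool-start pool-end")
        return problems
    gw, mask, start, end = args
    lan = ipaddress.IPv4Network(f"{gw}/{mask}", strict=False)  # LAN subnet
    checks = (("gateway", gw), ("pool-start", start), ("pool-end", end))
    for name, ip in checks:
        if ipaddress.IPv4Address(ip) not in lan:
            problems.append(f"{name} {ip} is outside the LAN subnet {lan}")
    return problems

def shorewall_tunnel_entry(conf):
    """Derive the /etc/shorewall/tunnels line (generic:<proto>:<port>) from server.conf."""
    proto = conf.get("proto", ["udp"])[0].split("-")[0]  # e.g. tcp-server -> tcp
    port = conf.get("port", ["1194"])[0]  # OpenVPN defaults: udp, port 1194
    return f"generic:{proto}:{port}\tnet\t0.0.0.0/0\tvpn"
```

Run check_bridge_config on your own server.conf before service openvpn start; a client pool outside the LAN subnet is the usual reason bridged clients come up without working LAN access.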


Now edit /etc/shorewall/policy and add policies as follows:
#SOURCE        DEST          POLICY          LOG LEVEL
loc            vpn           ACCEPT
vpn            loc           ACCEPT

Now, restart Shorewall:
service shorewall restart

The stand-alone clients need to be configured normally as described here: Configure Shorewall
