public:openvpn_network_bridge_with_static_key_encryption [2016/02/10 13:19] – fangfufu | public:openvpn_network_bridge_with_static_key_encryption [2018/03/31 00:38] (current) – external edit 127.0.0.1
====== OpenVPN Network Bridge with Static Key Authentication ======
OpenVPN has two authentication modes, one based on SSL/TLS security using RSA certificates and keys, the other using a pre-shared static key [(OpenVPN Security Review -> https://
A certain country'

The Chinese firewall doesn'

In this article, we explore how to create an OpenVPN network bridge to link all your VPN clients together, using static key authentication.
===== Overview =====
On the server, one OpenVPN instance is run for each client connecting to the server. The OpenVPN instances on the server are linked together using a network bridge created via bridge-utils [(Debian Wiki: Bridge Network Connections -> https://

In our setup, TAP devices are required, as we are forwarding Ethernet frames between them. TAP devices operate at the link layer, while TUN devices operate at the network layer [(Wikipedia:

Compared to the official tutorial, we also set the IP address for each client in the client configuration. The server does not assign an IP address to each client.

We are effectively configuring OpenVPN to send traffic to a broadcast address. However, in my experience, the kernel'
===== Server-side configuration =====

==== Creating the network bridge ====
We create ''/
<code>
auto br0
iface br0 inet static
    address 192.168.4.1
    netmask 255.255.255.0
    pre-up /sbin/brctl addbr br0
    post-down /sbin/brctl delbr br0
</code>
==== OpenVPN instance configuration ====
For each client instance, we need to create a corresponding server instance. The following content can be used as a template:
<code>
dev tap1
proto udp
port 12345
secret home.key
ifconfig 192.168.4.1 255.255.255.0
user nobody
group nogroup
persist-key
persist-tun
comp-lzo
comp-noadapt
keepalive 2 10
ping-timer-rem
cipher AES-256-CBC
up "/
down "/
script-security 2
mtu-test
</code>
Note that you need to specifically name the tap device - you can't just use ''
==== Up-script ====
The up-script adds the TAP interface into the network bridge. We create ''/
<code>
#!/bin/bash
# OpenVPN passes the name of the TAP device as the first argument
brctl addif br0 "$1"
</code>
==== Down-script ====
The down-script destroys the TAP interface after OpenVPN shuts down. This enables OpenVPN to restart correctly. OpenVPN does not destroy the TAP device automatically,
<code>
#!/bin/bash
# OpenVPN passes the name of the TAP device as the first argument
tunctl -d "$1"
</code>
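Since every client needs its own server instance, the per-client configs are easiest to stamp out from the template. The script below is an added example, not part of the original page: it writes one instance configuration per client and creates a separate static key for each; the directory /etc/openvpn, the client<N>.key / client<N>.conf names, the tap<N> and 12344+N port scheme, and the up.sh / down.sh script names are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): stamp out one server-side OpenVPN
# instance per client from the template above; paths and ports are assumptions.
set -eu
OVPN_DIR="${OVPN_DIR:-/etc/openvpn}"
BASE_PORT=12344   # instance 1 then listens on 12345, as in the template
# Print the server instance configuration for client number $1. The tap
# device is named explicitly so the up-script knows what to add to br0.
gen_instance_conf() {
    n="$1"
    cat <<EOF
dev tap${n}
proto udp
port $((BASE_PORT + n))
secret ${OVPN_DIR}/client${n}.key
ifconfig 192.168.4.1 255.255.255.0
user nobody
group nogroup
persist-key
persist-tun
comp-lzo
comp-noadapt
keepalive 2 10
ping-timer-rem
cipher AES-256-CBC
up "${OVPN_DIR}/up.sh"
down "${OVPN_DIR}/down.sh"
script-security 2
mtu-test
EOF
}
# Create a separate static key for client $1 unless it exists. A per-client
# key limits a leak to that client's instance; keep it readable by root only.
gen_client_key() {
    keyfile="${OVPN_DIR}/client$1.key"
    if [ ! -f "$keyfile" ]; then
        openvpn --genkey --secret "$keyfile"
        chmod 600 "$keyfile"
    fi
}
# Usage: sh gen-instances.sh <number-of-clients>
if [ -n "${1:-}" ]; then
    i=1
    while [ "$i" -le "$1" ]; do
        gen_client_key "$i"
        gen_instance_conf "$i" > "${OVPN_DIR}/client${i}.conf"
        i=$((i + 1))
    done
fi
```

Each generated client<N>.conf is started as its own OpenVPN instance; the matching client<N>.key is the file the corresponding client references with its ''secret'' directive.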
===== Client-side configuration =====
We can have the following in the client configuration:
<code>
remote your.hostname.com 12345
nobind
dev tap
proto udp
secret secret.key
ifconfig 192.168.4.120 255.255.255.0
user nobody
group nogroup
persist-key
persist-tun
comp-lzo
comp-noadapt
verb 4
cipher AES-256-CBC
mtu-test
</code>
public/openvpn_network_bridge_with_static_key_encryption.txt · Last modified: 2018/03/31 00:38 by 127.0.0.1