User Tools

Site Tools


public:openvpn_network_bridge_with_static_key_encryption

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
public:openvpn_network_bridge_with_static_key_encryption [2016/02/11 02:21] – [Client-side configuration] fangfufupublic:openvpn_network_bridge_with_static_key_encryption [2018/03/31 00:38] (current) – external edit 127.0.0.1
Line 1: Line 1:
 +====== OpenVPN Network Bridge with Static Key Authentication ======
 +OpenVPN has two authentication modes, one based on SSL/TLS security using RSA certificates and keys, the other using a pre-shared static key [(OpenVPN Security Review -> https://openvpn.net/index.php/open-source/documentation/security-overview.html)]. 
  
 +A certain country's firewall tends to interrupt vanilla OpenVPN's connection if it is operated in TLS mode. I am not entirely sure how this is done, there are a lot of speculations on how it is done [(Schneier on Security: China Now Blocking Encryption -> https://www.schneier.com/blog/archives/2012/12/china_now_block.html)]. In short, rumour says the firewall is powerful enough to detect OpenVPN's key exchange signature through DPI. There are also a lot of fixes [(OpenVPN Forum: Patch: Fix for Iran and China users -> https://forums.openvpn.net/topic12605.html)][(Github: openvpn_xorpatch -> https://github.com/clayface/openvpn_xorpatch)], however they require applying patches and compilation, they are not exactly simple. 
 +
 +The Chinese firewall doesn't seem to interrupt OpenVPN when it is operated in static-key mode. However the basic static key configuration tutorial only tells you how to do a point-to-point link [(OpenVPN: Static Key Mini-HOWTO -> https://openvpn.net/index.php/open-source/documentation/miscellaneous/static-key-mini-howto.html)]. 
 +
 +In this article, we explore how to create an OpenVPN network bridge to link all your VPN clients together, using static key authentication. 
 +===== Overview =====
 +On the server, one OpenVPN instance is run for each client connecting to the server. The OpenVPN instances on the server are linked together using a network bridge created via bridge-utils [(Debian Wiki: Bridge Network Connections -> https://wiki.debian.org/BridgeNetworkConnections)]. (In contrast, only one OpenVPN instance is required on the server in the official tutorial [(OpenVPN: HOWTO : https://openvpn.net/index.php/open-source/documentation/howto.html)]). 
 +
 +In our setup, TAP devices are required, as we are forwarding Ethernet frames between them. TAP devices operate at the link layer, while TUN devices operate at the network layer [(Wikipedia: Internet Protocol -> https://en.wikipedia.org/wiki/Internet_protocol_suite#Layer_names_and_number_of_layers_in_the_literature)].
 +
 +Compared to the official tutorial, we also set IP address for each client in the client configuration. The server does not assign IP address for each client. 
 +
 +We are effectively configuring OpenVPN to send traffic to a broadcast address. However in my experience, the kernel's network bridge driver seems to take care of everything automatically. I am not sure if there is performance penalty with this configuration, however I find the performance acceptable. The data transfer rate seems to be limited only by the bandwidth between your client and the server. 
 +
 +===== Server-side configuration =====
 +
 +==== Creating the network bridge ====
 +We create ''/etc/network/interfaces.d/br0'' with the following content:
 +<code>
 +auto br0
 +iface br0 inet static
 +        address 192.168.4.1
 +        netmask 255.255.255.0
 +        pre-up /sbin/brctl addbr br0
 +        post-down /sbin/brctl delbr br0
 +
 +</code>
 +==== OpenVPN instance configuration ====
 +For each client instance, we need to create a corresponding server instance. The following content can be used as a template: 
 +<code>
 +dev tap1
 +proto udp
 +port 12345
 +secret home.key
 +ifconfig 192.168.4.1 255.255.255.0
 +user nobody
 +group nogroup
 +persist-key
 +persist-tun
 +comp-lzo
 +comp-noadapt
 +keepalive 2 10
 +ping-timer-rem
 +cipher AES-256-CBC
 +up "/etc/openvpn/tap-pre-up.sh tap1"
 +down "/etc/openvpn/tap-post-down.sh tap1"
 +script-security 2
 +mtu-test
 +</code>
 +Note that you need to specifically name the tap device - you can't just use ''tap'', you have to use ''tap0'', ''tap1'' and etc. You also need to set a new port for each instance - each OpenVPN instance needs an exclusive port. 
 +==== Up-script ====
 +The up-script adds the TAP interface into the network bridge. We create ''/etc/openvpn'' with the following content:
 +<code>
 +#!/bin/bash
 +brctl addif br0 $1
 +</code>
 +==== Down-script ====
 +The down-script destroys the TAP interface after OpenVPN shuts down. This enables OpenVPN to restart correctly. OpenVPN does not destroy the TAP device automatically, as it is still on the network bridge. We create ''/etc/openvpn/tap-post-down.sh'' with the following content: 
 +<code>
 +#!/bin/bash
 +tunctl -d $1
 +</code>
 +===== Client-side configuration =====
 +We can have the following in the client configuration: 
 +<code>
 +remote your.hostname.com 12345
 +nobind
 +dev tap
 +proto udp
 +secret secret.key
 +ifconfig 192.168.4.120 255.255.255.0
 +user nobody
 +group nogroup
 +persist-key
 +persist-tun
 +comp-lzo
 +comp-noadapt
 +verb 4
 +cipher AES-256-CBC
 +mtu-test
 +</code>