Introduction

This howto explains the setup of a bridged OpenVPN system in which an external laptop joins the home local network through an encrypted VPN tunnel, so that it can reach resources on the LAN/intranet and still browse the internet. This configuration suits anyone who wants to connect securely to the company office or the home network, even from insecure places such as airports, cafes, hotels, or public hot spots.

OpenVPN GUI clients are also available for Windows and Mac OS.

Requirements and notes

Broadband connection
Broadband router with port forward and DynDns support
OpenVPN server (an Ubuntu server is fine)

Home router public address: home.dyndns.org
Home router ip address: 192.168.1.1
Home vpn server: 192.168.1.251

The Setup Procedure

Start-to-finish instructions for setting up the OpenVPN system.

1) Subscribe to DynDNS or another dynamic DNS service and enable port forwarding on the router. In this case UDP port 1194 on the router is forwarded to UDP port 1194 on the OpenVPN server inside the LAN, 192.168.1.251.

2) Software required

apt-get install openvpn openssl bridge-utils 

3) OpenVPN key generation


Copy the easy-rsa scripts to the OpenVPN directory:

cp -a /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn/ 

Go to /etc/openvpn/easy-rsa/2.0/ and open the file called vars; you must edit the last five lines according to your parameters. "US" must be replaced with your country code.


export KEY_COUNTRY="US"
export KEY_PROVINCE="US"
export KEY_CITY="mycity"
export KEY_ORG="vpn"
export KEY_EMAIL="myname@myemail.org"

Then run the following commands; creating the certificate authority is very straightforward.

. ./vars
./clean-all
./build-ca


Now you need to create the server key and certificate:

./build-key-server server 


Now you need to generate the keys for the users; user1 can just as well be the user's actual username.


./build-key user1 


Generate the Diffie-Hellman parameters:


./build-dh 


Generate the static key used by tls-auth:


openvpn --genkey --secret ta.key 


Server side configuration.


Create a directory called /etc/openvpn/keys.


mkdir /etc/openvpn/keys 


Copy the keys and certificates previously generated into the server keys folder:


cp ca.crt  server.crt server.key dh1024.pem  ta.key  /etc/openvpn/keys
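The copy above preserves whatever modes the files had when they were generated, and server.key and ta.key are secrets: the first is the server's private key, the second is the shared HMAC key for tls-auth. As an added check that is not part of the original howto, the script below verifies that those two files are readable only by their owner while ca.crt, server.crt and dh1024.pem (public material) are at least not writable by anyone else. It assumes GNU coreutils (stat -c) and builds a constructed temporary directory with placeholder files for its demo; on the real server point check_keys_dir at /etc/openvpn/keys.

```shell
#!/bin/sh
# Added example, not from the original howto: check the file modes of the
# OpenVPN server keys directory. Assumes GNU coreutils "stat -c".

# Files the howto copies into /etc/openvpn/keys, split by sensitivity.
PRIVATE_FILES="server.key ta.key"
PUBLIC_FILES="ca.crt server.crt dh1024.pem"

# check_keys_dir DIR -> 0 when every file is present with an acceptable
# mode, 1 otherwise (each problem is reported on stderr).
check_keys_dir() {
  dir=$1
  rc=0
  for f in $PRIVATE_FILES $PUBLIC_FILES; do
    p="$dir/$f"
    if [ ! -f "$p" ]; then
      echo "missing: $p" >&2
      rc=1
      continue
    fi
    mode=$(stat -c %a "$p")          # e.g. 600 or 644 (octal digits)
    case " $PRIVATE_FILES " in
      *" $f "*)
        # secret material: no group/other permission bits at all
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
          echo "secret $p is mode $mode; must be 600 (or 400)" >&2
          rc=1
        fi ;;
      *)
        # public material: readable is fine, group/other-writable is not
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
          echo "public file $p is mode $mode; must not be writable by others" >&2
          rc=1
        fi ;;
    esac
  done
  return $rc
}

# fix_key_modes DIR -> tighten modes to the values check_keys_dir accepts.
fix_key_modes() {
  for f in $PRIVATE_FILES; do chmod 600 "$1/$f"; done
  for f in $PUBLIC_FILES; do chmod 644 "$1/$f"; done
}

# make_demo_dir -> create a temporary keys directory holding constructed
# placeholder files (no real key material) and print its path.
make_demo_dir() {
  d=$(mktemp -d)
  for f in $PRIVATE_FILES $PUBLIC_FILES; do
    echo "constructed placeholder for $f, not real key material" > "$d/$f"
  done
  fix_key_modes "$d"
  echo "$d"
}

# Stand-alone usage: build the demo directory, loosen ta.key, then repair it.
if [ "${1:-}" = "--demo" ]; then
  demo=$(make_demo_dir)
  chmod 644 "$demo/ta.key"
  check_keys_dir "$demo" || echo "problems found, fixing"
  fix_key_modes "$demo"
  check_keys_dir "$demo" && echo "keys directory OK"
  rm -rf "$demo"
fi
```

Run it with --demo to see the loose ta.key reported and repaired; the same two functions work unchanged on /etc/openvpn/keys.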


In /etc/openvpn/ create a file called server.conf with this configuration:

#/etc/openvpn/server.conf
local 192.168.1.251
port 1194
proto udp
dev tap0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
tls-auth /etc/openvpn/keys/ta.key 0
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.1 255.255.255.0 192.168.1.70 192.168.1.79

keepalive 10 120
push "redirect-gateway"
max-clients 5
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
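The server-bridge line hands each client an address from the pool 192.168.1.70-192.168.1.79 on the LAN itself, so the pool must lie inside the bridged subnet, must not contain the gateway, and must not overlap the range the home router's DHCP server hands out, or two machines end up with the same address. The script below is an added example, not part of the howto, that checks those conditions for a server-bridge line; the DHCP scope 192.168.1.100-192.168.1.200 is a constructed assumption, so substitute the range from your router's DHCP settings.

```shell
#!/bin/sh
# Added example, not part of the original howto: sanity-check the
# "server-bridge GATEWAY NETMASK POOL_START POOL_END" line of server.conf.

# Constructed assumption: the home router hands out DHCP leases in this
# range. The OpenVPN pool must not overlap it.
DHCP_LO="192.168.1.100"
DHCP_HI="192.168.1.200"

# ip2int A.B.C.D -> the address as an integer, so ranges can be compared.
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_bridge_pool GATEWAY NETMASK POOL_START POOL_END
# Returns 0 when the pool is usable, 1 (with the reason on stderr) otherwise.
check_bridge_pool() {
  gw=$(ip2int "$1"); mask=$(ip2int "$2")
  lo=$(ip2int "$3"); hi=$(ip2int "$4")
  net=$(( gw & mask ))
  if [ $(( lo & mask )) -ne "$net" ] || [ $(( hi & mask )) -ne "$net" ]; then
    echo "pool $3-$4 is not inside the subnet of $1/$2" >&2
    return 1
  fi
  if [ "$lo" -gt "$hi" ]; then
    echo "pool start $3 is above pool end $4" >&2
    return 1
  fi
  if [ "$gw" -ge "$lo" ] && [ "$gw" -le "$hi" ]; then
    echo "gateway $1 lies inside the pool $3-$4" >&2
    return 1
  fi
  dlo=$(ip2int "$DHCP_LO"); dhi=$(ip2int "$DHCP_HI")
  if [ "$lo" -le "$dhi" ] && [ "$hi" -ge "$dlo" ]; then
    echo "pool $3-$4 overlaps the router DHCP scope $DHCP_LO-$DHCP_HI" >&2
    return 1
  fi
  return 0
}

# check_server_bridge_line "server-bridge GW MASK START END"
# Splits one config line and hands its fields to check_bridge_pool.
check_server_bridge_line() {
  set -- $1
  if [ "$1" != "server-bridge" ] || [ $# -ne 5 ]; then
    echo "expected: server-bridge GATEWAY NETMASK POOL_START POOL_END" >&2
    return 1
  fi
  check_bridge_pool "$2" "$3" "$4" "$5"
}

# Stand-alone usage on the howto's own line.
if [ "${1:-}" = "--demo" ]; then
  check_server_bridge_line "server-bridge 192.168.1.1 255.255.255.0 192.168.1.70 192.168.1.79" \
    && echo "server-bridge pool OK"
fi
```

The checks are pure integer comparisons, so the script can be run on the admin workstation before the configuration is copied to the server.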


A bridge script is needed to combine the Ethernet interface with one or more virtual TAP interfaces by bridging them together.

In /etc/init.d/ create a file called bridge.sh:


#!/bin/bash
# /etc/init.d/bridge.sh
# Create global variables
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth1"
eth_ip="192.168.1.251"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"
# Default gateway for the bridge: the home router, not the VPN server itself
gw="192.168.1.1"
start_bridge () {
#################################
# Set up Ethernet bridge on Linux
#################################
# Create persistent TAP devices that OpenVPN will attach to later
for t in $tap; do
openvpn --mktun --dev $t
done
# Bring up the TAP and physical interfaces without addresses; the bridge gets the IP
for t in $tap; do
ifconfig $t 0.0.0.0 promisc up
done
ifconfig $eth 0.0.0.0 promisc up
brctl addbr $br
brctl addif $br $eth
for t in $tap; do
brctl addif $br $t
done
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast up
route add default gw $gw $br
}
stop_bridge () {
####################################
# Pull Down Ethernet bridge on Linux
####################################
ifconfig $br down
brctl delbr $br
for t in $tap; do
openvpn --rmtun --dev $t
done
# Give the address and default route back to the physical interface
ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast up
route add default gw $gw $eth
}
case "$1" in
start)
echo -n "Starting Bridge"
start_bridge
;;
stop)
echo -n "Stopping Bridge"
stop_bridge
;;
restart)
stop_bridge
sleep 2
start_bridge
;;
*)
echo "Usage: $0 {start|stop|restart}" >&2
exit 1
;;
esac


Make the bridge script executable and enable it at system boot. It must run before OpenVPN starts, because OpenVPN attaches to the tap0 device that the script creates.


chmod +x /etc/init.d/bridge.sh
update-rc.d bridge.sh defaults



On the client side

Install OpenVPN:


apt-get install openvpn 


Create the keys directory:

mkdir  /etc/openvpn/keys


Copy the keys and certificates from the server to the client in a secure way (preferably with scp):


scp ca.crt   user1.crt   user1.key ta.key user@laptop:/etc/openvpn/keys 


In /etc/openvpn create a file called client1.conf with this configuration. Replace mojito.homelinux.org with the public DynDNS name of your router (home.dyndns.org in the notes above), and note that tls-auth uses direction 1 here, the complement of the 0 in server.conf:

client
dev tap0
proto udp
remote mojito.homelinux.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/user1.crt
key /etc/openvpn/keys/user1.key
tls-auth /etc/openvpn/keys/ta.key 1

verb 5
ping 10
ping-restart 60
explicit-exit-notify 2
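The client and server configurations have to agree on several things that OpenVPN will not cross-check for you: the tls-auth direction must be 0 on one side and 1 on the other, proto and port must match what the server listens on, a bridged setup needs a tap device at both ends, and every key path must point where the scp step actually put the files. The script below is an added example, not part of the howto, that lints a server/client pair for these mismatches. The two embedded configurations are constructed excerpts of the ones above, and the keys directory /etc/openvpn/keys is the one the howto uses.

```shell
#!/bin/sh
# Added example, not from the original howto: lint a server.conf / client.conf
# pair for settings that must agree between the two sides.

# Constructed excerpts of the howto's configurations (only the lines the
# checks below look at).
SERVER_CONF=$(cat <<'EOF'
local 192.168.1.251
port 1194
proto udp
dev tap0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
tls-auth /etc/openvpn/keys/ta.key 0
EOF
)
CLIENT_CONF=$(cat <<'EOF'
client
dev tap0
proto udp
remote mojito.homelinux.org 1194
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/user1.crt
key /etc/openvpn/keys/user1.key
tls-auth /etc/openvpn/keys/ta.key 1
EOF
)
KEYS_DIR=/etc/openvpn/keys

# option_value CONF OPTION N -> the N-th field of the first CONF line that
# starts with OPTION (field 1 is the option name itself), or nothing.
option_value() {
  printf '%s\n' "$1" | awk -v o="$2" -v n="$3" '$1 == o { print $n; exit }'
}

# key_paths_outside DIR CONF -> paths given to ca/cert/key/tls-auth that
# do not live under DIR, one per line.
key_paths_outside() {
  printf '%s\n' "$2" | awk -v d="$1/" \
    '($1 == "ca" || $1 == "cert" || $1 == "key" || $1 == "tls-auth") && index($2, d) != 1 { print $2 }'
}

# lint_pair SERVER_CONF CLIENT_CONF KEYS_DIR -> 0 when consistent, 1 otherwise.
lint_pair() {
  rc=0
  s_dir=$(option_value "$1" tls-auth 3); c_dir=$(option_value "$2" tls-auth 3)
  case "$s_dir$c_dir" in
    01|10) ;;
    *) echo "tls-auth directions must be 0/1 (server='$s_dir', client='$c_dir')" >&2; rc=1 ;;
  esac
  s_proto=$(option_value "$1" proto 2); c_proto=$(option_value "$2" proto 2)
  if [ "$s_proto" != "$c_proto" ]; then
    echo "proto mismatch: server=$s_proto client=$c_proto" >&2; rc=1
  fi
  # a remote line without a port means OpenVPN's default, 1194
  s_port=$(option_value "$1" port 2); c_port=$(option_value "$2" remote 3)
  c_port=${c_port:-1194}
  if [ "$s_port" != "$c_port" ]; then
    echo "port mismatch: server listens on $s_port, client connects to $c_port" >&2; rc=1
  fi
  # device type is the name without its trailing digits: tap0 -> tap
  s_dev=$(option_value "$1" dev 2); c_dev=$(option_value "$2" dev 2)
  if [ "${s_dev%%[0-9]*}" != "${c_dev%%[0-9]*}" ]; then
    echo "dev mismatch: server=$s_dev client=$c_dev (bridging needs tap on both)" >&2; rc=1
  fi
  for p in $(key_paths_outside "$3" "$1") $(key_paths_outside "$3" "$2"); do
    echo "key file $p is outside $3; the scp step does not put it there" >&2; rc=1
  done
  return $rc
}

if [ "${1:-}" = "--demo" ]; then
  lint_pair "$SERVER_CONF" "$CLIENT_CONF" "$KEYS_DIR" && echo "configurations agree"
fi
```

To lint real files, replace the two embedded excerpts with "$(cat /etc/openvpn/server.conf)" and "$(cat client1.conf)"; every reported line is a setting on which the handshake would fail or the key file would not be found.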


Starting the VPN on the laptop

As root type:

openvpn --config /etc/openvpn/client1.conf



On the laptop a virtual interface called tap0 will acquire a local IP address of your local area network; this grants access to the home/office resources through an encrypted tunnel.