OpenVPN setup HowTo: allow an external laptop to connect to your home network
Introduction
This howto explains the setup of a bridged OpenVPN system, where an external laptop is able to join a home local network (through a VPN-encrypted tunnel) in order to access resources on the LAN/intranet and still be able to browse the internet. This particular configuration is suitable for anyone who wants to connect to the company office or to the home network in a secure way even from insecure places such as airports, cafes, hotels, or public hot spots.
OpenVPN GUI clients are also available for Windows and Mac OS.
Requirements and notes
Broadband connection
Broadband router with port forward and DynDns support
Open vpn server (Ubuntu server is ok)
Home router public address: home.dyndns.org
Home router ip address: 192.168.1.1
Home vpn server: 192.168.1.251
The Setup Procedure
Start-to-finish instructions on how to set up the OpenVPN system.
1) Subscribe to DynDNS or another dynamic DNS service and enable port forwarding on the router. In this case port 1194 UDP on the router is forwarded to port 1194 UDP on the OpenVPN server inside the LAN, 192.168.1.251.
2) Software required
apt-get install openvpn openssl bridge-utils
3) OpenVPN key generation
Copy the easy-rsa scripts to the OpenVPN directory:
cp -a /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn/
Go to /etc/openvpn/easy-rsa/2.0/ and open the file called vars; you must edit the last five lines according to your parameters. "US" must be replaced with your country code.
export KEY_COUNTRY="US"
export KEY_PROVINCE="US"
export KEY_CITY="mycity"
export KEY_ORG="vpn"
export KEY_EMAIL="myname@myemail.org"
Then run the following commands; the certification authority creation is very straightforward.
. ./vars
./clean-all
./build-ca
Now you need to create the server certificate and key.
./build-key-server server
Now you need to generate the keys for the users; user1 can also be the username.
./build-key user1
Generate the Diffie-Hellman parameters.
./build-dh
Generate the static tls-auth key.
openvpn --genkey --secret ta.key
Server side configuration.
Create a directory called /etc/openvpn/keys.
mkdir /etc/openvpn/keys
Copy the keys and certificates previously generated into the server keys folder.
cp ca.crt server.crt server.key dh1024.pem ta.key /etc/openvpn/keys
In /etc/openvpn/ create a file called server.conf:
#/etc/openvpn/server.conf
local 192.168.1.251
port 1194
proto udp
dev tap0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
tls-auth /etc/openvpn/keys/ta.key 0
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.1 255.255.255.0 192.168.1.70 192.168.1.79
keepalive 10 120
push "redirect-gateway"
max-clients 5
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
The bridge script is needed to combine the ethernet interface with one or more virtual TAP interfaces by bridging them together.
In /etc/init.d/ create a file called bridge.sh:
#!/bin/bash
# /etc/init.d/bridge.sh (the shebang must be the first line of the file)
# Create global variables
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth1"
eth_ip="192.168.1.251"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"
# Default gateway for the server: the home router (not the server's own address)
gw="192.168.1.1"

start_bridge () {
    #################################
    # Set up Ethernet bridge on Linux
    #################################
    for t in $tap; do
        openvpn --mktun --dev $t
    done
    for t in $tap; do
        ifconfig $t 0.0.0.0 promisc up
    done
    ifconfig $eth 0.0.0.0 promisc up
    brctl addbr $br
    brctl addif $br $eth
    for t in $tap; do
        brctl addif $br $t
    done
    # The bridge takes over the server's LAN address and default route
    ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast up
    route add default gw $gw $br
}

stop_bridge () {
    ####################################
    # Pull Down Ethernet bridge on Linux
    ####################################
    ifconfig $br down
    brctl delbr $br
    for t in $tap; do
        openvpn --rmtun --dev $t
    done
    # Give the LAN address and default route back to the physical interface
    ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast up
    route add default gw $gw $eth
}

case "$1" in
    start)
        echo -n "Starting Bridge"
        start_bridge
        ;;
    stop)
        echo -n "Stopping Bridge"
        stop_bridge
        ;;
    restart)
        stop_bridge
        sleep 2
        start_bridge
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}" >&2
        exit 1
        ;;
esac
Make the script executable and enable the bridge at system boot (the OpenVPN server itself is started by the openvpn init script installed with the package).
chmod +x /etc/init.d/bridge.sh
update-rc.d bridge.sh defaults
On the client side
Install openvpn.
apt-get install openvpn
Create the keys directory
mkdir /etc/openvpn/keys
Copy the keys and certificates from the server to the client in a secure way (preferably with scp).
scp ca.crt user1.crt user1.key ta.key user@laptop:/etc/openvpn/keys
In /etc/openvpn create a file called client1.conf with this configuration:
client
dev tap0
proto udp
remote home.dyndns.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/user1.crt
key /etc/openvpn/keys/user1.key
tls-auth /etc/openvpn/keys/ta.key 1
verb 5
ping 10
ping-restart 60
explicit-exit-notify 2
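As an added check (example code written for this page, not part of the original howto): a small Python script that parses a server.conf and client.conf pair like the ones above and reports the mismatches that most often break a bridged setup, namely tap/tun or proto disagreement, a remote port that does not match the server port, a wrong tls-auth key-direction, a server-bridge pool outside the bridge subnet, and a command-line-style "--" directive pasted into a config file. The embedded configs are constructed copies of this howto's, reduced to the checked directives, with one "--" line kept in on purpose.

```python
import ipaddress

# Constructed copies of this howto's configs (checked directives only);
# the client copy keeps one "--" line on purpose so the check has something to find.
SERVER_CONF = """\
port 1194
proto udp
dev tap0
tls-auth /etc/openvpn/keys/ta.key 0
server-bridge 192.168.1.1 255.255.255.0 192.168.1.70 192.168.1.79
"""
CLIENT_CONF = """\
client
dev tap0
proto udp
remote home.dyndns.org 1194
tls-auth /etc/openvpn/keys/ta.key 1
--explicit-exit-notify 2
"""

def parse(conf):
    """Map each directive to its argument list, skipping comments and blanks."""
    out = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            out[name] = args
    return out

def check_pair(server_text, client_text):
    """Return the list of mismatches between a server and a client config."""
    s, c = parse(server_text), parse(client_text)
    problems = []
    for name in list(s) + list(c):
        if name.startswith("--"):  # CLI syntax pasted into a config file
            problems.append("config-file directive written as %s" % name)
    if s.get("proto") != c.get("proto"):
        problems.append("proto differs between server and client")
    if s.get("dev", [""])[0][:3] != c.get("dev", [""])[0][:3]:
        problems.append("server and client must both use tap (or both tun)")
    if "remote" in c and (c["remote"][1:2] or ["1194"]) != s.get("port", ["1194"]):
        problems.append("client remote port does not match server port")
    # tls-auth key-direction must be 0 on the server and 1 on the client
    dirs = (s.get("tls-auth", [None, None])[1:2], c.get("tls-auth", [None, None])[1:2])
    if dirs not in ((["0"], ["1"]), ([None], [None])):
        problems.append("tls-auth key-direction must be 0 on server, 1 on client")
    if "server-bridge" in s:  # the address pool must lie inside the bridge subnet
        gw, mask, lo, hi = s["server-bridge"]
        net = ipaddress.ip_network("%s/%s" % (gw, mask), strict=False)
        lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if not (lo in net and hi in net and lo <= hi):
            problems.append("server-bridge pool is not inside the bridge subnet")
    return problems
```

Run check_pair on the real files before the first connection attempt; an empty list means the two sides agree on everything the check covers.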
Starting the VPN on the laptop
As root type:
openvpn --config /etc/openvpn/client1.conf
On the laptop a virtual interface called tap0 will acquire a local IP address from your home local area network; this grants access to the home/office resources through an encrypted tunnel.
This article is derived from the OpenVPN roadwarrior bridged mode howto and is licensed under a Creative Commons Attribution-Share Alike 3.0 Unported License.