OpenVPN client and server configuration with bridging

Linux VPN server.md

OpenVPN server configuration for a Linux server like a Raspberry Pi

Prerequisites

• Linux (tested on Raspbian 10 Buster and 11 Bullseye)
• OpenVPN (tested on 2.4.7-1 and 2.5.1-3 from apt)
• bridge-utils (tested on 1.6-2 and 1.7-1 from apt)

Ethernet configuration

/etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down

auto br0
iface br0 inet static
address 192.168.1.16 # local IP address of OpenVPN server on the home network
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1 # router IP address
bridge_ports eth0
bridge_fd 0
bridge_hello 2
bridge_maxage 12
bridge_stp on
bridge_prio 1000

/etc/sysctl.conf

Add or uncomment

net.ipv4.ip_forward=1

This requires a restart to take effect, or you can run echo 1 > /proc/sys/net/ipv4/ip_forward as root to temporarily enable packet forwarding until the next restart

OpenVPN configuration

/etc/openvpn/Erebus.conf

mode server
proto udp
port 1194
dev tap0
server-bridge 192.168.1.16 255.255.255.0 192.168.1.200 192.168.1.250
client-to-client
dh /etc/openvpn/keys/dh2048.pem
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/erebus.crt
key /etc/openvpn/keys/erebus.key
client-config-dir /etc/openvpn/Erebus-clients
script-security 2
cipher AES-256-CBC
#tls-version-min 1.0 # uncomment if you have older OpenVPN clients without TLS 1.2 support
keepalive 10 120
persist-key
persist-tun
mute-replay-warnings
verb 3
mute 20
log /var/log/openvpn/erebus.log
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"

/etc/openvpn/up.sh

Ensure this file has its executable bit set.

#!/bin/sh

BR=$1
DEV=$2
MTU=$3
/sbin/ifconfig $DEV mtu $MTU promisc up
/sbin/brctl addif $BR $DEV

/etc/openvpn/down.sh

Ensure this file has its executable bit set.

#!/bin/sh

BR=$1
DEV=$2
/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down

/etc/openvpn/Erebus-clients/

This directory should contain one plaintext file per client, where the filename is the client's host, like sigyn. The contents of the file allow you to set a static local IP address of the client when it joins the VPN. This is the IP address that you can use to reach the VPN client from a computer on the home network.

ifconfig-push 192.168.1.10 255.255.255.0

/etc/openvpn/keys/

This is the directory with all of the key files, like ca.crt, dh2048.pem, erebus.crt, and erebus.key. Make sure you make it owner-readable only (chmod 0600 /etc/openvpn/keys/*).

Running

Restart, or run

sudo service openvpn stop; sudo ifdown br0; sudo ifdown eth0; sudo ifup eth0; sudo ifup br0; sudo service openvpn start; sudo ifconfig; sudo tail -f /var/log/openvpn/*.log

Sources

1. "Bridging OpenVPN." CyberPunk, Synex, 21 July 2015, 2:54, n0where.net/bridging-openvpn.

VPN client keys.md

1. SSH into Balder
2. Go to c:\Programs\Servers\OpenVPN\easy-rsa
3. Run vars.bat
4. Run build-key freyr or whatever the name of your client is
5. Use the default answer for all of the questions, except supply your client's name for the Common Name and Name prompts.
6. The new .crt and .key files are generated in ..\keys.

VPN client.md

Erebus.conf

Linux

client
dev tap0
proto udp
remote my.vpn.server.com
ca "keys/ca.crt"
cert "keys/skadi.crt"
key "keys/skadi.key"
cipher AES-256-CBC
ns-cert-type server
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
mute 20
log /var/log/openvpn

Windows

client
dev tap0
proto udp
remote my.vpn.server.com
ca "..\\keys\\ca.crt"
cert "..\\keys\\sigyn.crt"
key "..\\keys\\sigyn.key"
cipher AES-256-CBC
ns-cert-type server
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
mute 20

zz_deprecated DD-WRT VPN server.md

OpenVPN server configuration for a Linksys E1000 v1 running DD-WRT v24-sp2 (03/25/13) vpn-small

Services > VPN

OpenVPN Server/Daemon

• OpenVPN: Enable
• Start Type: System
• Config as: Daemon
• CA Cert: contents of ca.crt
• Public Server Cert: contents of erebus.crt (starting with -----BEGIN CERTIFICATE-----)
• Private Server Key: contents of erebus.key
• DH PEM: contents of dh.pem
• Additional Config:

  mode server
  proto udp
  port 1194
  dev tap0
  server-bridge 192.168.1.2 255.255.255.0 192.168.1.200 192.168.1.250
  client-to-client
  dh /tmp/openvpn/dh.pem
  ca /tmp/openvpn/ca.crt
  cert /tmp/openvpn/cert.pem
  key /tmp/openvpn/key.pem
  client-config-dir /tmp/openvpn/ccd
  script-security 2
  daemon
  keepalive 10 120
  persist-key
  persist-tun
  mute-replay-warnings
  verb 3
  mute 20
  log /var/log/openvpn
  

Administration > Commands

Startup

openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up

mkdir -p /tmp/openvpn/ccd
echo "ifconfig-push 192.168.1.9 255.255.255.0" > /tmp/openvpn/ccd/skadi
echo "ifconfig-push 192.168.1.10 255.255.255.0" > /tmp/openvpn/ccd/sigyn

Firewall

iptables -A INPUT -i tap0 -j ACCEPT 
iptables -I INPUT -p udp --dport 1194 -j ACCEPT 

Administration > Management

Cron

* * * * * root ifconfig tap0 0.0.0.0 promisc up

This thing actually survives restarts, amazing.

I also used rcconf to disable the dhcpcd service, which wasn't doing anything except logging an error during startup.
With systemd, this is sudo systemctl disable dhcpcd.service.

Thank you so much my OpenVPN server stopped working correctly after upgrading to Debian 11 and no matter what I did I could not find any way to fix it, until I found this guide in Google and applied this structure to my configuration now my issues are gone! I never wrote br0 into /etc/network/interfaces before, but I assume this is necessary for OpenVPN bridge mode now because what I used to do doesn't work reliably anymore

You're welcome! Glad it worked. I went through several configurations before I found this tutorial on CyberPunks on which my current setup is based, which has been stable for many years (although the article is offline now).