Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Configuration and scripts for OpenVPN in Bridged Mode. Script to generate new client (with their keys and configuration file for OpenVPN). Script to manage the bridge. Configuration for systemd to start/stop the OpenVPN with Brige.
#!/bin/bash
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.42.2"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.42.255"
eth_gateway="192.168.42.1"
eth_mac="XX:XX:XX:XX:XX:XX"
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged together
tap="tap0"
#!/bin/bash
. /etc/openvpn/bridge/bridge-conf
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################
for t in $tap; do
openvpn --mktun --dev $t
done
brctl addbr $br
brctl addif $br $eth
for t in $tap; do
brctl addif $br $t
done
for t in $tap; do
ifconfig $t 0.0.0.0 promisc up
iptables -A INPUT -i $t -j ACCEPT
done
iptables -A INPUT -i $br -j ACCEPT
iptables -A FORWARD -i $br -j ACCEPT
ifconfig $eth 0.0.0.0 promisc up
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
ip link set $br address $eth_mac
route add default gw $eth_gateway $br
#!/bin/bash
. /etc/openvpn/bridge/bridge-conf
####################################
# Tear Down Ethernet bridge on Linux
####################################
iptables -D INPUT -i $br -j ACCEPT
iptables -D FORWARD -i $br -j ACCEPT
ifconfig $br down
brctl delbr $br
for t in $tap; do
openvpn --rmtun --dev $t
iptables -D INPUT -i $t -j ACCEPT
done
ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast
route add default gw $eth_gateway $eth
#!/bin/bash
#This script generate the key for the wanted client and it's configuration file
#to be used with OpenVPN. If the key has already been generated it will only
#generate the configuration file for OpenVPN
#VARIABLES
#If you don't set a remote (the external IP of the server or the hostname)
#the script will try to gather it using dig
#You need to change the port to the one set in your server
#if you want to add new directive to client configuration use $OPENVPN_CLIENT_DIRECTIVE
PROTO="${PROTO:-udp}"
REMOTE="${REMOTE:-}"
PORT="${PORT:-5555}"
OPENVPN_EASY_RSA_PATH="/etc/openvpn/easy-rsa/"
OPENVPN_CLIENT_DIRECTIVE="${OPENVPN_CLIENT_DIRECTIVE:-}"
DEV_TYPE=${DEV_TYPE:-tap0}
COMPRESS=${COMPRESS:-compress}
#DO NOT MODIFY BELOW
function usage {
echo "Usage: $0 clientName"
echo "ENV Variables:"
echo "PROTO: protocol used"
echo "REMOTE: host or IP address of the server"
echo "PORT: port on the server"
echo "DEV_TYPE: device type (tun+/tap+)"
echo "COMPRESS: The compression algorithm used (comp-lzo, compress (if pushed by the server), compress snappy)"
exit -1
}
function getIp {
echo `dig +short myip.opendns.com @resolver1.opendns.com`
}
function clientConfig {
cat <<CLIENT_CONF
client
dev $DEV_TYPE
proto $PROTO
remote $REMOTE $PORT
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
$COMPRESS
verb 3
pull
$OPENVPN_CLIENT_DIRECTIVE
<ca>
$CA
</ca>
<cert>
$CERT
</cert>
<key>
$KEY
</key>
CLIENT_CONF
}
if [ $# -eq 0 ]; then
echo "No arguments supplied"
usage
fi
if [ -z "$1" ]; then
echo "Client name not supplied"
usage
fi
if [ -z "$REMOTE" ]; then
REMOTE=$(getIp)
fi
CLIENT=$1
if [ ! -f $OPENVPN_EASY_RSA_PATH/keys/${CLIENT}.crt ]; then
pushd $OPENVPN_EASY_RSA_PATH
source ./vars
./build-key $CLIENT
popd
fi
CA=`cat $OPENVPN_EASY_RSA_PATH/keys/ca.crt | grep -A 100 "BEGIN CERTIFICATE" | grep -B 100 "END CERTIFICATE"`
CERT=`cat $OPENVPN_EASY_RSA_PATH/keys/${CLIENT}.crt | grep -A 100 "BEGIN CERTIFICATE" | grep -B 100 "END CERTIFICATE"`
KEY=`cat $OPENVPN_EASY_RSA_PATH/keys/${CLIENT}.key | grep -A 100 "BEGIN PRIVATE KEY" | grep -B 100 "END PRIVATE KEY"`
clientConfig > $CLIENT.ovpn
exit 0
[Unit]
Description=OpenVPN server %i
Wants=syslog.target
Requires=network.target
After=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
Documentation=https://www.aaflalo.me/2015/01/openvpn-tap-bridge-mode
[Service]
PrivateTmp=true
Type=forking
PermissionsStartOnly=true
RuntimeDirectory=openvpn
ExecStartPre=/etc/openvpn/bridge/bridge-start
PIDFile=/run/openvpn/%i.pid
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --status /run/openvpn/status-%i.log --status-version 2 --config %i.conf --daemon --writepid /run/openvpn/%i.pid
ExecStopPost=/etc/openvpn/bridge/bridge-stop
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
[Install]
WantedBy=multi-user.target
dev tap0
#tun-mtu 1500
#tun-ipv6
tls-server
proto udp
port 5555
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh4096.pem
topology subnet
user nobody
group nogroup
server-bridge 192.168.42.2 255.255.255.0 192.168.42.128 192.168.42.254
#server-ipv6 2001:db8::/64
mssfix
persist-key
persist-tun
#log /var/log/openvpn
status /var/log/openvpn-status.log
verb 4
client-to-client
keepalive 10 120
mute 50
#set the dns servers
push "dhcp-option DNS 192.168.42.1"
#set the WINS server (SAMBA)
push "dhcp-option WINS 192.168.42.2"
#For windows, to make the network recognized
push "route 0.0.0.0 0.0.0.0 192.168.42.2"
cipher AES-256-CBC
auth SHA512
log-append /var/log/openvpn
compress lz4-v2
# Activate this option only if you're running OpenVPN < 2.4.X
# In that case, you can disable the compress lz4-v2 and enable comp-lzo.
#comp-lzo
#replay-window 128
@Emran1987

This comment has been minimized.

Copy link

Emran1987 commented Jan 3, 2020

can you please give me the diagram and as well vpn router and client ip address details

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.