OpenVPN Bridge on CentOS (With br0 in /etc/sysconfig/network-scripts)

Having installed many OpenVPN systems I can almost configure it with my eyes closed… or so I thought! Whilst the previous statement might be true for routed setups, bridged configurations were an entirely different animal (for me at least).

The initial steps were: install the Sourceforge repositories (OpenVPN is not in the standard CentOS repos), install OpenVPN, build a CA for the certificates, and install ntp to keep the clock in sync (if the time is wrong, certificates will not validate).

OpenVPN

wget http://apt.sw.be/redhat/el5/en/i386/RPMS.dag/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
rpm -K rpmforge-release-0.3.6-1.el5.rf.*.rpm
rpm -i rpmforge-release-0.3.6-1.el5.rf.*.rpm
yum update
yum install openvpn
cp -R /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
chmod +rwx *
vi openssl.cnf
vi vars                     # set KEY_SIZE=2048 here: build-dh names its output dh${KEY_SIZE}.pem and the server config expects dh2048.pem
. ./vars                    # vars lives in the 2.0 directory; source it after editing so the changes take effect
./clean-all                 # wipes keys/, so run it once before build-ca and never again
./build-ca
./build-dh
./build-key-server um-hq1-svr1
./build-key road-warrior1
./build-key road-warrior2
cp -R keys/ /etc/openvpn/keys/
yum install ntp
ntpdate pool.ntp.org
chkconfig ntpd on
chkconfig openvpn on

Bridge

We need to link the OpenVPN tap interface to the LAN port (in my case eth0). For CentOS 5.x this is done as follows:

yum install bridge-utils

cat /etc/sysconfig/network-scripts/ifcfg-br0
DEVICE=br0
TYPE=Bridge
IPADDR=192.168.0.50
NETMASK=255.255.255.0
GATEWAY=192.168.0.1
ONBOOT=yes

cat /etc/sysconfig/network-scripts/ifcfg-eth0
# the LAN address now lives on br0, so eth0 gets no IPADDR of its own
DEVICE=eth0
TYPE=ETHER
BRIDGE=br0
ONBOOT=yes

We then add a script that attaches the tap interface to the bridge when OpenVPN starts.

cat /etc/openvpn/bridge-start
#!/bin/bash
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
# OpenVPN runs this as its "up" script and passes the tap device name as $1;
# it runs as root, before OpenVPN drops privileges to user nobody
echo "adding $1 to bridge"
brctl addif br0 $1
ifconfig $1 up

OpenVPN Configuration

The server is set up to bridge over the tap interface with the configuration below:

cat /etc/openvpn/roadwarrior-server.conf

# no proto or port lines, so OpenVPN uses its defaults (udp, 1194)
# gateway and netmask must match br0; the pool .230-.239 is handed to clients
# and must lie outside the LAN DHCP scope so addresses never collide
server-bridge 192.168.0.50 255.255.255.0 192.168.0.230 192.168.0.239
dev tap0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/um-hq1-svr1.crt
key /etc/openvpn/keys/um-hq1-svr1.key
# produced by build-dh with KEY_SIZE=2048 in vars
dh /etc/openvpn/keys/dh2048.pem
keepalive 10 60
# drop privileges once started; persist-key and persist-tun keep the keys and
# the tap device open across restarts, since nobody could not reopen them
user nobody
group nobody
persist-key
persist-tun
client-to-client
verb 3
# runs as root before the privilege drop and adds tap0 to br0
up /etc/openvpn/bridge-start
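A check worth running after editing those two files, added here as an example and not part of the original post: it confirms that the server-bridge line agrees with the br0 address in ifcfg-br0 and that the client pool sits inside that subnet. The file contents are constructed copies of the ones shown above; the function names are my own.

```shell
#!/bin/bash
# Added example (not from the original post): make sure the server-bridge
# line agrees with the br0 address in ifcfg-br0.  OpenVPN pushes that
# gateway/netmask to clients, so a mismatch leaves them on the wrong subnet.

# ip2int A.B.C.D -> the address as an integer, for subnet arithmetic
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_server_bridge IFCFG_BR0 OPENVPN_CONF -> 0 if consistent, 1 if not
check_server_bridge() {
    local ifcfg="$1" conf="$2" ipaddr netmask gw mask start end net rc=0
    ipaddr=$(sed -n 's/^IPADDR=//p' "$ifcfg")
    netmask=$(sed -n 's/^NETMASK=//p' "$ifcfg")
    # directive layout: server-bridge GATEWAY NETMASK POOL_START POOL_END
    set -- $(grep '^server-bridge' "$conf")
    gw=$2 mask=$3 start=$4 end=$5
    [ -n "$end" ] || { echo "no usable server-bridge line in $conf" >&2; return 1; }
    [ "$gw" = "$ipaddr" ]    || { echo "gateway $gw != br0 IPADDR $ipaddr" >&2; rc=1; }
    [ "$mask" = "$netmask" ] || { echo "netmask $mask != br0 NETMASK $netmask" >&2; rc=1; }
    net=$(( $(ip2int "$gw") & $(ip2int "$mask") ))
    for addr in "$start" "$end"; do
        [ $(( $(ip2int "$addr") & $(ip2int "$mask") )) -eq "$net" ] ||
            { echo "pool address $addr lies outside $gw/$mask" >&2; rc=1; }
    done
    [ "$(ip2int "$start")" -le "$(ip2int "$end")" ] ||
        { echo "pool start $start is after pool end $end" >&2; rc=1; }
    return $rc
}

# Constructed copies of the two files shown above, so the check runs offline;
# on the host, point it at /etc/sysconfig/network-scripts/ifcfg-br0 and the
# real server config instead.
TMP=$(mktemp -d)
printf 'DEVICE=br0\nTYPE=Bridge\nIPADDR=192.168.0.50\nNETMASK=255.255.255.0\n' > "$TMP/ifcfg-br0"
printf 'server-bridge 192.168.0.50 255.255.255.0 192.168.0.230 192.168.0.239\ndev tap0\n' > "$TMP/server.conf"

if check_server_bridge "$TMP/ifcfg-br0" "$TMP/server.conf"; then
    echo "server-bridge matches br0"
fi
```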

Bridge Confirmation

To confirm everything is working, inspect the bridge and the interfaces. First start OpenVPN (/etc/init.d/openvpn start); brctl should then list both the LAN port and the tap device on br0:

brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.0004a70886d6       no              tap0
                                                        eth0

And ifconfig should show the LAN address on br0, with eth0 and tap0 carrying no IPv4 address of their own:

ifconfig
br0       Link encap:Ethernet  HWaddr 00:04:04:04:04:04
          inet addr:192.168.0.50  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::204:a7ff:fe08:86d6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:140288 errors:0 dropped:0 overruns:0 frame:0
          TX packets:129928 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:127719635 (121.8 MiB)  TX bytes:82040256 (78.2 MiB) 
 
eth0      Link encap:Ethernet  HWaddr 00:04:A7:04:84:04
          inet6 addr: fe80::204:a7ff:fe08:86d6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:140304 errors:0 dropped:0 overruns:0 frame:0
          TX packets:129950 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:129717057 (123.7 MiB)  TX bytes:82085992 (78.2 MiB)
          Interrupt:137 Base address:0x6c00 
 
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:9 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1136 (1.1 KiB)  TX bytes:1136 (1.1 KiB) 
 
tap0      Link encap:Ethernet  HWaddr FE:38:CE:A4:4E:F1
          inet6 addr: fe80::fc38:ceff:fea4:4ef1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:466 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:91883 (89.7 KiB) 
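Rather than eyeballing that output, the membership check can be scripted. This is an added example, not code from the post: it parses the brctl show layout above, with the post's own output embedded as a constructed sample, and the function names are my own.

```shell
#!/bin/bash
# Added example (not from the original post): confirm that br0 really has
# both the LAN port and the OpenVPN tap interface attached, by parsing the
# `brctl show` layout shown above instead of eyeballing it.

# bridge_members BRIDGE  (reads `brctl show` output on stdin)
# Prints the interfaces attached to BRIDGE, one per line.  brctl lists the
# first interface on the bridge's own line and the rest on indented
# continuation lines that carry nothing but the interface name.
bridge_members() {
    awk -v want="$1" '
        NR == 1                { next }                               # header line
        NF == 4                { cur = $1; if (cur == want) print $4; next }
        NF == 3                { cur = $1; next }                     # bridge with no ports
        NF == 1 && cur == want { print $1 }                           # continuation line
    '
}

# check_bridge BRIDGE IFACE...  (reads `brctl show` output on stdin)
# Returns 0 when every IFACE is attached to BRIDGE, 1 otherwise.
check_bridge() {
    local bridge="$1" members missing=""
    shift
    members=$(bridge_members "$bridge")
    for iface in "$@"; do
        printf '%s\n' "$members" | grep -qxF "$iface" || missing="$missing $iface"
    done
    [ -z "$missing" ] && return 0
    echo "not attached to $bridge:$missing" >&2
    return 1
}

# Constructed sample: the brctl output from the post, so this runs offline.
# On the VPN host use the live output instead:  brctl show | check_bridge br0 eth0 tap0
SAMPLE='bridge name     bridge id               STP enabled     interfaces
br0             8000.0004a70886d6       no              tap0
                                                        eth0'

if printf '%s\n' "$SAMPLE" | check_bridge br0 eth0 tap0; then
    echo "br0 carries eth0 and tap0: bridge is up"
fi
```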