Friday, September 24, 2010

OpenVPN server configuration

I wanted to have as much of the configuration on the server as possible so that I could easily add more clients and wouldn't have a need to update client configuration when ever the server preferences change.

Here is my OpenVPN server configuration:

mode server
dev tap0
ifconfig-pool-persist /var/run/openvpn-ip.txt
keepalive 10 60
push "route"
push "dhcp-option DNS"
ca /root/easy-rsa-2.0/keys/ca.crt
key /root/easy-rsa-2.0/keys/
cert /root/easy-rsa-2.0/keys/
dh /root/easy-rsa-2.0/keys/dh1024.pem
up /etc/openvpn/

and the up script:

# Bind the tunnel interface to the bridge


ifup $1
brctl addif $BRIDGE $1

There is nothing really special about that configuration. The server is in TLS mode configures a bridge. The keys are generated with easy-rsa by following a openvpn howto entry. The up script just binds the tap0 device to the network bridge after bringing up the device.

Next I created the interface configuration by adding the following to /etc/network/interfaces:

iface br0 inet static
bridge-ports eth0

The trick here is to create a single bridge with just the eth0 device. We use the up script for openvpn to add the tunnel device to the bridge. Otherwise the bridge would never contain the proper devices.

As for the client, you simply set the client to use the CA-certificate and Host key created with easy-rsa, set the hostname and tunnel type. Tunnel type is assumed to be a tun-device instead of tap, so in my case I needed to change it too.

There is no need to tell the client anything else. Everything else will be negotiated through the tunnel. And since I use NetworkManager to set up my tunnels I didn't have a need to drop in to a shell even once at the client.

1 comment:

My Mine