please help me to start building VPN

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
ucsendre
OpenVpn Newbie
Posts: 2
Joined: Wed May 31, 2023 3:14 pm

please help me to start building VPN

Post by ucsendre » Tue Jun 13, 2023 2:01 pm

Hello,

This is the first time I have tried to set up a VPN, so I have no experience at all.
I need to make some devices (a NAS and a PC) on the LAN accessible over the VPN.
I have the devices below available to build an OpenVPN based network:
  • a tp-link AX5400 Archer AX73 router which supports OpenVPN server/client modes (has a static IPv4 address)
  • a VPS server (debian 11 with OpenVPN Community Edition installed on it - also has a static IPv4 address)
  • another VPS server which I can use to issue CA keys
I have tried to set up the VPN based on this how-to, and the VPS VPN server is working. I can connect to it from my PC with a client, and it seems that the router can also connect to it as another client, but I cannot access any devices behind the router.
Based on what I have read in the OpenVPN documentation, I think I need to set up the router as the VPN server and the VPS server in bridge mode, but I do not know how to do that and I did not find any working configuration.
I have drawn a diagram of what I want to achieve.
Image

Could you please point me in the right direction? I would be more than happy indeed.

mattb1973
OpenVpn Newbie
Posts: 3
Joined: Fri May 04, 2018 7:47 pm

Re: please help me to start building VPN

Post by mattb1973 » Fri Jul 07, 2023 4:11 pm

I'm actually very interested in helping you with this as I've been working on the headache of bridge mode for quite some time myself and there are only scant amounts of tutorials that tackle this beast. The one that you were following will do nothing for you for bridge mode because bridge mode involves setting up a bridge and a tap device and linking the eth, the br, and the tap all together. There are also a number of caveats to keep in mind with bridge mode, too, but in my use case, I was able to set up a configuration that allows my clients to access their files on a Windows-based server from anywhere. I'm not sure about your use case as the link to the picture is apparently broken.

As for your router: I have a TP-Link as well. I don't have the OpenVPN daemon running at all--either as a server or a client. Perhaps you need it as a client? At any rate, the only things to do with the router might be to assign port forwarding rules and maybe set up DDNS (like, for example, with noip).

When I have time next week, I'll come back to this, but here is a draft version of a tutorial I'm working on--mostly for myself right now--on how to set this thing up. I hope to turn it into a proper tutorial that I can post--formatted with bells and whistles--but the following is where I'm at right now. Keep in mind it is a DRAFT. It's choppy. It's messy. It's gross. I'm very aware of grammatical/syntactical issues :) So I promise nothing--especially not visibility of every machine on the network (I'm still working on that and I'm not so sure it's an OpenVPN thing, but maybe someone else knows better. Open to suggestions). BUT, thankfully, visibility is not the same thing as accessibility and if you know the local address of the target, you'll be just fine (e.g., \\SERVERNAMEHERE for Windows). I'm also pretty sure I don't need D-H parameters as I'm using elliptic curves for the key encryption.

All that said, if you follow this (with some tweaks and such of your own along the way), you should get a setup that does as described.

EasyRSA should be picked up from here: https://github.com/OpenVPN/easy-rsa/releases

In my lab instance, I have OpenVPN floating on a VM through KVM. My CA is on an air-gapped Raspberry Pi with the system on a USB stick for safekeeping (or it will be air-gapped at production level; for now, I like being able to connect that ethernet cable and have it power right up).

In my client's office, it's an older version of Linux, an older version of OpenVPN, etc., so what I have here is somewhat from scratch, but I found a few nuggets to bring in--and a few to export to their server to improve it.

Server-side setup (including CA Authority)

Code:

####################
### INSTALLATION ###
####################

* install linux ubuntu operating system
  - this tutorial is for Linux Ubuntu Server 22.04.2
  - should include setting up SSH with keys ONLY
* update and reboot
  $ sudo apt update && sudo apt upgrade -y && sudo reboot
* install openvpn. leave easy-rsa for manual installation.
  bridge-utils (which is often recommended) will not be
  necessary
  $ sudo apt install openvpn

#############################
### WORKSPACE PREPARATION ###
#############################

* create a client work directory
  $ mkdir /home/<user>/clients
* copy the client.ovpn template into this directory
* create subdirectories according to known client names
  $ mkdir /home/<user>/clients/<client_name>
* for each known client, copy the client.conf file as
  <client_name>.ovpn
* create subdirectories for input and output
  $ mkdir /home/<user>/inbox
  $ mkdir /home/<user>/outbox

###########################
### NETWORK PREPARATION ###
###########################

### IP FORWARDING ###

* ip forwarding is turned off by default. we'll need to 
  enable it persistently by editing the sysctl configuration
  file, but first test anyway
  # sysctl net.ipv4.ip_forward
* if the result equals zero, it's disabled. if it's 1, it's already
  enabled. if it's disabled...
  # nano /etc/sysctl.conf
* find the commented row that reads net.ipv4.ip_forward=1 and
  uncomment. save and restart the service
  # sysctl -p /etc/sysctl.conf
-OR- (reload every sysctl config file; "sysctl -a" only lists values)
  # sysctl --system
* NOTE: might also need to edit the same file in /etc/ufw/ if you're
  using ufw. in ufw, the line reads net/ipv4/ip_forward=1

### BUILDING BRIDGES ###

* if you're like me, setting up a bridge using a bridge script
  has been the bane of this operation. this time around, i decided
  to edit the netplan file and use a script only for activating
  the tap device. be sure to make a copy of your original
  configuration file
  # cp /etc/netplan/00-name...file.yaml /etc/netplan/00-name...file.yaml.<delineation_appendage>
  # nano /etc/netplan/00-name-of-your-configuration-file.yaml
* in here, you can set the bridge to come up with your system. i
  know that's not ideal for everyone, but in this instance, it's
  presumed that the machine is a dedicated OpenVPN server. it's
  also presumed you'll be using a static ip address, but it isn't
  strictly necessary. i only do it because i've had ssh break on
  me too many times when i let slow-az dhcp servers hobble along
  not keeping host names up to date with their local ip addresses
  Therefore, you might set it up something like this...

# This is the network config written by YOU!

------- pertinent file contents below this line -------

network:
  ethernets:
    enp1s0:
      dhcp4: no
  bridges:
    br0:
      addresses:
      - 192.168.6.44/22
      nameservers:
        addresses:
        - 208.67.222.222
        - 208.67.220.220
        search: []
      routes:
      - to: default
        via: 192.168.4.1
      interfaces:
        - enp1s0
  version: 2

------- file contents above this line -------

* reboot to enforce changes or enable the bridge right away
  # reboot
-OR-
  # netplan apply


### TAP DEVICE ###

* create ovpntap in /etc/openvpn
  # touch /etc/openvpn/ovpntap
* open the file to copy the script below
  # nano /etc/openvpn/ovpntap
* copy ovpntap script to /etc/openvpn/ovpntap

------- script starts below this line -------

#!/bin/sh

# define bridge interface
br="br0"

# define list of tap interfaces to be bridged
# example: tap="tap0 tap1 tap2"
tap="tap0"

# define the physical ethernet adapter
eth="enp1s0"

case "$1" in
start)
  for t in $tap; do
    openvpn --mktun --dev $t
    ip link set $t promisc on up
    ip link set $t master $br
  done
  ip link set $eth promisc on
  ;;
stop)
  for t in $tap; do
    openvpn --rmtun --dev $t
  done
  ip link set $eth promisc off
  ;;
*)
  echo "Usage: ovpntap {start|stop}"
  exit 1
  ;;
esac
exit 0

------- script ends above this line -------

* modify variables to match your system
* save, exit
* make executable
  # chmod +x /etc/openvpn/ovpntap
* the script
  usage: ovpntap {start|stop}
  # /etc/openvpn/ovpntap start
* to make sure the device appears and that it has your bridge as
  its master
  # ip a
* make sure the internet is reachable
  # apt update
* no need to keep it on, for now, so...
  # /etc/openvpn/ovpntap stop
* and test once again for settings and internet connectivity
  # ip a
  # apt update
* if everything checks, go ahead and enable the autostart for this
  script
  $ sudo systemctl edit openvpn@server
  (this is the instance unit that runs /etc/openvpn/server.conf; a
  drop-in on the bare "openvpn" unit is not ordered before the instance,
  so the tap could be missing when the instance starts)
* add the following lines in the appropriate section (the directive
  is ExecStopPost; systemd has no ExecPostStop)
  [Service]
  ExecStartPre=/etc/openvpn/ovpntap start
  ExecStopPost=/etc/openvpn/ovpntap stop
* save and exit
* reboot to test
  # reboot
* look at network configuration and test for internet connectivity
  $ ip a
  $ sudo apt update

### PORT FORWARDING AND DDNS ###

* other parameters for network configuration will need to
  be set outside the scope of this tutorial. You'll
  need to set up DDNS (unless you plan on using your public
  IP address), create port forwarding rules on your firewall,
  etc.

#####################################
### AUTHENTICATION AND ENCRYPTION ###
#####################################

# ON A SEPARATE, AIR-GAPPED, BARE METAL MACHINE #
# WITH SOME KIND OF WAY OF CREATING NOISE FOR #
# RANDOMNESS #

# THIS WILL BE YOUR CERTIFICATE AUTHORITY SERVER #
# IT IS PRESUMED THIS WILL BE LINUX UBUNTU SERVER 22.04.2 #

* copy most recent EasyRSA into system. You may do this
  using curl or wget or whatever other method. I simply
  downloaded from the git repository and then used WinSCP
  to copy the files and subdirectories into a /tmp directory
  I named easy-rsa
  $ mkdir /tmp/easy-rsa
  (copy files into this directory from wherever)
  $ sudo cp -r /tmp/easy-rsa/ /usr/share/
  $ sudo cp -r /usr/share/easy-rsa/ /etc/
  $ sudo chmod +x /etc/easy-rsa/easyrsa
* The result:
  default location: /usr/share/easy-rsa
  working location: /etc/easy-rsa
* initialize PKI
  $ cd /etc/easy-rsa
  $ sudo su
  # ./easyrsa init-pki
* modify vars file
  # nano pki/vars
* change... (as below, or use your own preferences)
  set_var EASYRSA_KEY_SIZE        3072
  set_var EASYRSA_ALGO            ed
  set_var EASYRSA_CURVE           ed25519
  set_var EASYRSA_CERT_EXPIRE     3650
* build the certificate authority
  # ./easyrsa build-ca
* create workspace directories and copy the ca.crt
  into the "outbox"
  $ mkdir /home/<user>/inbox && mkdir /home/<user>/outbox
  # cp /etc/easy-rsa/pki/ca.crt /home/<user>/outbox
  # chown <user>:<user> /home/<user>/outbox/ca.crt
* DO NOT COPY THE ca.key out of the easy-rsa subdirectory!
* NOTE: if you need to reinitialize the PKI, but
  don't want to lose your vars file, do this...
  # ./easyrsa init-pki soft
* if you reinitialize the pki, be sure to copy the NEW ca.crt
  to the /home/<user>/outbox directory and remove the old one
  (you can simply overwrite the old)
  # cp /etc/easy-rsa/pki/ca.crt /home/<user>/outbox/
* you may be prompted to confirm overwrite

# ON THE OPENVPN SERVER #

* copy most recent EasyRSA into system per above
* initialize PKI per above
* modify vars file per above
* working as root within /etc/easy-rsa...
* generate Diffie-Hellman parameters and copy to
  /etc/openvpn/server/
  # ./easyrsa gen-dh
  (gen-dh takes no size argument; it uses EASYRSA_KEY_SIZE from vars)
  # cp pki/dh.pem /etc/openvpn/server/
* generate server-side HMAC key and copy to /etc/openvpn/server/
  # openvpn --genkey tls-crypt-v2-server pki/private/<server_name>.pem
* generate signature request (password only for highest security
  levels)
  # ./easyrsa gen-req <server_name> nopass

# TRANSPORT .REQ FILE TO CA SERVER #
# THEN, ON THE CA SERVER... #

* import the .req file
  # cd /etc/easy-rsa
  # ./easyrsa import-req /home/<user>/inbox/<server_name>.req <server_name>
* sign the request
  # ./easyrsa sign-req server <server_name>
* create an empty crl (certificate revocation list)
  # ./easyrsa gen-crl
* remove keys, crl, and certificates to their pertinent
  locations on the OpenVPN server. you may wish to make use of
  the outbox and pick up a copy of the ca.crt on the way out

# REVOKING CERTIFICATES FROM THE CERTIFICATE #
# AUTHORITY SERVER #

* use the revoke command
  # ./easyrsa revoke <client_name>
* then create an updated crl
  # ./easyrsa gen-crl
* copy this file to the openvpn server under
  /etc/openvpn/server

* by the end of all of this, you'll have the following files in your
  /etc/openvpn/server directory:
  ca.crt
  crl.pem
  dh.pem
  <server_name>.crt
  <server_name>.key
  <server_name>.pem

#################################
### Server Configuration File ###
#################################

* copy configuration file to /etc/openvpn/ and modify
  # touch /etc/openvpn/server.conf
  # nano /etc/openvpn/server.conf

------- copy below this line -------

### CONNECTION LAYER ###

proto udp
port 1194
keepalive 10 120
ifconfig-pool-persist server/ipp.txt
persist-key
persist-tun

### AUTHENTICATION LAYER ###

tls-server
cert server/openvpnx.crt
ca server/ca.crt
dh none
tls-crypt-v2 server/openvpnx.pem
crl-verify server/crl.pem

### ENCRYPTION LAYER ###

key server/openvpnx.key
cipher AES-256-GCM
auth SHA512

### NETWORK LAYER ###

dev tap0
topology subnet
server-bridge 192.168.6.44 255.255.252.0 192.168.7.1 192.168.7.16
client-to-client
mssfix

### ADMINISTRATIVE LAYER ###

status server/openvpn-status.log
verb 3

------- DO NOT copy this line or past it -------

* paste the above into server.conf and save and exit

#######################
### Initiate System ###
#######################

* start the service
  (the instance name must match the config file name, server.conf)
  $ sudo systemctl start openvpn@server
* if all goes well, enable the system
  $ sudo systemctl enable openvpn@server

As for the client-side ovpn file, I have this as a template that works with the above:

Code:

### CONNECTION LAYER ###

remote <remote-server-name-or-ip> 1194 udp
connect-retry 5 5
keepalive 10 60
resolv-retry infinite
nobind
persist-key
persist-tun

### NETWORK LAYER ###

dev tap

### ENCRYPTION LAYER ###

cipher AES-256-GCM
auth SHA512

### ADMINISTRATIVE LAYER ###

client
mute-replay-warnings
verb 3

### AUTHENTICATION LAYER ###

tls-client
remote-cert-tls server
auth-nocache

<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>

<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 client key-----

-----END OpenVPN tls-crypt-v2 client key-----
</tls-crypt-v2>
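The server-bridge line in the server.conf above is the part of a tap setup that is easiest to get subtly wrong: the client pool has to sit inside the bridge subnet, must not contain the server's own bridge address, and should not collide with the LAN router's DHCP pool. The following checker is an added example, not code from the post; its SAMPLE_SERVER_CONF is a constructed copy of the post's directives, and lan_dhcp_range is an assumed input (the post does not state the LAN DHCP range).

```python
"""Sanity-check an OpenVPN server-bridge (tap) configuration before starting it.

Added example, not code from the forum post. SAMPLE_SERVER_CONF is a
constructed copy of the post's server.conf directives; lan_dhcp_range is an
assumed input (the LAN router's DHCP pool, which the post does not give).
"""
import ipaddress

# Constructed from the server.conf in the post above.
SAMPLE_SERVER_CONF = """\
proto udp
port 1194
dev tap0
topology subnet
tls-server
dh none
tls-crypt-v2 server/openvpnx.pem
crl-verify server/crl.pem
cipher AES-256-GCM
auth SHA512
server-bridge 192.168.6.44 255.255.252.0 192.168.7.1 192.168.7.16
client-to-client
"""


def parse_conf(text):
    """Map each directive to its argument list (first occurrence wins).

    OpenVPN treats '#' and ';' as comment leaders, so strip those first.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if line:
            words = line.split()
            conf.setdefault(words[0], words[1:])
    return conf


def check_bridge_conf(text, lan_dhcp_range=None):
    """Return a list of problems; an empty list means the config passes.

    lan_dhcp_range, if given, is a (first, last) tuple of the LAN router's
    DHCP pool so a collision with the OpenVPN pool can be flagged.
    """
    conf = parse_conf(text)
    problems = []

    dev = conf.get('dev', [''])[0]
    if not dev.startswith('tap'):
        problems.append(f"dev is '{dev}' but server-bridge needs a tap device")

    if 'server-bridge' not in conf:
        problems.append('server-bridge directive is missing')
        return problems
    args = conf['server-bridge']
    if len(args) != 4:
        problems.append('server-bridge expects: gateway netmask pool-start pool-end')
        return problems

    gw, mask, start, end = args
    subnet = ipaddress.ip_network(f'{gw}/{mask}', strict=False)
    gw_ip = ipaddress.ip_address(gw)
    start_ip = ipaddress.ip_address(start)
    end_ip = ipaddress.ip_address(end)

    if start_ip > end_ip:
        problems.append('pool-start is after pool-end')
    for label, ip in (('pool-start', start_ip), ('pool-end', end_ip)):
        if ip not in subnet:
            problems.append(f'{label} {ip} lies outside the bridge subnet {subnet}')
    if start_ip <= gw_ip <= end_ip:
        problems.append(f'pool contains the gateway/server address {gw}')
    if lan_dhcp_range is not None:
        d_first, d_last = (ipaddress.ip_address(a) for a in lan_dhcp_range)
        if start_ip <= d_last and d_first <= end_ip:
            problems.append('pool overlaps the LAN DHCP range; VPN clients could '
                            'collide with LAN hosts')

    # Directives the post relies on to keep the control channel hardened.
    for directive in ('tls-crypt-v2', 'crl-verify'):
        if directive not in conf:
            problems.append(f'{directive} is not set')
    return problems


if __name__ == '__main__':
    for problem in check_bridge_conf(SAMPLE_SERVER_CONF) or ['config passes']:
        print(problem)
```

Run it against your real server.conf with `check_bridge_conf(open('/etc/openvpn/server.conf').read(), ('<dhcp-first>', '<dhcp-last>'))`; the post's own line passes because 192.168.7.1-16 lies inside 192.168.4.0/22 and does not include 192.168.6.44.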
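The client template above has empty <ca>, <cert>, <key> and <tls-crypt-v2> blocks that have to be filled from the files the CA hands back through the outbox. The script below is an added example, not code from the post or from EasyRSA, for doing that per clients/<client_name>/ directory as the post's workspace layout describes. It assumes (constructed for this example) that the directory holds ca.crt, <name>.crt, <name>.key and <name>.pem, the last being the tls-crypt-v2 client key; it strips the human-readable dump that EasyRSA puts in front of a .crt, refuses to inline any file other than the key that contains a private key, rejects a tls-crypt-v2 server key by its header, and writes the result owner-readable only.

```python
"""Build a client .ovpn from the post's template plus the files handed back
by the CA. Added example, not code from the forum post or EasyRSA. Assumed
(constructed) layout, following the post's workspace: clients/<name>/ holds
ca.crt, <name>.crt, <name>.key and <name>.pem, the last being the
tls-crypt-v2 *client* key.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# inline tag -> (file name pattern, PEM header the file must carry)
INLINE_BLOCKS = {
    'ca': ('ca.crt', 'BEGIN CERTIFICATE'),
    'cert': ('{name}.crt', 'BEGIN CERTIFICATE'),
    'key': ('{name}.key', 'BEGIN PRIVATE KEY'),
    'tls-crypt-v2': ('{name}.pem', 'BEGIN OpenVPN tls-crypt-v2 client key'),
}


def extract_pem(text, header):
    """Return just the PEM block with the given header.

    EasyRSA .crt files start with a human-readable certificate dump; only
    the -----BEGIN ... END----- block belongs in the profile. A file with a
    different header (e.g. the tls-crypt-v2 *server* key) is rejected here
    instead of being shipped to a client.
    """
    m = re.search(rf'-----{header}-----.*?-----END .*?-----', text, re.S)
    if m is None:
        raise ValueError(f'no "{header}" block found')
    return m.group(0)


def build_profile(template, client_dir, name):
    """Replace the empty inline blocks of the template with the client's own
    material and return the finished profile text."""
    client_dir = Path(client_dir)
    profile = template
    for tag, (pattern, header) in INLINE_BLOCKS.items():
        path = client_dir / pattern.format(name=name)
        text = path.read_text()
        # Only <key> may carry a private key; anything else containing one
        # (a ca.crt someone pasted ca.key into, say) must not leave the box.
        if tag != 'key' and 'PRIVATE KEY' in text:
            raise ValueError(f'{path} contains a private key; refusing to inline it as <{tag}>')
        body = extract_pem(text, header)
        profile = re.sub(rf'<{tag}>.*?</{tag}>\n?', '', profile, flags=re.S)
        profile += f'<{tag}>\n{body}\n</{tag}>\n'
    return profile


def write_profile(profile, out_path):
    """Write the profile readable by its owner only and return the mode bits."""
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as fh:
        fh.write(profile)
    os.chmod(out_path, 0o600)  # in case the file already existed with a wider mode
    return stat.S_IMODE(os.stat(out_path).st_mode)


def make_sample_client_dir(name='laptop'):
    """Create a throwaway clients/<name>/ holding constructed placeholder PEMs."""
    base = Path(tempfile.mkdtemp()) / 'clients' / name
    base.mkdir(parents=True)
    (base / 'ca.crt').write_text(
        '-----BEGIN CERTIFICATE-----\nCA-PLACEHOLDER\n-----END CERTIFICATE-----\n')
    (base / f'{name}.crt').write_text(
        'Certificate:\n    Data: (easy-rsa text dump)\n'
        '-----BEGIN CERTIFICATE-----\nCLIENT-CERT-PLACEHOLDER\n-----END CERTIFICATE-----\n')
    (base / f'{name}.key').write_text(
        '-----BEGIN PRIVATE KEY-----\nKEY-PLACEHOLDER\n-----END PRIVATE KEY-----\n')
    (base / f'{name}.pem').write_text(
        '-----BEGIN OpenVPN tls-crypt-v2 client key-----\nTC2-PLACEHOLDER\n'
        '-----END OpenVPN tls-crypt-v2 client key-----\n')
    return base


# Constructed, cut-down copy of the post's client template.
SAMPLE_TEMPLATE = """\
remote vpn.example.invalid 1194 udp
client
dev tap
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
"""

if __name__ == '__main__':
    sample = make_sample_client_dir('laptop')
    text = build_profile(SAMPLE_TEMPLATE, sample, 'laptop')
    print(text, write_profile(text, sample / 'laptop.ovpn'))
```

The client's tls-crypt-v2 key is generated on the server from the server key (the post only shows the server side), which is why the assembler insists on the "client key" header: a server key copied into the profile would let a client forge the wrapping that the server uses to reject unauthenticated packets.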

ucsendre
OpenVpn Newbie
Posts: 2
Joined: Wed May 31, 2023 3:14 pm

Re: please help me to start building VPN

Post by ucsendre » Tue Jul 11, 2023 1:18 pm

mattb1973 wrote (Fri Jul 07, 2023 4:11 pm):
> I'm actually very interested in helping you with this

Dear mattb1973,
Thank you very much for your help! I will try your configuration later this week and will let you know the result here.
Best regards,
Endre
