Question: Bridging client TAP (linux)

BrianATSI
OpenVpn Newbie
Posts: 2
Joined: Fri May 13, 2011 6:52 pm

Question: Bridging client TAP (linux)

Post by BrianATSI » Fri May 13, 2011 7:19 pm

I currently have the following setup

LAN
10.47.0.0/16
|
LINUX VPN/DHCP SERVER
br0 if device
(bridged vpn server tap0 + eth1)
+
eth0 - static public IP
|
<Internet>
|
<Internal LAN>
|
VPN Client
(tap client)
issued an IP (10.47.0.0/16)


-----server
local <my static IP>
port 1194
proto udp
dev tap0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
ca ca.crt
cert server.crt
key server.key 
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 10.47.1.1 255.255.0.0 10.47.1.21 10.47.1.50
push "route 10.47.1.1 255.255.0.0"
push "route-gateway 10.47.1.1"
push "dhcp-option WINS 10.47.1.4"
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-128-CBC   # AES
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

-----client
client
dev tap
proto udp
remote <my server> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert mycert.crt
key mycert.key
ns-cert-type server
tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo
reneg-sec 86400
route-method exe
route-delay 2
verb 3

I love this setup: broadcast works, low latency, but I now need multiple clients on the same local LAN to connect to the server and I don't want to issue a cert to each client. Is there a way to do this?


LAN
10.47.0.0/16
|
LINUX VPN/DHCP SERVER
(bridged vpn server)
+
eth0 - static public IP
|
<Internet>
|
<Internal LAN>
|
2 NIC VPN Client router <~~~~ Can't be a public static IP
eth0
|
(br0 - bridged vpn tap + eth1)
|
LAN
local machines issued a DHCP IP (10.47.0.0/16)

So any client on the remote LAN gets issued an IP from the server's DHCP. I'm not sure how to bridge a client to the LAN interface.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Question: Bridging client TAP (linux)

Post by janjust » Fri May 13, 2011 9:03 pm

Interesting question: it should be possible but it is tricky; the tricky part is in setting up the VPN client. You'd need to bridge tap0 to the eth1 i/f using the normal 'brctl' commands, but this means assigning a static IP to the bridge. Normally a bridged i/f is not assigned a DHCP-based IP (but in theory it should be possible).

I would
- choose a static IP (from the server side IP range) for the VPN client
- bring up tap0 (using openvpn --mktun ....)
- bridge tap0+eth1 and assign the static IP
- set up forwarding on the VPN client
- connect the VPN client

I might be missing something but this should allow you to assign IP addresses from the server-side DHCP server to clients on the VPN client side.

BrianATSI
OpenVpn Newbie
Posts: 2
Joined: Fri May 13, 2011 6:52 pm

Re: Question: Bridging client TAP (linux)

Post by BrianATSI » Mon May 16, 2011 8:36 pm

According to this link I found, http://ubuntuforums.org/showthread.php?t=1067247, I can set up a bridge i/f that uses DHCP in /etc/network/interfaces, but the question would be whether the VPN connection will open before it tries to acquire an IP.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Question: Bridging client TAP (linux)

Post by janjust » Tue May 17, 2011 10:13 am

You could use a custom 'up' script to achieve that, or perhaps even use 'ifconfig-noexec' to stop OpenVPN from bringing up the i/f by itself.
When OpenVPN brings up the i/f and tries to assign an address, the tunnel is open.
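Putting janjust's steps together as an added example (not code from the thread): a client 'up' script, run with 'ifconfig-noexec' so that OpenVPN leaves the server-pushed address in the ifconfig_local/ifconfig_netmask environment variables, that adds the tap device to a bridge with eth1 and assigns that address to the bridge instead. The bridge-up.sh name and the BRIDGE, LAN_IF and DRY_RUN variables are assumptions of this example; it needs 'script-security 2' in the client config.

```shell
#!/bin/sh
# Example OpenVPN client 'up' script (not from the thread). Assumed client config:
#   script-security 2
#   ifconfig-noexec
#   up /etc/openvpn/bridge-up.sh
# OpenVPN runs it as: bridge-up.sh <dev> <mtu> <link_mtu> ... and exports
# ifconfig_local / ifconfig_netmask (the pushed server-bridge address).
# BRIDGE, LAN_IF and DRY_RUN are hypothetical knobs for this example.

BRIDGE="${BRIDGE:-br0}"
LAN_IF="${LAN_IF:-eth1}"

# Execute a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# bridge_up <tap dev> <address> <netmask>: returns 1 on missing arguments.
bridge_up() {
    tap="$1"; addr="$2"; mask="$3"
    [ -n "$tap" ] && [ -n "$addr" ] && [ -n "$mask" ] || return 1
    # Create the bridge once; the LAN side stays attached across reconnects.
    if [ -n "${DRY_RUN:-}" ] || ! [ -d "/sys/class/net/$BRIDGE" ]; then
        run brctl addbr "$BRIDGE"
        run brctl addif "$BRIDGE" "$LAN_IF"
        run ifconfig "$LAN_IF" 0.0.0.0 promisc up
    fi
    # Bridge members carry no IP of their own; the address goes on br0.
    run ifconfig "$tap" 0.0.0.0 promisc up
    run brctl addif "$BRIDGE" "$tap"
    run ifconfig "$BRIDGE" "$addr" netmask "$mask" up
}

# Entry point when invoked by OpenVPN (skipped when no arguments are given).
if [ $# -ge 1 ]; then
    bridge_up "$1" "${ifconfig_local:?}" "${ifconfig_netmask:?}"
fi
```

Remote-LAN machines then sit on the same broadcast domain as the server's br0 and get their leases from the server-side DHCP, while the VPN client itself keeps the pushed address on its bridge.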
