[SOLVED] VPN Noob needs help with configuration

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Sky
OpenVpn Newbie
Posts: 10
Joined: Tue Dec 07, 2010 9:54 pm

[SOLVED] VPN Noob needs help with configuration

Post by Sky » Tue Dec 07, 2010 10:13 pm

I am having trouble understanding how to configure OpenVPN community software (stable release 2.1.4) for server and client config files. For starters, I imagine I should use dev tap rather than dev tun because I imagine I want ethernet tunneling rather than IP tunneling (though I can't be certain). My goal is for multiple LANs with machines running Windows (Win 7) to be able to communicate as if they are all on one LAN, specifically to allow LAN games to work. The forum rules mention using a WINS server instead of dev tap if all I need is windows file sharing, but I imagine games don't use the windows file sharing protocol for LAN game communication.

I also haven't figured out many of the other settings in the config file... quite possibly most of them on default will work for me. Am I trying to do LAN bridging? If so I need to comment out the line for the server subnet addressing. But I don't even know if I am doing LAN bridging. Is that synonymous with Virtual Lan? Isn't that the entire point of what VPN is for?

I imagine I'll need to forward a port on my router so the server can work. Where do I find that port number? Do clients need to forward a port too?

Just so you know I am an advanced computer user so it's not like you're dealing with a knucklehead. I even have course level understanding of concepts like ca certificates, public/private keys, etc. I just don't know how to go about creating them from the "easy-rsa" folder that contains some .bat files for doing that kind of stuff. The readme file in the directory confused me.

One last thing. Are clients supposed to use the OpenVPN2.1.4 app with a client config or are they supposed to use the OpenVPN Community Software Windows Client Download to connect?

Any help will be much appreciated. I tried to find a tutorial/guide/How-To that would help me with the configs, but the only useful one I found was for using Zeroshell, but I don't have a Linux box to install Zeroshell on and I'm not going to make one.

Thanks!

Sky
OpenVpn Newbie
Posts: 10
Joined: Tue Dec 07, 2010 9:54 pm

Re: VPN Noob needs help with configuration

Post by Sky » Tue Dec 07, 2010 10:22 pm

Oops, I had already seen where the port was, I just forgot. It's 1194 by default. I'll open that up in my firewall/router. Does that port need to be open for clients too? I'm going to keep trying to figure out the configuration stuff on my own and may discover some of the answers on my own. But I am quite certain I will not learn it all on my own without some help.

krzee
Forum Team
Posts: 728
Joined: Fri Aug 29, 2008 5:42 pm

Re: VPN Noob needs help with configuration

Post by krzee » Tue Dec 07, 2010 10:46 pm

you do need a bridge
http://openvpn.net/index.php/open-sourc ... o.html#pki for how to make your PKI stuff (ca, and certs)
clients and server will use the openvpn installer from here http://openvpn.net/download
clients do not need open ports, they just connect to the server
I don't support bridges, so that's all I can do to help

http://openvpn.net/index.php/documentat ... dging.html
http://openvpn.net/index.php/documentat ... ml#bridge1
and see --server-bridge in the manual
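A minimal pair of bridged-mode config files matching the above pointers, added here as an illustration and not taken from the thread or from the OpenVPN documentation. The addresses (192.168.1.0/24), the hostname vpn.example.org, the TAP adapter name and the certificate file names are assumptions; the certificate files are the ones easy-rsa produces. The point worth noticing: the first argument of server-bridge is the address you give the Windows bridge adapter by hand, and both it and the pool must lie inside the physical LAN's subnet but outside the router's DHCP range, which is why addresses like 10.8.0.4 on a 192.168.x.0 LAN leave the machine unreachable.

```conf
# ---- server.ovpn (runs on the machine whose TAP adapter is bridged to the LAN NIC)
port 1194
proto udp
dev tap
# Windows: the TAP adapter's name in Network Connections, as an assumption
dev-node "OpenVPN TAP"

ca ca.crt
cert server.crt
# server.key never leaves this machine
key server.key
# produced by easy-rsa's build-dh
dh dh1024.pem

# bridge-IP  netmask  pool-start  pool-end
# bridge-IP is set by hand on the Windows "Network Bridge" adapter; the pool
# is handed to VPN clients and must not overlap the router's DHCP range.
server-bridge 192.168.1.250 255.255.255.0 192.168.1.200 192.168.1.220

# let VPN clients see each other (LAN game discovery uses broadcasts)
client-to-client
keepalive 10 120
# HMAC "firewall": packets without a valid HMAC are dropped before TLS even starts
tls-auth ta.key 0
comp-lzo
persist-key
persist-tun
verb 3

# ---- client.ovpn (each buddy's machine)
client
dev tap
proto udp
# the server's public address and the port forwarded on its router
remote vpn.example.org 1194
resolv-retry infinite
# clients do not need a forwarded port: they only dial out
nobind
persist-key
persist-tun

ca ca.crt
cert buddy1.crt
key buddy1.key
# reject a server that presents a mere client certificate (anti-MITM);
# needs the server cert built with easy-rsa's build-key-server
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
```

The tls-auth key (ta.key, made with `openvpn --genkey --secret ta.key`) is the same file on both ends, with direction 0 on the server and 1 on the clients.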

Sky
OpenVpn Newbie
Posts: 10
Joined: Tue Dec 07, 2010 9:54 pm

Re: VPN Noob needs help with configuration

Post by Sky » Tue Dec 07, 2010 11:17 pm

Thanks a ton! I'm getting started on all that. I'm just wondering if it would be worthwhile to just use the static key security? I am just connecting 3 home networks for LAN gaming, but full cryptographic security is important to me. I don't just want encryption, I do want authentication to prevent man-in-the-middle attacks. I'm guessing that static key security does not offer authentication. Am I correct?

Sky
OpenVpn Newbie
Posts: 10
Joined: Tue Dec 07, 2010 9:54 pm

Re: VPN Noob needs help with configuration

Post by Sky » Wed Dec 08, 2010 12:24 am

Well, at this point I'm going with PKI.

I want the clients to generate their own private keys, but I don't know how the clients can initiate a "Certificate Signing Request" to the server to generate the public key (certificate). Can anyone tell me how? Thanks!

Edit: Hmm, upon thinking about this... is it not the case that since the ca.crt file (the Certificate Authority's public key (certificate)) is available to anyone and everyone and I place this on all clients, that a client would simply be able to generate its own public key locally without needing to send a CSR to the server? No I must be thinking of this wrong. The server signs the client's private key with the ca.key. Right? If so, then how can such a CSR be conducted without a secure channel existing already? If you need a secure channel to do a CSR then I might as well just generate all the keys on the server and send them to the clients using AES encryption and tell my buddies the password over the phone.

I'll have to do it that way unless someone can clarify this for me.

Edit2: No, clearly a CSR does not require a private key to leave the hard drive of the machine that requires it. I suppose the client's private key gets encrypted with the server's ca cert so then only the server can decrypt it with its private key and then create the client's certificate by signing their private key with the ca private key. I think that's how it works. Been a while since I took Cryptography :P

Regardless, all I need to do is learn how to allow the client to do a CSR to the server machine and then I'm set!


Edit3: Never mind, I figured out how to do CSR woot! :)
Last edited by Sky on Wed Dec 08, 2010 4:02 am, edited 1 time in total.

Sky
OpenVpn Newbie
Posts: 10
Joined: Tue Dec 07, 2010 9:54 pm

Re: VPN Noob needs help with configuration

Post by Sky » Wed Dec 08, 2010 2:16 am

I have another question.

If one of the gaming machines is running the OpenVPN server, does that machine need to run a client in order for it to be part of the VLAN? At first I assumed this would be the case, but I'm second guessing that now.

Sky
OpenVpn Newbie
Posts: 10
Joined: Tue Dec 07, 2010 9:54 pm

Re: VPN Noob needs help with configuration

Post by Sky » Wed Dec 08, 2010 5:09 am

I'm struggling to get Ethernet Bridging to work.

I have a single Ethernet adapter and I bridge it with the tap-win32 adapter but no matter what settings I put in the IP-v4 properties I can't connect back to the internet. I can ONLY connect back into the LAN (obviously created by the router I have) by choosing an IP in the range of IPs that the router offers to adapters connected to it (192.168.xyz.xxx where xyz = a specific number specified in the router settings) so using either 10.8.0.4 or 192.168.8.4 won't work since those aren't within that range. However, it makes more sense to use numbers NOT inside the router's assignable range because we don't want conflicts in the routing.

So I am SUPER confused how to do this. I don't even understand why 2 physical network adapters on the same machine is better.

I also read:
"A common mistake that people make when manually configuring an Ethernet bridge is that they add their primary ethernet adapter to the bridge before they have set the IP and netmask of the bridge interface. The result is that the primary ethernet interface "loses" its settings, but the equivalent bridge interface settings have not yet been defined, so the net effect is a loss of connectivity on the ethernet interface."

But I don't think I'm making that mistake. For starters, the ethernet adapter just uses "obtain IP/DNS address automatically" and using those settings on the tap-bridge adapter doesn't help. Like I said, specifying an IP address doesn't seem to help except get me as part of the network (although even when I'm part of the network I can't access the router's website (but I can access other computers on the LAN)).

Is part of the problem that I don't have the DNS server nor Gateway addresses specified? What on earth would I set them to?

Sorry for the lack of conciseness :(

Sky
OpenVpn Newbie
Posts: 10
Joined: Tue Dec 07, 2010 9:54 pm

Re: VPN Noob needs help with configuration

Post by Sky » Thu Dec 09, 2010 1:02 am

I changed my VPN server to a Windows XP machine that has two ethernet adapters and I successfully bridged the tap-adapter to the spare ethernet adapter and that machine still has internet thanks to the other adapter.

So all my above problems seem to be solved. I am having connecting problems, but I'll create a new thread for that.
