Setting up a TAP OpenVPN server

Samples of working configurations.
Post Reply
chameleon
OpenVpn Newbie
Posts: 3
Joined: Wed Sep 11, 2019 4:54 am

Setting up a TAP OpenVPN server

Post by chameleon » Wed Jul 15, 2020 5:21 pm

After a lot of months I finally setup OpenVPN TAP (layer 2) successfully.

Because none of the guides help me 100%, and I found setup VERY HARD, I wrote this guide for me, and now I translate it to english for community.
Basically, I ask before a lot of months this forum for help, but none was able to help me.

Setup VPN layer 2 with OpenVPN


Why layer 2
Layer 2 is MAC address level.
There is no other way to play LAN games with your friends in the world.
Unfortunately with layer 3 there is no multicast in x.x.x.255.
Layer 3 is IP address level. Why, there is no multicast on IP level, ask OpenVPN.


Architecture
When we say LAN, we mean physical local area network.
When we say VPN, we mean virtual network acting like a LAN.
We will connect clients all over the world with OpenVPN, to a LAN.
Lets say, LAN where OpenVPN server belongs, is 10.0.0.0/24.
Every OpenVPN client's LAN, MUST NOT contain 10.0.0.0/24. An acceptable OpenVPN client's LAN is 192.168.1.0/24.
After OpenVPN connection establishment, all devices in LAN 10.0.0.0/24 will keep their IP address (10.0.0.0/24) but also all OpenVPN clients will take an IP in VPN 10.0.0.0/24, keeping their LAN IP (192.168.1.0/24).
So, OpenVPN server will be in LAN 10.0.0.0/24, OpenVPN clients will be in VPN 10.0.0.0/24, extension of LAN. All devices in LAN 10.0.0.0/24 even no OpenVPN clients will included both in LAN 10.0.0.0/24 and in VPN 10.0.0.0/24.


Can I connect whole LAN of an OpenVPN client with whole LAN of OpenVPN server?
Yes but I don't describe that thing here.
As I said before, we connect OpenVPN clients with whole OpenVPN server's LAN.


OpenVPN architecture
Every client and the server have a certification signed from a certification authority.
Also they have a configuration file which all of them must have many settings the same, or else connection will not be established.


Creating certification authority
To create certification of certification authority, you must run the commands:

Code: Select all

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -utf8 -days 36500 -key ca.key -out ca.crt
and we have public ca.crt and private key ca.key.


Creating server's certification
We must create a file openssl.x509.server.conf with contents:

Code: Select all

# These extensions are added when 'ca' signs a request.
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage=serverAuth
To create certification of server, you must run the commands:

Code: Select all

openssl genrsa -out server.key 4096
openssl req -new -utf8 -key server.key -out server.csr
openssl x509 -req -days 36500 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt -extfile openssl.x509.server.conf
rm server.csr
and we have public server.crt and private key server.key.


Creating each client's certification
We must create a file openssl.x509.client.conf with contents:

Code: Select all

# These extensions are added when 'ca' signs a request.
keyUsage = digitalSignature
extendedKeyUsage=clientAuth
To create certification of each client, you must run the commands for every client:

Code: Select all

openssl genrsa -out client.key 4096
openssl req -new -utf8 -key client.key -out client.csr
openssl x509 -req -days 36500 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt -extfile openssl.x509.client.conf
rm client.csr
and we have public client.crt and private key client.key.


Creating the tls-auth key
To create tls-auth key, which provides more security, you must run the commands:

Code: Select all

openvpn --genkey --secret ta.key
and we have the private key ta.key.


Creating Diffie-Hellman file
To create Diffie-Hellman file at 4096 bits, you must run the commands:

Code: Select all

openssl dhparam -out dh4096.pem 4096
and we have -after a lot of time- file dh4096.pem.


Setting up the server
We modify the network configuration file /etc/network/interfaces as folling:

Code: Select all

#auto eth0
##iface eth0 inet dhcp
#iface eth0 inet static
#address 10.0.0.2
#netmask 255.255.255.0
#gateway 10.0.0.1
#dns-nameservers 10.0.0.1

auto br0
iface br0 inet static
address 10.0.0.2
netmask 255.255.255.0
gateway 10.0.0.1
network 10.0.0.0
broadcast 10.0.0.255
dns-nameservers 10.0.0.1
bridge_ports eth0
Disable everything related with eth0 and enable network bridge br0 with the same options.
On option bridge_ports we don't put tap0 (tap0 is the network interface created from OpenVPN) because OpenVPN hasn't executed yet: Network must be setup before OpenVPN.

Copy files ca.crt, dh4096.pem, server.crt, server.key, ta.key to folder /etc/openvpn, with ownership root:root and permissions 400.

Create an executable script /etc/openvpn/openvpn_up with contents:

Code: Select all

#!/bin/bash
brctl addif br0 $1
ifconfig $1 up
This file, when OpenVPN create network interface tap0 ($1), connects this network interface under the bridge br0. Then up network interface tap0.

Modify or create the file /etc/openvpn/server.conf with following contents (comments stripped):
Server config

port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key # This file is secret
dh dh4096.pem
topology subnet
ifconfig-pool-persist ipp.txt
server-bridge 10.0.0.2 255.255.255.0 10.0.0.192 10.0.0.254
client-to-client
;keepalive 10000 11000 # super max or disable or else disconnections
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
;compress lz4-v2 # Maybe I add it later
;push "compress lz4-v2"
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
script-security 2
up openvpn_up
;down openvpn_down # no need


reboot.


Setting up the client
Copy files ca.crt, client.crt, client.key, ta.key to folder /etc/openvpn, with ownership root:root and permissions 400.
If we have windows in client, do something similar. It is easier.

Modify or create the file /etc/openvpn/client.conf with following contents (comments stripped):
Client config

remote mydomain.myftp.org 1194
client
proto udp
dev tap
ca ca.crt
cert client.crt
key client.key # This file is secret
tls-auth ta.key 1 # This file is secret
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1


Or else we can insert inline the certificates inside configuration file (I didn't test it), so contents are:
Client config

remote mydomain.myftp.org 1194
client
proto udp
dev tap
<ca>
-----BEGIN CERTIFICATE-----
...certificate contents...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...certificate contents...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
...certificate contents...
-----END RSA PRIVATE KEY-----
</key>
;keepalive 60 120
key-direction 1 # Complementary of tls-auth
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...certificate contents...
-----END OpenVPN Static key V1-----
</tls-auth>
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1


Run the OpenVPN client service.
Last edited by Pippin on Wed Jul 15, 2020 6:09 pm, edited 1 time in total.
Reason: Formatting

chameleon
OpenVpn Newbie
Posts: 3
Joined: Wed Sep 11, 2019 4:54 am

Re: Setting up a TAP OpenVPN server

Post by chameleon » Tue Jul 21, 2020 10:31 pm

Some extra info:
  • An OpenVPN server MUST NOT be also an OpenVPN client of itself! (Actually I did this error!)
  • Any device in LAN 10.0.0.0/24 belongs to VPN even if not is an OpenVPN client. Basically there is no need to be an OpenVPN client. Exception is a portable device (a laptop) which must belong to VPN even after moving to another place (outside LAN).
PS: Why I cannot edit my original post after a period of time? Now, I must add additional posts.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7576
Joined: Fri Jun 03, 2016 1:17 pm

Re: Setting up a TAP OpenVPN server

Post by TinCanTech » Tue Jul 21, 2020 10:43 pm

There is a time limit on editing posts .. due to excessive spam .. as you might imagine.

Thanks for the write up 8-)

You can also post things like this to the OpenVPN Wiki if you prefer..
where you can also edit your work. If you pass some tests :mrgreen:

Post Reply