====== OpenVPN Bridges ======
===== Prepare OpenVPN =====
  * Rather than repeating the already excellent documentationf from Ubuntu, we are just going to give you the URL with the instructions to follow in order to get a OpenVPN server installed and configured.
  * [[https://help.ubuntu.com/18.04/serverguide/openvpn.html|Install OpenVPN on Ubuntu 18.04]]
  * You can complete the steps up to and including **Simple Server Configuration**.
  * After this we will remove the **/etc/openvpn/server.conf** file and replace it with the following three files.
  * Please adapt to your server, especially the value of **local** to reflect the public IP Address of your server.
  * We are going to use OpenVPN configured as follows:
    * We are not going to use encryption of the tunnel.
    * We are not going to use the PKI
    * We are compressing the data
    * We are using a username and password given by the client and pass it onto a script to verify if the client is valid. 
  * Remove /etc/openvpn/server.conf
<code bash>
sudo rm /etc/openvpn/server.conf
</code>

-----------------

===== OpenVPN server config for br0.101 =====
  * Create a file called **/etc/openvpn/server_vlan_101.conf**.
  * Be sure to check the correct value for eth0.101. It might be eth1.101 with your config. (up "/etc/openvpn/up.sh br0.101 eth1.101")
<code bash>
mode server

auth none
cipher none

tmp-dir /dev/shm

auth-user-pass-verify /home/system/openvpn_auth.pl via-file
client-cert-not-required
username-as-common-name
script-security 2

local 198.27.111.78
port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem

up "/etc/openvpn/up.sh br0.101 eth0.101"
server-bridge 10.101.0.1 255.255.0.0 10.101.0.2 10.101.0.100

ifconfig-pool-persist ipp.txt
;client-config-dir ccd
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4

</code>

------------

===== OpenVPN server config for br0.102 =====
  * Create a file called **/etc/openvpn/server_vlan_102.conf**.
  * Be sure to check the correct value for eth0.102. It might be eth1.102 with your config. (up "/etc/openvpn/up.sh br0.102 eth1.102")
<code bash>
mode server

auth none
cipher none

tmp-dir /dev/shm

auth-user-pass-verify /home/system/openvpn_auth.pl via-file
client-cert-not-required
username-as-common-name
script-security 2

local 198.27.111.78
port 1195
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem

up "/etc/openvpn/up.sh br0.102 eth0.102"
server-bridge 10.102.0.1 255.255.0.0 10.102.0.2 10.102.0.100

ifconfig-pool-persist ipp.txt
;client-config-dir ccd
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4

</code>

------

===== OpenVPN server config for br0.103 =====
  * Create a file called **/etc/openvpn/server_vlan_103.conf**.
  * Be sure to check the correct value for eth0.103. It might be eth1.103 with your config. (up "/etc/openvpn/up.sh br0.103 eth1.103")
<code bash>
mode server

auth none
cipher none

tmp-dir /dev/shm

auth-user-pass-verify /home/system/openvpn_auth.pl via-file
client-cert-not-required
username-as-common-name
script-security 2

local 198.27.111.78
port 1196
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem

up "/etc/openvpn/up.sh br0.103 eth0.103"
server-bridge 10.103.0.1 255.255.0.0 10.103.0.2 10.103.0.100

ifconfig-pool-persist ipp.txt
;client-config-dir ccd
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4

</code>

------

===== Prepare /etc/openvpn/up.sh =====
  * You'll see in the config files there are reference to two scripts.
    * **/etc/openvpn/up.sh** is called when the tap interface comes up.
    * **/home/system/openvpn_auth.pl** is used to verify the clients.
    * Create the **/etc/openvpn/up.sh** file
<code bash>
sudo vi /etc/openvpn/up.sh
</code>
  * Give it the following content:
<code bash>
#!/bin/sh

BR=$1
ETHDEV=$2
TAPDEV=$3

/sbin/ip link set "$TAPDEV" up
/sbin/ip link set "$ETHDEV" promisc on
/sbin/brctl addif $BR $TAPDEV

</code>
  * Make it executable
<code bash>
sudo chmod 755 /etc/openvpn/up.sh
</code>

---------------

===== Prepare openvpn_auth.pl =====
  * You can run the OpenVPN server separate from the RADIUSdesk server.
  * The **openvpn_auth.pl** script can then be copied to the server running the OpenVPN server.
  * You just have to configure the **openvpn_auth.pl** script to point to your RADIUSdesk server to do the API calls when authenticating a client.
  * The **openvpn_auth.pl** script is traditionally under **/usr/share/nginx/html/cake2/rd_cake/Setup/Scripts/**.
  * Copy this file to a convenient location on  the OpenVPN server and edit the following to point to your RADIUSdesk server.
<code perl>
my $protocol='http';
my $server_name_or_ip='198.27.111.78';
my $api_path="/cake2/rd_cake/openvpn_servers/auth_client.json";
</code>
  * Make sure this file is executable in its new location:
<code bash>
sudo chmod 755 /home/system/openvpn_auth.pl
</code>

===== Restart OpenVPN service =====
  * Restart the OpenVPN service.
<code bash>
sudo service openvpn stop
sudo service openvpn start
#You should now see the following
* Starting virtual private network daemon(s)... 
Autostarting VPN 'server_vlan_101'
Autostarting VPN 'server_vlan_102'
Autostarting VPN 'server_vlan_103'      
</code>

------------------

===== Check the bridges =====
  * Confirm that the bridges each have a tap interface included:
<code bash>
brctl show
bridge name	bridge id		STP enabled	interfaces
br0.101		8000.000c294aafdf	no		eth0.101
							tap0
br0.102		8000.000c294aafdf	no		eth0.102
							tap1
br0.103		8000.000c294aafdf	no		eth0.103
							tap2

</code>
  * ifconfig should also include a list of three tap interfaces
<code bash>
tap0      Link encap:Ethernet  HWaddr 22:1a:35:b6:01:d7  
          inet6 addr: fe80::201a:35ff:feb6:1d7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:768 (768.0 B)  TX bytes:820 (820.0 B)

tap1      Link encap:Ethernet  HWaddr ca:e0:7d:c0:ea:a0  
          inet6 addr: fe80::c8e0:7dff:fec0:eaa0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:648 (648.0 B)

tap2      Link encap:Ethernet  HWaddr f2:36:e7:d2:da:c1  
          inet6 addr: fe80::f036:e7ff:fed2:dac1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:648 (648.0 B)

</code>

<WRAP center round tip 90%>
  * If your server  has only **one** interface card, be sure to add the following line to the **/etc/rc.local** file to ensure OpenVPN is only started up after the bridges have been set up

<code bash>
/sbin/brctl addif br0.103 eth1.103
/sbin/ip addr add 10.103.0.1/16 dev br0.103
/sbin/ip link set dev br0.103 up

#Add the startup of OpenVPN
/usr/sbin/service openvpn start

exit 0

</code>

</WRAP>


  * We are making good progress. Next we will install and configure **Coova Chilli** so that it runs an instance on each VLAN.
  * To confirm everything will come up after a power cycle, go ahead and reboot the server.
<code bash>
sudo reboot
</code>