OpenVPN Bridges

Prepare OpenVPN

sudo rm /etc/openvpn/server.conf

OpenVPN server config for br0.101

mode server
 
auth none
cipher none
 
tmp-dir /dev/shm
 
auth-user-pass-verify /home/system/openvpn_auth.pl via-file
client-cert-not-required
username-as-common-name
script-security 2
 
local 198.27.111.78
port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
 
up "/etc/openvpn/up.sh br0.101 eth0.101"
server-bridge 10.101.0.1 255.255.0.0 10.101.0.2 10.101.0.100
 
ifconfig-pool-persist ipp.txt
;client-config-dir ccd
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4

OpenVPN server config for br0.102

mode server
 
auth none
cipher none
 
tmp-dir /dev/shm
 
auth-user-pass-verify /home/system/openvpn_auth.pl via-file
client-cert-not-required
username-as-common-name
script-security 2
 
local 198.27.111.78
port 1195
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
 
up "/etc/openvpn/up.sh br0.102 eth0.102"
server-bridge 10.102.0.1 255.255.0.0 10.102.0.2 10.102.0.100
 
ifconfig-pool-persist ipp.txt
;client-config-dir ccd
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4

OpenVPN server config for br0.103

mode server
 
auth none
cipher none
 
tmp-dir /dev/shm
 
auth-user-pass-verify /home/system/openvpn_auth.pl via-file
client-cert-not-required
username-as-common-name
script-security 2
 
local 198.27.111.78
port 1196
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
 
up "/etc/openvpn/up.sh br0.103 eth0.103"
server-bridge 10.103.0.1 255.255.0.0 10.103.0.2 10.103.0.100
 
ifconfig-pool-persist ipp.txt
;client-config-dir ccd
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4

Prepare /etc/openvpn/up.sh

sudo vi /etc/openvpn/up.sh

#!/bin/sh
# Called by OpenVPN from the "up" line in server.conf. The first two
# arguments (bridge, ethernet VLAN device) come from that line; OpenVPN then
# appends its own arguments, starting with the name of the tap device.
 
BR=$1
ETHDEV=$2
TAPDEV=$3
 
# Bring the tap up, put the VLAN device into promiscuous mode and attach
# the tap to the bridge so VPN clients share the VLAN's layer-2 segment.
/sbin/ip link set "$TAPDEV" up
/sbin/ip link set "$ETHDEV" promisc on
/sbin/brctl addif "$BR" "$TAPDEV"

sudo chmod 755 /etc/openvpn/up.sh

Prepare openvpn_auth.pl

Set these variables in /home/system/openvpn_auth.pl so they point at the server hosting the auth_client.json API, then make the script executable:

my $protocol='http';
my $server_name_or_ip='198.27.111.78';
my $api_path="/cake2/rd_cake/openvpn_servers/auth_client.json";

sudo chmod 755 /home/system/openvpn_auth.pl
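As an added example (not the page's openvpn_auth.pl and not the project's API), the Python below shows the contract that any auth-user-pass-verify script run with via-file must honour: OpenVPN writes the username on line 1 and the password on line 2 of a temporary file under tmp-dir, passes its path as the first argument, and admits the client only when the script exits 0. The form fields posted to auth_client.json and the `success` key expected in its JSON reply are assumptions.

```python
#!/usr/bin/env python3
"""Illustrative auth-user-pass-verify helper for the via-file mode."""
import json
import sys
import urllib.parse
import urllib.request
from typing import Tuple

# Endpoint from the page's openvpn_auth.pl variables; request/response
# shape below is an assumption, not the real API contract.
API_URL = "http://198.27.111.78/cake2/rd_cake/openvpn_servers/auth_client.json"


def parse_via_file(text: str) -> Tuple[str, str]:
    """Split via-file contents: line 1 is the username, line 2 the password."""
    lines = text.split("\n")
    if len(lines) < 2:
        raise ValueError("via-file needs a username line and a password line")
    username, password = lines[0].rstrip("\r"), lines[1].rstrip("\r")
    if not username or not password:
        raise ValueError("empty username or password")
    return username, password


def decide(response_body: bytes) -> bool:
    """Map an API reply to allow/deny; anything malformed or unexpected denies."""
    try:
        reply = json.loads(response_body)
    except ValueError:
        return False
    return isinstance(reply, dict) and reply.get("success") is True


def authenticate(username: str, password: str) -> bool:
    """POST the credentials (assumed field names) and fail closed on any error."""
    data = urllib.parse.urlencode({"username": username, "password": password})
    try:
        with urllib.request.urlopen(API_URL, data=data.encode(), timeout=5) as resp:
            return decide(resp.read())
    except (OSError, ValueError):
        return False


if __name__ == "__main__":
    # OpenVPN passes the temporary file path as argv[1]; exit 0 = accept.
    try:
        with open(sys.argv[1], encoding="utf-8") as fh:
            user, pw = parse_via_file(fh.read())
    except (IndexError, OSError, ValueError):
        sys.exit(1)
    sys.exit(0 if authenticate(user, pw) else 1)
```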

Restart OpenVPN service

sudo service openvpn stop
sudo service openvpn start
# You should now see the following:
* Starting virtual private network daemon(s)...
Autostarting VPN 'server_vlan_101'
Autostarting VPN 'server_vlan_102'
Autostarting VPN 'server_vlan_103'

Check the bridges

brctl show
bridge name	bridge id		STP enabled	interfaces
br0.101		8000.000c294aafdf	no		eth0.101
							tap0
br0.102		8000.000c294aafdf	no		eth0.102
							tap1
br0.103		8000.000c294aafdf	no		eth0.103
							tap2

tap0      Link encap:Ethernet  HWaddr 22:1a:35:b6:01:d7
          inet6 addr: fe80::201a:35ff:feb6:1d7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:768 (768.0 B)  TX bytes:820 (820.0 B)
 
tap1      Link encap:Ethernet  HWaddr ca:e0:7d:c0:ea:a0  
          inet6 addr: fe80::c8e0:7dff:fec0:eaa0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:648 (648.0 B)
 
tap2      Link encap:Ethernet  HWaddr f2:36:e7:d2:da:c1  
          inet6 addr: fe80::f036:e7ff:fed2:dac1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:648 (648.0 B)
  • If your server has only one interface card, be sure to add the following lines to /etc/rc.local so that OpenVPN is only started after the bridges have been set up (the tail of the file, after the last bridge is configured, should look like this):

/sbin/brctl addif br0.103 eth1.103
/sbin/ip addr add 10.103.0.1/16 dev br0.103
/sbin/ip link set dev br0.103 up
 
# Add the startup of OpenVPN
/usr/sbin/service openvpn start
 
exit 0

sudo reboot