OpenVPN Woes: The Revenege of Nick

OpenVPN Woes: The Revenege of Nick

After one week of struggle, head ache, and a very patient girlfriend I have OpenVPN running in a bridged configuration! What follows are the steps that I had taken (minus the blood, sweat, and tears):

  • Read the OpenVPN HOWTO! Nothing will replace the knowledge of how this beast works.
  • Bridge your OpenVPN virtual network adapter with your local LAN-side adapter. Make sure to set your bridge adapter network information (IP, netmask, ect) to what your local LAN adapter information was set to. I did come across a decent guide with images in my travels for Windows.
  • Generate the certificates. Do not forget to generate the Generate Diffie Hellman keys as this was a small road block for me. (I am just going to link this one since this step is easy and is explained very well in the HOWTO.) Copy the ca.crt, client1.crt, and client1.key files to your clients. It is also a good idea to read the section on Hardening OpenVPN Security and generating a ta.key.
  • Create your configuration files using the samples as a base making sure to use your new bridge adapters IP and netmask as your server configurations IP and netmask. These samples are also included in the OpenVPN distribution. (I am including my working configurations below.)
  • Fire up the server and then the client.
  • Read the OpenVPN HOWTO!

My Configurations

Server

port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
ifconfig-pool-persist ipp.txt
server-bridge [Server IP] [Server Netmask] [OpenVPN DHCP Range Start] [OpenVPN DHCP Range End]
client-config-dir ccd
client-to-client
keepalive 10 120
tls-auth ta.key 0
tls-cipher DHE-RSA-AES256-SHA
replay-persist persist.txt
cipher AES-256-CBC
comp-lzo
max-clients 16
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 4
mute 20

Client

client
dev tap
proto udp
remote [VPN IP] [VPN Port]
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
tls-remote [Server Common Name]
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 4
mute 20


Notes

  • All my testing was done with OpenVPN v2.1.1.
  • A bridge configuration will give your VPN clients IPs on your local LAN. Make sure you choose a free range of IPs that does not conflict with anything (including an existing DHCP server).
  • Make sure to disable any firewalls on the bridged adapter if you can. If that is a problem– say your bridged adapter is plugged directly into a WAN connection– you will need to experiment since I did not have to go that far in my setup.
  • I have done most of my testing on Windows XP Professional SP3 and Ubuntu 9.10. These configurations should work for any support platform.
  • I have chosen to allow OpenVPN to dish out the IPs instead of my local DHCP server. The reason for this is some clients will not allow this functionally based on client OS. Since I was already using most of my IPs for DHCP I just lowered the number of available DHCP addresses and set OpenVPN to use those as it wished.
  • Some versions of Windows have an issue bridging the adapter properly. It will say it worked but there is still another step you need to take. Check out this article for more information.
  • If you are unfamiliar with networking and subnetting Wikipedia may be a good place to start.

With the OpenVPN HOWTO and this information you should be able to avoid the headache I went through.

I would very, very, very much like to thank #openvpn on the freenode IRC servers! Without them I would still be at this thing. You guys helped me so much and I appreciate it so much.

Edit 2010.12.23
I have done a lot of experimentation since I originally wrote this. I have updated this article with my current configs.

Leave a Reply

Your email address will not be published.