This article describes how to install an OpenVPN server in bridging mode on Debian Etch, so that VPN clients join one of the router's two existing subnets. Authentication is certificate based: a CA, a server certificate and a client certificate are built with the easy-rsa scripts that ship with OpenVPN.
The base for the VPN server is the Debian Router.
The router already has two networks, so I do not want to create a third one just for the VPN. In bridging mode the VPN clients are attached to an existing network: OpenVPN carries Ethernet frames (layer 2) over a tap device, and that device is bridged with the LAN interface, so a VPN client behaves like a host plugged into that LAN, broadcasts included.
aptitude install openvpn bridge-utils iproute openssl
The first step is to build the certificates with the easy-rsa scripts (they call openssl underneath): a CA, a server certificate, one client certificate and the Diffie-Hellman parameters. Edit the defaults in vars (country, organisation, e-mail) before you start; clean-all wipes the keys directory, so run it only once:

cd /usr/share/doc/openvpn/examples/easy-rsa/2.0
. ./vars
./clean-all
./build-ca
./build-key-server server
./build-key vpnclient
./build-dh
mv keys /etc/openvpn/

Everything lands in /etc/openvpn/keys, including ca.key, the CA's signing key. The server only needs ca.crt, server.crt, server.key and dh1024.pem; keep ca.key (and the whole easy-rsa directory, which you will need again for further clients and for revocation) readable by root only, or better on a machine that is not the VPN server. Copying easy-rsa out of /usr/share/doc, e.g. to /etc/openvpn/easy-rsa, before you start also protects it from being overwritten by a package upgrade.
Copy ca.crt, vpnclient.crt and vpnclient.key to the VPN client over a trusted channel (scp, or removable media). vpnclient.key is the client's private key and must never travel unencrypted by e-mail or HTTP; ca.key is not needed by either the server or the client and stays where the CA lives.
The next step is to create the bridge interface. Insert these lines into /etc/network/interfaces and remove any existing iface eth1 stanza that assigns an address, because br0 takes that address over:
# VPN Bridge
auto br0
iface br0 inet static
    address 192.168.0.1
    netmask 255.255.255.0
    pre-up /usr/sbin/openvpn --mktun --dev tap0
    pre-up /sbin/ip link set tap0 up
    pre-up /sbin/ip link set eth1 up
    pre-up /usr/sbin/brctl addbr br0
    pre-up /usr/sbin/brctl addif br0 eth1
    pre-up /usr/sbin/brctl addif br0 tap0
    pre-up /sbin/ifconfig eth1 0.0.0.0 promisc up
    pre-down /usr/sbin/brctl delif br0 eth1
    pre-down /sbin/ip link set eth1 down
    pre-down /usr/sbin/brctl delif br0 tap0
    pre-down /sbin/ip link set tap0 down
    post-down /usr/sbin/brctl delbr br0
    post-down /usr/sbin/openvpn --rmtun --dev tap0
192.168.0.1 is the address of the interface whose subnet the VPN clients should join. The bridge takes over the address that eth1 had, and a persistent tap0 device is created for OpenVPN. Adapt the interface name (eth1), the address and the netmask to your own setup. After this change eth1 carries no address of its own and runs in promiscuous mode; the LAN reaches the router through br0, so firewall rules and daemons that were bound to eth1 by name (a DHCP server, for instance) must now refer to br0.
Note: you have to configure your firewall for the new interfaces. The rules below accept everything on tap0 and br0, which is fine to get the tunnel working but should be tightened afterwards. OUTPUT rules select the outgoing interface with -o; -i is only valid in the INPUT, FORWARD and PREROUTING chains and iptables rejects it in OUTPUT.

iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A OUTPUT -o tap0 -j ACCEPT
iptables -A OUTPUT -o br0 -j ACCEPT
iptables -A FORWARD -i tap0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT

If your FORWARD policy is DROP, replies coming back into the LAN also need a rule matching -o br0 (or a state match for ESTABLISHED,RELATED); the two FORWARD rules above only cover traffic leaving the bridge. Because tap0 is a member of br0, frames between VPN clients and the LAN are switched inside the bridge and never pass FORWARD at all.
Now you can configure the VPN server. Start from the sample configuration shipped with the package and put a copy into /etc/openvpn; Debian's init script starts one OpenVPN instance for every *.conf file found there.

cd /usr/share/doc/openvpn/examples/sample-config-files
zcat server.conf.gz > /etc/openvpn/networkVPN.conf

(zcat leaves the packaged copy untouched, unlike unpacking it in place with gzip -d and copying the result.)
Now modify the configuration file. The lines that matter for bridge mode are:

dev tap
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server-bridge 192.168.0.1 255.255.255.0 192.168.0.201 192.168.0.250
client-to-client
push "redirect-gateway"
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DEFAULT_GATEWAY 192.168.0.1"
push "dhcp-option DNS 192.168.0.1"
push "dhcp-option DOMAIN network.lan"
push "dhcp-option WINS 192.168.0.1"

You have to replace "dev tun" with "dev tap" and the "server" line with the "server-bridge" line. Its four arguments are the bridge address, its netmask, and the first and last address of the pool handed to VPN clients. That pool (192.168.0.201 to 192.168.0.250 here) must lie inside the bridged subnet and must be excluded from the LAN's DHCP server, otherwise a VPN client and a LAN host can end up with the same address. The file name after dh is whatever build-dh produced, dh1024.pem with the default KEY_SIZE in vars; the relative keys/ paths work because the init script starts openvpn with --cd /etc/openvpn. push "redirect-gateway" sends all of the client's traffic through the router, which therefore has to forward or NAT it towards the internet; the pushed route for 192.168.0.0/24 is redundant in bridge mode, because the client already sits on that subnet. The dhcp-option pushes are applied by the Windows client only; a Linux client ignores them unless an up script acts on them. DEFAULT_GATEWAY is not one of the dhcp-option types documented in the OpenVPN manual (DOMAIN, DNS, WINS, NBDD, NBT, NBS, NTP, DISABLE-NBT), and the default route is already handled by redirect-gateway, so that line can be dropped. Finally, allow OpenVPN's port, UDP 1194, inbound on the external interface in your firewall.
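Before restarting, it is worth checking the configuration against the rules just described: a tap device, a server-bridge line and no leftover server line, a client pool that lies inside the bridged subnet without covering the gateway, and every referenced key file actually present. The POSIX sh linter below is an added example written for this page, not OpenVPN's tooling or the article author's code; the function names, the scratch directory it builds and the empty placeholder key files are its own constructions. It resolves relative ca/cert/key/dh paths against a base directory, which on Debian is /etc/openvpn (the init script starts openvpn with --cd /etc/openvpn).

```sh
#!/bin/sh
# Added example for this article (not OpenVPN's or the author's tooling): a POSIX
# sh linter for the bridge-mode requirements a server config has to meet.
# All function names are this example's own; the sample tree it builds is constructed.

# ip4_to_int 192.168.0.1 -> 3232235521 (dotted quad to integer; subshell keeps IFS untouched)
ip4_to_int() { ( IFS=.; set -- $1; echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 )) ); }

# same_subnet IP1 IP2 MASK -> status 0 when both addresses lie in the same network
same_subnet() {
    _m=$(ip4_to_int "$3")
    [ $(( $(ip4_to_int "$1") & $_m )) -eq $(( $(ip4_to_int "$2") & $_m )) ]
}

# finding MESSAGE: print it and count it (the counter _n is reset by lint_bridge_config)
finding() { _n=$((_n + 1)); echo "finding: $1"; }

# lint_bridge_config FILE [BASEDIR]
# Prints one line per finding; the exit status is the number of findings (0 = clean).
# BASEDIR is where relative ca/cert/key/dh paths are resolved (/etc/openvpn on Debian,
# because the init script uses --cd /etc/openvpn). Omit it to skip the file checks.
lint_bridge_config() {
    _file=$1; _base=${2:-}
    _n=0; _dev=""; _server=""; _sb=""; _gw=""; _mask=""; _start=""; _end=""
    _ca=""; _cert=""; _key=""; _dh=""
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in ''|'#'*|';'*) continue ;; esac   # blank line or comment
        set -f; set -- $_line; set +f                   # split into words, no globbing
        case $1 in
            dev)           _dev=$2 ;;
            server)        _server="$*" ;;
            server-bridge) _sb="$*"; _gw=$2; _mask=$3; _start=$4; _end=$5 ;;
            ca)            _ca=$2 ;;
            cert)          _cert=$2 ;;
            key)           _key=$2 ;;
            dh)            _dh=$2 ;;
        esac
    done < "$_file"

    # 1. Bridging is layer 2: server-bridge only works on a tap device.
    [ "$_dev" = tap ] || finding "dev must be tap for bridging (found: ${_dev:-none})"
    # 2. Exactly one addressing mode: server-bridge present, no leftover 'server' line.
    [ -n "$_sb" ] || finding "no server-bridge line; 'server' would create a separate routed subnet"
    [ -z "$_server" ] || finding "remove '$_server': it conflicts with server-bridge"
    # 3. The client pool must sit inside the bridged LAN and must not swallow the gateway.
    if [ -n "$_start" ] && [ -n "$_end" ]; then
        if same_subnet "$_gw" "$_start" "$_mask" && same_subnet "$_gw" "$_end" "$_mask"; then
            [ "$(ip4_to_int "$_start")" -le "$(ip4_to_int "$_end")" ] \
                || finding "pool start $_start is above pool end $_end"
            _g=$(ip4_to_int "$_gw")
            if [ "$_g" -ge "$(ip4_to_int "$_start")" ] && [ "$_g" -le "$(ip4_to_int "$_end")" ]; then
                finding "gateway $_gw lies inside the client pool $_start-$_end"
            fi
        else
            finding "pool $_start-$_end is outside the bridge network of $_gw/$_mask"
        fi
    fi
    # 4. Every referenced PKI file must exist (this is what catches a dh1024.pm typo).
    if [ -n "$_base" ]; then
        for _f in "$_ca" "$_cert" "$_key" "$_dh"; do
            [ -n "$_f" ] || continue
            case $_f in /*) _p=$_f ;; *) _p=$_base/$_f ;; esac
            [ -f "$_p" ] || finding "referenced file not found: $_p"
        done
    fi
    return $_n
}

# make_demo_tree DIR: constructed scratch copy of /etc/openvpn with empty placeholder
# key files (as build-dh names them) and the bridge-relevant lines of the article's
# config, deliberately keeping the dh1024.pm typo so the linter has something to report.
make_demo_tree() {
    mkdir -p "$1/keys"
    for _f in ca.crt server.crt server.key dh1024.pem; do : > "$1/keys/$_f"; done
    cat > "$1/networkVPN.conf" <<'EOF'
dev tap
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pm
server-bridge 192.168.0.1 255.255.255.0 192.168.0.201 192.168.0.250
client-to-client
push "redirect-gateway"
push "dhcp-option DNS 192.168.0.1"
EOF
}

# Stand-alone demo: expect exactly one finding, the missing keys/dh1024.pm.
_demo=$(mktemp -d)
make_demo_tree "$_demo"
_rc=0; lint_bridge_config "$_demo/networkVPN.conf" "$_demo" || _rc=$?
echo "findings: $_rc"
rm -rf "$_demo"
```

Run as sh lint.sh to see the demo; on the real server call lint_bridge_config /etc/openvpn/networkVPN.conf /etc/openvpn and fix every reported line before restarting. The exit status doubles as the finding count, so the check drops straight into a deployment script.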
Restart the OpenVPN server with its init script:

/etc/init.d/openvpn restart
Now your VPN server is ready. On an Ubuntu client you can set up the connection with the NetworkManager OpenVPN plugin (package network-manager-openvpn), using ca.crt, vpnclient.crt and vpnclient.key copied earlier and selecting a tap device to match "dev tap" on the server.
Note: if you do not want to create a key pair for every client, enable "duplicate-cn" in the server configuration. Be aware of what that costs: with one shared certificate a lost laptop cannot be revoked without re-issuing the certificate to everyone, and the server cannot tell the clients apart in its logs or status file. Per-client certificates are one ./build-key call each; prefer them.