Tuesday, August 04, 2009

OpenVPN Bridging with FreeBSD

Under normal circumstances, VPN connectivity is carried out in a routed (IP forwarding) fashion. Routing is the preferred method because it keeps layer 2 broadcasts and other unnecessary chatter such as ARP and BPDUs off the tunnel; that traffic is quite expensive when it traverses Internet links.

However, some scenarios do require a bridging solution: an application's (lack of) flexibility, the exclusive use of non-routable protocols such as NetBIOS, end users' familiarity with the existing setup, and so on.

OpenVPN Server : /etc/rc.conf
hostname="hq.company.com"
# em0: the routed side, where the default route points
ifconfig_em0="inet 192.168.2.10 netmask 255.255.255.0"
defaultrouter="192.168.2.1"
# em1: the LAN segment to be extended over the VPN; it carries no address of its own
ifconfig_em1="up"
cloned_interfaces="bridge0"

# bridge0 is built at boot from em1; the VPN tap is added later by client-connect.sh
autobridge_interfaces="bridge0"
autobridge_bridge0="em1"
# the LAN address lives on the bridge, not on the member interface
ifconfig_bridge0="inet 192.168.1.10 netmask 255.255.255.0 up"

openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
# kernel modules the rc script loads before starting OpenVPN: if_tap and if_bridge
openvpn_if="tap bridge"

OpenVPN Server : /usr/local/etc/openvpn/openvpn.conf
# bridge address and netmask, then the pool handed to clients (192.168.1.11 to 192.168.1.15):
# the pool must lie inside the LAN subnet and outside any DHCP scope serving that LAN
server-bridge 192.168.1.10 255.255.255.0 192.168.1.11 192.168.1.15
proto udp
dev tap0
resolv-retry infinite
# no "nobind" here: the server must bind its listening port (1194 by default); nobind is a client option
persist-key
persist-tun
comp-lzo
ca /usr/local/etc/openvpn/x.509/ca.crt
cert /usr/local/etc/openvpn/x.509/hq.crt
key /usr/local/etc/openvpn/x.509/hq.key
# TLS server mode requires DH parameters; this path is assumed (generate with: openssl dhparam -out dh.pem 2048)
dh /usr/local/etc/openvpn/x.509/dh.pem
# required on OpenVPN 2.1 and later for the scripts below to run; not recognised by 2.0.x
script-security 2
client-connect /usr/local/etc/openvpn/scripts/client-connect.sh
client-disconnect /usr/local/etc/openvpn/scripts/client-disconnect.sh

OpenVPN Server : /usr/local/etc/openvpn/scripts/client-connect.sh
#!/bin/sh
# $dev is the tap0 shared by all clients; skip addm when it is already a member (a failing script rejects the client)
ifconfig bridge0 | grep -q "member: $dev " || ifconfig bridge0 addm "$dev"

OpenVPN Server : /usr/local/etc/openvpn/scripts/client-disconnect.sh
#!/bin/sh
# runs on every client disconnect: this removes the shared tap0 from the bridge even while other clients remain connected
ifconfig bridge0 deletem "$dev"

+++++++++++++++++++++++++++++++++++++++++++++++++++

OpenVPN Client : /etc/rc.conf
hostname="branch.company.com"
# em0: the routed side, where the default route points
ifconfig_em0="inet 192.168.3.10 netmask 255.255.255.0"
defaultrouter="192.168.3.1"
# em1: the local segment that will be joined to the HQ LAN at layer 2
ifconfig_em1="up"
cloned_interfaces="bridge0"
# no address on this bridge: this end only extends the HQ segment; the VPN tap is added by connect.sh
ifconfig_bridge0="addm em1 up"

openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
# kernel modules the rc script loads before starting OpenVPN: if_tap and if_bridge
openvpn_if="tap bridge"

OpenVPN Client : /usr/local/etc/openvpn/openvpn.conf
client
proto udp
dev tap0
remote hq.company.com 1194
resolv-retry infinite
# the client initiates the connection, so it needs no fixed local port
nobind
persist-key
persist-tun
comp-lzo
ca /usr/local/etc/openvpn/x.509/ca.crt
cert /usr/local/etc/openvpn/x.509/branch.crt
key /usr/local/etc/openvpn/x.509/branch.key
# required on OpenVPN 2.1 and later for the up/down scripts to run; not recognised by 2.0.x
script-security 2
# up runs once tap0 exists; with persist-tun, down runs only on final exit, not on restarts
up /usr/local/etc/openvpn/scripts/connect.sh
down /usr/local/etc/openvpn/scripts/disconnect.sh

OpenVPN Client : /usr/local/etc/openvpn/scripts/connect.sh
#!/bin/sh
# $dev is the client's own tap0; join it to the local bridge so the HQ segment is reachable on em1
ifconfig bridge0 addm "$dev"

OpenVPN Client : /usr/local/etc/openvpn/scripts/disconnect.sh
#!/bin/sh
# detach the tap before OpenVPN closes it, so bridge0 is left with em1 only
ifconfig bridge0 deletem "$dev"
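The four scripts above (the server's client-connect.sh and client-disconnect.sh, the client's connect.sh and disconnect.sh) share one job: keep the VPN tap in bridge0. What follows is an added example, not a script from the original post: one sh file that checks bridge membership before adding or removing an interface. The check matters on the server side, where every connecting client reuses the same tap0, so a plain addm runs once per client, fails the second time because the interface is already a member, and a failing client-connect script makes OpenVPN reject that client. The helper names (bridge_members, bridge_has_member, bridge_ensure_member, bridge_drop_member), the fake_ifconfig stand-in and its sample output are constructed for this example; bridge0, tap0 and the $dev variable are the page's own.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent bridge-membership
# helpers for the client-connect/up and client-disconnect/down scripts.
# In server-bridge mode every client shares the one tap0, so the server's
# client-connect script runs "ifconfig bridge0 addm tap0" once per client;
# the second attempt fails (already a member) and a failing client-connect
# script makes OpenVPN reject that client. These helpers test membership
# before acting. The ifconfig command comes from $IFCONFIG so the logic can
# be exercised against constructed output without touching a real bridge.

IFCONFIG="${IFCONFIG:-ifconfig}"

# List member interfaces of bridge $1 from FreeBSD's "member: NAME flags=" lines.
bridge_members() {
    "$IFCONFIG" "$1" | awk '$1 == "member:" { print $2 }'
}

# Status 0 if interface $2 is a member of bridge $1.
bridge_has_member() {
    bridge_members "$1" | grep -qx "$2"
}

# Add $2 to bridge $1 unless already present; prints the action taken.
bridge_ensure_member() {
    if bridge_has_member "$1" "$2"; then
        echo "already-member"
    else
        "$IFCONFIG" "$1" addm "$2" && echo "added"
    fi
}

# Remove $2 from bridge $1 only if it is a member; prints the action taken.
bridge_drop_member() {
    if bridge_has_member "$1" "$2"; then
        "$IFCONFIG" "$1" deletem "$2" && echo "removed"
    else
        echo "not-member"
    fi
}

# --- offline demo -----------------------------------------------------------
# Constructed stand-in for ifconfig: "bridge0" reports em1 as its only member
# (in the layout FreeBSD prints) and addm/deletem are accepted without effect.
fake_ifconfig() {
    case "$*" in
        bridge0)
            printf '%s\n' \
              'bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500' \
              '        inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255' \
              '        member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>' \
              '                ifmaxaddr 0 port 2 priority 128 path cost 20000' ;;
        "bridge0 addm "*|"bridge0 deletem "*) ;;
        *) echo "fake_ifconfig: unexpected call: $*" >&2; return 1 ;;
    esac
}

# Run the helpers against the stand-in; prints one line per outcome.
demo() {
    IFCONFIG=fake_ifconfig
    bridge_ensure_member bridge0 em1      # already-member
    bridge_ensure_member bridge0 tap0     # added
    bridge_drop_member   bridge0 tap0     # not-member
    bridge_drop_member   bridge0 em1      # removed
}

# Entry point: $dev is set in the environment by OpenVPN. With no argument
# (or when the file is sourced) only the helpers are defined.
case "${1:-}" in
    connect)    bridge_ensure_member bridge0 "$dev" ;;
    disconnect) bridge_drop_member   bridge0 "$dev" ;;
    demo)       demo ;;
esac
```

Run it as `sh bridge-member.sh demo` to see the four outcomes without a real bridge. OpenVPN passes its own arguments to client-connect and up scripts, so point those options at two-line wrappers that `exec` this file with `connect` or `disconnect` rather than at the file directly. The server-side disconnect case remains the weak spot: OpenVPN does not tell the script how many clients are still connected, so removing the shared tap0 on any disconnect still cuts the others off; running the add once from an up script (as the client side does) avoids that.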

2 comments:

ben.j said...

Hello! Great howto; it's been very helpful. One question, though: the first section seems to be about the server config, but lists this:

OpenVPN Client : /usr/local/etc/openvpn/openvpn.conf
server-bridge 192.168.1.10 255.255.255.0 192.168.1.11 192.168.1.15

That config *is* for the server, right? If so, should the lines for client-connect and client-disconnect appear on the server, or in the client's openvpn.conf file?

Shazrin said...

Yup... my bad. Typo error there. Thanks, Ben, for noticing :)