Difference between revisions of "OpenVPN Bridge"

From ArchWiki
m (typos (nothing serious))
m (Using Systemd: .service not needed)
(29 intermediate revisions by 15 users not shown)
Line 1: Line 1:
[[Category:Networking (English)]]
+
[[Category:Virtual Private Network]]
[[Category:HOWTOs (English)]]
+
This page describes how to create a network bridge on Arch Linux and host an OpenVPN server using a IP layer-2 based Ethernet bridge (TAP) rather than a IP layer-3 based IP tunnel (TUN). The general [[OpenVPN]] page describes setting up PAM authentication or OpenSSL security certificates in more detail.
OpenVPN is a full-featured SSL VPN solution which can accommodate a wide range of configurations
+
and is particularly useful for "road warriors" :).
+
  
This wiki page will discuss how to configure OpenVPN (1.6) in Bridge mode with a linux server and either a linux or a windows client. http://openvpn.sourceforge.net/howto.html discusses how to setup OpenVPN routing and explains the pros and cons of each. Also, I'm not going into depth on iptables or how to make a hole in your firewall to allow traffic to reach your OpenVPN machine.  That's for another wiki, or someone who's willing to add to this one.
+
==Introduction==
  
This page describes the "quick n dirty" setup using a secret ssh key for authentication,
+
The [http://openvpn.net/index.php/open-source/documentation.html OpenVPN documentation] page gives a full overview of server-side and client-side options that OpenVPN supports. It is easier to set up OpenVPN in tunneling mode and control routing the traffic and it is generally advised to do so if it serves your purpose. However, some network applications, such as Windows file sharing, rely on network broadcasts at the Ethernet level and benefit from believing they are physically located on the same subnet, and software bridging serves this purpose.
see the openvpn website for more information about SSL setups.
+
  
'''TODO''': This document seems out of date. I noticed there is a /etc/conf.d/bridges now, probably the bridging part should be taken out of the vpn configuration.
+
There are multiple ways to set bridging up. The dynamic method is where OpenVPN will be managing its own bridge on the system and will start, stop and configure it itself. This is the quickest way to set bridging up, although it interrupts other network services when OpenVPN starts and stops. If the system is going to manage its own bridge, maybe because other virtual network adapters connect to the bridge besides just that of OpenVPN, then it is preferable to use the static method.
  
==Server Config==
+
==Dynamic Bridge Installation==
First thing you want to do is install OpenVPN
+
 
 +
You will need to install OpenVPN and Linux bridging utilities
 
<pre>
 
<pre>
pacman -Sy openvpn bridge-utils
+
pacman -S openvpn bridge-utils
 
</pre>
 
</pre>
  
Next install this script as /etc/rc.d/openvpn
+
==Dynamic Bridge Configuration==
  
'''TODO:''' this script doesn't always correctly report "FAILED" or "DONE" so output can't be relied upon and may be confusing.
+
OpenVPN will create/destroy the TAP device automatically for the name specified in the config file. OpenVPN settings common to TUN or TAP are not shown in the example config file below, only settings that affect TAP mode. Make sure the 'up' and 'down' scripts are executable with 'chmod +x' after you write them.
Check /var/log/daemons if things don't seem to work.
+
 
 +
/etc/openvpn/server.conf (sections common to TUN and TAP omitted)
 +
<pre>
 +
# this uses a dhcp server, server-side
 +
#  clients must support binding their dhcp client to their tap adapter
 +
# do not append 'nogw' if using dhcp
 +
server-bridge
 +
# can specify interface, like tap0 or tap1
 +
#  or use up/down routing scripts to handle
 +
#  more than one, if needed
 +
dev tap0
 +
# needed to call scripts like up/down
 +
#  which call external programs within the scripts
 +
script-security 2
 +
# user defined scripts for adding/removing tap to bridge
 +
'dev mtu link_mtu ifconfig_local_ip ifconfig_remote_ip' are appended if set
 +
# make sure 'user' has permission to run 'down' ('up' will be root)
 +
up "up br0 eth0"
 +
down "down br0 eth0"
 +
# call 'down' before TUN/TAP close
 +
down-pre
 +
# drop root priveledges once connected
 +
#  good idea, for servers running on linux
 +
# 'up' script not affected, 'down' script is
 +
;user nobody
 +
;group nobody
 +
</pre>
 +
 
 +
/etc/openvpn/up
 
<pre>
 
<pre>
 
#!/bin/bash
 
#!/bin/bash
 +
br=$1
 +
eth=$2
 +
dev=$3
 +
mtu=$4
 +
cd /usr/sbin/
  
# /etc/rc.d/openvpn
+
# only if you start dhcpcd and leave it
#
+
# running for eth
# An init script to start and stop OpenVPN daemons
+
#dhcpcd -k $eth
  
. /etc/rc.conf
+
# needed if script is run independently
. /etc/rc.d/functions
+
# but when run through openvpn
 +
# openvpn will do this automatically
 +
#  could also use 'ip tuntap ..'
 +
#openvpn --mktun --dev $dev
  
openvpn_config_dir=/etc/openvpn
+
brctl addbr $br
 +
# set forwarding delay to 0
 +
#  otherwise dhcp called below would timeout
 +
brctl setfd $br 0
 +
brctl addif $br $eth
 +
# order matters here.. right now there is only
 +
#  one mac in the bridge's table
 +
# if there were two.. there is no guarantee
 +
#  which would be passed to the dhcp server
 +
dhcpcd $br
 +
brctl addif $br $dev
  
make_bridge ()
+
ip link set $eth up promisc on mtu $mtu
{
+
ip link set $dev up promisc on mtu $mtu
#echo "# mkbr $1"
+
</pre>
# for example $1 = "br0" and
+
# $br0 = ("br0 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255" eth1)
+
eval brvar="(\"\${${1}[@]}\")"
+
brdev=$1
+
  
brctl addbr $brdev
+
/etc/openvpn/down
add_to_bridge ${brvar[1]} $brdev
+
<pre>
 +
#!/bin/bash
 +
br=$1
 +
eth=$2
 +
cd /usr/sbin/
  
        ifconfig ${brvar[0]}
+
dhcpcd -k $br
return $?
+
}
+
  
add_to_bridge ()
+
ip link set $br down
{
+
brctl delbr $br
#echo "# addbr $1 $2"
+
# for example $1=tap0 and $2=br0
+
ifconfig $1 down >/dev/null 2>&1
+
brctl addif $2 $1
+
ifconfig $1 0.0.0.0 promisc up
+
}
+
  
destroy_bridge ()
+
# needed if script is run independently
{
+
# but when run through openvpn
eval brvar="(\"\${${1}[@]}\")"
+
# openvpn will do this automatically
brdev=$1
+
#  could also use 'ip tuntap ..'
+
#openvpn --rmtun --dev $dev
ifconfig $brdev down
+
brctl delbr $brdev
+
}
+
  
make_vpn ()
+
# only if you start dhcpcd and leave it
{
+
running for eth
#echo "# mkvpn $1"
+
#dhcpcd $eth
# for example $1 = vpn0 and
+
</pre>
# $vpn0 = ("default.conf" tap0 br0)
+
eval vpnvar="(\"\${${1}[@]}\")"
+
+
openvpn --mktun --dev ${vpnvar[1]} > /dev/null
+
if [ "${vpnvar[2]}" != "" ]; then
+
add_to_bridge ${vpnvar[1]} ${vpnvar[2]}
+
fi
+
  
openvpn --cd $openvpn_config_dir --daemon --config ${vpnvar[0]}
+
These examples are for using dhcp. If you are going to use static IP addresses, you will need to adjust accordingly.
return $?
+
}
+
  
destroy_vpn ()
+
==Using Systemd==
{
+
eval vpnvar="(\"\${${1}[@]}\")"
+
openvpn --rmtun --dev ${vpnvar[1]} > /dev/null
+
return $?
+
}
+
  
case "$1" in
+
The OpenVPN systemd script looks for <name>.conf files in the /etc/openvpn folder by default. So assuming you have a file named server.conf:
        start)
+
<pre>
        stat_busy "Starting OpenVPN daemons"
+
systemctl enable openvpn@server
 +
systemctl start openvpn@server
 +
</pre>
  
        # enable IP forwarding
+
Be careful about having dhcpcd enabled separately (ie. dhcpcd@eth0.service) at the same time. It is possible, though unlikely, for it to complete after OpenVPN and ruin your dhcp setup for OpenVPN. You could probably disable dhcpcd@eth0.service since you know openvpn@server.service will be resetting dhcp anyway.
        echo 1 > /proc/sys/net/ipv4/ip_forward
+
  
# create bridge(s)
+
{{Warning| The Static Bridge section does not describe a method using systemd at all. In addition, it may contain outdated information. It should be revised at some point.}}
error=0
+
      for brconf in ${BRIDGES[@]}; do
+
              if echo $brconf | grep '^[^\!]' >/dev/null 2>&1; then
+
                      make_bridge $brconf || error=1
+
              fi
+
      done
+
  
# create vpn(s)
+
==Static Bridge Installation==
      for vpnconf in ${VPNS[@]}; do
+
              if echo $vpnconf | grep '^[^\!]' >/dev/null 2>&1; then
+
                      make_vpn $vpnconf || error=1
+
              fi
+
      done
+
  
if [ $error -eq 0 ]; then
+
The first thing you want to do is install OpenVPN, the Linux bridging utilities and [[netcfg]].
stat_fail
+
<pre>
else
+
pacman -S openvpn bridge-utils netcfg
stat_done
+
</pre>
fi
+
;;
+
        stop)
+
        stat_busy "Stopping OpenVPN daemons"
+
  
        killall `which openvpn` 2> /dev/null
+
==Static Bridge Configuration==
  
# destroy bridge(s)
+
Earlier versions of guides for OpenVPN provided by the OpenVPN team or various Linux packagers give example scripts for constructing a bridge when starting OpenVPN and destroying it when shutting OpenVPN down.
error=0
+
      for brconf in ${BRIDGES[@]}; do
+
              if echo $brconf | grep '^[^\!]' >/dev/null 2>&1; then
+
                      destroy_bridge $brconf || error=1
+
              fi
+
      done
+
  
# destroy vpn(s)
+
However, this is a somewhat deprecated approach, since OpenVPN as of 2.1.1 defaults to not allowing itself to call external scripts or programs unless explicitly enabled to, for security reasons.
      for vpnconf in ${VPNS[@]}; do
+
              if echo $vpnconf | grep '^[^\!]' >/dev/null 2>&1; then
+
                      destroy_vpn $vpnconf || error=1
+
              fi
+
      done
+
  
if [ $error -eq 0 ]; then
+
Also, constructing the bridge is relatively slow compared to all other parts of the network initialization process. (In fact, so slow that dhcpcd will time out before the bridge is ready. See [[#Troubleshooting]].) Also, when restarting OpenVPN after configuration changes, there is no reason to rebuild a working bridge, interrupting all your other network applications. So, setting up a static bridge configuration as follows is the recommended method.
stat_fail
+
else
+
stat_done
+
fi
+
;;
+
        restart)
+
                $0 stop
+
sleep 1
+
                $0 start
+
                ;;
+
        *)
+
                echo $"Usage: $0 {start|stop|restart}"
+
                RETVAL=1
+
esac
+
</pre>
+
  
and make the script executable
+
To create an OpenVPN bridge for your server, you are going to have to use [[netcfg]] and create two network profiles - one for the tap interface and one for the bridge.
<pre>
+
chmod 755 /etc/rc.d/openvpn
+
</pre>
+
  
In /etc/rc.conf add the following modules to the MODULES array
+
Go to /etc/network.d/. Then copy the tuntap example file to the directory.
 
<pre>
 
<pre>
tun bridge
+
cd /etc/network.d/
 +
cp examples/tuntap openvpn_tap
 
</pre>
 
</pre>
  
add the following configuration
+
Now edit openvpn_tap to create a tap interface. It may look like this.
 
<pre>
 
<pre>
# Bridges and VPN setup
+
INTERFACE='tap0'
br0=("br0 192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255" eth0)
+
CONNECTION='tuntap'
BRIDGES=(br0)
+
MODE='tap'
vpn0=("vpn0.conf" tap0 br0)
+
USER='nobody'
VPNS=(vpn0)
+
GROUP='nobody'
 
</pre>
 
</pre>
  
and add the following daemons to the DAEMONS array
+
Do not configure the IP address here, this is going to be done for the bridge interface!
<pre>
+
bridge_devices openvpn
+
</pre>
+
  
So what does all of that mean up there?
+
To create the bridge profile, copy the example file:
First we create a bridge called br0 which attaches itself to eth0 and has certain ip address etc.
+
Then we create a vpn daemon with config file "vpn0.conf" (see below) which uses device
+
tap0 and attaches to the bridge br0. The "BRIDGES" and "VPNS" arrays should allow you to define more then
+
one of each (but I didn't test this).
+
  
===Now onto creating the config files===
 
Firstly create the secret key
 
 
<pre>
 
<pre>
openvpn --genkey --secret /etc/openvpn/vpn0.key
+
cp examples/bridge openvpn_bridge
 
</pre>
 
</pre>
and then make the vpn0.conf and save it in /etc/openvpn/
 
<pre>
 
#/etc/openvpn/vpn0.conf
 
#
 
# Sample OpenVPN server configuration file
 
# using a pre-shared static key.
 
#
 
# See man openvpn for more configuration options.
 
# (the config file options are the same as the commandline switches)
 
#
 
# '#' or ';' may be used to delimit comments.
 
 
# Define the virtual ethernet device.
 
dev tap0
 
 
# Our pre-shared static key
 
secret /etc/openvpn/sample.key
 
 
# OpenVPN uses UDP port 1194 by default.
 
# Each OpenVPN tunnel must use
 
# a different port number.
 
# lport or rport can be used
 
# to denote different ports
 
# for local and remote.
 
port 1194
 
 
# Protocol to use; udp is the default for good reason.
 
# Alternative is 'tcp-server' (with 'tcp-client' on the other side of the line)
 
# which can be useful in certain situations or behind certain firewalls.
 
; proto udp
 
 
# Downgrade UID and GID to
 
# "nobody" after initialization
 
# for extra security.
 
user nobody
 
group nobody
 
 
# If you built OpenVPN with
 
# LZO compression, uncomment
 
# out the following line.
 
comp-lzo
 
 
# Send a UDP ping to remote once
 
# every 15 seconds to keep
 
# stateful firewall connection
 
# alive.  Uncomment this
 
# out if you are using a stateful
 
# firewall.
 
; ping 15
 
 
# Uncomment this section for a more reliable detection when a system
 
# loses its connection.  For example, dial-ups or laptops that
 
# travel to other locations.
 
ping 15
 
ping-restart 45
 
ping-timer-rem
 
persist-tun
 
persist-key
 
 
# Verbosity level.
 
# 0 -- quiet except for fatal errors.
 
# 1 -- mostly quiet, but display non-fatal network errors.
 
# 3 -- medium output, good for normal operation.
 
# 9 -- verbose, good for troubleshooting
 
verb 3
 
</pre>
 
 
If you have more then one vpn daemon you should not reuse devices or port numbers across .conf files.
 
  
Now we can start up our daemons scripts.
+
Now edit openvpn_bridge. It may look like this:
 
<pre>
 
<pre>
sudo modprobe tun
+
INTERFACE="br0"
sudo modprobe bridge
+
CONNECTION="bridge"
sudo /etc/rc.d/openvpn start
+
DESCRIPTION="OpenVPN Bridge"
 +
BRIDGE_INTERFACES="eth0 tap0"
 +
IP='static'
 +
ADDR='192.168.11.1'
 +
GATEWAY='192.168.11.254'
 +
DNS=('192.168.11.254')
 
</pre>
 
</pre>
 +
For more information, for example how to use DHCP instead, check the [[netcfg]] article.
  
==Linux client config==
+
Now set the NETWORKS array in /etc/conf.d/netcfg (order is important!):
Install openvpn on the client machine the same way as on the server.
+
Copy /etc/rc.d/openvpn, /etc/openvpn/vpn0.key and /etc/openvpn/vpn0.conf to the client (preferably using sftp or scp).
+
  
Add the following lines to /etc/openvpn/vpn0.conf with the "real" address of the server
 
and the virtual address of the client.
 
 
<pre>
 
<pre>
remote real_server_address
+
NETWORKS=(openvpn_tap openvpn_bridge)
ifconfig vpn_client_ip vpn_netmask
+
 
</pre>
 
</pre>
(And set proto to 'tcp-client' if you used 'tcp-server' on the server)
 
  
Now edit /etc/rc.conf to include
+
Then add net-profiles to your [[Rc.conf#Daemons|DAEMONS array]] (net-profiles must be before openvpn!):
 
<pre>
 
<pre>
# Bridges and VPN setup
+
DAEMONS=(... net-profiles openvpn ...)
BRIDGES=()
+
vpn0=("vpn0.conf" tap0)
+
VPNS=(vpn0)
+
 
</pre>
 
</pre>
  
Now start it up
+
==Static Bridge Troubleshooting==
<pre>
+
modprobe tun
+
/etc/rc.d/openvpn start
+
</pre>
+
  
You should now be able to ping across the tunnel to any of the hosts on the other end.
+
Q: Why does starting the network [FAIL] ?
  
==Windows client config==
+
A:This is probably because you are using DHCP on the bridge and setting up the bridge takes longer than dhcpcd is willing to wait. You can fix this by setting the FWD_DELAY parameter in your bridge network profile (openvpn_bridge). Start with a value of 5 and decrease it until it works.
Install OpenVPN from openvpn-1.6.0-install.exe
+
now copy the vpn0.key from the VPN server (preferably using sftp or scp) and the vpn0.conf
+
below to "C:\Program Files\OpenVPN\config\". And delete the sample file in that folder (or at least move it to another folder).
+
<pre>
+
# replace with the public ip address of the vpn server
+
remote remote.public.ip.address
+
port 5000
+
dev tap
+
ifconfig 192.168.0.200 255.255.255.0
+
ifconfig-nowarn
+
secret "C:\Program Files\OpenVPN\config\vpn0.key"
+
ping 10
+
comp-lzo
+
verb 5
+
</pre>
+
 
+
Now open a command prompt and enter
+
<pre>
+
net start openvpnservice
+
</pre>
+
  
You should now be able to ping across the tunnel to any of the hosts on the other end.
+
==More Resources==
  
 +
[[OpenVPN]] | General page on configuring OpenVPN, including setting up authentication methods.
 
----
 
----
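Review bot: the added ";user nobody" / ";group nobody" lines conflict with the new /etc/openvpn/down script. The config comment says the 'down' script is affected by the privilege drop, and that script calls "dhcpcd -k $br", "ip link set $br down" and "brctl delbr $br", none of which an unprivileged user can do, so anyone who uncomments the drop is left with br0 still up after shutdown. State that next to the user/group lines, or document how the teardown gets its privileges. Smaller points in the same added lines: up "up br0 eth0" and down "down br0 eth0" name the hooks by relative path while script-security 2 lets 'up' run as root, so give them as /etc/openvpn/up and /etc/openvpn/down; the down script's commented "--rmtun --dev $dev" line uses $dev without a dev=$3 assignment; $br, $eth, $dev and $mtu are expanded unquoted throughout; and "priveledges" should read "privileges".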
  

Revision as of 12:32, 27 October 2012

This page describes how to create a network bridge on Arch Linux and host an OpenVPN server using a layer-2 Ethernet bridge (TAP) rather than a layer-3 IP tunnel (TUN). The general OpenVPN page describes setting up PAM authentication or OpenSSL security certificates in more detail.

Introduction

The OpenVPN documentation page gives a full overview of the server-side and client-side options that OpenVPN supports. It is easier to set up OpenVPN in tunneling mode and control how the traffic is routed, and doing so is generally advised if it serves your purpose. However, some network applications, such as Windows file sharing, rely on network broadcasts at the Ethernet level and benefit from believing they are physically located on the same subnet; software bridging serves this purpose.

There are multiple ways to set bridging up. In the dynamic method, OpenVPN manages its own bridge on the system and starts, stops and configures it itself. This is the quickest way to set bridging up, although it interrupts other network services when OpenVPN starts and stops. If the system is going to manage its own bridge, for example because other virtual network adapters besides OpenVPN's connect to the bridge, then it is preferable to use the static method.

Dynamic Bridge Installation

You will need to install OpenVPN and the Linux bridging utilities:

pacman -S openvpn bridge-utils

Dynamic Bridge Configuration

OpenVPN will create/destroy the TAP device automatically for the name specified in the config file. OpenVPN settings common to TUN or TAP are not shown in the example config file below, only settings that affect TAP mode. Make sure the 'up' and 'down' scripts are executable with 'chmod +x' after you write them.

/etc/openvpn/server.conf (sections common to TUN and TAP omitted)

# this uses a dhcp server, server-side
#  clients must support binding their dhcp client to their tap adapter
# do not append 'nogw' if using dhcp
server-bridge
# can specify interface, like tap0 or tap1
#  or use up/down routing scripts to handle
#  more than one, if needed
dev tap0
# needed to call scripts like up/down
#  which call external programs within the scripts
script-security 2
# user defined scripts for adding/removing tap to bridge
#  'dev mtu link_mtu ifconfig_local_ip ifconfig_remote_ip' are appended if set
# make sure 'user' has permission to run 'down' ('up' will be root)
up "up br0 eth0"
down "down br0 eth0"
# call 'down' before TUN/TAP close
down-pre
# drop root privileges once connected
#  good idea, for servers running on linux
# 'up' script not affected, 'down' script is
;user nobody
;group nobody

/etc/openvpn/up

#!/bin/bash
# $1 and $2 come from the 'up' line in server.conf,
#  $3 and $4 (tap device, tap mtu) are appended by openvpn
br=$1
eth=$2
dev=$3
mtu=$4
cd /usr/sbin/

# only if you start dhcpcd and leave it
#  running for eth
#dhcpcd -k "$eth"

# needed if script is run independently
# but when run through openvpn
# openvpn will do this automatically
#  could also use 'ip tuntap ..'
#openvpn --mktun --dev "$dev"

brctl addbr "$br"
# set forwarding delay to 0
#  otherwise dhcp called below would timeout
brctl setfd "$br" 0
brctl addif "$br" "$eth"
# order matters here.. right now there is only
#  one mac in the bridge's table
# if there were two.. there is no guarantee
#  which would be passed to the dhcp server
dhcpcd "$br"
brctl addif "$br" "$dev"

# this script runs as root: keep the arguments quoted
ip link set "$eth" up promisc on mtu "$mtu"
ip link set "$dev" up promisc on mtu "$mtu"

/etc/openvpn/down

#!/bin/bash
# same arguments as the 'up' script
br=$1
eth=$2
# tap device, only used by the commented --rmtun line below
dev=$3
cd /usr/sbin/

dhcpcd -k "$br"

ip link set "$br" down
brctl delbr "$br"

# needed if script is run independently
# but when run through openvpn
# openvpn will do this automatically
#  could also use 'ip tuntap ..'
#openvpn --rmtun --dev "$dev"

# only if you start dhcpcd and leave it
#  running for eth
#dhcpcd "$eth"

These examples are for using dhcp. If you are going to use static IP addresses, you will need to adjust accordingly.
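
The following audit is an added example, not part of the wiki page or of OpenVPN. It checks a server.conf like the one above for the hook-script conditions this section calls out (the script-security level, the executable bit, the `user` privilege drop affecting 'down') and adds two hardening checks of its own (relative hook paths, group- or world-writable scripts). The function names, finding labels and sample files are constructed for illustration, and it assumes OpenVPN's working directory is the config directory.

```bash
#!/bin/bash
# Added example (not from the wiki page): audit a TAP-bridge server.conf for
# the hook-script risks the page mentions. The finding labels are made up here.

# Print the arguments of the last active (not '#'/';' commented) directive $2.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        $1 == key { $1 = ""; sub(/^[ \t]+/, ""); val = $0; found = 1 }
        END { if (!found) exit 1; print val }' "$1"
}

# First word of a possibly double-quoted "script arg arg" value.
script_of() {
    local v
    v=${1#\"}; v=${v%\"}
    printf '%s\n' "${v%% *}"
}

audit_bridge_conf() {
    local conf dir level user hook val script perms
    conf=$1
    # Assumption: OpenVPN runs with the config directory as working directory
    # (e.g. started with --cd /etc/openvpn), so relative hooks resolve there.
    dir=$(cd "$(dirname "$conf")" && pwd)
    level=$(conf_value "$conf" script-security) || level=1   # OpenVPN default
    user=$(conf_value "$conf" user) || user=
    for hook in up down; do
        val=$(conf_value "$conf" "$hook") || continue
        script=$(script_of "$val")
        [ "${level%% *}" -ge 2 ] ||
            echo "NO_SCRIPT_SECURITY $hook: script-security $level will not run it"
        case $script in
            /*) ;;
            *)  echo "RELATIVE_PATH $hook: '$script' depends on the working directory"
                script=$dir/$script ;;
        esac
        if [ ! -x "$script" ]; then
            echo "NOT_EXECUTABLE $hook: $script"
            continue
        fi
        # The 'up' hook runs as root, so nobody but its owner should edit it.
        perms=$(ls -ld "$script" | cut -c1-10)
        case $perms in
            ?????w????|????????w?)
                echo "WRITABLE $hook: $script ($perms) can be edited by non-owners" ;;
        esac
    done
    if [ -n "$user" ] && conf_value "$conf" down >/dev/null; then
        echo "DOWN_UNPRIVILEGED: 'down' runs as '$user'; bridge teardown needs root"
    fi
}

# Constructed sample: the page's server.conf with 'user nobody' uncommented,
# an 'up' script left group-writable and a 'down' script never chmod +x'd.
make_sample() {
    local d
    d=$(mktemp -d)
    cat >"$d/server.conf" <<'EOF'
server-bridge
dev tap0
script-security 2
up "up br0 eth0"
down "down br0 eth0"
down-pre
user nobody
;group nobody
EOF
    printf '#!/bin/bash\n' >"$d/up";   chmod 775 "$d/up"
    printf '#!/bin/bash\n' >"$d/down"; chmod 644 "$d/down"
    echo "$d/server.conf"
}

audit_bridge_conf "${1:-$(make_sample)}"
```

Pass a config path as the first argument to audit a real file instead of the constructed sample.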

Using Systemd

The OpenVPN systemd script looks for <name>.conf files in the /etc/openvpn folder by default. So assuming you have a file named server.conf:

systemctl enable openvpn@server
systemctl start openvpn@server

Be careful about having dhcpcd enabled separately (i.e. dhcpcd@eth0.service) at the same time. It is possible, though unlikely, for it to complete after OpenVPN and ruin your DHCP setup for OpenVPN. You could probably disable dhcpcd@eth0.service since you know openvpn@server.service will be resetting DHCP anyway.

Warning: The Static Bridge section does not describe a method using systemd at all. In addition, it may contain outdated information. It should be revised at some point.

Static Bridge Installation

The first thing you want to do is install OpenVPN, the Linux bridging utilities and netcfg.

pacman -S openvpn bridge-utils netcfg

Static Bridge Configuration

Earlier versions of guides for OpenVPN provided by the OpenVPN team or various Linux packagers give example scripts for constructing a bridge when starting OpenVPN and destroying it when shutting OpenVPN down.

However, this is a somewhat deprecated approach, since OpenVPN as of 2.1.1 defaults to not allowing itself to call external scripts or programs unless explicitly enabled to, for security reasons.

Also, constructing the bridge is relatively slow compared to all other parts of the network initialization process. (In fact, so slow that dhcpcd will time out before the bridge is ready. See Static Bridge Troubleshooting.) Also, when restarting OpenVPN after configuration changes, there is no reason to rebuild a working bridge, interrupting all your other network applications. So, setting up a static bridge configuration as follows is the recommended method.

To create an OpenVPN bridge for your server, you are going to have to use netcfg and create two network profiles - one for the tap interface and one for the bridge.

Go to /etc/network.d/. Then copy the tuntap example file to the directory.

cd /etc/network.d/
cp examples/tuntap openvpn_tap

Now edit openvpn_tap to create a tap interface. It may look like this.

INTERFACE='tap0'
CONNECTION='tuntap'
MODE='tap'
USER='nobody'
GROUP='nobody'

Do not configure the IP address here; this is going to be done for the bridge interface!

To create the bridge profile, copy the example file:

cp examples/bridge openvpn_bridge

Now edit openvpn_bridge. It may look like this:

INTERFACE="br0"
CONNECTION="bridge"
DESCRIPTION="OpenVPN Bridge"
BRIDGE_INTERFACES="eth0 tap0"
IP='static'
ADDR='192.168.11.1'
GATEWAY='192.168.11.254'
DNS=('192.168.11.254')

For more information, for example how to use DHCP instead, check the netcfg article.

Now set the NETWORKS array in /etc/conf.d/netcfg (order is important!):

NETWORKS=(openvpn_tap openvpn_bridge)

Then add net-profiles to your DAEMONS array (net-profiles must be before openvpn!):

DAEMONS=(... net-profiles openvpn ...)

Static Bridge Troubleshooting

Q: Why does starting the network [FAIL]?

A: This is probably because you are using DHCP on the bridge and setting up the bridge takes longer than dhcpcd is willing to wait. You can fix this by setting the FWD_DELAY parameter in your bridge network profile (openvpn_bridge). Start with a value of 5 and decrease it until it works.

More Resources

OpenVPN | General page on configuring OpenVPN, including setting up authentication methods.


Any additions, clarifications, reorganizations, feedback etc. etc. are more than appreciated.