Difference between revisions of "OpenVPN Bridge"

From ArchWiki
Jump to: navigation, search
m (Introduction)
m (Installation)
Line 13: Line 13:
The first thing you want to do is install OpenVPN and Linux bridging utilities.
The first thing you want to do is install OpenVPN and Linux bridging utilities.
pacman -Sy openvpn bridge-utils
pacman -S openvpn bridge-utils

Revision as of 11:25, 2 November 2010

TODO: check this now updated article for accuracy, readability and completeness

This page describes multiple ways to create a network bridge on Arch Linux and host an OpenVPN server using a IP layer-2 based Ethernet bridge (TAP) rather than a IP layer-3 based IP tunnel (TUN). The general OpenVPN page describes setting up PAM authentication or OpenSSL security certificates in more detail.


The OpenVPN documentation pages give a full overview of server-side and client-side options that OpenVPN supports. It is easier to set up OpenVPN in tunneling mode and control routing the traffic and it is generally advised to do so if it serves your purpose. However, some applications, such as Windows file sharing or Samba, rely on network broadcasts at the Ethernet level and benefit from believing they are physically located on the same subnet, and software bridging serves this purpose.


The first thing you want to do is install OpenVPN and Linux bridging utilities.

pacman -S openvpn bridge-utils


Earlier versions of guides for OpenVPN provided by the OpenVPN team or various Linux packagers give example scripts for constructing a bridge when starting OpenVPN and destroying it when shutting OpenVPN down.

However, this is a somewhat deprecated approach, since OpenVPN as of 2.1.1 defaults to not allowing itself to call external scripts or programs unless explicitly enabled to, for security reasons.

Also, constructing the bridge is relatively slow compared to all other parts of the network initialization process. (In fact, so slow that dhcpcd will time out before the bridge is ready. See #Troubleshooting.) Also, when restarting OpenVPN after configuration changes, there is no reason to rebuild a working bridge, interrupting all your other network applications. So, setting up a static bridge configuration as follows is one recommended method.


Add a tap interface for OpenVPN to use in /etc/conf.d/openvpn-tapdev

# /etc/conf.d/openvpn-tapdev
# Place openvpn-tapdev before network into your DAEMONS array
# This will create permanent tap devices which you can use for bridging
# Example:
# TAPDEVS="work home"
# Will create two tap devices "work" and "home"

Add a rule for bridging this tap interface, and your other interfaces, to a bridge interface in /etc/conf.d/bridges

# Settings for layer-2 bridges
# For each bridge interface declared in INTERFACES (in rc.conf), declare
# a bridge_${IF} variable that contains the real ethernet interfaces that
# should be bridged together.
# Then list the bridge interface name in the BRIDGE_INTERFACES array.
# example:
# in /etc/rc.conf:
#    eth0="eth0 up"
#    eth1="eth1 up"
#    br0="br0 netmask up"
#    INTERFACES=(lo eth0 eth1 br0)
# in /etc/conf.d/bridges
#    bridge_br0="eth0 eth1"
bridge_br0="tap0 eth0"

Now, if using the default network daemon, invoke your bridge in /etc/rc.conf

tap0="tap0 up"
eth0="eth0 up"
#alias example
br0_0="br0:0 netmask up"
INTERFACES=(tap0 eth0 br0 br0_0)


There are a few example server configurations located in /usr/share/openvpn/examples to look at.

Here is a server configuration that uses dhcp, and some features only available since 2.1.1, saved as /etc/openvpn/server.conf

Note: Setting multihome allows OpenVPN to listen on multiple interfaces with UDP but respond only on the one it first received a request from. Otherwise, if listening on multiple interfaces, OpenVPN may switch from one to the other during communication with a client, and clients would not accept packets originating from something other than the original endpoint. Lowering the value for script-security is necessary to write and invoke scripts that call external programs during OpenVPN operation
# /etc/openvpn/server.conf
# 2009.12.31
# address to bind to, instead of all available
# new features, as of v2.1.1
#can listen on multiple ips over udp
# needed to allow internally called scripts like up/down
#  to call external programs like ifup, etc
;script-security 2

# tcp might work better on certain "dev tun" setups
#  but not for wrapping more tcp or further encrypted
#  streams, as that would be redundant, and very slow
# "port 1194" and "proto udp" are defaults
port 1194
proto udp

# could specify interface, like tap0 or tap1
#  or use up/down routing scripts to handle
#  more than one, if needed
dev tap0

# simple scripts
#  for adding/removing  to tap
;up "up.sh br0:0"
;down "down.sh br0:0"

# identical certificate on server & client
ca config/keys/ca.crt
# server's own cert/key
cert config/keys/server.crt
key config/keys/server.key  # keep secret
# for certificate handshake
dh config/keys/dh1024.pem

# no arguments will use this subnet's dhcp server
#  not openvpn dynamic/static assigment
# either way is good, but if you know you're not conflicting
#  with any other IP addressing schemes on your subnet,
#  this is much faster
# this directive expands to include "mode server" and "tls-server"
#  so including them elsewhere is redundant
# like what dhcp does, reuses IPs
;ifconfig-pool-persist ipp.txt

# this one uses a dhcp server, server-side
#  potentially better for controlling ip addresses from one location
#  clients must support binding their dhcp client to their tap adapter
server-bridge nogw # 'nogw' is optional

# openvpn server routes client packets to each other itself
#  should happen anyway in 'dev tap' mode, but this saves time

# ping clients to auto close server side connection
keepalive 10 60

# 0 for server, 1 for client
tls-auth config/keys/ta.key 0 # This file is secret

# cryptographic cipher.
;cipher BF-CBC        # Blowfish (default)
cipher AES-128-CBC   # AES

# compression is useful for xfer of
#  not already compressed files, like database
#  files, otherwise add needless overhead
# comp-lzo [mode] ; yes|no|adaptive, adaptive default

# not needed yet
;max-clients 100

# drop root priveledges once connected
#  good idea, for servers running on linux
user nobody
group nobody

# avoid accessing things you no longer can

# short status file showing current connections
#  rewritten every minute.
status openvpn-status.log

# use one or the other, useful for managing multiple
#  concurrent servers on a system
;log         openvpn.log
;log-append  openvpn.log

# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# silence repeating messages past certain number, in log
;mute 20

The following modules will be automatically loaded, but you could specify them by editing /etc/rc.conf

MODULES=(... tun bridge ...)

Now, add the following daemons to /etc/rc.conf

Note: openvpn-tapdev must come before network
DAEMONS=(... openvpn-tapdev network openvpn ...)


The following is a matching client.ovpn for the options used in server.conf above, tested in Windows.

Note: Windows supports authenticating via a dhcp server located on the OpenVPN server's side automatically because of how the TCP stack works on Windows; a Linux client may take more steps to get dhcp to work
# /%openvpn%/config/client.conf
# 2009.12.31

# defines order of certificate authentification
# this directive expands to "pull" "tls-client"
#  so including them elsewhere is redundant

# type of server
dev tap

# windows needs tap name, if more than one
;dev-node OpenVPN Bridge Connection

# remote <hostname> [port] [proto]
remote remote 1194 udp

# only works for peers using the "remote" option
# ok if the ip address for remote changes during session
# uses a random port client-side

# this is for laptops or internet conditions
#  where openvpn server hostname cannot be resolved easily,
#  or changes often, etc
# infinte is the default, or value for seconds
resolv-retry infinite

# public
ca keys/ca.crt
cert keys/satellite.crt
# private
key keys/satellite.key
# needed when specified in server
# 0 = server, 1 = client
tls-auth keys/ta.key 1

# verify that the server has certificate field "server"
# protects against certain attacks
ns-cert-type server

;cipher BF-CBC
cipher AES-128-CBC

# comp-lzo [mode] ; yes|no|adaptive, adaptive default

# try to preserve some states across restarts

verb 3

Tips and Tricks

Warning: This script doesn't always correctly report [FAIL] or [DONE] so output can't be relied upon and may be confusing. Also, it is very old and should probably be revisited and revised

You may not always want a static bridge, as there may be cases that you don't always want OpenVPN on, and when off you would prefer not having the bridge in place. In that case you have multiple options to achieve this. You could do this by replacing /etc/rc.d/openvpn with


# /etc/rc.d/openvpn
# An init script to start and stop OpenVPN daemons

. /etc/rc.conf
. /etc/rc.d/functions


make_bridge ()
	#echo "# mkbr $1"
	# for example $1 = "br0" and
	# $br0 = ("br0 netmask broadcast" eth1)	
	eval brvar="(\"\${${1}[@]}\")"

	brctl addbr $brdev
	add_to_bridge ${brvar[1]} $brdev

        ifconfig ${brvar[0]}
	return $?

add_to_bridge ()
	#echo "# addbr $1 $2"
	# for example $1=tap0 and $2=br0
	ifconfig $1 down >/dev/null 2>&1
	brctl addif $2 $1
	ifconfig $1 promisc up

destroy_bridge ()
	eval brvar="(\"\${${1}[@]}\")"
	ifconfig $brdev down
	brctl delbr $brdev

make_vpn ()
	#echo  "# mkvpn $1"
	# for example $1 = vpn0 and
	# $vpn0 = ("default.conf" tap0 br0)
	eval vpnvar="(\"\${${1}[@]}\")"
	openvpn --mktun --dev ${vpnvar[1]} > /dev/null
	if [ "${vpnvar[2]}" != "" ]; then
		add_to_bridge ${vpnvar[1]} ${vpnvar[2]}

	openvpn --cd $openvpn_config_dir --daemon --config ${vpnvar[0]}
	return $?

destroy_vpn ()
	eval vpnvar="(\"\${${1}[@]}\")"
	openvpn --rmtun --dev ${vpnvar[1]} > /dev/null
	return $?

case "$1" in
        stat_busy "Starting OpenVPN daemons"

        # enable IP forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward

	# create bridge(s)
       	for brconf in ${BRIDGES[@]}; do
               	if echo $brconf | grep '^[^\!]' >/dev/null 2>&1; then
                       	make_bridge $brconf || error=1

	# create vpn(s)
       	for vpnconf in ${VPNS[@]}; do
               	if echo $vpnconf | grep '^[^\!]' >/dev/null 2>&1; then
                       	make_vpn $vpnconf || error=1

	if [ $error -eq 0 ]; then
        stat_busy "Stopping OpenVPN daemons"

        killall `which openvpn` 2> /dev/null

	# destroy bridge(s)
       	for brconf in ${BRIDGES[@]}; do
               	if echo $brconf | grep '^[^\!]' >/dev/null 2>&1; then
                       	destroy_bridge $brconf || error=1

	# destroy vpn(s)
       	for vpnconf in ${VPNS[@]}; do
               	if echo $vpnconf | grep '^[^\!]' >/dev/null 2>&1; then
                       	destroy_vpn $vpnconf || error=1

	if [ $error -eq 0 ]; then
                $0 stop
		sleep 1
                $0 start
                echo $"Usage: $0 {start|stop|restart}"

and then make the script executable.

chmod 755 /etc/rc.d/openvpn

Or, you can create scripts OpenVPN can use with up and down options to create and destroy tap interfaces dynamically, rather than using the provided openvpn-tapdev daemon, to add more options when adding it to a bridge. Here are some generic ones; make sure they are executable.


#!/bin/bash -e


/sbin/ifconfig $DEV mtu $MTU promisc up
/usr/sbin/brctl addif $BR $DEV

exit 0


#!/bin/bash -e


/usr/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down

exit 0


Q: Why does starting the network [FAIL] ?

A: If you followed the server.conf example above, it is because you are using dhcp on the bridge and setting up the bridge takes longer than dhcpcd is willing to wait. You can fix this by dropping the forwarding delay when adding the bridge to a lower number by adding the following line to /etc/rc.d/network

.. /usr/sbin/brctl addbr $br
+  /usr/sbin/brctl setfd $br 5
.. eval brifs="\$bridge_${br}"

More Resources

OpenVPN | General page on configuring OpenVPN, including setting up authentication methods.

Any additions, clarifications, reorganizations, feedback etc. etc. are more than appreciated.