OpenVPN server configuration for a Linux server like a Raspberry Pi
- Linux (tested on Raspbian 10 Buster and 11 Bullseye)
- OpenVPN (tested on 2.4.7-1 and 2.5.1-3 from apt)
- bridge-utils (tested on 1.6-2 and 1.7-1 from apt)
/etc/network/interfaces (ifupdown does not support end-of-line comments, so keep comments on lines of their own):

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down

auto br0
iface br0 inet static
# local IP address of the OpenVPN server on the home network
address 192.168.1.16
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
# router IP address
gateway 192.168.1.1
bridge_ports eth0
bridge_fd 0
bridge_hello 2
bridge_maxage 12
bridge_stp on
bridge_prio 1000
In /etc/sysctl.conf, add or uncomment
net.ipv4.ip_forward=1
This takes effect on the next restart; to enable packet forwarding immediately, run sudo sysctl -w net.ipv4.ip_forward=1 (or echo 1 > /proc/sys/net/ipv4/ip_forward from a root shell; sudo echo 1 > ... does not work, because the redirection runs as the unprivileged user). Confirm with sysctl net.ipv4.ip_forward. Bridged (tap) traffic is switched at layer 2 and does not depend on this setting; it only matters if the server also routes or NATs, but it is harmless to leave on.
The OpenVPN server configuration, in /etc/openvpn (the server is named erebus throughout; substitute your own hostname):

# bridged (tap) server on UDP 1194
mode server
proto udp
port 1194
dev tap0
# the server's bridge address and netmask, then the pool handed to clients
# that have no client-config-dir entry; keep the pool outside the router's DHCP range
server-bridge 192.168.1.16 255.255.255.0 192.168.1.200 192.168.1.250
# let VPN clients reach each other, not only the home network
client-to-client
dh /etc/openvpn/keys/dh2048.pem
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/erebus.crt
key /etc/openvpn/keys/erebus.key
# per-client overrides (static addresses), see below
client-config-dir /etc/openvpn/Erebus-clients
# level 2 is required for the up/down scripts below to run
script-security 2
# used only by peers that cannot negotiate a cipher; 2.4+ peers negotiate
# AES-256-GCM by default (ncp-ciphers in 2.4, data-ciphers in 2.5)
cipher AES-256-CBC
# every OpenVPN 2.4+ client supports TLS 1.2, so prefer tls-version-min 1.2;
# only lower it for legacy clients that cannot do TLS 1.2
#tls-version-min 1.0
keepalive 10 120
persist-key
persist-tun
mute-replay-warnings
verb 3
mute 20
log /var/log/openvpn/erebus.log
# OpenVPN appends the tap device name and MTU to these arguments
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
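As an added example (not part of the original page), a small POSIX shell audit of the server configuration above: it reports the weak or missing control-channel and data-channel settings mentioned in the comments and prints the directives that fix them. The sample configuration inside the script is a constructed copy of the page's; /etc/openvpn/keys/ta.key and /etc/openvpn/keys/crl.pem are assumed paths for files you would generate first with openvpn --genkey (syntax differs between 2.4 and 2.5) and easy-rsa's gen-crl, and data-ciphers is the 2.5 spelling (2.4 calls it ncp-ciphers).

```shell
#!/bin/sh
# Added example, not the page's own code: audit an OpenVPN 2.4/2.5 server
# config for the weak or missing settings discussed above.

# write_sample_conf FILE: constructed copy of the page's server configuration
write_sample_conf() {
    cat > "$1" <<'EOF'
mode server
proto udp
port 1194
dev tap0
server-bridge 192.168.1.16 255.255.255.0 192.168.1.200 192.168.1.250
client-to-client
cipher AES-256-CBC
#tls-version-min 1.0
keepalive 10 120
persist-key
persist-tun
EOF
}

# conf_value FILE KEY: value of the first uncommented KEY line, minus any
# trailing comment; prints nothing if the directive is absent
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" \
        | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | head -n 1
}

# conf_has FILE KEY: succeeds if an uncommented KEY line exists
conf_has() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# audit_conf FILE: one finding per line; no output means nothing to report
audit_conf() {
    f=$1
    # TLS floor: every 2.4+ client speaks TLS 1.2, so never accept less
    v=$(conf_value "$f" tls-version-min)
    case "$v" in
        1.2|1.3) ;;
        "") echo "tls-version-min missing: add 'tls-version-min 1.2'" ;;
        *)  echo "tls-version-min $v is obsolete: use 'tls-version-min 1.2'" ;;
    esac
    # data channel: 'cipher' only covers peers that cannot negotiate; pin the
    # negotiated list explicitly (ncp-ciphers is the 2.4 spelling)
    if ! conf_has "$f" data-ciphers && ! conf_has "$f" ncp-ciphers; then
        echo "data-ciphers missing: add 'data-ciphers AES-256-GCM:AES-128-GCM'"
    fi
    # require the client EKU so a leaked client cert cannot pose as a server
    conf_has "$f" remote-cert-tls || echo "remote-cert-tls missing: add 'remote-cert-tls client'"
    # control-channel packet auth: unauthenticated UDP is dropped before the
    # TLS handshake, so the port also stops answering scanners
    if ! conf_has "$f" tls-crypt && ! conf_has "$f" tls-auth; then
        echo "tls-crypt/tls-auth missing: add 'tls-crypt /etc/openvpn/keys/ta.key'"
    fi
    # revocation: without a CRL a lost laptop keeps its access
    conf_has "$f" crl-verify || echo "crl-verify missing: add 'crl-verify /etc/openvpn/keys/crl.pem'"
}

# hardened_lines: directives to append to the page's config (assumed paths for
# ta.key and crl.pem; generate both before restarting the server)
hardened_lines() {
    cat <<'EOF'
tls-version-min 1.2
data-ciphers AES-256-GCM:AES-128-GCM
remote-cert-tls client
tls-crypt /etc/openvpn/keys/ta.key
crl-verify /etc/openvpn/keys/crl.pem
EOF
}

# Demonstration on the constructed sample (safe to run anywhere)
SAMPLE=$(mktemp)
write_sample_conf "$SAMPLE"
echo "== findings for the page's configuration =="
audit_conf "$SAMPLE"
echo "== directives to add =="
hardened_lines
rm -f "$SAMPLE"
```

To audit the real file, call audit_conf with its path instead of the sample; an empty result after appending the printed lines means the five checks pass.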
/etc/openvpn/up.sh. Ensure this file has its executable bit set.
#!/bin/sh
# OpenVPN calls this as: up.sh <bridge> <tap device> <tun mtu> <link mtu> <local ip> <remote ip> init
# The bridge name comes from the "up" line in the server config; OpenVPN appends the rest.
# Exit non-zero on any failure so OpenVPN refuses to start unbridged.
set -e
BR=$1
DEV=$2
MTU=$3
/sbin/ifconfig "$DEV" mtu "$MTU" promisc up
/sbin/brctl addif "$BR" "$DEV"
/etc/openvpn/down.sh. Ensure this file has its executable bit set.
#!/bin/sh
# OpenVPN calls this as: down.sh <bridge> <tap device> ... with the same arguments as up.sh
BR=$1
DEV=$2
/sbin/brctl delif "$BR" "$DEV"
/sbin/ifconfig "$DEV" down
/etc/openvpn/Erebus-clients. This directory should contain one plaintext file per client, named after the common name of the client's certificate (the client's hostname, like sigyn, if you named the certificates that way; OpenVPN looks the file up by the certificate CN, so the name must match exactly). The contents of the file let you give the client a static local IP address when it joins the VPN. This is the address you use to reach the VPN client from a computer on the home network. Pick addresses outside the server-bridge pool (192.168.1.200 to 192.168.1.250) and outside the router's DHCP range, so that nothing else is ever handed the same address.
ifconfig-push 192.168.1.10 255.255.255.0
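As an added example (not from the original page), a POSIX shell check for the client-config-dir: every file must push exactly one address that lies inside the bridge subnet, is not the server's own address, is outside the server-bridge pool, and is not reused by another client. The client names and addresses in make_sample_ccd are constructed (sigyn is the page's own example; the other three are deliberately wrong); the page does not state the router's DHCP range, so if it overlaps the pool, pass the wider range as the pool bounds.

```shell
#!/bin/sh
# Added example, not the page's own code: validate ifconfig-push addresses in
# an OpenVPN client-config-dir against the bridge subnet and server-bridge pool.

# ip2int A.B.C.D: dotted quad to integer
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# is_ipv4 STRING: succeeds for a syntactically valid dotted quad
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# check_ccd DIR SERVER_IP NETMASK POOL_START POOL_END: prints one problem per
# line; silence means every client file is consistent with the server config
check_ccd() {
    dir=$1; srv=$(ip2int "$2"); mask=$(ip2int "$3")
    net=$(( srv & mask ))
    pstart=$(ip2int "$4"); pend=$(ip2int "$5")
    seen=" "
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        n=$(grep -c '^[[:space:]]*ifconfig-push[[:space:]]' "$f" || true)
        if [ "$n" -ne 1 ]; then
            echo "$name: expected exactly one ifconfig-push line, found $n"
            continue
        fi
        addr=$(sed -n 's/^[[:space:]]*ifconfig-push[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$f")
        if ! is_ipv4 "$addr"; then
            echo "$name: '$addr' is not an IPv4 address"
            continue
        fi
        a=$(ip2int "$addr")
        if [ $(( a & mask )) -ne "$net" ]; then
            echo "$name: $addr is outside the bridge subnet"
        elif [ "$a" -eq "$srv" ]; then
            echo "$name: $addr is the server's own address"
        elif [ "$a" -ge "$pstart" ] && [ "$a" -le "$pend" ]; then
            echo "$name: $addr collides with the server-bridge pool $4-$5"
        fi
        case "$seen" in
            *" $addr "*) echo "$name: $addr is already pushed to another client" ;;
        esac
        seen="$seen$addr "
    done
}

# make_sample_ccd DIR: constructed client files (sigyn is the page's example;
# the other three are deliberately wrong)
make_sample_ccd() {
    printf 'ifconfig-push 192.168.1.10 255.255.255.0\n' > "$1/sigyn"
    printf 'ifconfig-push 192.168.1.210 255.255.255.0\n' > "$1/baldr"   # inside the pool
    printf 'ifconfig-push 10.0.0.5 255.255.255.0\n' > "$1/hel"          # wrong subnet
    printf 'ifconfig-push 192.168.1.10 255.255.255.0\n' > "$1/loki"     # duplicate of sigyn
}

# Demonstration on the constructed directory; for the real thing run
# check_ccd /etc/openvpn/Erebus-clients 192.168.1.16 255.255.255.0 192.168.1.200 192.168.1.250
SAMPLE_DIR=$(mktemp -d)
make_sample_ccd "$SAMPLE_DIR"
check_ccd "$SAMPLE_DIR" 192.168.1.16 255.255.255.0 192.168.1.200 192.168.1.250
rm -rf "$SAMPLE_DIR"
```

Run it after every change to the directory; a duplicate or in-pool address produces ARP conflicts on the home network that are painful to diagnose from the OpenVPN log alone.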
/etc/openvpn/keys. This is the directory with all of the key files: ca.crt, dh2048.pem, erebus.crt and erebus.key. Make sure the files are readable by their owner only (chmod 0600 /etc/openvpn/keys/*). Only erebus.key is actually secret, but OpenVPN reads all of them as root at start-up, so the tight permissions cost nothing; keep the directory itself at 0700 as well.
Restart, or stop the service, bring the bridge and the uplink down and up again, start the service and watch the log:
sudo service openvpn stop; sudo ifdown br0; sudo ifdown eth0; sudo ifup eth0; sudo ifup br0; sudo service openvpn start; sudo ifconfig; sudo tail -f /var/log/openvpn/*.log
On Buster and Bullseye, service openvpn maps to the systemd unit openvpn.service, so sudo systemctl stop openvpn and sudo systemctl start openvpn are equivalent. In the ifconfig output, eth0 and tap0 should carry no IP address and br0 should have 192.168.1.16, and brctl show br0 should list both eth0 and tap0 as ports; if tap0 is missing, the up script did not run (check script-security and the log).
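As an added example (not from the original page), the restart sequence above wrapped in a script that verifies from sysfs that eth0 is back in br0 before OpenVPN starts and that tap0 joins br0 after it starts, instead of leaving that to a visual check of ifconfig. It assumes the interfaces, bridge and log path used throughout this page; SYSFS_NET is overridable only so the checks can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not the page's own code: restart the bridged server and
# verify that eth0 and tap0 are really ports of br0 before trusting the log.

SYSFS_NET=${SYSFS_NET:-/sys/class/net}

# bridge_has_port BRIDGE PORT: succeeds if PORT is enslaved to BRIDGE
# (the same information "brctl show BRIDGE" prints, read straight from sysfs)
bridge_has_port() {
    [ -e "$SYSFS_NET/$1/brif/$2" ]
}

# wait_for_port BRIDGE PORT SECONDS: succeeds once PORT joins BRIDGE, fails on timeout
wait_for_port() {
    i=0
    while [ "$i" -lt "$3" ]; do
        bridge_has_port "$1" "$2" && return 0
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# restart_and_verify: the page's restart sequence plus the checks; run on the
# server as a user with sudo. "systemctl stop openvpn" stops every openvpn@
# instance, which is what "service openvpn stop" does on Buster/Bullseye.
restart_and_verify() {
    sudo systemctl stop openvpn
    sudo ifdown br0 && sudo ifdown eth0 && sudo ifup eth0 && sudo ifup br0
    # the uplink must be back in the bridge before OpenVPN adds tap0
    wait_for_port br0 eth0 5 || {
        echo "eth0 is not a port of br0; check /etc/network/interfaces" >&2
        return 1
    }
    sudo systemctl start openvpn
    # up.sh runs once the tap device exists; allow a few seconds
    wait_for_port br0 tap0 10 || {
        echo "tap0 never joined br0; check script-security, up.sh and the log" >&2
        return 1
    }
    ss -uln | grep -q ':1194 ' || echo "warning: nothing listening on UDP 1194" >&2
    sudo tail -n 50 /var/log/openvpn/erebus.log
}

# Only perform the restart when invoked as: sh restart-openvpn-bridge.sh run
if [ "${1:-}" = run ]; then
    restart_and_verify
fi
```

The script refuses to report success while tap0 is absent from the bridge, which is exactly the state a silently failing up.sh leaves behind: OpenVPN accepts connections, but clients get no traffic.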
This thing actually survives restarts, amazing.