Configuration and scripts for OpenVPN in Bridged Mode. Script to generate new client (with their keys and configuration file for OpenVPN). Script to manage the bridge. Configuration for systemd to start/stop the OpenVPN with Brige.

bridge-conf

#!/bin/bash

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.42.2"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.42.255"
eth_gateway="192.168.42.1"
eth_mac="XX:XX:XX:XX:XX:XX"


# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged together
tap="tap0"

bridge-start

#!/bin/bash

. /etc/openvpn/bridge/bridge-conf 
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
    iptables -A INPUT -i $t -j ACCEPT
done

iptables -A INPUT -i $br -j ACCEPT
iptables -A FORWARD -i $br -j ACCEPT

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
ip link set $br address $eth_mac
route add default gw $eth_gateway $br

bridge-stop

#!/bin/bash

. /etc/openvpn/bridge/bridge-conf
####################################
# Tear Down Ethernet bridge on Linux
####################################


iptables -D INPUT -i $br -j ACCEPT
iptables -D FORWARD -i $br -j ACCEPT

ifconfig $br down
brctl delbr $br

for t in $tap; do
    openvpn --rmtun --dev $t
    iptables -D INPUT -i $t -j ACCEPT
done

ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast
route add default gw $eth_gateway $eth

build-client

#!/bin/bash
#This script generate the key for the wanted client and it's configuration file
#to be used with OpenVPN. If the key has already been generated it will only
#generate the configuration file for OpenVPN

#VARIABLES
#If you don't set a remote (the external IP of the server or the hostname)
#the script will try to gather it using dig
#You need to change the port to the one set in your server
#if you want to add new directive to client configuration use $OPENVPN_CLIENT_DIRECTIVE

PROTO="${PROTO:-udp}"
REMOTE="${REMOTE:-}"
PORT="${PORT:-5555}"
OPENVPN_EASY_RSA_PATH="/etc/openvpn/easy-rsa/"
OPENVPN_CLIENT_DIRECTIVE="${OPENVPN_CLIENT_DIRECTIVE:-}"
DEV_TYPE=${DEV_TYPE:-tap0}
COMPRESS=${COMPRESS:-compress}

#DO NOT MODIFY BELOW
function usage {
	echo "Usage: $0 clientName"
	echo "ENV Variables:"
	echo "PROTO:				protocol used"
	echo "REMOTE:				host or IP address of the server"
	echo "PORT:				port on the server"
	echo "DEV_TYPE:			device type (tun+/tap+)"
	echo "COMPRESS:			The compression algorithm used (comp-lzo, compress (if pushed by the server), compress snappy)"
	exit -1
}

function getIp {
	echo  `dig +short myip.opendns.com @resolver1.opendns.com`
}

function clientConfig {
cat <<CLIENT_CONF
client
dev $DEV_TYPE
proto $PROTO
remote $REMOTE $PORT
resolv-retry infinite
nobind	
persist-key
persist-tun
ns-cert-type server
cipher AES-256-CBC
auth SHA512
$COMPRESS
verb 3
pull
$OPENVPN_CLIENT_DIRECTIVE
<ca>
$CA
</ca>
<cert>
$CERT
</cert>
<key>
$KEY
</key>
CLIENT_CONF
}
if [ $# -eq 0 ]; then
	echo "No arguments supplied"
	usage	
fi
if [ -z "$1" ]; then
	echo "Client name not supplied"
	usage
fi

if [ -z "$REMOTE" ]; then
	REMOTE=$(getIp)
fi
CLIENT=$1
if [ ! -f $OPENVPN_EASY_RSA_PATH/keys/${CLIENT}.crt ]; then	
	pushd $OPENVPN_EASY_RSA_PATH
	source ./vars
	./build-key $CLIENT 
	popd
fi


CA=`cat $OPENVPN_EASY_RSA_PATH/keys/ca.crt | grep -A 100 "BEGIN CERTIFICATE" | grep -B 100 "END CERTIFICATE"`

CERT=`cat $OPENVPN_EASY_RSA_PATH/keys/${CLIENT}.crt | grep -A 100 "BEGIN CERTIFICATE" | grep -B 100 "END CERTIFICATE"`

KEY=`cat $OPENVPN_EASY_RSA_PATH/keys/${CLIENT}.key | grep -A 100 "BEGIN PRIVATE KEY" | grep -B 100 "END PRIVATE KEY"`

clientConfig > $CLIENT.ovpn
exit 0

[email protected]

[Unit]
Description=OpenVPN server %i
Wants=syslog.target
Requires=network.target
After=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
Documentation=https://www.aaflalo.me/2015/01/openvpn-tap-bridge-mode

[Service]
PrivateTmp=true
Type=forking
PermissionsStartOnly=true
RuntimeDirectory=openvpn
ExecStartPre=/etc/openvpn/bridge/bridge-start
PIDFile=/run/openvpn/%i.pid
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --status /run/openvpn/status-%i.log --status-version 2 --config %i.conf --daemon --writepid /run/openvpn/%i.pid
ExecStopPost=/etc/openvpn/bridge/bridge-stop
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw

[Install]
WantedBy=multi-user.target

server.conf

dev tap0
#tun-mtu 1500
#tun-ipv6
tls-server
proto udp
port 5555


ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh4096.pem

topology subnet

user nobody
group nogroup

server-bridge 192.168.42.2 255.255.255.0 192.168.42.128 192.168.42.254

#server-ipv6 2001:db8::/64

mssfix
persist-key
persist-tun

#log /var/log/openvpn
status /var/log/openvpn-status.log
verb 4
client-to-client

keepalive 10 120
mute 50

#set the dns servers
push "dhcp-option DNS 192.168.42.1"
#set the WINS server (SAMBA)
push "dhcp-option WINS 192.168.42.2"
#For windows, to make the network recognized
push "route 0.0.0.0 0.0.0.0 192.168.42.2"
cipher AES-256-CBC
auth SHA512

log-append /var/log/openvpn
compress lz4
#replay-window 128