How to set up a bridged OpenVPN VM on Windows 2012 R2 using Ubuntu 16.04.1 LTS
Tags: Windows 2012 R2 Standard | Hyper-V | Ubuntu 16.04.1 LTS | Bridged OpenVPN
Last update: May 2017
1. Foreword / Setting / Requirements
Sometimes we are travelling around the globe and imagine that on a particular day we are working on site with our mobile device. Suddenly we notice that some quite important files are missing, and we believe them to be on a shared drive in the office. It would be great to have a solution now: some kind of remote access to our files…
As of today virtualization is in fashion, because VMs are quite easy to handle and support nice things like snapshots and easy migration. So the chances are high that we already have a machine running a hypervisor somewhere at home or in the office. Therefore this cheatsheet deals with a VM.
Mandatory for this tutorial:
• installed Ubuntu 16.04.1 LTS Server
• installed Microsoft Server with Hyper-V (hypervisor for virtual machines)
• basic knowledge of Linux, Windows Server and IP networks, because we won't explain every step in detail
2. Creating the VM
• Create a second generation virtual machine with the following specs: 1 GB vRAM, 1 vCore, at least 10 GB vSpace.
• Create a virtual switch which is associated with the external network, i.e. the ethernet adapter of your server.
• Choosing a static MAC address for this VM will make it easier to remember. We need it in the following step.
• Activate MAC spoofing for this virtual switch (important!)
3. Router configuration
• Bind your static MAC in the router to a permanent IP address.
• You can already configure the needed port forwards to this IP. In this tutorial we are using ports 1194 and 5000.
4. Ubuntu server
• Standard installation from the image; select only the SSH server so that we can connect remotely.
• We want to make sure all updates are installed:
sudo apt-get update && sudo apt-get upgrade
- You can do a distribution upgrade if applicable:
sudo apt-get dist-upgrade
- Now we need the packages for OpenVPN and the certs
sudo apt-get install openvpn easy-rsa
5. Generating certificates
• easy-rsa can be found at one of the following directories:
– /etc/openvpn/easy-rsa
– /usr/share/openvpn/easy-rsa
– /usr/share/easy-rsa
• Let's generate a key set for our server. Change into the easy-rsa directory mentioned above and run the following commands, answering the prompts as you go (source ./vars loads the easy-rsa settings and is required before any build-* script; ./clean-all empties the keys directory, so run it only once at the start):
source ./vars
./clean-all
./build-ca
./build-dh
./build-key-server HOSTNAME_OF_YOUR_SERVER
openvpn --genkey --secret keys/static.key
The last command creates the tls-auth key that server.conf below refers to as static.key. Note that server.conf expects the server certificate and key as vpn.crt and vpn.key, so either use vpn as HOSTNAME_OF_YOUR_SERVER or adjust those paths.
- Now we need a cert for the client:
./build-key HOSTNAME_OF_YOUR_CLIENT
You should find a subfolder "keys" containing all the files just generated.
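Before copying the generated files anywhere, it is worth verifying that they actually belong together: that the client certificate was signed by the CA you just built, that the client key matches the client certificate, and that static.key is a real OpenVPN tls-auth key. The following checks are an added example and not part of the original tutorial; they only assume the openssl command line tool is installed and take the file paths as arguments (the names ca.crt, client.crt, client.key and static.key follow the tutorial).

```shell
#!/bin/sh
# Sanity checks for an easy-rsa key set (added example, not from the tutorial).
# Usage: ovpn_check_keyset keys/ca.crt keys/client.crt keys/client.key keys/static.key

# Does the certificate chain to our CA? Catches a cert signed by an old or different CA.
ovpn_cert_signed_by_ca() { # ca.crt cert.crt
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the private key belong to the certificate? Catches a cert/key mix-up.
# Both commands emit the public key in the same PEM (SubjectPublicKeyInfo) form.
ovpn_cert_matches_key() { # cert.crt cert.key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Is this a tls-auth key as written by "openvpn --genkey --secret"?
# The file carries a 2048-bit key: 512 hex digits between the BEGIN and END markers.
ovpn_static_key_ok() { # static.key
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$1" || return 1
    grep -q '^-----END OpenVPN Static key V1-----$' "$1" || return 1
    hex=$(sed -n '/^-----BEGIN/,/^-----END/p' "$1" | grep -v -- '^-----' | tr -d '\n')
    [ "${#hex}" -eq 512 ] && [ -z "$(printf '%s' "$hex" | tr -d '0-9a-fA-F')" ]
}

# Run all checks; prints what failed and returns non-zero on the first problem.
ovpn_check_keyset() { # ca.crt client.crt client.key static.key
    ovpn_cert_signed_by_ca "$1" "$2" || { echo "$2: not signed by $1"; return 1; }
    ovpn_cert_matches_key "$2" "$3" || { echo "$3: does not match $2"; return 2; }
    ovpn_static_key_ok "$4"          || { echo "$4: not a valid OpenVPN static key"; return 3; }
    echo "key set OK"
}
```

Run it from the easy-rsa directory before step 11; a non-zero exit tells you which of the four files does not fit the others.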
6. Setting up the bridge
• Create a new file /etc/openvpn/openvpn-bridge with the following content (brctl comes from the bridge-utils package, ifconfig and route from net-tools; adjust eth0 if your interface has a different name):
#!/bin/sh

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="YOUR_SERVER_IP"
eth_netmask="YOUR_SERVER_NETMASK"
eth_broadcast="YOUR_NETWORK_BROADCAST_IP"
eth_gateway="YOUR_GATEWAY_IP"

case "$1" in
start)
    # create the TAP device(s) and attach them and the ethernet interface to the bridge
    for t in $tap; do
        openvpn --mktun --dev $t
    done
    brctl addbr $br
    brctl addif $br $eth
    for t in $tap; do
        brctl addif $br $t
    done
    for t in $tap; do
        ifconfig $t 0.0.0.0 promisc up
    done
    # sleep ?
    # the IP address moves from the ethernet interface to the bridge
    ifconfig $eth 0.0.0.0 promisc up
    # sleep ?
    ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
    sleep 1
    route add default gw $eth_gateway
    ;;
stop)
    # tear the bridge down and give the IP address back to the ethernet interface
    ifconfig $br down
    brctl delbr $br
    for t in $tap; do
        openvpn --rmtun --dev $t
    done
    ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast
    route add default gw $eth_gateway
    ;;
*)
    echo "Usage: openvpn-bridge {start|stop}"
    exit 1
    ;;
esac
exit 0
- Make it executable
chmod +x openvpn-bridge
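The four address variables in the bridge script and the pool in the server-bridge line of server.conf must describe the same subnet, otherwise the bridge comes up with a wrong broadcast address or clients get addresses the gateway cannot reach. The functions below compute the network and broadcast address from an IP and netmask with plain POSIX shell arithmetic and cross-check the values you are about to paste in. This is an added example, not part of the original tutorial; the argument order follows the variable names in the script, and the pool addresses are the ones server.conf uses.

```shell
#!/bin/sh
# Subnet sanity checks for the openvpn-bridge variables (added example).
# Usage: ovpn_bridge_check ETH_IP ETH_NETMASK ETH_BROADCAST ETH_GATEWAY POOL_START POOL_END

# Print the four octets of a dotted quad separated by spaces.
ip_octets() { printf '%s' "$1" | tr '.' ' '; }

# Network address: bitwise AND of each octet with the netmask octet.
ipv4_network() { # ip netmask
    set -- $(ip_octets "$1") $(ip_octets "$2")
    printf '%d.%d.%d.%d\n' $(($1 & $5)) $(($2 & $6)) $(($3 & $7)) $(($4 & $8))
}

# Broadcast address: network bits from the IP, all host bits set to one.
ipv4_broadcast() { # ip netmask
    set -- $(ip_octets "$1") $(ip_octets "$2")
    printf '%d.%d.%d.%d\n' $(($1 | (255 - $5))) $(($2 | (255 - $6))) \
                           $(($3 | (255 - $7))) $(($4 | (255 - $8)))
}

# Two addresses are in the same subnet when they share the network address.
ipv4_same_subnet() { # ip1 ip2 netmask
    [ "$(ipv4_network "$1" "$3")" = "$(ipv4_network "$2" "$3")" ]
}

# Check broadcast, gateway and the server-bridge pool against eth_ip/eth_netmask.
ovpn_bridge_check() { # eth_ip eth_netmask eth_broadcast eth_gateway pool_start pool_end
    rc=0
    want=$(ipv4_broadcast "$1" "$2")
    [ "$3" = "$want" ] || { echo "broadcast $3 is wrong, expected $want"; rc=1; }
    ipv4_same_subnet "$1" "$4" "$2" || { echo "gateway $4 is not in the subnet of $1/$2"; rc=1; }
    for a in "$5" "$6"; do
        ipv4_same_subnet "$1" "$a" "$2" || { echo "pool address $a is not in the subnet of $1/$2"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "bridge addresses are consistent"
    return $rc
}
```

The octet-wise arithmetic avoids any dependency on 64-bit shell integers, so the script runs unchanged under dash (Ubuntu's /bin/sh) and bash.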
7. Adding service to autostart
• Open the file /lib/systemd/system/openvpn@.service (create it if it does not exist) and add the following two lines at the end of the [Service] section, so that the bridge is set up whenever the service starts (including at boot time) and torn down when it stops:
ExecStartPre=/etc/openvpn/openvpn-bridge start
ExecStopPost=/etc/openvpn/openvpn-bridge stop
• OpenVPN status can now be checked by:
systemctl status openvpn@server.service
- Restarting the service is of course possible via:
service openvpn restart
or:
systemctl restart openvpn@server.service
8. OpenVPN server configuration
• Create /etc/openvpn/server.conf with the following content:
#
# BASICS
#
mode server
tls-server
port 993
proto tcp
dev tap0

#
# CERTS
#
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpn.crt
key /etc/openvpn/keys/vpn.key

#
# ENCRYPTION
#
# The second parameter to tls-auth is 0 on the server and 1 on the client
tls-auth /etc/openvpn/keys/static.key 0
dh /etc/openvpn/keys/dh2048.pem

#
# DHCP INFORMATION
#
server-bridge YOUR_SERVER_IP YOUR_NETWORK_MASK 192.168.1.201 192.168.1.210
push "dhcp-option DNS YOUR_GATEWAY_IP"
max-clients 3 #max concurrent connections

#
# OTHER
#
comp-lzo #should transfer be compressed?
cipher AES-256-CBC #choose encryption algorithm
keepalive 10 120 #keeping connection alive
client-to-client #authorises client to client connectivity
verb 3 #verbosity
9. Symbolic link to folder “keys”
• The syntax is: ln -s TARGET LINK_NAME. Run the following from within /etc/openvpn, so that the link becomes /etc/openvpn/keys as referenced in server.conf:
ln -s /usr/share/easy-rsa/keys keys
10. Reboot the VM
sudo reboot
11. Configuration of a Windows client
• Config files of OpenVPN are located at C:\Program Files\OpenVPN\config
• Create a file in this folder called client.ovpn
• Fill it with the following:
# client or server mode
client
# address of your VPN server and the port it listens on
# (if no port is given, OpenVPN uses its default of 1194)
remote IP_OF_YOUR_VPN_SERVER YOUR_PORT
# do not bind the client to a fixed local port; an ephemeral port is used instead
nobind
# UDP or TCP; must match the server's proto setting
proto tcp
# working mode: bridging (TAP device) or routing (TUN device)
dev tap
# which adapter should be used? please provide the correct Windows name of the
# adapter to use. in this case we renamed it to "tap-bridge" before.
#dev-node tap-bridge
# fixed IP address inside the bridged VPN network (otherwise one is assigned from the server-bridge pool)
#ifconfig 192.168.1.222 255.255.255.0
# where are the keys located? bare file names are looked up in the config folder.
# please keep in mind to use double backslashes in Windows paths!
# for Windows 7 additional quotation marks are required!
ca ca.crt
cert HOSTNAME_OF_YOUR_CLIENT.crt
key HOSTNAME_OF_YOUR_CLIENT.key
# the second parameter is: 0 = server, 1 = client
tls-auth static.key 1
# compression; must match the server
comp-lzo
# encryption cipher; must match the server
cipher AES-256-CBC
persist-key
persist-tun
# accept options pushed by the server
pull
# verbosity level 1
verb 1
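Several settings have to agree between server.conf (step 8) and client.ovpn: the proto, the port the client connects to, a TAP device on both ends, the tls-auth key direction (0 on the server, 1 on the client), the cipher and comp-lzo. A mismatch in any of them produces a connection that silently fails or never authenticates, so it pays to compare the two files mechanically before copying the profile to Windows. The checker below is an added example and not part of the original tutorial; it parses the OpenVPN directive format (first word is the directive, the rest its arguments, # starts a comment) with awk and takes the two file paths as arguments.

```shell
#!/bin/sh
# Cross-check server.conf against client.ovpn (added example, not from the tutorial).
# Usage: ovpn_check_pair /etc/openvpn/server.conf client.ovpn

# Print the arguments of the first occurrence of a directive, comments stripped.
ovpn_get() { # file directive
    awk -v d="$2" '{ sub(/#.*/, "") } $1 == d { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Is a directive present at all? Used for flag directives such as comp-lzo.
ovpn_has() { # file directive
    awk -v d="$2" '{ sub(/#.*/, "") } $1 == d { found = 1; exit } END { exit !found }' "$1"
}

ovpn_check_pair() { # server.conf client.ovpn
    s=$1; c=$2; rc=0

    # Transport must match, otherwise the client never reaches the server.
    [ "$(ovpn_get "$s" proto)" = "$(ovpn_get "$c" proto)" ] || { echo "proto differs"; rc=1; }

    # The server's "port" must be the port named in the client's "remote" line
    # (and the one forwarded on the router).
    sport=$(ovpn_get "$s" port)
    cport=$(ovpn_get "$c" remote | awk '{ print $2 }')
    [ -n "$sport" ] && [ "$sport" = "$cport" ] || { echo "server port '$sport' vs client remote port '$cport'"; rc=1; }

    # Bridging needs a TAP device on both ends (the server names it tap0, the client just tap).
    for f in "$s" "$c"; do
        case "$(ovpn_get "$f" dev)" in tap*) ;; *) echo "$f: dev is not a tap device"; rc=1 ;; esac
    done

    # tls-auth key direction: 0 on the server, 1 on the client.
    sdir=$(ovpn_get "$s" tls-auth | awk '{ print $2 }')
    cdir=$(ovpn_get "$c" tls-auth | awk '{ print $2 }')
    [ "$sdir" = 0 ] && [ "$cdir" = 1 ] || { echo "tls-auth direction: server '$sdir', client '$cdir' (want 0/1)"; rc=1; }

    # Cipher and compression must be identical on both sides.
    [ "$(ovpn_get "$s" cipher)" = "$(ovpn_get "$c" cipher)" ] || { echo "cipher differs"; rc=1; }
    if ovpn_has "$s" comp-lzo; then
        ovpn_has "$c" comp-lzo || { echo "comp-lzo on server only"; rc=1; }
    else
        ! ovpn_has "$c" comp-lzo || { echo "comp-lzo on client only"; rc=1; }
    fi

    [ "$rc" -eq 0 ] && echo "server/client configs are consistent"
    return $rc
}
```

Every mismatch is reported, not just the first, and the exit status is non-zero if anything differs, so the function can also guard a deployment script.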
• Copy the certificate files generated on the server (/usr/share/easy-rsa/keys) into the client folder (C:\Program Files\OpenVPN\config), since the client profile references them (HOSTNAME_OF_YOUR_CLIENT.crt and .key are called client.crt and client.key here):
ca.crt
client.crt
client.key
static.key