Tutorial: Bridged OpenVPN Virtual Machine Server Setup

Windows 2012 R2 Standard | Hyper-V | Ubuntu 16.04.1 LTS | Bridged OpenVPN

1. Foreword / Setting / Requirements

Sometimes we are travelling through the globe and imagine that on a particular day we are working onsite with our mobile device. Suddenly we recognize there are files missing which are quite important and we believe them to be on a shared drive in the office. Would be great to have a solution now – kind of remote access to our files…

As of today virtualization is in fashion because VM’s are quite easy to handle and they support nice things like snapshots and an easy migration for instance. So the possibility is quite high we have already a machine which is running an hypervisor somewhere at home or in the office. Therefore this cheatsheet is dealing with a VM.

Mandatory for this tutorial:
• installed Ubuntu 16.04.1 LTS Server
• installed Microsoft Server with Hyper-V (hypervisor for virtual machines)
• basic knowledge about Linux, Windows Server and IP networks, because we won’t explain every step too detailed

 

2. Creating the VM

• Create a second generation virtual machine with the following specs: 1 GB vRAM, 1 vCore, at least 10GB vSpace.
• Create a virtual switch which is associated to the external network, so your ethernet adapter of your server.
• Choosing a static MAC address for this VM will make it easier to remember. We need is in the following step.
• activate MAC spoofing for this virtual switch (important!)

 

3. Router configuration

• Bind your static MAC in the router to a parmanent IP address.
• You can already configure needed port forward to this IP. In this tutorial we are using ports 1194 and 5000.
• Choosing a static MAC address for this VM will make it easier to remember. We need it in the following step.

 

4. Ubuntu server

• Usual installation from image, tick just the SSH server in order to allow us to connect.
• We want to make sure all updates are installed:

sudo apt-get update && sudo apt-get upgrade

• You can do a distribution upgrade if applicable:

sudo apt-get dist-upgrade

• Now we need the packages for OpenVPN and the certs

sudo apt-get install openvpn easy-rsa

 

5. Generating certificates

• easy-rsa can be found at one of the following directories:
– /etc/openvpn/easy-rsa
– /usr/share/openvpn/easy-rsa
– /usr/share/easy-rsa
• Let’s generate a keyset for our server. Change into the prior mentioned easy-rsa directory and follow the instructions while running:

./build-ca
./build-dh
./build-key-server HOSTNAME_OF_YOUR_SERVER

• Now we need a cert for the client:

./build-key HOSTNAME_OF_YOUR_CLIENT

You should find a subfolder “keys” with all just now generated files inside.

 

6. Setting up the bridge

• Create a new file: /etc/openvpn/openvpn-bridge

#!/bin/sh

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="YOUR_SERVER_IP"
eth_netmask="YOUR_SERVER_NETMASK"
eth_broadcast="YOUR_NETWORK_BROADCAST_IP"
eth_gateway="YOUR_GATEWAY_IP"

case "$1" in
start)
    for t in $tap; do
        openvpn --mktun --dev $t
    done

    brctl addbr $br
    brctl addif $br $eth

    for t in $tap; do
        brctl addif $br $t
    done

    for t in $tap; do
        ifconfig $t 0.0.0.0 promisc up
    done

#    sleep ?
    ifconfig $eth 0.0.0.0 promisc up
#    sleep ?
    ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
    sleep 1
    route add default gw $eth_gateway
    ;;

stop)
    ifconfig $br down
    brctl delbr $br

    for t in $tap; do
        openvpn --rmtun --dev $t
    done

    ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast
    route add default gw $eth_gateway
    ;;

*)
    echo "Usage:  openvpn-bridge {start|stop}"
    exit 1
    ;;

esac
exit 0

• Make it executable

chmod +x openvpn-bridge

 

7. Adding service to autostart

• Create or open file /lib/systemd/system/openvpn@.service and add two lines at the end of [Services] to make the service run at boot time:

ExecStartPre=/etc/openvpn/openvpn-bridge start
ExecStopPost=/etc/openvpn/openvpn-bridge stop

• OpenVPN status can now be checked by:

systemctl status openvpn@server.service

• Restart is possible through:

service openvpn restart

or

systemctl restart openvpn@server.service

 

8. OpenVPN server configuration

• Create /etc/openvpn/server.conf with the following content:

#
# BASICS
#
mode server
tls-server
port 993
proto tcp
dev tap0

#
# CERTS
#
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpn.crt
key /etc/openvpn/keys/vpn.key

#
# ENCRYPTION
#
# Der zweite Parameter zu tls-auth lautet 0 beim Server und 1 beim Client
tls-auth /etc/openvpn/keys/static.key 0
dh /etc/openvpn/keys/dh2048.pem

#
# DHCP INFORMATION
#
server-bridge YOUR_SERVER_IP YOUR_NETWORK_MASK 192.168.1.201 192.168.1.210
push "dhcp-option DNS YOUR_GATEWAY_IP"
max-clients 3 #max concurrent connections

#
# OTHER
#
comp-lzo #should transfer be compressed?
cipher AES-256-CBC #choose encryption algorithm
keepalive 10 120 #keeping connection alive
client-to-client #authorises client to client connectivity
verb 3 #verbosity

 

9. Symbolic link to folder “keys”

• The syntax is: ln -s TARGET SOURCE

ln -s /usr/share/easy-rsa/keys keys

 

10. Reboot the VM

sudo reboot

 

11. Configuration of a windows client

• Config files of OpenVPN are located at C:\Program Files\OpenVPN\config
• Create a file in this folder called client.ovpn
• Fill it with the following:

# setting client or server mode
client

# providing IP of your VPN server (and a port if needed)
# if no port is set the default is UDP 5000
remote IP_OF_YOUR_VPN_SERVER YOUR_PORT

# port of your client. if nobind is set, default port 1194 will be used
nobind

# using the UDP or TCP protocol
proto tcp

# setting up the working mode: bridging (TAP device) oder routing (TUN device)
dev tap

# which adapter should be used? please provide the correct windows' name of the
# adapter to use. in this case we renamed it to "tap-bridge" before.
#dev-node tap-bridge

# which IP address should be used within our bridged VPN network?
#ifconfig 192.168.1.222 255.255.255.0

# where are the keys located?
# please keep in mind to use double-backslashes for a windows environment!
# for windows 7 additional quotation marks are required!
ca ca.crt
cert HOSTNAME_OF_YOUR_CLIENT.crt
key HOSTNAME_OF_YOUR_CLIENT.key

# the second parameter is: 0 = server, 1 = client
tls-auth static.key 1

# shall compression be used? if yes:
comp-lzo

# which encryption cipher has to be used?
cipher AES-256-CBC
persist-key
persist-tun

# accept data pushed by the server
pull

# setting a verbose level of 1
verb 1

• Copy your generated cert files from the server (/usr/share/easy-rsa/keys) into the client folder (C:\Program Files\OpenVPN\config), since they are needed for the client profile to work:

ca.crt
client.crt
client.key
static.key

 

12. Et voila!

 

Credits

Bauser Enterprises (german)
OpenVPN
ServerFault
GitHubGist