URLs

UML tun/tap bridging

2/11/2003 – 5:21 pm

OK, I have been working on this for days, and find that the main UML site is wrong, wrong, wrong. Here is the scoop on doing tun/tap over the Linux bridge.

1. Make a bridge on the host. I used br0, as that is what was used in the original doc. You only need one, I think, but you can name it whatever you want (br1, br2, br3, …).

host# brctl addbr br0

2. Now add the real Ethernet interface device (eth0) to the bridge group. Make sure that it does not have an IP address, because we are just riding on top of it. The bridge interface (br0) will have the IP.

host# ifconfig eth0 0.0.0.0 up
host# brctl addif br0 eth0
host# ifconfig br0 up

3. Start your tap interface.

host# modprobe tun
host# ifconfig tap0 up
host# brctl addif br0 tap0

I have about 5 (tap0 → tap4) running on my system, and just do this command for each one.

4. Activate Spanning Tree Protocol on the bridge

host# brctl stp br0 on

5. Run your UML session with "eth0=tuntap,tap0,fe:fd:f0:00:00:01"; remember, no IP!

host# /home/uml/linux eth0=tuntap,tap0,fe:fd:f0:00:00:01

I use fe:fd: as the prefix; this almost guarantees that I won't repeat the same MAC on two systems.

6. In your UML, bring up the eth0 interface

uml# ifconfig eth0 10.20.30.50 up

or use DHCP to get an address.

You should get a perfectly working Ethernet bridge, so your UML can behave like a real box on the LAN.
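The host-side procedure above (steps 1 to 5), generalised to N tap interfaces, as an added example that is not part of the original post: it prints the brctl/ifconfig sequence for tap0 to tap(N-1), derives one fe:fd: MAC per UML instance in the post's scheme, and checks that the MAC is locally administered and unicast before it goes on the UML command line. The function names (uml_mac, check_mac, bridge_cmds, uml_arg) and the BR/ETH variables are my own.

```shell
#!/bin/bash
# Added example, not the post's own code: build the host side of steps 1-5
# for N tap interfaces and give each UML a distinct fe:fd: MAC. BR and ETH
# are assumptions; override them in the environment.
set -e
BR="${BR:-br0}"      # bridge name (step 1)
ETH="${ETH:-eth0}"   # physical interface the bridge rides on (step 2)

# MAC for UML instance $1 (0..255) in the post's fe:fd:f0:00:00:NN scheme.
uml_mac() {
    printf 'fe:fd:f0:00:00:%02x\n' "$1"
}

# Return 0 only for a lowercase aa:bb:cc:dd:ee:ff MAC whose first octet has
# the locally-administered bit set and the multicast bit clear (low nibble
# 2, 6, a or e); fe:fd: satisfies this, so it cannot collide with a vendor OUI.
check_mac() {
    h='[0-9a-f][0-9a-f]'
    case "$1" in
        $h:$h:$h:$h:$h:$h) ;;
        *) return 1 ;;
    esac
    case "${1%%:*}" in
        [0-9a-f][26ae]) return 0 ;;
        *) return 1 ;;
    esac
}

# Host commands for tap0 .. tap(N-1), N given as $1 (steps 1 to 4).
bridge_cmds() {
    echo "brctl addbr $BR"
    echo "ifconfig $ETH 0.0.0.0 up"   # eth gets no IP; the bridge carries it
    echo "brctl addif $BR $ETH"
    echo "ifconfig $BR up"
    echo "modprobe tun"
    i=0
    while [ "$i" -lt "$1" ]; do
        echo "ifconfig tap$i up"
        echo "brctl addif $BR tap$i"
        i=$((i + 1))
    done
    echo "brctl stp $BR on"
}

# UML kernel argument for instance $1 (step 5); the guest still gets no IP here.
uml_arg() {
    mac=$(uml_mac "$1")
    check_mac "$mac" || return 1
    echo "eth0=tuntap,tap$1,$mac"
}
```

Run `bridge_cmds 5 | sh -e` as root to build the bridge for tap0 to tap4, then start each UML with the output of `uml_arg N` as its kernel argument.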

Bridged Mode OpenVPN Server on Debian HOWTO

From OpenVPN

OpenVPN bridged mode (aka road warrior) server on Debian


Introduction

These are from notes that I took while setting up a bridged mode OpenVPN server on Debian sarge. For the purposes of this document, I mention configuring a second Debian machine as a client for testing.


Start setting up the server:

  1. > apt-get install openvpn
  2. > cp /usr/share/doc/openvpn/examples/easy-rsa/* /etc/openvpn
  3. > cd /etc/openvpn
  4. > gunzip openssl.cnf.gz
  5. > vi vars
    1. set KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL
  6. > . ./vars
  7. > ./clean-all
  8. > ./build-ca
    1. set the common name to the name of the vpn server
  9. > ./build-key-server server
    1. accept defaults except for common name which should be "server"
  10. > ./build-key client1
    1. again, accept defaults except for common name which should be "client1"
  11. > ./build-dh
  12. > cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
  13. > gunzip /etc/openvpn/server.conf
  14. > vi server.conf
    1. follow the comments to edit the file for bridging (set dev tap0, comment out the routed-mode server subnet directive, and set server-bridge to the server's private IP and the address range to hand out)
    2. Set the ca, cert and key directives to point to the full file names
  15. forward UDP port 1194 through the firewall to the VPN server
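A sanity check for the server.conf edits in step 14, as an added example that is not part of the HOWTO: it strips comments, then confirms the effective directives use a tap device, no longer carry the routed-mode server line, carry a complete server-bridge line, and name the ca, cert, key and dh files. The function name check_bridge_conf, both sample configs and their addresses are my own (the bridge values follow the openvpn-bridge script's 10.1.1.x network; the dh file name is a placeholder).

```shell
# Added example, not the HOWTO's own code: lint a server.conf for the
# bridged-mode edits of step 14. Prints each problem; returns 0 when clean.
set -e
check_bridge_conf() {
    conf="$1"; bad=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    # Effective directives only: drop # and ; comments and blank lines.
    eff=$(sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$conf")
    has() { printf '%s\n' "$eff" | grep -Eq "^[[:space:]]*$1"; }
    has 'dev[[:space:]]+tap' \
        || { echo "dev must be a tap interface (dev tap0) for bridging"; bad=1; }
    has 'server[[:space:]]' \
        && { echo "routed-mode 'server' line must be commented out"; bad=1; }
    has 'server-bridge([[:space:]]+[0-9.]+){4}' \
        || { echo "server-bridge needs: gateway netmask pool-start pool-end"; bad=1; }
    for d in ca cert key dh; do
        has "$d[[:space:]]+" || { echo "missing $d directive"; bad=1; }
    done
    return $bad
}

# Constructed sample: a server.conf edited as step 14 says; echoes its path.
# Addresses follow the openvpn-bridge script's 10.1.1.x network.
sample_good_conf() {
    f=$(mktemp); cat > "$f" <<'EOF'
port 1194
dev tap0                 # bridged mode uses tap, not tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
;server 10.8.0.0 255.255.255.0
server-bridge 10.1.1.31 255.0.0.0 10.1.1.100 10.1.1.120
EOF
    echo "$f"
}

# Constructed sample: the stock routed-mode file, i.e. step 14 not yet done.
sample_bad_conf() {
    f=$(mktemp); cat > "$f" <<'EOF'
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
EOF
    echo "$f"
}
```

Call `check_bridge_conf /etc/openvpn/server.conf` after editing; a non-zero exit lists what step 14 still needs.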


Set up the client:

  1. > apt-get install openvpn
  2. > cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn
  3. copy client1.* from /etc/openvpn/keys/ on the server to /etc/openvpn/keys/ on the client
  4. copy ca.crt from /etc/openvpn/keys/ on the server to /etc/openvpn/keys/ on the client
  5. > vi /etc/openvpn/client.conf
    1. follow the comments to edit the file for bridging
    2. Set the crt, key and ca locations


Start the server and client on machines on different sides of the router

  1. On both client and server
    1. > vi /etc/group
      1. Add an entry named "nobody"; I set the gid equal to the uid of the "nobody" user
      2. copy my openvpn-bridge script (listed under Scripts below) to /usr/local/bin
  2. On the server
    1. > openvpn /etc/openvpn/server.conf
  3. On the client
    1. > openvpn /etc/openvpn/client.conf
  4. test that the vpn initializes on both client and server


Configure the server for bridging

  1. > apt-get install bridge-utils
  2. > vi /usr/local/bin/openvpn-bridge
    1. Set the eth, eth_ip, eth_netmask, eth_broadcast, and gw parameters to those used on the network
  3. > /usr/local/bin/openvpn-bridge start
  4. test network connectivity
  5. > /usr/local/bin/openvpn-bridge stop
  6. test network connectivity
  7. copy my openvpn_init-script (listed under Scripts below) to /etc/init.d/openvpn
  8. > /etc/init.d/openvpn start
  9. test vpn
  10. > /etc/init.d/openvpn stop


Scripts


openvpn-bridge

#!/bin/bash
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
# Address the bridge takes over from $eth; must match your LAN.
eth_ip="10.1.1.31"
eth_netmask="255.0.0.0"
eth_broadcast="10.255.255.255"
gw="10.1.1.1"
case "$1" in
  start)
    # Create the persistent TAP devices OpenVPN will attach to
    for t in $tap; do
        openvpn --mktun --dev $t
    done
    brctl addbr $br
    brctl addif $br $eth
    for t in $tap; do
        brctl addif $br $t
    done
    for t in $tap; do
        ifconfig $t 0.0.0.0 promisc up
    done
    # The physical interface loses its IP; the bridge carries it instead
    ifconfig $eth 0.0.0.0 promisc up
    ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
    route add default gw $gw
    ;;
  stop)
    ifconfig $br down
    brctl delbr $br
    for t in $tap; do
        openvpn --rmtun --dev $t
    done
    # Give the address and default route back to the physical interface
    ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast
    route add default gw $gw
    ;;
  *)
    echo "usage openvpn-bridge {start|stop}"
    exit 1
    ;;
esac
exit 0


openvpn_init-script

#!/bin/sh -e
#
# Original version by Robert Leslie
# <rob@mars.org>, edited by iwj and cs
# Modified for openvpn by Alberto Gonzalez Iniesta <agi@inittab.org>
# Modified for restarting / starting / stopping single tunnels by Richard Mueller <mueller@teamix.net>
# Modified to add bridge control by Josh Vickery <vickeryj@freeshell.org>
test $DEBIAN_SCRIPT_DEBUG && set -v -x
DAEMON=/usr/sbin/openvpn
DESC="virtual private network daemon"
CONFIG_DIR=/etc/openvpn
# The openvpn-bridge script above: brought up before the daemon, torn down after it
BRIDGE_CTL=/usr/local/bin/openvpn-bridge
test -x $DAEMON || exit 0
test -d $CONFIG_DIR || exit 0
# Source defaults file; edit that file to configure this script.
AUTOSTART="all"
STATUSREFRESH=10
if test -e /etc/default/openvpn; then
  . /etc/default/openvpn
fi
start_vpn () {
    if grep -q '^[	 ]*daemon' $CONFIG_DIR/$NAME.conf; then
      # daemon already given in config file
      DAEMONARG=
    else
      # need to daemonize
      DAEMONARG="--daemon ovpn-$NAME"
    fi
    if grep -q '^[	 ]*status ' $CONFIG_DIR/$NAME.conf; then
      # status file already given in config file
      STATUSARG=""
    elif test $STATUSREFRESH -eq 0; then
      # default status file disabled in /etc/default/openvpn
      STATUSARG=""
    else
      # prepare default status file
      STATUSARG="--status /var/run/openvpn.$NAME.status $STATUSREFRESH"
    fi
    $BRIDGE_CTL start
    $DAEMON --writepid /var/run/openvpn.$NAME.pid \
            $DAEMONARG $STATUSARG --cd $CONFIG_DIR \
            --config $CONFIG_DIR/$NAME.conf || echo -n " FAILED->"
    echo -n " $NAME"
}
stop_vpn () {
  kill `cat $PIDFILE` || true
  rm $PIDFILE
  [ -e /var/run/openvpn.$NAME.status ] \
    && rm /var/run/openvpn.$NAME.status
  $BRIDGE_CTL stop
}
case "$1" in
start)
  echo -n "Starting $DESC:"
  # autostart VPNs
  if test -z "$2"; then
    # check if automatic startup is disabled by AUTOSTART=none
    if test "x$AUTOSTART" = "xnone" -o -z "$AUTOSTART"; then
      echo " Autostart disabled."
      exit 0
    fi
    if test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall"; then
      # all VPNs shall be started automatically
      for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do
        NAME=${CONFIG%%.conf}
        start_vpn
      done
    else
      # start only specified VPNs
      for NAME in $AUTOSTART; do
        if test -e $CONFIG_DIR/$NAME.conf; then
          start_vpn
        else
          echo -n " (failure: No such VPN: $NAME)"
        fi
      done
    fi
  # start VPNs from command line
  else
    while shift; do
      [ -z "$1" ] && break
      if test -e $CONFIG_DIR/$1.conf; then
        NAME=$1
        start_vpn
      else
        echo -n " (failure: No such VPN: $1)"
      fi
    done
  fi
  echo "."
  ;;
stop)
  echo -n "Stopping $DESC:"
  if test -z "$2"; then
    for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
      # strip the 17-character "/var/run/openvpn." prefix and the ".pid" suffix
      NAME=`echo $PIDFILE | cut -c18-`
      NAME=${NAME%%.pid}
      stop_vpn
      echo -n " $NAME"
    done
  else
    while shift; do
      [ -z "$1" ] && break
      if test -e /var/run/openvpn.$1.pid; then
        PIDFILE=`ls /var/run/openvpn.$1.pid 2> /dev/null`
        NAME=`echo $PIDFILE | cut -c18-`
        NAME=${NAME%%.pid}
        stop_vpn
        echo -n " $NAME"
      else
        echo -n " (failure: No such VPN is running: $1)"
      fi
    done
  fi
  echo "."
  ;;
# We only 'reload' for running VPNs. New ones will only start with 'start' or 'restart'.
reload|force-reload)
  echo -n "Reloading $DESC:"
  for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
    NAME=`echo $PIDFILE | cut -c18-`
    NAME=${NAME%%.pid}
    # If openvpn is running under a user other than root we'll need to restart
    if egrep '^( |\t)*user' $CONFIG_DIR/$NAME.conf > /dev/null 2>&1; then
      stop_vpn
      sleep 1
      start_vpn
      echo -n "(restarted)"
    else
      kill -HUP `cat $PIDFILE` || true
      echo -n " $NAME"
    fi
  done
  echo "."
  ;;
restart)
  shift
  $0 stop ${@}
  sleep 1
  $0 start ${@}
  ;;
cond-restart)
  echo -n "Restarting $DESC:"
  for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
    NAME=`echo $PIDFILE | cut -c18-`
    NAME=${NAME%%.pid}
    stop_vpn
    sleep 1
    start_vpn
  done
  echo "."
  ;;
*)
  echo "Usage: $0 {start|stop|reload|restart|force-reload|cond-restart}" >&2
  exit 1
  ;;
esac
exit 0
# vim:set ai sts=2 sw=2 tw=0:

Retrieved from "http://openvpn.net/wiki/Bridged_Mode_OpenVPN_Server_on_Debian_HOWTO"

technologie/openvpn_bridge.txt · Last modified: 2009/03/26 10:14 by jsa