Have been reading the docs and the various sample
scripts, and have a few questions.

Configuration:
  openvpn-2.0.7
  bridge-utils-1.0.4
  kernel-2.6.12
  (Fedora Core 3, i386)

The server currently sits behind a hardware firewall router, on a
class C network. The server has only one NIC, which talks to
both the Internet via the router, as well as the local network.
No NAT is in place. The firewall blocks all accesses from
the Internet to local machines, except for the server. Thus,
conceptually, the server is firewalled, but can access the
local network via the server's NIC. The internal servers
and workstations use iptables and software firewalls to block all
traffic except local accesses to ssh, http, sftp, samba, and cvs.
The local network is a mixed Linux, Windows, Mac environment.

The FAQ says the following:

"Make sure to only bridge TAP interfaces with private ethernet interfaces
which are protected behind a firewall. Never bridge a TAP interface with the
same ethernet interface you use to connect to the internet, as that would
create a potential security hole."

I'm wondering in our set up, whether there is any particular vulnerability
if we bridge the incoming vpn traffic with the single NIC?
We can easily add another NIC, but I'd like to experiment with deploying
the VPN soon, and I don't want to do that if there are security
implications.

On an unrelated note, the FAQ says:

"An important point to understand with Ethernet bridging is that each
network interface which is added to the bridge will lose its individual
identity in terms of specific settings such as IP address and netmask. Only
the TCP/IP settings of the bridge interface itself will be relevant.
A common mistake that people make when manually configuring an Ethernet
bridge is that they add their primary ethernet adapter to the bridge before
they have set the IP and netmask of the bridge interface. The result is that
the primary ethernet interface "loses" its settings, but the equivalent
bridge interface settings have not yet been defined, so the net effect is a
loss of connectivity on the ethernet interface."

This would seem to recommend defining the bridge and its IP address
before adding the ethernet interface to the adaptor, and clobbering
the internet adaptor's IP address/mask settings. However, the
bridge-start script does things this way:
  for t in $tap; do
      openvpn --mktun --dev $t
  done

  brctl addbr $br
  brctl addif $br $eth

  for t in $tap; do
      brctl addif $br $t
  done

  for t in $tap; do
      ifconfig $t 0.0.0.0 promisc up
  done

  ifconfig $eth 0.0.0.0 promisc up
  ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

Can the sequence above be rewritten as follows, avoiding the common
mistake of not defining the bridge's IP address first (as well as
removing a few extra for loops)?

  brctl addbr $br
  ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

  for t in $tap; do
      openvpn --mktun --dev $t
      brctl addif $br $t
      ifconfig $t 0.0.0.0 promisc up
  done

  brctl addif $br $eth
  ifconfig $eth 0.0.0.0 promisc up

My goal here is to be able to run bridge-start when initially manually
enabling the bridge and testing openvpn. However, looking at the sequence
above, I see the last step is to bring $eth "up". Does this imply
that $eth must be down before attempting to add it to the bridge?
Won't that break the connection anyway?

The 'how to' wasn't too clear on how/where to put the various
pieces, which might (1) ensure $eth is down (or isn't by default
transitioned into "up" mode until it is later bridged), (2) set
port forwarding on $eth, (3) set IP tables on the TAP and the
bridge, (4) run bridge-start. /etc/init.d/openvpn has the
following:

  start)
      echo -n $"Starting openvpn: "
      /sbin/modprobe tun >/dev/null 2>&1

      # From a security perspective, I think it makes
      # sense to remove this, and have users who need
      # it explicitly enable in their --up scripts or
      # firewall setups.
      #echo 1 > /proc/sys/net/ipv4/ip_forward

      # Run startup script, if defined
      if [ -f $work/openvpn-startup ]; then
          $work/openvpn-startup
      fi

Is the idea to pile everything into /etc/openvpn/openvpn-startup?
And can someone add a bit more detail regarding the suggestion
in the comments below?

  # From a security perspective, I think it makes
  # sense to remove this, and have users who need
  # it explicitly enable in their --up scripts or
  # firewall setups.

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
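Added example (not part of the post above, and not one of OpenVPN's own scripts): a small audit script that checks, after bridge-start has run, whether the box has ended up in the configuration the FAQ warns against, i.e. a bridge that contains both a TAP port and the interface carrying the default route. It assumes the bridge sysfs layout (/sys/class/net/<bridge>/bridge and the ports under /sys/class/net/<bridge>/brif/), that the default route is the row with destination 00000000 in /proc/net/route, and that TAP devices are named tap* as bridge-start creates them; the script name bridge-audit.sh and both path variables are hypothetical and can be overridden so the audit can be run against a constructed directory tree.

```shell
#!/bin/sh
# bridge-audit.sh (hypothetical name): report any bridge that joins an
# OpenVPN TAP port with the interface that carries the default route.
#
# Assumptions (not from the original post): bridges expose
# /sys/class/net/<br>/bridge and list their ports under
# /sys/class/net/<br>/brif/; the default route is the 00000000-destination
# row of /proc/net/route; TAP devices are named tap* as bridge-start does.
# Both paths can be overridden so the audit can run against a fake tree.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"
ROUTE_FILE="${ROUTE_FILE:-/proc/net/route}"

# Name of the interface holding the default route (empty if none).
default_route_iface() {
    awk 'NR > 1 && $2 == "00000000" { print $1; exit }' "$ROUTE_FILE"
}

# Every interface that is a bridge (has a bridge/ attribute directory).
list_bridges() {
    for d in "$SYSFS_NET"/*; do
        [ -d "$d/bridge" ] && basename "$d"
    done
    return 0
}

# Ports enslaved to bridge $1.
bridge_ports() {
    for p in "$SYSFS_NET/$1"/brif/*; do
        [ -e "$p" ] && basename "$p"
    done
    return 0
}

# True when $1 is named like an OpenVPN TAP device.
is_tap() {
    case "$1" in
        tap*) return 0 ;;
        *)    return 1 ;;
    esac
}

# One report line per bridge; exit status 1 if any bridge mixes a TAP
# port with the default-route (internet-facing) interface.
audit_bridges() {
    gw=$(default_route_iface)
    rc=0
    for br in $(list_bridges); do
        has_tap=0
        has_gw=0
        for port in $(bridge_ports "$br"); do
            is_tap "$port" && has_tap=1
            [ "$port" = "$gw" ] && has_gw=1
        done
        if [ "$has_tap" -eq 1 ] && [ "$has_gw" -eq 1 ]; then
            echo "RISK: bridge $br joins a TAP port with internet-facing $gw"
            rc=1
        else
            echo "ok: bridge $br"
        fi
    done
    return $rc
}

# Run the audit only when invoked as the script itself, not when sourced.
case "$0" in
    *bridge-audit.sh) audit_bridges ;;
esac
```

On the single-NIC setup described in the post the script would print a RISK line for br0, since eth0 is both the default-route interface and a bridge port; with a second NIC dedicated to the bridge (and the default route left on the first one) every bridge reports ok. A nonzero exit status makes it easy to wire into an --up script or a cron check.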