Notes -- Ethernet bridging, Windows client, Linux Server
Ethernet bridging is a powerful networking capability that allows remote systems (such as "Road Warriors") to connect over a VPN to an ethernet LAN in such a way that their system appears to be directly connected to the LAN, i.e. they have an IP address taken right from the LAN's subnet and they are able to interact with other hosts on the LAN including sending and receiving broadcasts and being able to conveniently browse and access the Windows network neighborhood.
I have tested ethernet bridging with Windows clients connecting to a Linux server. On the Linux side, basically follow the instructions in the Ethernet bridging Mini-Howto on the OpenVPN web site.
On the Linux side you must first set up ethernet bridging. Here is a configuration which I use:
#!/bin/bash
modprobe tun
modprobe bridge
openvpn --mktun --dev tap0
openvpn --mktun --dev tap1
brctl addbr br0
brctl addif br0 eth1
brctl addif br0 tap0
brctl addif br0 tap1
ifconfig tap0 0.0.0.0 promisc up
ifconfig tap1 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up
ifconfig br0 10.5.0.1 netmask 255.255.255.0 broadcast 10.5.0.255
# end of script
This script will set up ethernet bridging between eth1, tap0, and tap1. Change the br0 ifconfig to match the ifconfig that would be used for eth1 under normal, non-bridged configuration. Use as many tapX virtual adapters as you will have remote clients connecting.
In the firewall, add these entries to allow TAP devices and ethernet bridges to operate:
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
Now make an OpenVPN configuration on the server side to receive incoming connections such as:
###################################
# OpenVPN bridge config, Linux side

local [public IP address or hostname]

# IP settings
port 8888
dev tap0

# crypto config
secret key.txt

# restart control
persist-key
persist-tun
ping-timer-rem
ping-restart 60
ping 10

# compression
comp-lzo

# UID
user nobody
group nobody

# verbosity
verb 3

# end of config
###################################
For additional clients, copy the configuration above, but use a different port number, tapX unit number, and secret key.
Now on the windows client side:
############################################
# OpenVPN bridge config, windows client side

remote [public IP address or hostname of server]
port 8888
dev tap

# This is the address the client will
# "appear as" when it connects to the
# bridged LAN.
ifconfig 10.5.0.5 255.255.255.0
ifconfig-nowarn

secret key.txt
ping 10
comp-lzo
verb 3

# end of config
###################################
Now run OpenVPN on both sides with the appropriate configuration file, using the --config option.
On the Linux side, you probably want to run as a daemon, so include --daemon and --cd [dir], where dir is the directory that contains the key file.
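The steps above (bridge script, firewall rules, one server config per tapX unit, one client config per remote user) are easy to get subtly wrong once there are more than one or two clients: each client needs its own tap unit, port and secret key, and its ifconfig address must sit inside the bridged LAN's subnet without colliding with the server or another client, since a bridged client is a full LAN peer. The following is an added example, not part of these notes or of the OpenVPN project, that generalizes the single-client configuration to N clients and checks those constraints before emitting anything. The port scheme (8888 + unit), key file names (keyN.txt), output file names and the placeholder hostname vpn.example.invalid are assumptions of this example.

```python
"""Generate the bridge-up script, firewall rules and per-client OpenVPN
configs for N bridged clients, following the layout used in the notes.

Added example (not the notes' own code). Assumed conventions: client N
uses device tapN, UDP port 8888+N and key file keyN.txt; client addresses
are handed out from the bridge subnet starting at .5, skipping the server.
"""
import ipaddress
from dataclasses import dataclass

BRIDGE_SUBNET = ipaddress.ip_network("10.5.0.0/24")   # the bridged LAN's subnet
SERVER_ADDR = ipaddress.ip_address("10.5.0.1")        # address given to br0
BASE_PORT = 8888                                      # port for tap0; tapN uses BASE_PORT+N
LAN_IF = "eth1"                                       # physical LAN interface added to the bridge
SERVER_PUBLIC = "vpn.example.invalid"                 # placeholder, not a real host


@dataclass(frozen=True)
class Client:
    unit: int                     # tap unit number (tap0, tap1, ...)
    addr: ipaddress.IPv4Address   # address the client "appears as" on the LAN

    @property
    def port(self):
        return BASE_PORT + self.unit

    @property
    def key_file(self):
        return f"key{self.unit}.txt"   # each client gets its own static key


def allocate_clients(count, first_host=5):
    """Hand out one LAN address per client, never the server's own address."""
    hosts = list(BRIDGE_SUBNET.hosts())            # excludes network and broadcast
    candidates = [h for h in hosts[first_host - 1:] if h != SERVER_ADDR]
    if len(candidates) < count:
        raise ValueError(f"subnet {BRIDGE_SUBNET} too small for {count} clients")
    return [Client(i, candidates[i]) for i in range(count)]


def check_clients(clients):
    """Reject address/port collisions: a duplicate address on a bridged LAN
    breaks ARP for both peers, and a duplicate port makes one server
    instance fail to bind."""
    seen_addrs, seen_ports = set(), set()
    for c in clients:
        if c.addr not in BRIDGE_SUBNET or c.addr == SERVER_ADDR or c.addr in seen_addrs:
            raise ValueError(f"bad address for tap{c.unit}: {c.addr}")
        if c.port in seen_ports:
            raise ValueError(f"duplicate port for tap{c.unit}: {c.port}")
        seen_addrs.add(c.addr)
        seen_ports.add(c.port)
    return True


def bridge_script(clients):
    """The bridge-up script from the notes, with one tap device per client."""
    lines = ["#!/bin/bash", "modprobe tun", "modprobe bridge"]
    lines += [f"openvpn --mktun --dev tap{c.unit}" for c in clients]
    lines += ["brctl addbr br0", f"brctl addif br0 {LAN_IF}"]
    lines += [f"brctl addif br0 tap{c.unit}" for c in clients]
    lines += [f"ifconfig tap{c.unit} 0.0.0.0 promisc up" for c in clients]
    lines += [f"ifconfig {LAN_IF} 0.0.0.0 promisc up",
              f"ifconfig br0 {SERVER_ADDR} netmask {BRIDGE_SUBNET.netmask} "
              f"broadcast {BRIDGE_SUBNET.broadcast_address}"]
    return "\n".join(lines) + "\n"


def firewall_rules():
    """The three rules from the notes; 'tap+' already matches every tapN."""
    return ("iptables -A INPUT -i tap+ -j ACCEPT\n"
            "iptables -A INPUT -i br0 -j ACCEPT\n"
            "iptables -A FORWARD -i br0 -j ACCEPT\n")


def server_config(c):
    return "\n".join([
        f"# OpenVPN bridge config, Linux side, tap{c.unit}",
        f"local {SERVER_PUBLIC}", f"port {c.port}", f"dev tap{c.unit}",
        f"secret {c.key_file}",
        "persist-key", "persist-tun", "ping-timer-rem", "ping-restart 60", "ping 10",
        "comp-lzo", "user nobody", "group nobody", "verb 3",
    ]) + "\n"


def client_config(c):
    return "\n".join([
        "# OpenVPN bridge config, windows client side",
        f"remote {SERVER_PUBLIC}", f"port {c.port}", "dev tap",
        f"ifconfig {c.addr} {BRIDGE_SUBNET.netmask}", "ifconfig-nowarn",
        f"secret {c.key_file}", "ping 10", "comp-lzo", "verb 3",
    ]) + "\n"


def build(count):
    """Return {filename: contents} for a deployment with `count` clients."""
    clients = allocate_clients(count)
    check_clients(clients)
    files = {"bridge.sh": bridge_script(clients), "firewall.sh": firewall_rules()}
    files.update({f"server-tap{c.unit}.conf": server_config(c) for c in clients})
    files.update({f"client{c.unit}.ovpn": client_config(c) for c in clients})
    return files


if __name__ == "__main__":
    for name, text in build(2).items():
        print(f"==== {name}\n{text}")
```

With two clients this reproduces the tap0/tap1 bridge script from the notes and emits a server config on port 8888 for tap0 and port 8889 for tap1, with the first client appearing as 10.5.0.5 and the second as 10.5.0.6. Writing the generated key file names is left to the operator: each keyN.txt is meant to be a separate static key produced with openvpn --genkey and copied to exactly one client.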
If everything worked correctly, the Linux server or any host on its subnet should be able to ping 10.5.0.5 and reach the remote, VPN-connected client.
The Windows client should be able to ping any address on the 10.5.0.x subnet, including addresses of other remote, OpenVPN-bridged clients.
If Windows machines or Samba servers exist on the LAN bridged by the Linux server (including Samba running on the Linux server itself), the Windows client should see them in its network neighborhood, and vice versa.
Furthermore, ethernet bridging allows for the transport of all protocols which are compatible with Ethernet, including IPv6 and IPX.
Ethernet bridging is a great way to work when on the road, and I personally use it for securely connecting to home or office from WiFi Internet cafes.