Notes — Ethernet bridging, Windows client, Linux Server

Ethernet bridging is a powerful networking capability that allows remote systems (such as “Road Warriors”) to connect over a VPN to an ethernet LAN in such a way that their system appears to be directly connected to the LAN, i.e. they have an IP address taken right from the LAN’s subnet and they are able to interact with other hosts on the LAN including sending and receiving broadcasts and being able to conveniently browse and access the Windows network neighborhood.

I have tested ethernet bridging with Windows clients connecting to a Linux server. On the Linux side, basically follow the instructions in the Ethernet bridging Mini-Howto on the OpenVPN web site.

On the Linux side you must first set up ethernet bridging. Here is a configuration which I use:

    #!/bin/bash
    # Bridge the LAN interface eth1 with two TAP devices (one per remote client).

    # Load the TUN/TAP and bridging kernel modules.
    modprobe tun
    modprobe bridge

    # Create one persistent TAP device per remote client.
    openvpn --mktun --dev tap0
    openvpn --mktun --dev tap1

    # Create the bridge and attach the LAN interface and the TAP devices to it.
    brctl addbr br0
    brctl addif br0 eth1
    brctl addif br0 tap0
    brctl addif br0 tap1

    # Bring the member interfaces up without addresses; the bridge holds the IP.
    ifconfig tap0 0.0.0.0 promisc up
    ifconfig tap1 0.0.0.0 promisc up
    ifconfig eth1 0.0.0.0 promisc up

    # Give the bridge the address eth1 would normally carry.
    ifconfig br0 10.5.0.1 netmask 255.255.255.0 broadcast 10.5.0.255

    # end of script

This script will set up ethernet bridging between eth1, tap0, and tap1. Change the br0 ifconfig to match the ifconfig that would be used for eth1 under a normal, non-bridged configuration. Use as many tapX virtual adapters as you will have remote clients connecting.

In the firewall, add these entries to allow TAP devices and ethernet bridges to operate:

    iptables -A INPUT -i tap+ -j ACCEPT
    iptables -A INPUT -i br0 -j ACCEPT
    iptables -A FORWARD -i br0 -j ACCEPT

Now make an OpenVPN configuration on the server side to receive incoming connections such as:

    ###################################
    # OpenVPN bridge config, Linux side

    local [public IP address or hostname]

    # IP settings
    port 8888
    dev tap0

    # crypto config
    secret key.txt

    # restart control
    persist-key
    persist-tun
    ping-timer-rem
    ping-restart 60
    ping 10

    # compression
    comp-lzo

    # UID
    user nobody
    group nobody

    # verbosity
    verb 3

    # end of config
    ###################################

For additional clients, copy the configuration above, but use a different port number, tapX unit number, and secret key.

Now on the Windows client side:

    ############################################
    # OpenVPN bridge config, windows client side

    remote [public IP address or hostname of server]
    port 8888
    dev tap

    # This is the address the client will
    # "appear as" when it connects to the
    # bridged LAN.
    ifconfig 10.5.0.5 255.255.255.0
    ifconfig-nowarn

    secret key.txt
    ping 10
    comp-lzo
    verb 3

    # end of config
    ###################################

Now run OpenVPN on both sides with the appropriate configuration file, using the --config option.

On the Linux side, you probably want to run as a daemon, so include --daemon and --cd [dir], where dir is the directory that contains the key file.
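The steps above (bridge start-up script, one server config per remote client on its own tapX, port and static key, and the matching Windows client config) are repetitive enough that copying by hand is where mistakes creep in. The script below is an added example, not code from the OpenVPN notes page: it generates those files for any number of clients and checks a directory of server configs for two configs that still share a port, tap unit or key file. The hostname vpn.example.com, the key file names key0.txt, key1.txt, ..., and the scheme "client N gets port 8888+N, tapN and bridge address 10.5.0.(5+N)" are assumptions chosen to match the page's single-client values, not anything the page prescribes.

```shell
#!/bin/bash
# Added example (not from the OpenVPN notes page): generate the bridge
# start-up script plus one server/client config pair per remote client,
# and check a config directory for copy-paste collisions.
# Assumptions (constructed): server hostname vpn.example.com, keys named
# keyN.txt, client N uses port 8888+N, tapN and bridge address 10.5.0.(5+N).

set -eu

# Emit the bridge start-up commands for COUNT tap devices; this generalises
# the page's two-tap script. Args: count, LAN interface, bridge IP, netmask, broadcast.
bridge_script() {
    local count=$1 lan=$2 addr=$3 mask=$4 bcast=$5 i=0
    echo "#!/bin/bash"
    echo "modprobe tun"
    echo "modprobe bridge"
    echo "brctl addbr br0"
    echo "brctl addif br0 $lan"
    while [ "$i" -lt "$count" ]; do
        echo "openvpn --mktun --dev tap$i"
        echo "brctl addif br0 tap$i"
        echo "ifconfig tap$i 0.0.0.0 promisc up"
        i=$((i + 1))
    done
    echo "ifconfig $lan 0.0.0.0 promisc up"
    echo "ifconfig br0 $addr netmask $mask broadcast $bcast"
}

# Emit the server-side config for client N. Only port, tap unit and key file
# differ between clients; the rest matches the page's tap0 config.
# (The page uses "group nobody"; Debian-based systems name that group "nogroup".)
server_config() {
    local n=$1 base_port=$2 host=$3
    cat <<EOF
# OpenVPN bridge config, Linux side, client $n
local $host
port $((base_port + n))
dev tap$n
secret key$n.txt
persist-key
persist-tun
ping-timer-rem
ping-restart 60
ping 10
comp-lzo
user nobody
group nobody
verb 3
EOF
}

# Emit the Windows client config for client N; the ifconfig address is the
# one the client "appears as" on the bridged LAN.
client_config() {
    local n=$1 base_port=$2 host=$3
    cat <<EOF
# OpenVPN bridge config, Windows client side, client $n
remote $host
port $((base_port + n))
dev tap
ifconfig 10.5.0.$((5 + n)) 255.255.255.0
ifconfig-nowarn
secret key$n.txt
ping 10
comp-lzo
verb 3
EOF
}

# Fail (return 1) if two server configs in DIR share a port, tap unit or key
# file: the three settings that must change when a config is copied.
check_unique() {
    local dir=$1 field dup
    for field in port dev secret; do
        dup=$(grep -h "^$field " "$dir"/*.conf | sort | uniq -d)
        if [ -n "$dup" ]; then
            echo "duplicate $field setting: $dup" >&2
            return 1
        fi
    done
    return 0
}

# Stand-alone usage: "./gen.sh --generate 3" writes bridge-start.sh and the
# config pairs for clients 0..2 into the current directory.
if [ "${1:-}" = "--generate" ]; then
    bridge_script "$2" eth1 10.5.0.1 255.255.255.0 10.5.0.255 > bridge-start.sh
    i=0
    while [ "$i" -lt "$2" ]; do
        server_config "$i" 8888 vpn.example.com > "server-client$i.conf"
        client_config "$i" 8888 vpn.example.com > "client$i.conf"
        i=$((i + 1))
    done
    check_unique .
fi
```

Running check_unique over the directory before starting the daemons catches the case where a second config was copied but only the port was changed; OpenVPN would otherwise fail to bind the same tap unit twice, or two clients would silently be expected to share one static key.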

If everything worked correctly, the Linux server or any host on its subnet should be able to ping 10.5.0.5 and see the remote VPN connected client.

The Windows client should be able to ping any address on the 10.5.0.x subnet, including addresses of other remote, OpenVPN-bridged clients.

If Windows machines or Samba servers exist on the LAN bridged by the Linux server (including Samba running on the Linux server itself), the Windows client should see them in its network neighborhood, and vice versa.

Furthermore, ethernet bridging allows for the transport of all protocols which are compatible with Ethernet, including IPv6 and IPX.

Ethernet bridging is a great way to work when on the road, and I personally use it for securely connecting to home or office from WiFi Internet cafes.