Notes -- Ethernet bridging, Windows client, Linux Server
Ethernet bridging is a powerful networking capability that allows remote systems (such as "Road Warriors") to connect over a VPN to an ethernet LAN in such a way that their system appears to be directly connected to the LAN, i.e. they have an IP address taken right from the LAN's subnet and they are able to interact with other hosts on the LAN including sending and receiving broadcasts and being able to conveniently browse and access the Windows network neighborhood.
I have tested ethernet bridging with Windows clients connecting to a Linux server. On the linux side, basically follow the instructions in the Ethernet bridging Mini-Howto on the OpenVPN web site.
On the Linux side you must first set up ethernet bridging. Here is a configuration which I use:
#!/bin/bash
modprobe tun
modprobe bridge
openvpn --mktun --dev tap0
openvpn --mktun --dev tap1
brctl addbr br0
brctl addif br0 eth1
brctl addif br0 tap0
brctl addif br0 tap1
ifconfig tap0 0.0.0.0 promisc up
ifconfig tap1 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up
ifconfig br0 10.5.0.1 netmask 255.255.255.0 broadcast 10.5.0.255
# end of script
This script will set up ethernet bridging between eth1, tap0, and tap1. Change the br0 ifconfig to match the ifconfig that would be used for eth1 under normal, non-bridged configuration. Use as many tapX virtual adapters as you will have remote clients connecting.
In the firewall, add these entries to allow TAP devices and ethernet bridges to operate:
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
Now make an OpenVPN configuration on the server side to receive incoming connections such as:
###################################
# OpenVPN bridge config, Linux side
local [public IP address or hostname]
# IP settings
port 8888
dev tap0
# crypto config
secret key.txt
# restart control
persist-key
persist-tun
ping-timer-rem
ping-restart 60
ping 10
# compression
comp-lzo
# UID
user nobody
group nobody
# verbosity
verb 3
# end of config
###################################
For additional clients, copy the configuration above, but use a different port number, tapX unit number, and secret key.
Now on the windows client side:
############################################
# OpenVPN bridge config, windows client side
remote [public IP address or hostname of server]
port 8888
dev tap
# This is the address the client will
# "appear as" when it connects to the
# bridged LAN.
ifconfig 10.5.0.5 255.255.255.0
ifconfig-nowarn
secret key.txt
ping 10
comp-lzo
verb 3
# end of config
###################################
Now run OpenVPN on both sides with the appropriate configuration file, using the --config option.
On the Linux side, you probably want to run as a daemon, so include --daemon and --cd [dir], where dir is the directory that contains the key file.
If everything worked correctly, the Linux server or any host on its subnet should be able to ping 10.5.0.5 and see the remote VPN connected client.
The Windows client should be able to ping any address on the 10.5.0.x subnet, including addresses of other remote, OpenVPN-bridged clients.
If Windows machines or Samba servers exist on the LAN bridged by the Linux server (including Samba running on the Linux server itself), the Windows client should see them in its network neighborhood, and vice versa.
Furthermore, ethernet bridging allows for the transport of all protocols which are compatible with Ethernet, including IPv6 and IPX.
Ethernet bridging is a great way to work when on the road, and I personally use it for securely connecting to home or office from WiFi Internet cafes.