Site-to-site VPN with OpenVPN in bridge mode (Ionel Mocanu)

Site-to-site VPN with OpenVPN in bridge mode

OpenVPN supports two different ways of interconnecting sites: routing and bridging.

A bridge under OpenVPN combines a physical interface with a virtual TAP interface. This makes it possible to join two LANs at different sites that use the same subnet: from the hosts' point of view they sit on a single Ethernet segment. The price is that every broadcast and multicast frame (ARP, NetBIOS, DHCP and so on) crosses the tunnel, and any host at one site can reach any host at the other at layer 2; when the sites only need IP connectivity between different subnets, routing mode (dev tun) is the lighter and more contained choice.

What follows is a site-to-site VPN between two Ubuntu 10.04 servers, using OpenVPN in bridge mode.

On both servers, install openvpn together with the bridge-utils package, which provides the brctl tool used to build the bridge:

root@EAST:~# apt-get install openvpn bridge-utils

The interface the local network is attached to, eth2, becomes a member of the bridge and carries no IP address of its own; the site's address lives on the bridge interface br0. The network interface configuration file, /etc/network/interfaces, is edited as follows:

– for EAST:

auto lo
iface lo inet loopback
auto eth1
iface eth1 inet static
address 10.0.8.10
netmask 255.255.255.252
network 10.0.8.8
broadcast 10.0.8.11
gateway 10.0.8.9
dns-nameserver 8.8.8.8
auto br0
iface br0 inet static
address 172.16.40.25
netmask 255.255.255.248
network 172.16.40.24
broadcast 172.16.40.31
pre-up ifconfig eth2 down
pre-up brctl addbr br0
pre-up brctl addif br0 eth2
pre-up ifconfig eth2 0.0.0.0
post-down ifconfig eth2 down
post-down ifconfig br0 down
post-down brctl delif br0 eth2
post-down brctl delbr br0

– for WEST:

auto lo
iface lo inet loopback
auto eth1
iface eth1 inet static
address 10.6.17.254
netmask 255.255.255.252
network 10.6.17.252
broadcast 10.6.17.255
gateway 10.6.17.253
dns-nameserver 8.8.8.8
auto br0
iface br0 inet static
address 172.16.40.30
netmask 255.255.255.248
network 172.16.40.24
broadcast 172.16.40.31
pre-up ifconfig eth2 down
pre-up brctl addbr br0
pre-up brctl addif br0 eth2
pre-up ifconfig eth2 0.0.0.0
post-down ifconfig eth2 down
post-down ifconfig br0 down
post-down brctl delif br0 eth2
post-down brctl delbr br0

OpenVPN's configuration files live in /etc/openvpn. The file can have any name, but it must end in .conf (the Ubuntu init script starts one OpenVPN instance per .conf file found there). The configuration file used here is /etc/openvpn/bridge.conf. OpenVPN can run a script when the tunnel comes up and another when it goes down. To add the virtual TAP interface to the bridge when the VPN is brought up, create a file up.sh in /etc/openvpn on both servers with the following content:

#!/bin/sh
# Run by OpenVPN once the TAP device exists: make it a port of the bridge.
BR=br0
DEV=tap0
# Bring tap0 up in promiscuous mode so the bridge sees every frame on it
/sbin/ifconfig $DEV promisc up
# Enslave tap0 to br0
/usr/sbin/brctl addif $BR $DEV

Similarly, to remove the TAP interface from the bridge when the VPN stops, create a file down.sh in /etc/openvpn. Both scripts must be executable (chmod 755 /etc/openvpn/up.sh /etc/openvpn/down.sh), and OpenVPN 2.1 and later only run user-defined scripts when the configuration allows it with script-security 2; if the log complains that an external program may not be called, add that directive to bridge.conf.

#!/bin/sh
# Run by OpenVPN when the tunnel goes down: detach the TAP device from the bridge.
BR=br0
DEV=tap0
/usr/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down

The pre-shared (static) key is generated on one server and then copied to the other over a secure channel, for instance scp over SSH. It must be readable only by root (mode 0600): in static-key mode the traffic keys are taken directly from this file, so anyone who obtains it can both join the tunnel and decrypt captured traffic, past or future, since there is no forward secrecy.

root@EAST:/etc/openvpn# openvpn --genkey --secret bridge.key

The configuration file /etc/openvpn/bridge.conf looks like this:

– for EAST

dev tap0
remote 10.6.17.254
up "/etc/openvpn/up.sh"
down "/etc/openvpn/down.sh"
secret /etc/openvpn/bridge.key
daemon
lport 10000
rport 20000
user nobody
group nogroup
persist-key
persist-tun
chroot chroot
status /var/log/openvpn/bridge-status.log
log-append /var/log/openvpn/bridge.log
ping-restart 60
ping 20

– for WEST

dev tap0
remote 10.0.8.10
up "/etc/openvpn/up.sh"
down "/etc/openvpn/down.sh"
secret /etc/openvpn/bridge.key
daemon
lport 20000
rport 10000
user nobody
group nogroup
persist-key
persist-tun
chroot chroot
status /var/log/openvpn/bridge-status.log
log-append /var/log/openvpn/bridge.log
ping-restart 60
ping 20

A few notes on the directives. remote is the peer's eth1 address. lport and rport are mirrored between the two files (EAST listens on UDP 10000 and sends to WEST's 20000, and vice versa), and those ports must be allowed through any firewall between the two eth1 addresses. secret names the shared static key. user and group drop OpenVPN's privileges to nobody after initialization, and persist-key and persist-tun let it keep the key and the TAP device across restarts without needing root again. chroot chroot confines the process to the directory chroot relative to the working directory, which is /etc/openvpn when started by the init script, so /etc/openvpn/chroot must exist on both servers, as must the log directory /var/log/openvpn. ping 20 and ping-restart 60 send a keepalive every 20 seconds and restart the tunnel after 60 seconds of silence. One consequence of the privilege drop and the chroot is that down.sh runs as nobody inside the chroot, where neither the script nor brctl is reachable, so it fails; in practice this is harmless, because when OpenVPN closes the non-persistent tap0 the kernel destroys the device and removes it from br0 on its own.

Bring the VPN up on both servers with /etc/init.d/openvpn start.
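As an added example (not code from the page, nor from OpenVPN), the POSIX shell script below performs the checks a practitioner would run before bringing such a pair up: that the two bridge.conf files mirror each other (each side's lport is the other's rport, both use a TAP device, both name a remote and a secret), that the static key is root-only and complete in the format written by openvpn --genkey --secret, and that the combination of user/group, chroot and a down script is flagged. The file names (east.conf, west.conf, west-wrong.conf, leaky.key) and the idea of running it on an admin host holding copies of both configurations are assumptions; the sample configurations and the key file are constructed inline, the key body being random filler that must never be deployed.

```shell
#!/bin/sh
# Added example, not part of the original page: pre-flight checks for a
# static-key OpenVPN bridge pair such as the EAST/WEST configs above.
# Assumes copies of both bridge.conf files and of bridge.key are readable
# where this runs (e.g. an admin host); all file names here are hypothetical.

# cfg_get FILE DIRECTIVE: print the first value given to DIRECTIVE in FILE.
cfg_get() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_peer_mirror A.conf B.conf: a point-to-point static-key tunnel only
# comes up when each side's lport is the other side's rport, both sides use
# a TAP device (bridging) and both name a remote and a secret.
# Prints "ok", or the first problem found (exit status 1).
check_peer_mirror() {
    a=$1; b=$2
    [ "$(cfg_get "$a" lport)" = "$(cfg_get "$b" rport)" ] \
        || { echo "lport of $a is not the rport of $b"; return 1; }
    [ "$(cfg_get "$b" lport)" = "$(cfg_get "$a" rport)" ] \
        || { echo "lport of $b is not the rport of $a"; return 1; }
    for f in "$a" "$b"; do
        case "$(cfg_get "$f" dev)" in
            tap*) ;;
            *) echo "$f: dev must be a tap device for bridging"; return 1 ;;
        esac
        [ -n "$(cfg_get "$f" remote)" ] || { echo "$f: no remote"; return 1; }
        [ -n "$(cfg_get "$f" secret)" ] || { echo "$f: no secret"; return 1; }
    done
    echo ok
}

# check_static_key FILE: the static key authenticates the peer and also
# yields the traffic keys, so it must be root-only (0600) and complete:
# 'openvpn --genkey --secret' writes 2048 bits as 16 lines of 32 hex digits
# between BEGIN/END markers.
check_static_key() {
    f=$1
    [ -f "$f" ] || { echo "missing key file $f"; return 1; }
    # columns 5-10 of 'ls -l' are the group/other permission bits
    case "$(ls -ld "$f" | cut -c5-10)" in
        ------) ;;
        *) echo "$f is readable by group/other; chmod 600 it"; return 1 ;;
    esac
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$f" \
        || { echo "$f: not an OpenVPN static key"; return 1; }
    n=$(sed -n '/^-----BEGIN/,/^-----END/p' "$f" | grep -c '^[0-9a-f]\{32\}$' || true)
    [ "$n" -eq 16 ] || { echo "$f: expected 16 hex lines, found $n"; return 1; }
    echo ok
}

# warn_down_in_chroot FILE: with user/group and chroot set, OpenVPN runs the
# down script after dropping privileges and inside the chroot, where neither
# the script nor brctl exists. Prints a warning line, or "ok".
warn_down_in_chroot() {
    f=$1
    if [ -n "$(cfg_get "$f" chroot)" ] && [ -n "$(cfg_get "$f" down)" ] \
        && [ -n "$(cfg_get "$f" user)" ]; then
        echo "warning: $f: down script will run as $(cfg_get "$f" user) inside the chroot"
    else
        echo ok
    fi
}

# write_conf FILE REMOTE LPORT RPORT: constructed config in the page's layout.
write_conf() {
    printf 'dev tap0\nremote %s\nup "/etc/openvpn/up.sh"\ndown "/etc/openvpn/down.sh"\n' "$2" > "$1"
    printf 'secret /etc/openvpn/bridge.key\nlport %s\nrport %s\n' "$3" "$4" >> "$1"
    printf 'user nobody\ngroup nogroup\npersist-key\npersist-tun\nchroot chroot\n' >> "$1"
}

# make_demo_dir: constructed sample files in a temp dir; prints the dir.
# The key body is random filler in the right format, not a key to deploy.
make_demo_dir() {
    d=$(mktemp -d)
    write_conf "$d/east.conf" 10.6.17.254 10000 20000
    write_conf "$d/west.conf" 10.0.8.10 20000 10000
    write_conf "$d/west-wrong.conf" 10.0.8.10 20000 20000   # rport not mirrored
    {
        printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' \
            '-----BEGIN OpenVPN Static key V1-----'
        i=0
        while [ "$i" -lt 16 ]; do
            od -An -tx1 -N16 /dev/urandom | tr -d ' \n'; echo
            i=$((i + 1))
        done
        printf '%s\n' '-----END OpenVPN Static key V1-----'
    } > "$d/bridge.key"
    chmod 600 "$d/bridge.key"
    cp "$d/bridge.key" "$d/leaky.key" && chmod 644 "$d/leaky.key"
    echo "$d"
}

DEMO_DIR=$(make_demo_dir)
echo "east/west mirror : $(check_peer_mirror "$DEMO_DIR/east.conf" "$DEMO_DIR/west.conf")"
echo "east/west-wrong  : $(check_peer_mirror "$DEMO_DIR/east.conf" "$DEMO_DIR/west-wrong.conf")"
echo "bridge.key       : $(check_static_key "$DEMO_DIR/bridge.key")"
echo "leaky.key        : $(check_static_key "$DEMO_DIR/leaky.key")"
echo "east down/chroot : $(warn_down_in_chroot "$DEMO_DIR/east.conf")"
```

Run as is to see the five results on the constructed files; in a real deployment point check_peer_mirror at copies of the two configuration files and run check_static_key against /etc/openvpn/bridge.key on each server. The permission check deliberately reads the group/other bits from ls -l rather than a stat flag so it behaves the same on GNU and BSD userlands.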

If station XP1 (172.16.40.27) pings XP3 and XP4 (172.16.40.28 and 172.16.40.29, at the other site), XP1's ARP table fills with their MAC addresses, which shows that ARP requests and replies are crossing the tunnel and the two LANs now behave as one layer-2 segment:
C:\Documents and Settings\ionel2>ping 172.16.40.28 -n 1
Pinging 172.16.40.28 with 32 bytes of data:
Reply from 172.16.40.28: bytes=32 time=2ms TTL=64
Ping statistics for 172.16.40.28:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 2ms, Average = 2ms
C:\Documents and Settings\ionel2>ping 172.16.40.29 -n 1
Pinging 172.16.40.29 with 32 bytes of data:
Reply from 172.16.40.29: bytes=32 time=5ms TTL=128
Ping statistics for 172.16.40.29:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 5ms, Maximum = 5ms, Average = 5ms
C:\Documents and Settings\ionel2>arp -a
Interface: 172.16.40.27 --- 0x2
  Internet Address      Physical Address      Type
  172.16.40.28          00-00-27-c4-3f-0c     dynamic
  172.16.40.29          00-00-27-0f-4d-9e     dynamic
