OpenVPN_Layer_2_Server.md 3.3 KB

OpenVPN Layer 2 Server

Introduction

Librecmc can operate as an OpenVPN server. OpenVPN technology connects two networks via an encrypted tunnel. With proper server, network, and client configuration, OpenVPN allows a client outside of your LAN to see the LAN as though it were physically connected to the LAN.

OpenVPN can run in layer 2 or layer 3 mode. In layer 3 mode, the remote client sees your LAN as though it is on the other side of an IP router. In layer 2 mode, the remote client sees your LAN as though they are both on the same Data Link segment (e.g., the same Ethernet link). Layer 3 mode is easier to set up, but layer 2 mode is sometimes desired to give clients a more direct exposure to services on the LAN.

Warnings

This information is provided for educational purposes only and is not meant to be a guide to best network security practices. Readers are advised to study all relevant OpenVPN and network security documentation.

Required LibreCMC packages

  • openvpn-openssl
  • openvpn-easy-rsa
  • luci-app-openvpn

Interface Setup

In LuCi, select Network >> Interfaces and then Add New Interface.

  • Set Name of the new interface to myvpn or anything else you would like.
  • Set Protocol of the new interface to unmanaged.
  • Set Cover the following interface to Custom Interface: vpn0.
  • In my current working system, the firewall-zone for the interface is set to lan, but I don't think that really matters in this case.

In my working configuration, I added tap0 into the LAN bridge interface, and deleted the WAN interface. However, my vpn server is a separate unit on my network, intended to operate in "bridge mode", where if you server is your gateway router, a different configuration might be necessary.

Certificate and Key Setup Instructions

cd /etc/easy-rsa
source vars
clean-all
build-ca
build-dh
build-key-server myvpn
openvpn --genkey --secret /etc/easy-rsa/keys/ta.key
mkdir -m 700 /etc/openvpn/keys
mv ca.crt myvpn.crt myvpn.key dh2018.pem /etc/openvpn/keys

N.B.: Using easy-rsa is a straightforward approach, but it may be possible to produce more secure certificates using openssl directly.

Server configuration

For the server bridge option: The first two parameters are the ip and netmask of the gateway on the bridged subnet. The next two parameters indicate the pool-start-IP and pool-end-IP, which is the part of your IP address pool that you have reserved just for VPN clients. You must to make sure that the DHCP server for your LAN is not leasing out those IP addresses to local (non-vpn) clients.

/etc/config/openvpn

config openvpn 'myvpn'
	option enabled '1'
	option dev 'tap0'
	option port '1194'
	option proto 'udp'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option group 'nogroup'
	option ca '/etc/openvpn/keys/ca.crt'
	option cert '/etc/openvpn/keys/myvpn.crt'
	option key '/etc/openvpn/keys/myvpn.key'
	option dh '/etc/openvpn/keys/dh2048.pem'
	option tls_server '1'
	option tls_auth '/etc/openvpn/keys/ta.key 0'
	option server_bridge '10.0.0.1 255.255.255.0 10.0.0.201 10.0.0.220'
	option client_to_client '1'
	list push 'persist-key'
	list push 'persist-tun'
	list push 'redirect-gateway def1'
	list push 'route 10.0.0.0 255.255.255.0'
	list push 'dhcp-option DNS 10.0.0.1'
	option mute '15'
	option verb '3'

Client setup information

TODO