| | 1 | = Introduction = |
| | 2 | |
| | 3 | For a brief introduction on bridging and routing, look at these links: |
| | 4 | |
| | 5 | * [http://openvpn.net/index.php/open-source/documentation/howto.html#vpntype Determining whether to use a routed or bridged VPN] (in OpenVPN HOWTO) |
| | 6 | * [http://openvpn.net/index.php/open-source/faq/75-general/311-what-are-the-fundamental-differences-between-bridging-and-routing-in-terms-of-configuration.html What are the fundamental differences between bridging and routing in terms of configuration?] (in OpenVPN FAQ) |
| | 7 | |
| | 8 | '''NOTE:''' The remaining sections are mostly based on [http://thread.gmane.org/gmane.network.openvpn.user/32935/ this email for dazo]. |
| | 9 | |
| | 10 | = Bridging vs. routing = |
| | 11 | |
| | 12 | Bridging looks easier than at first glance, but it brings a completely different can of worms. First of all, there are no shortcuts in making networking easier except learning how to do it properly. Basically you want TAP devices if: |
| | 13 | |
| | 14 | * You want to transport non-IP based traffic, or IPv6 traffic on OpenVPN 2.2 or older releases |
| | 15 | * You want to bridge |
| | 16 | |
| | 17 | You want bridging if: |
| | 18 | |
| | 19 | * You want your LAN and VPN clients to be in the same broadcast domain |
| | 20 | * You want your LAN DHCP server to provide DHCP addresses to your VPN client |
| | 21 | * You have Windows server(s) you want to access and require network neighbourhood discovery to work via VPN *and* WINS is not an option to implement |
| | 22 | |
| | 23 | It might be a few more reasons, but these are the most typical ones. And as you see, TAP is a requirement for bridging. Now lets see benefits and |
| | 24 | drawbacks of TAP vs TUN. |
| | 25 | |
| | 26 | TAP benefits: |
| | 27 | |
| | 28 | * behaves like a real network card |
| | 29 | * can transport any network protocols (IPv4, IPv6, Netalk, IPX, etc, etc) |
| | 30 | |
| | 31 | TAP drawbacks |
| | 32 | |
| | 33 | * causes much more broadcast overhead on the VPN tunnel |
| | 34 | * adds the overhead of Ethernet headers on all packets transported over the VPN tunnel |
| | 35 | * Can be used in bridges |
| | 36 | |
| | 37 | TUN benefits: |
| | 38 | * A lower traffic overhead, transports only traffic which is destined for the VPN client |
| | 39 | |
| | 40 | TUN drawbacks: |
| | 41 | |
| | 42 | * Broadcast traffic is not normally transported |
| | 43 | * Can only support IPv4 (OpenVPN 2.3 will add IPv6) |
| | 44 | * '''Cannot''' be used in bridges |
| | 45 | |
| | 46 | In both setups, basic network knowledge is a must. You need to be able to understand basic routing and firewalling, no matter which one use setup. But using bridges, you also need to know how bridges work and how this changes firewalling in addition. |
| | 47 | |
| | 48 | = Using routing = |
| | 49 | |
| | 50 | {{{ |
| | 51 | <disclaimer> |
| | 52 | NONE OF THIS IS TESTED. But this is the basic theory behind it. |
| | 53 | It might be syntax errors here, or other stupid mistakes. |
| | 54 | </disclaimer> |
| | 55 | }}} |
| | 56 | |
| | 57 | Say you have a pretty standard network with a single firewall: |
| | 58 | |
| | 59 | {{{ |
| | 60 | {INTERNET}-----[FIREWALL/OpenVPN server]-----<Internal network> |
| | 61 | }}} |
| | 62 | |
| | 63 | To set up a TUN setup with routing and masquerading for the VPN subnet, one approach could be something like this. Say your VPN is 10.8.0.0/24, your "Internet interface" is configured as eth1 and your internal LAN (say, 192.168.0.0/24) is eth0 ... then the firewall rules would be something like: |
| | 64 | |
| | 65 | {{{ |
| | 66 | # Allow VPN to access LAN |
| | 67 | iptables -I FORWARD -i tun0 -o eth0 \ |
| | 68 | -s 10.8.0.0/24 -d 192.168.0.0/24 \ |
| | 69 | -m conntrack --ctstate NEW -j ACCEPT |
| | 70 | |
| | 71 | # Allow VPN to access "the world" |
| | 72 | iptables -I FORWARD -i tun0 -o eth1 \ |
| | 73 | -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT |
| | 74 | |
| | 75 | # Allow LAN to "the world" |
| | 76 | iptables -I FORWARD -i eth0 -o eth1 \ |
| | 77 | -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT |
| | 78 | |
| | 79 | # Allow established traffic to pass back and forth |
| | 80 | iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \ |
| | 81 | -j ACCEPT |
| | 82 | |
| | 83 | # Masquerade traffic from VPN to "the world" |
| | 84 | iptables -t nat -I POSTROUTING -o eth1 \ |
| | 85 | -s 10.8.0.0/24 -j MASQUERADE |
| | 86 | |
| | 87 | # Masquerade traffic from LAN to "the world" |
| | 88 | iptables -t nat -I POSTROUTING -o eth1 \ |
| | 89 | -s 192.168.0.0/24 -j MASQUERADE |
| | 90 | |
| | 91 | }}} |
| | 92 | |
| | 93 | You need in the openvpn server config these lines: |
| | 94 | |
| | 95 | {{{ |
| | 96 | dev tun |
| | 97 | topology subnet |
| | 98 | server 10.8.0.0 255.255.255.0 |
| | 99 | push "route 192.168.0.0 255.255.255.0" |
| | 100 | }}} |
| | 101 | |
| | 102 | (this is not a complete configuration file, but it should cover the network part of the configuration) |
| | 103 | |
| | 104 | This will provide the needed route for all VPN clients to the internal LAN. If you want to all your VPN clients to send all the internet |
| | 105 | traffic via the VPN as well (so it looks like they sit behind the LAN when surfing the net), you need this line in addition: |
| | 106 | |
| | 107 | {{{ |
| | 108 | push "redirect-gateway def1" |
| | 109 | }}} |
| | 110 | |
| | 111 | And that's basically it. Not much more extra trickery. Routing setups are often much easier than people generally believe. The firewall is generally a bit more tricky, but bridging doesn't make that easier. |
| | 112 | |
| | 113 | If others see obvious mistakes, typos, or there are important details which are missing, please correct my errors. |
