Changes between Initial Version and Version 1 of BridgingOverview


Ignore:
Timestamp:
07/24/14 13:20:17 (4 years ago)
Author:
samuli
Comment:

Migrated contents from http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html

Legend:

Unmodified
Added
Removed
Modified
  • BridgingOverview

    v1 v1  
     1[[TOC(inline, depth=1)]]
     2
     3= Bridging Overview =
     4
     5In addition this article have a look at these:
     6
     7* [wiki:BridgingAndRouting Bridging and routing]
     8* [wiki:307-what-is-bridging FAQ: What is bridging?]
     9* [wiki:309-what-is-the-difference-between-bridging-and-routing FAQ: What is the difference between bridging and routing?]
     10
     11Ethernet bridging essentially involves combining an ethernet interface with one or more virtual TAP interfaces and bridging them together under the umbrella of a single bridge interface. Ethernet bridges represent the software analog to a physical ethernet switch. The ethernet bridge can be thought of as a kind of software switch which can be used to connect multiple ethernet interfaces (either physical or virtual) on a single machine while sharing a single IP subnet.
     12
     13By bridging a physical ethernet NIC with an OpenVPN-driven TAP interface at two separate locations, it is possible to logically merge both ethernet networks, as if they were a single ethernet subnet.
     14
     15= Bridging Setup =
     16
     17This example will guide you in configuring an OpenVPN server-side ethernet bridge. Multiple clients will be able to connect to the bridge, and each client's TAP interface will be assigned an IP address that is part of the server's LAN.
     18
     19There are two methods for handling client IP address allocation:
     20
     21 * Let OpenVPN manage its own client IP address pool using the server-bridge directive, or
     22 * configure the DHCP server on the LAN to also grant IP address leases to VPN clients.
     23
     24In this example, we will use the first method where the OpenVPN server manages its own IP address pool on the LAN subnet, separate from the pool used by the DHCP server (if one exists). Both methods are described more fully in this FAQ item.
     25
     26For our example, we will use these bridge settings:
     27
     28||'''Setting'''||'''bridge-start parameter'''||'''Value'''||
     29||Ethernet Interface||eth||eth0||
     30||Local IP Address||ip||192.168.8.4||
     31||Local Netmask||eth_netmask||255.255.255.0||
     32||Local Broadcast Address||eth_broadcast||192.168.8.255||
     33||VPN client address pool||-||192.168.8.128 to 192.168.8.254||
     34||Virtual Bridge Interface||br||br0||
     35||Virtual TAP Interface||tap||tap0||
     36
     37The first step is to follow the [wiki:HOWTO HOWTO] up to the "Starting up the VPN and testing for initial connectivity" section. Next, proceed below according to whether you are setting up the bridge on Linux or Windows.
     38
     39= Bridge Server on Linux =
     40
     41First, make sure you have the bridge-utils package installed.
     42
     43Edit the bridge-start script below. Set the br, tap, eth, eth_ip, eth_netmask, and eth_broadcast parameters according to the physical ethernet interface you would like to bridge. Make sure to use an interface which is private and which is connected to a LAN which is protected from the internet by a firewall. You can use the Linux ifconfig command to get the necessary information about your network interfaces to fill in the bridge-start parameters.
     44
     45Now run the bridge-start script. It will create a persistent tap0 interface and bridge it with the active ethernet interface.
     46
     47Next, we will edit the OpenVPN server configuration file to enable a bridging configuration.
     48
     49Comment out the line which says dev tun and replace it instead with:
     50{{{
     51dev tap0
     52}}}
     53Comment out the line that begins with server and replace it with:
     54{{{
     55server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254
     56}}}
     57Now set up the Linux firewall to permit packets to flow freely over the newly created tap0 and br0 interfaces:
     58{{{
     59iptables -A INPUT -i tap0 -j ACCEPT
     60iptables -A INPUT -i br0 -j ACCEPT
     61iptables -A FORWARD -i br0 -j ACCEPT
     62}}}
     63The OpenVPN bridge can now be started and stopped using this sequence:
     64
     65* run bridge-start
     66* run openvpn
     67* stop openvpn
     68* run bridge-stop
     69
     70At this point, the bridging-specific aspects of the configuration are complete, and you can continue where you left off in the [wiki:HOWTO HOWTO].
     71
     72= Bridge Server on Windows XP =
     73
     74This configuration requires Windows XP or higher on the bridge side. To my knowledge, Windows 2000 does not support bridging, however a Windows 2000 machine can be a client on a bridged network, where the other end of the OpenVPN connection where the bridging is occurring is a Linux or Windows XP machine.
     75
     76When OpenVPN is installed on Windows, it automatically creates a single TAP-Win32 adapter which will be assigned a name like "Local Area Connection 2". Go to the Network Connections control panel and rename it to "tap-bridge".
     77
     78Next select tap-bridge and your ethernet adapter with the mouse, right click, and select Bridge Connections. This will create a new bridge adapter icon in the control panel.
     79
     80Set the TCP/IP properties on the bridge adapter to an IP of 192.168.8.4 and a subnet mask of 255.255.255.0.
     81
     82Next, edit the OpenVPN server configuration file to enable a bridging configuration.
     83
     84Comment out the line which says dev tun and replace it instead with:
     85{{{
     86dev tap
     87dev-node tap-bridge
     88}}}
     89Comment out the line that begins with server and replace it with:
     90{{{
     91server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254
     92}}}
     93If you are running XP SP2, go to the firewall control panel, and disable firewall filtering on the bridge and TAP adapters.
     94
     95At this point, the bridging-specific aspects of the configuration are complete, and you can continue where you left off in the [wiki:HOWTO HOWTO].
     96
     97= Bridge Client configuration =
     98
     99Use the sample OpenVPN client configuration as a starting point. Comment out the line which says dev tun and replace it instead with:
     100{{{
     101dev tap
     102}}}
     103Finally, ensure that the client configuration file is consistent with the directives used in the server configuration. The major thing to check for is that the proto (udp or tcp) directives are consistent. Also make sure that comp-lzo and fragment, if used, are present in both client and server config files.
     104
     105= Ethernet Bridging Notes =
     106
     107When using an ethernet bridging configuration, the first step is to construct the ethernet bridge -- a kind of virtual network interface which is a container for other ethernet interfaces, either real as in physical NICs or virtual as in TAP interfaces. The ethernet bridge interface must be set up before OpenVPN is actually started.
     108
     109There is no portable method for generating an ethernet bridge interface -- each OS has its own method (see below for examples).
     110
     111Once the bridge interface has been created, and appropriate ethernet interfaces have been added to it, OpenVPN may be started.
     112
     113 * A bridge interface is a kind of virtual network interface which is formed by combining one or more ethernet interfaces, each of which may be a physical NIC or a virtual TAP interface used for VPN tunneling.
     114 * When you set up an ethernet bridge, you should manually set the IP address and subnet of the bridge interface and not use an ifconfig directive in the OpenVPN config. This is because unlike a TUN/TAP interface, OpenVPN cannot programmatically set the IP address and netmask of a bridge interface.
     115 * The OpenVPN config should specify the TAP interface component of the bridge interface in its dev directive, not the name of the bridge interface itself.
     116 * On Windows, use the dev-node directive to name the TAP-Win32 adapter which was added to the bridge (the dev-node name refers to the adapter name as shown in the Network Connections panel).
     117 * On Linux/BSD/Unix, for the dev tap directive, use the explicit TUN/TAP unit number which you added to the bridge such as dev tap0.
     118 * If you are running OpenVPN in point-to-point mode, omit an ifconfig directive, and if you are using client/server mode, use the server-bridge directive on the server.
     119 * When bridging, you must manually set the TCP/IP settings on the bridge interface. For example on Linux, this can be done with an ifconfig command while on Windows XP it can be done by setting the TCP/IP properties of the bridge interface in the Network Connections panel (the Network Connections panel on Windows XP and higher allows for point-and-click bridging).
     120 * Make sure to only bridge TAP interfaces with private ethernet interfaces which are protected behind a firewall. Never bridge a TAP interface with the same ethernet interface you use to connect to the internet, as that would create a potential security hole.
     121 * The addresses used for local and remote should not be part of the bridged subnet -- otherwise you will end up with a routing loop.
     122 * An important point to understand with Ethernet bridging is that each network interface which is added to the bridge will lose its individual identity in terms of specific settings such as IP address and netmask. Only the TCP/IP settings of the bridge interface itself will be relevent.
     123 * A common mistake that people make when manually configuring an Ethernet bridge is that they add their primary ethernet adapter to the bridge before they have set the IP and netmask of the bridge interface. The result is that the primary ethernet interface "loses" its settings, but the equivalent bridge interface settings have not yet been defined, so the net effect is a loss of connectivity on the ethernet interface.
     124 * In most cases, it is possible to set up a usable bridge configuration with the ethernet-bridge itself only configured on the server side, not the client side. If this is done, the client machines will become multi-homed when they connect to the server, i.e. they will still have their regular ethernet interface, but upon connection to the OpenVPN server, they will now have a new TAP interface which is bridged with the server's ethernet interface (and possibly all of the TAP interfaces of other connecting clients as well if the client-to-client directive is used on the server).
     125
     126= Notes -- Ethernet Bridging on Windows =
     127
     128[wiki:WindowsNotes The Windows Notes page] has additional information on ethernet bridging.
     129
     130= Notes -- Ethernet Bridging on Linux, Setup Scripts =
     131
     132These scripts will handle bridge setup and shutdown on Linux. They are available in the sample-scripts subdirectory of the OpenVPN tarball.
     133
     134== sample-scripts/bridge-start ==
     135
     136{{{
     137    #!/bin/bash
     138
     139    #################################
     140    # Set up Ethernet bridge on Linux
     141    # Requires: bridge-utils
     142    #################################
     143
     144    # Define Bridge Interface
     145    br="br0"
     146
     147    # Define list of TAP interfaces to be bridged,
     148    # for example tap="tap0 tap1 tap2".
     149    tap="tap0"
     150
     151    # Define physical ethernet interface to be bridged
     152    # with TAP interface(s) above.
     153    eth="eth0"
     154    eth_ip="192.168.8.4"
     155    eth_netmask="255.255.255.0"
     156    eth_broadcast="192.168.8.255"
     157
     158    for t in $tap; do
     159        openvpn --mktun --dev $t
     160    done
     161
     162    brctl addbr $br
     163    brctl addif $br $eth
     164
     165    for t in $tap; do
     166        brctl addif $br $t
     167    done
     168
     169    for t in $tap; do
     170        ifconfig $t 0.0.0.0 promisc up
     171    done
     172
     173    ifconfig $eth 0.0.0.0 promisc up
     174
     175    ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
     176}}}
     177
     178== sample-scripts/bridge-stop ==
     179
     180{{{
     181    #!/bin/bash
     182
     183    ####################################
     184    # Tear Down Ethernet bridge on Linux
     185    ####################################
     186
     187    # Define Bridge Interface
     188    br="br0"
     189
     190    # Define list of TAP interfaces to be bridged together
     191    tap="tap0"
     192
     193    ifconfig $br down
     194    brctl delbr $br
     195
     196    for t in $tap; do
     197        openvpn --rmtun --dev $t
     198    done
     199
     200}}}
     201
     202Also see our article on [http://openvpn.net/index.php/access-server/howto-openvpn-as/214-how-to-setup-layer-2-ethernet-bridging.html Ethernet Bridging for OpenVPN-AS].