I had a problem – perhaps a luxury one: a customer of mine hired me to do some administrative work at his site. Since his facilities are about 600 km away, remote access was agreed upon.
Usually you would think of a customer-provided laptop with some Cisco VPN client on it. Not exactly. Yes, he sent me a laptop... together with a consumer router configured for VPN access. All rrrright.
Usually I separate customer devices from my home installation by putting them in a separate VLAN with its own accompanying Wi-Fi and firewall rules. Not possible with that thing.
How did I solve that? By putting an OrangePI (nifty little machines, btw) between my firewall and the external router, and another one in a separate Wi-Fi with its Ethernet interface connected to the customer's router. Then I set up an Ethernet bridge between those two machines via OpenVPN. This means that I now have direct access to the transfer network (which physically sits in the basement) from my desk (which is on the 2nd floor), DHCP and all. Nice, eh?
So how did I do it, and what does it all have to do with Linux? Both OrangePI machines run Armbian, a Linux distro specialized for this kind of board, similar to Raspbian for the Raspberry Pi.
As a starting point I used the following description: https://www.aaflalo.me/2015/01/openvpn-tap-bridge-mode/
I leave things like SSL certificate creation and stuff as an exercise to the reader.
Apart from Armbian, at least bridge-utils has to be installed, as well as any troubleshooting tools you may fancy.
Some addresses and stuff (not the real ones of course):

| Address | Purpose |
|---|---|
| 188.8.131.52 | VPN client, bridge address |
| 184.108.40.206-220.127.116.11 | DHCP range for clients in the transfer net; has to match the values in your internet router's DHCP |
Config, server side
```
dev tap0
tls-server
proto udp
port 1194
ca /etc/openvpn/root.pem
cert /etc/openvpn/openvpn.pem
key /etc/openvpn/openvpn.key
# 1024-bit DH parameters are weak by today's standards; generate 2048 bits or more
dh /etc/openvpn/dh1024.pem
# topology only affects tun mode; harmless with a tap device
topology subnet
user nobody
group nogroup
# arguments: bridge gateway, netmask, pool start, pool end
server-bridge 18.104.22.168 255.255.255.0 22.214.171.124 126.96.36.199
mssfix
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client
keepalive 10 120
mute 50
push "dhcp-option DNS 188.8.131.52"
log-append /var/log/openvpn
# compression over the tunnel enables VORACLE-style attacks; drop it unless you need it (must match the client)
comp-lzo
```

Variables for the bridge script, server side:

```bash
#!/bin/bash
eth="eth0"                      # physical interface that joins the bridge
eth_ip="184.108.40.206"         # address of the box, moved from eth0 onto the bridge
eth_netmask="255.255.255.0"
eth_broadcast="220.127.116.11"
eth_gateway="18.104.22.168"     # the internet router
eth_mac="aa:bb:cc:dd:ee:ff"     # MAC the bridge presents on the transfer net
br="br0"
tap="tap0"                      # the dev tap0 from the OpenVPN config
```
Config, client side
```
client
dev tap0
proto udp
remote 22.214.171.124 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca root.pem
cert client.pem
key client.key
# ns-cert-type is deprecated and was removed in OpenVPN 2.5; the replacement is
# "remote-cert-tls server" (requires a server cert with the serverAuth EKU)
ns-cert-type server
# must match the server setting; see the note there
comp-lzo
verb 3
```

Variables for the bridge script, client side:

```bash
#!/bin/bash
eth="eth0"                      # physical interface that joins the bridge
eth_ip="126.96.36.199"          # address of the box, moved from eth0 onto the bridge
eth_netmask="255.255.255.0"
eth_broadcast="188.8.131.52"
eth_gateway="184.108.40.206"
eth_mac="ff:ee:dd:cc:bb:aa"     # MAC the bridge presents on the LAN
br="br0"
tap="tap0"                      # the dev tap0 from the OpenVPN config
```
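Both variable blocks above feed the same bridge script, one copy per OrangePI with its own values. As an added example (not the post's own script and not the one from the linked guide), here is a complete start/stop helper built on those variable names. It follows the general layout of OpenVPN's classic bridge-start script but uses ip(8) instead of ifconfig, checks its input before touching any interface, and can print the command sequence instead of running it. The default addresses and the MAC are assumed placeholders (RFC 5737 documentation range, a locally administered MAC), the `DRY_RUN` variable and the function names are mine, and `brctl` is the bridge-utils tool the post says must be installed.

```bash
#!/bin/bash
# Added example (not the post's script): complete bridge start/stop helper
# around the post's variable names. Addresses and the MAC below are assumed
# placeholders (RFC 5737 documentation range, locally administered MAC);
# override them via the environment, e.g.  eth_ip=10.0.0.5 ./bridge.sh up
set -eu

eth="${eth:-eth0}"                        # physical port on the transfer net
eth_ip="${eth_ip:-192.0.2.10}"            # address the box keeps, moved onto the bridge
eth_netmask="${eth_netmask:-255.255.255.0}"
eth_broadcast="${eth_broadcast:-192.0.2.255}"
eth_gateway="${eth_gateway:-192.0.2.1}"   # the (untrusted) internet router
eth_mac="${eth_mac:-02:00:00:00:00:01}"   # MAC the bridge presents on the LAN
br="${br:-br0}"
tap="${tap:-tap0}"                        # the dev tap0 from the OpenVPN configs

# run: execute a command, or only print it when DRY_RUN=1 so the sequence
# can be reviewed by a non-root user before anything touches the network.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mask2cidr: dotted netmask -> prefix length (255.255.255.0 -> 24).
# Rejects non-contiguous masks and anything that is not four octets, so a
# typo in eth_netmask stops the script instead of misaddressing the box.
mask2cidr() {
    local mask="$1" bits=0 n=0 closed=0 octet
    local IFS=.
    for octet in $mask; do
        n=$((n + 1))
        if [ "$closed" = 1 ] && [ "$octet" != 0 ]; then
            echo "non-contiguous netmask: $mask" >&2; return 1
        fi
        case "$octet" in
            255) bits=$((bits + 8)) ;;
            254) bits=$((bits + 7)); closed=1 ;;
            252) bits=$((bits + 6)); closed=1 ;;
            248) bits=$((bits + 5)); closed=1 ;;
            240) bits=$((bits + 4)); closed=1 ;;
            224) bits=$((bits + 3)); closed=1 ;;
            192) bits=$((bits + 2)); closed=1 ;;
            128) bits=$((bits + 1)); closed=1 ;;
            0)   closed=1 ;;
            *) echo "bad netmask octet '$octet' in $mask" >&2; return 1 ;;
        esac
    done
    [ "$n" = 4 ] || { echo "netmask needs four octets: $mask" >&2; return 1; }
    echo "$bits"
}

# check_vars: refuse malformed input before any interface is touched.
check_vars() {
    case "$eth_ip" in
        *.*.*.*) ;;
        *) echo "bad eth_ip: $eth_ip" >&2; return 1 ;;
    esac
    printf '%s' "$eth_mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' \
        || { echo "bad eth_mac: $eth_mac" >&2; return 1; }
    mask2cidr "$eth_netmask" >/dev/null
}

bridge_up() {
    check_vars
    local prefix
    prefix="$(mask2cidr "$eth_netmask")"
    # Persistent tap owned by the unprivileged user OpenVPN drops to
    # (user nobody / group nogroup in the server config).
    run openvpn --mktun --dev "$tap" --dev-type tap --user nobody --group nogroup
    run brctl addbr "$br"             # brctl comes from bridge-utils
    run brctl addif "$br" "$eth"
    run brctl addif "$br" "$tap"
    # Pin the bridge MAC. Unpinned, a Linux bridge uses the lowest MAC among
    # its ports, and tap devices get random MACs, so the address the internet
    # router sees (and its DHCP lease / ARP entry) could change.
    run ip link set dev "$br" address "$eth_mac"
    # Bridge ports carry no IP of their own; promiscuous so the bridge sees every frame.
    run ip link set dev "$tap" promisc on up
    run ip link set dev "$eth" promisc on up
    run ip addr flush dev "$eth"      # drops your SSH session if you came in via eth
    run ip link set dev "$br" up
    run ip addr add "$eth_ip/$prefix" broadcast "$eth_broadcast" dev "$br"
    run ip route replace default via "$eth_gateway" dev "$br"
}

bridge_down() {
    local prefix
    prefix="$(mask2cidr "$eth_netmask")"
    run ip link set dev "$br" down
    run brctl delbr "$br"
    run openvpn --rmtun --dev "$tap" --dev-type tap
    # Hand the address back to the physical port so the box stays reachable.
    run ip link set dev "$eth" promisc off up
    run ip addr add "$eth_ip/$prefix" broadcast "$eth_broadcast" dev "$eth"
    run ip route replace default via "$eth_gateway" dev "$eth"
}

# Only act when called with "up" or "down"; otherwise just define the functions.
case "${1:-}" in
    up)   bridge_up ;;
    down) bridge_down ;;
esac
```

Run it as root from the console (or a serial/USB session), not over SSH through eth0: the `ip addr flush` step drops that address, and with it your session, until br0 takes it over a few commands later. `DRY_RUN=1 ./bridge.sh up` prints the exact sequence without executing it, which is worth doing once per box. On the server, run `bridge.sh up` before starting OpenVPN, since the config there refers to the tap0 created here and, with `user nobody`, needs the persistent tap to be owned by that user.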
With some quick googling and some scripts I was able to set up an Ethernet bridge which solves my problem. However, since we are dealing with an insecure net by definition (and NO, your DSL or broadband router is not to be trusted), some consideration has to be put into securing both devices network-wise. I am talking iptables, limiting the number of services on the boxes, securing OpenSSH and stuff. Those would be out of scope for this article, so look 'em up.