ruebenramirez / blog

My blog
http://blog.ruebenramirez.com/

Raspberry Pi OpenVPN Server via ethernet bridge #163

Open ruebenramirez opened 9 years ago

ruebenramirez commented 9 years ago

Even after following the OpenVPN Ethernet Bridging tutorial I was still having problems connecting remote clients to the VPN. The login seemed to hang and was eventually timing out.

This blog post provided 2 bits of config to try: http://prssrp.blogspot.com/2014/02/raspberry-pi-openvpn-server-bridge-mode.html

ruebenramirez commented 9 years ago

OpenVPN is a lot easier to configure via routing/tunnel mode, but doesn't forward UDP traffic.

In bridge mode, we are actually placing the remote VPN clients directly on the same network as all our local machines. This allows remote VPN clients to "see" the UDP multicast traffic on the local network.

ruebenramirez commented 9 years ago

Running the bridge-start script to create an ethernet bridge for OpenVPN to use was killing the default gateway route. At the end of the bridge-start script, I've added a route add for the default gateway so that traffic can find its way out to the network through the bridge.

Using this new bridge-start config, I was able to confirm UDP traffic is flowing over OpenVPN in bridge mode:

ipconfig on Windows:

PS C:\Users\ruebenramirez\Downloads> ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::a4dd:8303:2512:61be%17
   IPv4 Address. . . . . . . . . . . : 192.168.11.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : localdomain
   Link-local IPv6 Address . . . . . : fe80::f014:d30f:6aa6:d991%10
   IPv4 Address. . . . . . . . . . . : 172.16.168.128
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.168.2

Tunnel adapter isatap.{2DCD97DE-9140-4B9B-9225-D5D1CD7650A6}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Local Area Connection* 11:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:0:c669:f468:3c8d:1d2d:53ef:577f
   Link-local IPv6 Address . . . . . : fe80::3c8d:1d2d:53ef:577f%12
   Default Gateway . . . . . . . . . : ::

Tunnel adapter isatap.{ED8EDDAA-173A-4B24-BCA6-F31D3CD0A49C}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter isatap.localdomain:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : localdomain

I have a FreeNAS box on my home network that generates UDP traffic for some upnp functionality.

I ran WinDump to display the traffic it could passively pick up on once logged into the VPN from a remote network (T-Mobile via my iPad).

.\WinDump.exe -vv -X
12:21:19.878784 IP (tos 0x0, ttl   1, id 60866, offset 0, flags [none], proto: UDP (17), length: 200) FREENAS.11779 > 239.255.255.250.1900: UDP, length 172
        0x0000:  4500 00c8 edc2 0000 0111 0fb8 c0a8 0b08  E...............
        0x0010:  efff fffa 2e03 076c 00b4 4dda 4d2d 5345  .......l..M.M-SE
        0x0020:  4152 4348 202a 2048 5454 502f 312e 310d  ARCH.*.HTTP/1.1.
        0x0030:  0a4d 583a 2031 0d0a 5354 3a20 7570 6e70  .MX:.1..ST:.upnp
        0x0040:  3a72 6f6f 7464 6576 6963 650d 0a4d 414e  :rootdevice..MAN
        0x0050:  3a20                                     :.
12:21:19.878923 IP (tos 0x0, ttl   1, id 60867, offset 0, flags [none], proto: UDP (17), length: 200) FREENAS.11779 > 239.255.255.250.1900: UDP, length 172
        0x0000:  4500 00c8 edc3 0000 0111 0fb7 c0a8 0b08  E...............
        0x0010:  efff fffa 2e03 076c 00b4 4dda 4d2d 5345  .......l..M.M-SE
        0x0020:  4152 4348 202a 2048 5454 502f 312e 310d  ARCH.*.HTTP/1.1.
        0x0030:  0a4d 583a 2031 0d0a 5354 3a20 7570 6e70  .MX:.1..ST:.upnp
        0x0040:  3a72 6f6f 7464 6576 6963 650d 0a4d 414e  :rootdevice..MAN
        0x0050:  3a20                                     :.
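The capture above is the evidence that the bridge works, and it is worth reading closely: the SSDP M-SEARCH datagrams from FREENAS go to 239.255.255.250 with TTL 1, so no router will forward them, and a routed (tun) VPN is a router hop. A remote client sees them only because a tap bridge puts it in the LAN's broadcast domain, which also makes it Layer 2 adjacent to every other host there; the VPN's client authentication is then the only thing between a compromised client certificate and the whole LAN. The decoder below is an added example, not code from this thread: it parses a WinDump/tcpdump -X hex dump, validates the IPv4 header checksum, and reports ports, TTL, multicast destination and capture truncation (WinDump's default 96-byte snaplen cut these packets short, which the IP length field reveals). The sample dump embedded in it is a constructed copy of the two packets above with the wrapped header lines rejoined.

```python
#!/usr/bin/env python3
"""Decode a WinDump/tcpdump -X hex dump and classify the captured datagrams.
Added example; the sample below is copied from the capture in this thread."""
import ipaddress
import re
import struct

# Constructed sample: the two SSDP packets from the WinDump -X output above,
# header lines rejoined.  WinDump's default 96-byte snaplen minus the 14-byte
# Ethernet header leaves 82 bytes, so the UDP payload is cut short.
SAMPLE_DUMP = """\
12:21:19.878784 IP (tos 0x0, ttl   1, id 60866, offset 0, flags [none], proto: UDP (17), length: 200) FREENAS.11779 > 239.255.255.250.1900: UDP, length 172
        0x0000:  4500 00c8 edc2 0000 0111 0fb8 c0a8 0b08  E...............
        0x0010:  efff fffa 2e03 076c 00b4 4dda 4d2d 5345  .......l..M.M-SE
        0x0020:  4152 4348 202a 2048 5454 502f 312e 310d  ARCH.*.HTTP/1.1.
        0x0030:  0a4d 583a 2031 0d0a 5354 3a20 7570 6e70  .MX:.1..ST:.upnp
        0x0040:  3a72 6f6f 7464 6576 6963 650d 0a4d 414e  :rootdevice..MAN
        0x0050:  3a20                                     :.
12:21:19.878923 IP (tos 0x0, ttl   1, id 60867, offset 0, flags [none], proto: UDP (17), length: 200) FREENAS.11779 > 239.255.255.250.1900: UDP, length 172
        0x0000:  4500 00c8 edc3 0000 0111 0fb7 c0a8 0b08  E...............
        0x0010:  efff fffa 2e03 076c 00b4 4dda 4d2d 5345  .......l..M.M-SE
        0x0020:  4152 4348 202a 2048 5454 502f 312e 310d  ARCH.*.HTTP/1.1.
        0x0030:  0a4d 583a 2031 0d0a 5354 3a20 7570 6e70  .MX:.1..ST:.upnp
        0x0040:  3a72 6f6f 7464 6576 6963 650d 0a4d 414e  :rootdevice..MAN
        0x0050:  3a20                                     :.
"""

HEX_ROW = re.compile(r"^\s+0x([0-9a-fA-F]+):\s+(.*)$")


def parse_hex_dump(text):
    """Return [(header_line, packet_bytes)] from -X output.

    Hex rows look like '0xNNNN:  <up to 8 words>  <ascii>'; the ASCII column
    is separated by at least two spaces, so split on that instead of guessing
    which tokens are hex.  Offsets are checked so a dump garbled by line
    wrapping or copy/paste is rejected rather than silently mis-decoded."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEX_ROW.match(line)
        if m is None:                      # any other line starts a packet
            packets.append((line.strip(), bytearray()))
            continue
        if not packets:
            raise ValueError("hex row before any packet header")
        offset = int(m.group(1), 16)
        body = packets[-1][1]
        if offset != len(body):
            raise ValueError(f"offset 0x{offset:04x} but {len(body)} bytes so far")
        hex_part = re.split(r"\s{2,}", m.group(2).strip(), maxsplit=1)[0]
        body.extend(bytes.fromhex(hex_part.replace(" ", "")))
    return [(hdr, bytes(body)) for hdr, body in packets]


def ipv4_checksum(header):
    """Ones-complement sum over 16-bit words; 0 means the header is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4_udp(pkt):
    """Decode IPv4 + UDP headers (the link-layer header is already gone with -X)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 17 or len(pkt) < ihl + 8:
        raise ValueError("not UDP, or UDP header truncated")
    sport, dport, udp_len, _ucsum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    dst_ip = ipaddress.IPv4Address(dst)
    payload = pkt[ihl + 8:]
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(dst_ip),
        "ident": ident,
        "ttl": ttl,
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
        "sport": sport,
        "dport": dport,
        "udp_len": udp_len,
        "total_len": total_len,        # what the sender put on the wire
        "captured": len(pkt),          # what the snaplen let us keep
        "truncated": len(pkt) < total_len,
        "multicast": dst_ip.is_multicast,
        # TTL 1: no router (a routed/tun VPN included) will forward it; only a
        # host in the same broadcast domain can see it.
        "link_scope": ttl == 1,
        "request_line": payload.split(b"\r\n", 1)[0].decode("ascii", "replace"),
    }


def summarize(dump_text):
    """Decode every packet in a -X dump."""
    return [decode_ipv4_udp(pkt) for _hdr, pkt in parse_hex_dump(dump_text)]


if __name__ == "__main__":
    for d in summarize(SAMPLE_DUMP):
        scope = "link-scope multicast" if d["multicast"] and d["link_scope"] else "other"
        print(f'{d["src"]}:{d["sport"]} -> {d["dst"]}:{d["dport"]} ttl={d["ttl"]} '
              f'csum={"ok" if d["checksum_ok"] else "BAD"} {scope} '
              f'{d["captured"]}/{d["total_len"]} bytes: {d["request_line"]}')
```

Feed it a real `WinDump.exe -X` or `tcpdump -X` transcript and any packet whose destination is multicast with TTL 1 is traffic that only a bridged client could have received; a capture from a tun client that still shows such packets means something other than the VPN is delivering them. Use `-s 0` on the next capture if the full SSDP payload matters.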
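The default-route loss described earlier in this comment has a mechanical cause: the OpenVPN bridging HOWTO's sample bridge-start takes eth0's address away with `ifconfig eth0 0.0.0.0 promisc up` before assigning it to br0, and when an address is removed the kernel also drops the routes that depended on it, the default route included. Re-adding the route at the end of the script is the right fix. The script below is an added example, not the thread author's script: it records the gateway before touching any interface, builds the bridge in the HOWTO's order, re-adds the default route through the bridge and verifies the result. The interface names and addresses are assumed values for a Raspberry Pi on the 192.168.11.0/24 LAN shown in the ipconfig output; it needs root, uses the same `brctl`/`ifconfig` tools as the HOWTO, and takes `--dry-run` to print the plan without executing it.

```python
#!/usr/bin/env python3
"""bridge-start that keeps the LAN default route (added example).

Mirrors the OpenVPN bridging HOWTO's sample bridge-start, then re-adds the
default route through the bridge.  All names and addresses below are
assumed values for a Raspberry Pi on 192.168.11.0/24; adjust them."""
import re
import subprocess
import sys

BR = "br0"                       # assumed bridge name
ETH = "eth0"                     # assumed LAN interface
TAP = "tap0"                     # assumed OpenVPN tap device
ADDR = "192.168.11.5"            # assumed Pi address, moved onto the bridge
NETMASK = "255.255.255.0"
BROADCAST = "192.168.11.255"


def parse_default_route(ip_route_text):
    """Parse 'ip route show default' output -> (gateway, device) or None."""
    m = re.search(r"^default via (\S+) dev (\S+)", ip_route_text, re.M)
    return (m.group(1), m.group(2)) if m else None


def bridge_commands(br, eth, tap, addr, netmask, broadcast, gateway):
    """The HOWTO sequence with the route fix as the last step.

    'ifconfig eth 0.0.0.0' removes eth's address, and the kernel removes
    every route that depended on it, the default route included; the last
    command puts it back via the bridge, which by then owns the address."""
    return [
        ["openvpn", "--mktun", "--dev", tap],
        ["brctl", "addbr", br],
        ["brctl", "addif", br, eth],
        ["brctl", "addif", br, tap],
        ["ifconfig", tap, "0.0.0.0", "promisc", "up"],
        ["ifconfig", eth, "0.0.0.0", "promisc", "up"],
        ["ifconfig", br, addr, "netmask", netmask, "broadcast", broadcast],
        ["ip", "route", "replace", "default", "via", gateway, "dev", br],
    ]


def route_restored(ip_route_text, br, gateway):
    """True when the default route now leaves through the bridge."""
    return parse_default_route(ip_route_text) == (gateway, br)


def show_default_route():
    return subprocess.run(["ip", "route", "show", "default"],
                          capture_output=True, text=True, check=True).stdout


def main(argv):
    dry_run = "--dry-run" in argv
    found = parse_default_route(show_default_route())
    if found is None:
        sys.exit("no default route; refusing to build the bridge blind")
    gateway, dev = found
    if dev != ETH:
        sys.exit(f"default route uses {dev}, not {ETH}; check the constants")
    for cmd in bridge_commands(BR, ETH, TAP, ADDR, NETMASK, BROADCAST, gateway):
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)
    if not dry_run and not route_restored(show_default_route(), BR, gateway):
        sys.exit(f"default route did not come back via {BR}; fix it by hand")


if __name__ == "__main__":
    main(sys.argv[1:])
```

The route command has to come after br0 has its address, otherwise the kernel rejects the gateway as unreachable; reading the gateway from the live routing table instead of hardcoding it means a DHCP change on the LAN does not silently break the bridge, and the final check turns a half-built bridge into a loud failure instead of a VPN login that hangs.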