OpenVPN Bridge
[[Category:Virtual Private Network]]
[[en:OpenVPN Bridge]]
This page explains how to create a network bridge on Arch Linux and host an OpenVPN server using an IP layer-2 based Ethernet bridge (TAP) instead of an IP layer-3 based IP tunnel (TUN). The general [[OpenVPN]] page describes the configuration of PAM authentication and OpenSSL security certificates in more detail.

== Introduction ==

The [http://openvpn.net/index.php/open-source/documentation.html OpenVPN documentation] page gives a complete overview of the server-side and client-side options that OpenVPN supports. Configuring OpenVPN in tunneling mode and controlling the routing of traffic is simpler, and is generally recommended where it fits your purpose. However, network applications such as Windows file sharing rely on Ethernet-level network broadcasts and benefit from believing they are physically located on the same subnet, so software bridging serves this purpose.

There is more than one way to set up bridging. In the dynamic method, OpenVPN manages its own bridge on the system, starting, stopping and configuring it. This is the quickest way to set up bridging, but other network services are interrupted whenever OpenVPN starts or stops. When the system manages its own bridge, the static method is preferable, because virtual network adapters other than OpenVPN's also attach to the bridge.

== Dynamic Bridge Installation ==

You will need to [[install]] OpenVPN and the Linux bridging utilities, which are available in the {{Pkg|openvpn}} and {{Pkg|bridge-utils}} packages.

== Dynamic Bridge Configuration ==

OpenVPN will create/destroy the TAP device automatically for the name specified in the config file. OpenVPN settings common to TUN and TAP are not shown in the example config file below, only settings that affect TAP mode. Make sure the {{ic|up}} and {{ic|down}} scripts are executable with {{ic|chmod +x}} after you write them.
(sections common to TUN and TAP omitted)
{{hc|/etc/openvpn/server.conf|
# this uses a dhcp server, server-side
# clients must support binding their dhcp client to their tap adapter
# do not append 'nogw' if using dhcp
server-bridge

# can specify interface, like tap0 or tap1
# or use up/down routing scripts to handle
# more than one, if needed
dev tap0

# needed to call scripts like up/down
# which call external programs within the scripts
script-security 2

# user defined scripts for adding/removing tap to bridge
# 'dev mtu link_mtu ifconfig_local_ip ifconfig_remote_ip' are appended if set
# make sure 'user' has permission to run 'down' ('up' will be root)
up "up br0 eth0"
down "down br0 eth0"

# call 'down' before TUN/TAP close
down-pre

# drop root privileges once connected
# good idea, for servers running on linux
# 'up' script not affected, 'down' script is
;user nobody
;group nobody
}}

{{hc|/etc/openvpn/up|2=
#!/bin/bash
# arguments: bridge, ethernet interface (from server.conf), then
# the tap device and MTU appended by openvpn
br=$1
eth=$2
dev=$3
mtu=$4

cd /usr/bin/

# only if you start dhcpcd and leave it
# running for eth
#dhcpcd -k $eth

# needed if script is run independently
# but when run through openvpn
# openvpn will do this automatically
# could also use 'ip tuntap ..'
#openvpn --mktun --dev $dev

brctl addbr $br
# set forwarding delay to 0
# otherwise dhcp called below would timeout
brctl setfd $br 0
brctl addif $br $eth

# order matters here.. right now there is only
# one mac in the bridge's table
# if there were two.. there is no guarantee
# which would be passed to the dhcp server
dhcpcd $br
brctl addif $br $dev

ip link set $eth up promisc on mtu $mtu
ip link set $dev up promisc on mtu $mtu
}}

{{hc|/etc/openvpn/down|2=
#!/bin/bash
# arguments: bridge, ethernet interface (from server.conf), then
# the tap device appended by openvpn
br=$1
eth=$2
dev=$3

cd /usr/bin/

dhcpcd -k $br
ip link set $br down
brctl delbr $br

# needed if script is run independently
# but when run through openvpn
# openvpn will do this automatically
# could also use 'ip tuntap ..'
#openvpn --rmtun --dev $dev

# only if you start dhcpcd and leave it
# running for eth
#dhcpcd $eth
}}

These examples are for using DHCP. If you are going to use static IP addresses, you will need to adjust them accordingly.

== Using Systemd ==

The OpenVPN systemd unit looks for {{ic|<name>.conf}} files in the {{ic|/etc/openvpn}} folder by default. So, assuming you have a file named {{ic|server.conf}}, you can [[enable]] and start {{ic|openvpn@server}}.

Be careful about having dhcpcd enabled separately (i.e. {{ic|dhcpcd@eth0.service}}) at the same time. It is possible, though unlikely, for it to complete after OpenVPN and ruin your DHCP setup for OpenVPN. You could probably disable {{ic|dhcpcd@eth0.service}}, since you know {{ic|openvpn@server.service}} will be resetting DHCP anyway.

{{Warning|The Static Bridge section does not describe a method using systemd at all. In addition, it may contain outdated information. It should be revised at some point.}}

== Static Bridge Installation ==

The first thing you want to do is [[install]] these packages: {{Pkg|openvpn}}, {{Pkg|bridge-utils}}, {{Pkg|netctl}}.

== Static Bridge Configuration ==

Earlier versions of guides for OpenVPN, provided by the OpenVPN team or various Linux packagers, give example scripts for constructing a bridge when starting OpenVPN and destroying it when shutting OpenVPN down. However, this is a somewhat deprecated approach, since OpenVPN as of 2.1.1 defaults, for security reasons, to not calling external scripts or programs unless explicitly enabled to do so. Also, constructing the bridge is relatively slow compared to all other parts of the network initialization process. (In fact, so slow that dhcpcd will time out before the bridge is ready. See [[#Static Bridge Troubleshooting]].) Also, when restarting OpenVPN after configuration changes, there is no reason to rebuild a working bridge and interrupt all your other network applications. So, setting up a static bridge configuration as follows is the recommended method.
To create an OpenVPN bridge for your server, you are going to have to use [[netctl]] and create two network profiles: one for the tap interface and one for the bridge. Go to {{ic|/etc/netctl}} and copy the tuntap example file to the directory:

{{bc|# cd /etc/netctl/
# cp examples/tuntap openvpn_tap}}

Now edit {{ic|openvpn_tap}} to create a tap interface. It may look like this:

{{hc|/etc/netctl/openvpn_tap|2=
Description='tuntap connection'
Interface=tap0
Connection=tuntap
Mode='tap'
User='nobody'
Group='nobody'
}}

Do not configure the IP address here; this is going to be done for the bridge interface!

To create the {{ic|bridge}} profile, copy the example file:

{{bc|# cp examples/bridge openvpn_bridge}}

Now edit {{ic|openvpn_bridge}}. It may look like this:

{{hc|/etc/netctl/openvpn_bridge|2=
Description="Bridge connection"
Interface=br0
Connection=bridge
BindsToInterfaces=(eth0 tap0)
IP=static
Address=('192.168.11.1/24')
Gateway='192.168.11.254'
DNS=('192.168.11.254')
}}

For more information, for example how to use DHCP instead, check the [[netctl]] article.

Now enable and start both profiles with:

{{bc|# netctl enable openvpn_tap
# netctl enable openvpn_bridge
# netctl start openvpn_tap
# netctl start openvpn_bridge}}

== Static Bridge Troubleshooting ==

=== Failed to start the network ===

This is probably because you are using DHCP on the bridge and setting up the bridge takes longer than dhcpcd is willing to wait. You can fix this by setting the FWD_DELAY parameter in your bridge network profile ({{ic|openvpn_bridge}}). Start with a value of 5 and decrease it until it works.

=== No IP address on bridge when using DHCP ===

You may need to release the IP address that is assigned to your Ethernet interface before requesting an IP via DHCP. To do this:

{{bc|# dhcpcd -k}}

Then, modify the dhcpcd configuration file to ensure that an IP address is not assigned to the Ethernet interface (in this case, {{ic|enp3s0}}):

{{hc|/etc/dhcpcd.conf|
denyinterfaces enp3s0
}}

Towards the end of the file (assuming your bridge is named {{ic|br0}}):

{{hc|/etc/dhcpcd.conf|
interface br0
}}

Now create the network bridge as described above, then run {{ic|dhcpcd}} to assign the IP address to your interface. Check that {{ic|ip addr}} shows a valid IP address assigned to the bridge (i.e. {{ic|br0}}).

== More Resources ==

* [[OpenVPN]] - General page on configuring OpenVPN, including setting up authentication methods.
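As an added example (not part of the original page, netctl or dhcpcd), the following script checks a static bridge profile and {{ic|dhcpcd.conf}} for the two misconfigurations named in the Static Bridge Troubleshooting section: DHCP on the bridge with no forwarding delay set, and a bound member interface that dhcpcd is still allowed to configure. The sample profile and dhcpcd.conf are constructed; the option name {{ic|FwdDelay}} is assumed to be netctl's spelling of what the page calls FWD_DELAY, and dhcpcd's {{ic|denyinterfaces}} patterns are matched with fnmatch as its manual describes.

```python
import fnmatch

# Constructed sample inputs modelled on the page's examples, not real files.
SAMPLE_BRIDGE_PROFILE = """\
Interface=br0
BindsToInterfaces=(eth0 tap0)
IP=dhcp
"""
SAMPLE_DHCPCD_CONF = """\
denyinterfaces tap*   # constructed: the physical member eth0 is missing here
interface br0
"""

def parse_netctl_profile(text):
    """Parse KEY=value lines of a netctl profile; bash arrays become lists."""
    profile = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("(") and value.endswith(")"):
            profile[key] = [v.strip("'\"") for v in value[1:-1].split()]
        else:
            profile[key] = value.strip("'\"")
    return profile

def dhcpcd_denied_patterns(text):
    """Collect the (space or comma separated) patterns on 'denyinterfaces' lines."""
    deny = []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if words and words[0] == "denyinterfaces":
            deny.extend(p for w in words[1:] for p in w.split(",") if p)
    return deny

def check_bridge_setup(profile_text, dhcpcd_text):
    """Return findings for the two failure modes in the troubleshooting section."""
    profile = parse_netctl_profile(profile_text)
    deny = dhcpcd_denied_patterns(dhcpcd_text)
    bridge, findings = profile.get("Interface", "?"), []
    if profile.get("IP") == "dhcp":
        # FwdDelay is assumed to be netctl's option name; FWD_DELAY is the page's spelling.
        if not any(k in profile for k in ("FwdDelay", "FWD_DELAY")):
            findings.append(f"{bridge}: DHCP without a forwarding delay, dhcpcd may time out")
        # A bound member dhcpcd may still configure can obtain its own lease beside the bridge.
        for member in profile.get("BindsToInterfaces", []):
            if not any(fnmatch.fnmatch(member, pat) for pat in deny):
                findings.append(f"{member}: bound to {bridge} but not in dhcpcd denyinterfaces")
    return findings
```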