Install and Configure OpenVPN using a TAP interface

With this procedure we will configure an OpenVPN server using a TAP interface instead of TUN, bridged to the server's LAN interface.

You will find this option useful when you want your LAN and VPN clients to be in the same broadcast domain (layer 2 bridging, so protocols that depend on broadcasts work across the VPN).

We will use a scenario where:

192.168.1.0/24 –> Is your network

192.168.1.1 –> Is your Gateway and DNS server

192.168.1.2 –> Is your OpenVPN Server

Let’s start.

1 – Install prerequisites.

In Debian you will not find the “easy-rsa” package, but don’t worry, we will take care of that later.

2 – Configure the bridge adapter.

This adapter is the bridge between the physical interface and the tap interface; it passes frames from one to the other, so the VPN clients appear on the LAN as if they were plugged into the same switch.

First get the necessary scripts:

Edit the bridge-start script:

Configure your interfaces configuration file:

and configure it as follows:

Save and exit.
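The bridge configuration described in step 2, as an added example that is not the tutorial's own file or script. It assumes the physical NIC is eth0, the bridge is br0, the OpenVPN tap device is tap0, bridge-utils is installed (for brctl and the bridge_* options in /etc/network/interfaces), and the server keeps its LAN address 192.168.1.2/24 with 192.168.1.1 as gateway; change these to match your host. The important point is that the IP address moves from the NIC onto the bridge, and that the NIC itself is left without an address.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# Assumptions: NIC eth0, bridge br0, tap device tap0, server address
# 192.168.1.2/24 with gateway 192.168.1.1.  Override via environment.

NIC="${NIC:-eth0}"
BR="${BR:-br0}"
TAP="${TAP:-tap0}"
ADDR="${ADDR:-192.168.1.2}"
MASK="${MASK:-255.255.255.0}"
GW="${GW:-192.168.1.1}"

# Print the /etc/network/interfaces stanza.  The NIC is set to "manual"
# (no address); br0 carries the address and is the interface the rest of
# the system, and OpenVPN's server-bridge line, refer to.
interfaces_stanza() {
    nic="$1"; br="$2"; addr="$3"; mask="$4"; gw="$5"
    cat <<EOF
auto lo
iface lo inet loopback

auto $nic
iface $nic inet manual

auto $br
iface $br inet static
    address $addr
    netmask $mask
    gateway $gw
    bridge_ports $nic
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
EOF
}

# What bridge-start does: create the persistent tap device and enslave it to
# the bridge.  The tap must be promiscuous so it accepts frames destined for
# the VPN clients' MAC addresses, not only its own.
bridge_start() {
    openvpn --mktun --dev "$TAP"
    ip link set "$TAP" promisc on up
    brctl addif "$BR" "$TAP"
}

# What bridge-stop does: detach and remove the tap device.
bridge_stop() {
    brctl delif "$BR" "$TAP"
    ip link set "$TAP" down
    openvpn --rmtun --dev "$TAP"
}

# Usage: ./bridge.sh print | start | stop
case "${1:-}" in
    print) interfaces_stanza "$NIC" "$BR" "$ADDR" "$MASK" "$GW" ;;
    start) bridge_start ;;
    stop)  bridge_stop ;;
esac
```

Run `./bridge.sh print` to see the stanza before pasting it into /etc/network/interfaces, and `./bridge.sh start` (as root, after the bridge is up) to attach tap0; the `start` action must run before OpenVPN starts, which is why the tutorial hooks it into the interfaces file.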

3 – Enable IP forwarding on the server.

In /etc/sysctl.conf, uncomment the line containing:

net.ipv4.ip_forward=1

Apply it with sysctl -p (or reboot). Strictly speaking a pure layer 2 bridge forwards frames without IP forwarding, but you will need it as soon as the server also routes traffic for other subnets, and it does no harm here.

4 – Create the easy-rsa directory.

In Ubuntu run this command:

In Debian you have to create the directory and copy the files into it.

5 – Edit the variables.

Go into /etc/openvpn/easy-rsa/ and edit the vars file to your needs:

Change KEY_SIZE from 1024 to 2048 (this sets both the RSA key length and the size of the DH parameters that build-dh generates).

And comment the line:

6 – Generate the server keys.

While inside /etc/openvpn/easy-rsa/ run the following commands:

Now enter the keys directory:

Generate the server keys:

and copy the necessary files (the CA certificate, the server certificate and key, and the DH parameters) to the OpenVPN directory.

7 – Configure the server configuration file.

First copy the example configuration file:

Extract it:

Edit it:

Add the following to the beginning of the file:

Change

port 1194

to

port 8294

I like to change the default port. Keep in mind that a non-standard port is not a security control by itself; it only reduces the noise from scanners in your logs. Whatever port you pick must be allowed through the server's firewall and any NAT in front of it.

Change

;proto tcp
proto udp

to

proto tcp
;proto udp

TCP is handy when clients sit behind firewalls that only let outbound TCP through, but UDP is the better default for performance: tunnelling TCP inside TCP makes both layers retransmit when packets are lost. Keep udp unless you need tcp.

Change

;dev tap
dev tun

to

dev tap0
;dev tun

The device name must match the tap interface your bridge script adds to the bridge; OpenVPN will not create or enslave it for you.

Change

dh dh1024.pem

to

dh dh2048.pem

The file name follows the KEY_SIZE you set in vars: build-dh writes keys/dh2048.pem when KEY_SIZE is 2048.

Change

server 10.8.0.0 255.255.255.0

to

;server 10.8.0.0 255.255.255.0

The routed-mode server line must be commented out: server and server-bridge are mutually exclusive, and OpenVPN refuses to start with both.

Change

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

to

server-bridge 192.168.1.2 255.255.255.0 192.168.1.100 192.168.1.250

(The first address and netmask are those of your bridge interface, i.e. the OpenVPN server's LAN address; the last two define the pool handed to VPN clients, who will get an address in the range 192.168.1.100 to 192.168.1.250. Make sure this pool lies outside the range used by your LAN's own DHCP server, otherwise you will get address conflicts.)

Change

;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

to

push "dhcp-option DNS 192.168.1.1"

This is your DNS server IP address. Use plain ASCII double quotes in the configuration file; typographic quotes are not recognised by OpenVPN's parser.

You can also push your domain with:

push "dhcp-option DOMAIN example.com"

Change

;client-to-client

to

client-to-client

Change

;user nobody
;group nogroup

to

user nobody
group nogroup

This drops OpenVPN's privileges after initialisation. It relies on persist-key and persist-tun, which are already enabled in the sample file; without them OpenVPN could not re-read the key or re-open the tap device on restart once it no longer runs as root.

Look for the line containing log-append and edit it to look like this:

log-append  /var/log/openvpn/openvpn.log

Save and exit

Create the openvpn log folder:
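The complete server.conf that the edits in step 7 produce for the 192.168.1.0/24 scenario, together with a small lint that catches the bridge-specific mistakes, as an added example rather than the tutorial's own file. It assumes the certificates were copied to /etc/openvpn, the tap device is tap0 and easy-rsa was built with KEY_SIZE=2048 (so the DH file is dh2048.pem); the keepalive, persist-* and verb lines are the sample file's own defaults. The lint reports a routed-mode `server` line left active next to `server-bridge`, a `dev tun` where a tap is needed, a missing `server-bridge`, and `user`/`group` without the persist options.

```shell
#!/bin/sh
# Added example, not the tutorial's file.  Assumptions: certs in
# /etc/openvpn, tap device tap0, easy-rsa KEY_SIZE=2048 (dh2048.pem).

# Emit the server configuration for the scenario.  Arguments (all optional):
# port, bridge IP, pool start, pool end, DNS server.
server_conf() {
    port="${1:-8294}"; srv_ip="${2:-192.168.1.2}"
    pool_lo="${3:-192.168.1.100}"; pool_hi="${4:-192.168.1.250}"
    dns="${5:-192.168.1.1}"
    cat <<EOF
port $port
proto tcp
dev tap0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
# Bridged mode: clients get LAN addresses from this pool, which must not
# overlap the range served by the LAN's own DHCP server.
;server 10.8.0.0 255.255.255.0
server-bridge $srv_ip 255.255.255.0 $pool_lo $pool_hi
push "dhcp-option DNS $dns"
push "dhcp-option DOMAIN example.com"
client-to-client
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
log-append /var/log/openvpn/openvpn.log
verb 3
EOF
}

# Lint a server.conf file for TAP/bridge mistakes.  Prints one finding per
# line; the return value is the number of findings (0 means clean).
lint_bridge_conf() {
    f="$1"; n=0
    # Drop comments (# or ;) and blank lines so commented-out directives
    # such as ";server 10.8.0.0 ..." are not counted as active.
    active=$(sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$f")
    if ! echo "$active" | grep -q '^dev[[:space:]][[:space:]]*tap'; then
        echo "dev must name a tap device for bridging"; n=$((n+1))
    fi
    if echo "$active" | grep -q '^server[[:space:]]'; then
        echo "'server' is still active; it conflicts with server-bridge"; n=$((n+1))
    fi
    if ! echo "$active" | grep -q '^server-bridge[[:space:]]'; then
        echo "no server-bridge line"; n=$((n+1))
    fi
    if echo "$active" | grep -q '^user[[:space:]]' &&
       ! { echo "$active" | grep -q '^persist-key' &&
           echo "$active" | grep -q '^persist-tun'; }; then
        echo "user/group set without persist-key and persist-tun"; n=$((n+1))
    fi
    return "$n"
}

# Usage: ./serverconf.sh print > /etc/openvpn/server.conf
#        ./serverconf.sh lint /etc/openvpn/server.conf
case "${1:-}" in
    print) server_conf ;;
    lint)  lint_bridge_conf "$2" ;;
esac
```

Run the lint against the file you actually edited before restarting OpenVPN; a non-zero exit status tells you how many findings there were.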

8 – Create the client keys.

Change to the easy-rsa folder:

Load the variables defined in the vars file:

Generate the key and certificate:

Set the PEM pass phrase. This is the passphrase that encrypts the client's private key; the OpenVPN client prompts for it when it loads the key, i.e. every time it connects.

Accept the defaults for the other prompts until you get to “A challenge password”.

When asked for “A challenge password” just press Enter.

When asked for “An optional company name” just press Enter.

When asked “Sign the certificate? [y/n]:” answer y.

When asked “1 out of 1 certificate requests certified, commit? [y/n]” answer y.

The files will be created in the /etc/openvpn/easy-rsa/keys folder
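The easy-rsa 2.x sequence behind steps 6 and 9, as an added example that is not the tutorial's own command list. It assumes easy-rsa lives in /etc/openvpn/easy-rsa, that the server certificate is named "server", that vars has been edited to KEY_SIZE=2048, and that clients are built with build-key-pass (the easy-rsa 2 script that encrypts the private key with a passphrase, which is what produces the PEM pass phrase prompt described above). Two things the tutorial's steps do not spell out: clean-all wipes the keys directory, so it belongs only to the one-time server setup, and it is worth verifying that the client key really is encrypted and that the certificate chains to your CA before handing the files out.

```shell
#!/bin/sh
# Added example, not the tutorial's commands.  Assumptions: easy-rsa 2.x in
# /etc/openvpn/easy-rsa, server cert named "server", vars edited to
# KEY_SIZE=2048, clients issued with build-key-pass.

EASYRSA="${EASYRSA:-/etc/openvpn/easy-rsa}"

# Return 0 if the vars file sets KEY_SIZE to at least 2048 (step 5).
check_vars() {
    size=$(sed -n 's/^export KEY_SIZE=\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    [ -n "$size" ] && [ "$size" -ge 2048 ]
}

# One-time setup: CA, server certificate/key and DH parameters (step 6).
# clean-all deletes everything under keys/, so never run this again once
# clients have been issued.
build_server_pki() {
    cd "$EASYRSA" || return 1
    check_vars ./vars || { echo "vars: KEY_SIZE must be >= 2048" >&2; return 1; }
    . ./vars
    ./clean-all
    ./build-ca
    ./build-key-server server
    ./build-dh
    cp keys/ca.crt keys/server.crt keys/server.key "keys/dh${KEY_SIZE}.pem" /etc/openvpn/
}

# Issue one client (step 9).  Run this, not build_server_pki, for each new
# client; vars is re-sourced so the script works from a fresh shell.
build_client() {
    name="$1"
    cd "$EASYRSA" || return 1
    . ./vars
    ./build-key-pass "$name"
    # The key must be the encrypted form, otherwise there is no passphrase
    # protecting it on the client machine.
    grep -q 'ENCRYPTED' "keys/$name.key" || { echo "$name.key is not encrypted" >&2; return 1; }
    # And the certificate must verify against our CA before it is shipped.
    openssl verify -CAfile keys/ca.crt "keys/$name.crt"
    echo "client files: keys/ca.crt keys/$name.crt keys/$name.key"
}

# Usage: ./pki.sh server        (once)
#        ./pki.sh client NAME   (per client)
case "${1:-}" in
    server) build_server_pki ;;
    client) build_client "$2" ;;
esac
```

Copy only ca.crt, NAME.crt and NAME.key to the client; ca.key stays on the server (ideally offline), since anyone holding it can issue certificates that your server will accept.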

9 – Restart the server.

Now restart the server and check your network interfaces:

Your output should look similar to this:

IMPORTANT!!

If you are installing OpenVPN as a virtual machine, read this. In most hypervisors the virtual switch must allow promiscuous mode (or MAC address spoofing) on the server's virtual NIC; otherwise the bridge never receives frames addressed to the VPN clients' MAC addresses and clients get an address but no traffic.
