This recipe will demonstrate how to set up a bridged OpenVPN server on Windows. Bridging on Windows is slightly different from Linux or UNIX, but the concept is the same.
This recipe is very similar to the previous recipe, apart from the different methods used to set up bridging.
We use the following network layout:
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only networks.
For this recipe, the server computer was running Windows XP and OpenVPN 2.1.1. The client computer was running Fedora 12 Linux and OpenVPN 2.1.1. For the Linux client, keep the client configuration file example3-1-client.conf at hand.
- Create the server configuration file:
proto udp
port 1194
dev tap
dev-node tap-bridge
# gateway, netmask, first and last address of the client pool; all four must lie in the bridge subnet
server-bridge 172.30.0.50 255.255.255.0 172.30.0.80 172.30.0.250
ca "c:/program files/openvpn/config/ca.crt"
cert "c:/program files/openvpn/config/server.crt"
key "c:/program files/openvpn/config/server.key"
dh "c:/program files/openvpn/config/dh1024.pem"
# key direction 0 on the server; clients use 1
tls-auth "c:/program files/openvpn/config/ta.key" 0
push "route 172.30.0.0 255.255.255.0"
persist-key
persist-tun
keepalive 10 60
Save it as example3-4-server.ovpn.
- Next, create the network bridge:
- Each TAP-Win32 adapter on Windows is assigned a name like Local Area Connection 2. Go to the Network Connections control panel and rename it to tap-bridge.
- Next, select tap-bridge and your Ethernet adapter with the mouse, right click, and then select Bridge Connections:
This will create a new bridge adapter icon in the control panel, usually named Network Bridge (…).
- The network bridge is now ready to be configured:
- In a command window, verify that the bridge is configured correctly:
[winserver]C:> netsh interface ip show address "Network Bridge"
Configuration for interface "Network Bridge"
    DHCP enabled:                         No
    IP Address:                           172.30.0.50
    SubnetMask:                           255.255.255.128
    Default Gateway:                      172.30.0.1
    GatewayMetric:                        5
    InterfaceMetric:                      0
- Start the OpenVPN server:
[winserver]C:> cd \program files\openvpn\config
[winserver]C:> ..\bin\openvpn --config example3-4-server.ovpn
- Start the client:
[root@client]# openvpn --config example3-1-client.conf
- Now, check the assigned VPN address and verify that we can ping a machine on the remote server LAN:
[client]$ /sbin/ifconfig tap1
tap1      Link encap:Ethernet  HWaddr A2:F4:D4:E7:99:CF
          inet addr:172.30.0.80  Bcast:172.30.0.255  Mask:255.255.255.0
[…]
[client]$ ping -c 2 172.30.0.12
PING 172.30.0.12 (172.30.0.12) 56(84) bytes of data.
64 bytes from 172.30.0.12: icmp_seq=1 ttl=128 time=24.0 ms
64 bytes from 172.30.0.12: icmp_seq=2 ttl=128 time=26.0 ms
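The two places where a bridged server configuration most often goes wrong are the four arguments of server-bridge (gateway, netmask, pool start, pool end all have to lie in the bridge's subnet, and the gateway must not sit inside the pool) and a mismatch between what the configuration advertises and what the bridge adapter actually has, as reported by netsh above. The following checker is an added example, not code from the book or from the OpenVPN project: it parses a server configuration, validates the server-bridge directive, confirms the Windows-style dev tap plus dev-node selection and the presence of tls-auth, and optionally compares the directive against the address and mask read off the bridge adapter. The embedded SAMPLE_CONFIG is constructed from this recipe's directives; the file paths and adapter name in it are the recipe's, everything else (function names, the interface tuple) is this example's own.

```python
"""Sanity-check a bridged OpenVPN server configuration (added example, not from the book)."""
import ipaddress
import shlex

# Constructed sample built from the directives in this recipe.
SAMPLE_CONFIG = """\
proto udp
port 1194
dev tap
dev-node tap-bridge
server-bridge 172.30.0.50 255.255.255.0 172.30.0.80 172.30.0.250
ca "c:/program files/openvpn/config/ca.crt"
cert "c:/program files/openvpn/config/server.crt"
key "c:/program files/openvpn/config/server.key"
dh "c:/program files/openvpn/config/dh1024.pem"
tls-auth "c:/program files/openvpn/config/ta.key" 0
push "route 172.30.0.0 255.255.255.0"
persist-key
persist-tun
keepalive 10 60
"""

REQUIRED = ("ca", "cert", "key", "dh", "server-bridge")


def parse_openvpn_config(text):
    """Return [(directive, [args]), ...]; full-line comments (# or ;) and blank lines are skipped."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps the double-quoted Windows paths as single arguments
        directives.append((parts[0], parts[1:]))
    return directives


def first(directives, name):
    """Arguments of the first occurrence of a directive, or None if absent."""
    for directive, args in directives:
        if directive == name:
            return args
    return None


def check_server_bridge(directives):
    """Problems with server-bridge: pool ends inside the subnet, ordered, gateway outside the pool."""
    args = first(directives, "server-bridge")
    if args is None or len(args) != 4:
        return ["server-bridge needs exactly: gateway netmask pool-start pool-end"]
    try:
        gateway = ipaddress.IPv4Address(args[0])
        network = ipaddress.IPv4Network(f"{args[0]}/{args[1]}", strict=False)
        start, end = ipaddress.IPv4Address(args[2]), ipaddress.IPv4Address(args[3])
    except ValueError as exc:
        return [f"server-bridge: unparsable address: {exc}"]
    problems = []
    for label, addr in (("pool start", start), ("pool end", end)):
        if addr not in network:
            problems.append(f"{label} {addr} is outside {network}")
    if start > end:
        problems.append(f"pool start {start} is after pool end {end}")
    if start <= gateway <= end:
        problems.append(f"gateway {gateway} lies inside the client pool")
    return problems


def check_windows_tap(directives):
    """On Windows the TAP adapter must be picked by name: 'dev tap' plus 'dev-node <name>'."""
    if first(directives, "dev") != ["tap"]:
        return ["bridging requires 'dev tap'"]
    if not first(directives, "dev-node"):
        return ["dev-node is missing; add 'dev-node <adapter name>' on Windows"]
    return []


def check_tls_auth(directives):
    """tls-auth with key direction 0 on the server HMAC-checks control packets before the TLS handshake."""
    args = first(directives, "tls-auth")
    if args is None:
        return ["tls-auth is not configured; control-channel packets are not HMAC-checked"]
    if len(args) == 2 and args[1] != "0":
        return [f"tls-auth key direction should be 0 on the server, found {args[1]}"]
    return []


def check_against_interface(directives, address, netmask):
    """Compare server-bridge with the address and mask 'netsh interface ip show address' reports."""
    args = first(directives, "server-bridge")
    if args is None or len(args) != 4:
        return []
    problems = []
    if args[0] != address:
        problems.append(f"server-bridge gateway {args[0]} differs from bridge address {address}")
    if args[1] != netmask:
        problems.append(f"server-bridge netmask {args[1]} differs from bridge netmask {netmask}")
    return problems


def check_config(text, interface=None):
    """Run every check; an empty list means the configuration looks sane."""
    directives = parse_openvpn_config(text)
    problems = [f"missing required directive '{name}'" for name in REQUIRED if first(directives, name) is None]
    problems += check_server_bridge(directives)
    problems += check_windows_tap(directives)
    problems += check_tls_auth(directives)
    if interface:
        problems += check_against_interface(directives, *interface)
    return problems


if __name__ == "__main__":
    # Second argument: the address/mask pair taken from the bridge adapter (constructed here).
    for problem in check_config(SAMPLE_CONFIG, ("172.30.0.50", "255.255.255.128")) or ["no problems found"]:
        print(problem)
    # A pool end typed into the wrong subnet is caught as two separate problems.
    for problem in check_config(SAMPLE_CONFIG.replace("172.30.0.250", "170.32.0.250")):
        print(problem)
```

Run it against the real file with `check_config(open(path).read(), (address, mask))`, feeding the address and mask from the netsh output, before starting the service; a mask mismatch between the adapter and server-bridge means clients and the server disagree on the broadcast domain even though the TLS session comes up fine.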
Apart from the way the bridge is created and configured, this recipe is very similar to the previous one. The one thing to keep in mind is how the adapter is selected in the server configuration file:
dev tap
dev-node tap-bridge
On Linux and other UNIX variants, this could be achieved using a single line:
dev tap0
But the naming scheme for the TAP adapters on Windows is different. To overcome this, the dev-node directive needs to be added.