References for this article
1.https://www.emaculation.com/doku.php/bridged_openvpn_server_setup
2.https://serverfault.com/questions/622657/configure-firewalld-for-openvpn-server-bridge-in-fedora-20
3.https://www.linux.org.ru/forum/admin/10631949
Note: Android and iOS clients have defective support for TAP adapters, so in theory Android and iOS do not support OpenVPN bridging.
Android clients with partial support: VPN Client Pro (paid, no root required), OpenVPN Installer / OpenVPN Settings (free, root required)
A possible workaround for Android and iOS is VAP: see this link
1. Software versions
CentOS – 7.9.2009
easy-rsa – 3.0.8
OpenVPN – 2.4.10
bridge-utils
2. Installation
Most steps from the earlier NAT-mode installation tutorial can be reused; only the differences are described here.
2.1 Configure bridging
Install bridge-utils
yum install bridge-utils
Run ip addr to view the local IP configuration
[root@localhost ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:8f:c0:dd brd ff:ff:ff:ff:ff:ff
    inet 10.24.11.243/24 brd 10.24.11.255 scope global noprefixroute ens32
       valid_lft forever preferred_lft forever
    inet6 fe80::f4f5:b7e6:943d:fd26/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::80e4:f8c5:e4fe:cf1/64 scope link flags 800
       valid_lft forever preferred_lft forever
From this output we get the following values:
IP address: 10.24.11.243; subnet mask: 255.255.255.0 (/24 in CIDR notation); broadcast address: 10.24.11.255; gateway IP address: 10.24.11.254
Create the bridge script
nano /etc/openvpn/openvpn-bridge
Contents as follows
#!/bin/sh

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
# Adjust the following four items to match your environment
eth="ens32"
eth_ip_netmask="10.24.11.243/24"
eth_broadcast="10.24.11.255"
eth_gateway="10.24.11.254"

case "$1" in
start)
    # Create the TAP device(s) OpenVPN will use
    for t in $tap; do
        openvpn --mktun --dev $t
    done

    # Create the bridge and attach the physical NIC and the TAP device(s)
    brctl addbr $br
    brctl addif $br $eth

    for t in $tap; do
        brctl addif $br $t
    done

    for t in $tap; do
        ip addr flush dev $t
        ip link set $t promisc on up
    done

    # Move the IP address from the physical NIC onto the bridge
    ip addr flush dev $eth
    ip link set $eth promisc on up

    ip addr add $eth_ip_netmask broadcast $eth_broadcast dev $br
    ip link set $br up

    ip route add default via $eth_gateway
    ;;
stop)
    # Tear down the bridge and restore the address to the physical NIC
    ip link set $br down
    brctl delbr $br

    for t in $tap; do
        openvpn --rmtun --dev $t
    done

    ip link set $eth promisc off up

    ip addr add $eth_ip_netmask broadcast $eth_broadcast dev $eth
    ip route add default via $eth_gateway
    ;;
*)
    echo "Usage: openvpn-bridge {start|stop}"
    exit 1
    ;;
esac
exit 0
Set permissions and ownership
chmod 700 /etc/openvpn/openvpn-bridge
chown openvpn:openvpn /etc/openvpn/openvpn-bridge
2.2 Edit the server configuration
Comment out dev tun and replace it with dev tap0
Comment out the server line and replace it with server-bridge; the server-bridge syntax is
server-bridge [gw] [mask] [start-IP] [end-IP]
Note: some tutorials put the local host's IP in [gw], others the actual gateway. After trying both, with the local host's address clients can only reach the local subnet; if there are multiple VLANs, the other subnets cannot be reached.
So the correct value for [gw] is the actual gateway.
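As an added check (not part of the original article), the following Python script validates a server-bridge line against the pitfalls described above: [gw] must be the real LAN gateway rather than the OpenVPN host's own address, every address must sit in one subnet, and the client pool must exclude the gateway and the server. The lan_dhcp argument is an assumption for networks where a LAN DHCP server also serves the bridged segment.

```python
"""Added example (not from the original article): sanity-check the
server-bridge parameters before writing them into server.conf.
The lan_dhcp argument is an assumption: bridged clients share the LAN,
so the pool must not overlap what a LAN DHCP server hands out."""
import ipaddress
from typing import List, Optional, Tuple


def check_server_bridge(gw: str, mask: str, start: str, end: str, server_ip: str,
                        lan_dhcp: Optional[Tuple[str, str]] = None) -> List[str]:
    """Return the problems found; an empty list means the line is consistent."""
    problems = []
    net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
    gw_a, srv_a = ipaddress.ip_address(gw), ipaddress.ip_address(server_ip)
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    # The article found that putting the OpenVPN host's own IP in [gw]
    # confines clients to the local segment; the real gateway must be used.
    if gw_a == srv_a:
        problems.append("gw equals the OpenVPN host address; use the LAN gateway")
    for name, a in (("server", srv_a), ("start-IP", first), ("end-IP", last)):
        if a not in net:
            problems.append(f"{name} {a} is outside {net}")
    if first > last:
        problems.append("start-IP is greater than end-IP")
    # The client pool must leave out the gateway and the server itself.
    for name, a in (("gateway", gw_a), ("server", srv_a)):
        if first <= a <= last:
            problems.append(f"client pool {first}-{last} contains the {name} {a}")
    if lan_dhcp:
        d_lo, d_hi = (ipaddress.ip_address(x) for x in lan_dhcp)
        if first <= d_hi and d_lo <= last:
            problems.append(f"client pool overlaps LAN DHCP range {d_lo}-{d_hi}")
    return problems


def server_bridge_line(gw: str, mask: str, start: str, end: str) -> str:
    """Render the directive exactly as it goes into server.conf."""
    return f"server-bridge {gw} {mask} {start} {end}"


if __name__ == "__main__":
    # Values taken from the article's server.conf and ip addr output.
    good = ("10.24.11.254", "255.255.255.0", "10.24.11.10", "10.24.11.190")
    print(server_bridge_line(*good))
    print(check_server_bridge(*good, server_ip="10.24.11.243"))  # []
    # The variant the article rejects: the host's own address as [gw].
    bad = ("10.24.11.243", "255.255.255.0", "10.24.11.10", "10.24.11.190")
    for p in check_server_bridge(*bad, server_ip="10.24.11.243"):
        print("WARNING:", p)
```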
Edit the file
nano /etc/openvpn/server/server.conf
Contents as follows
port 1194
proto tcp
#dev tun
dev tap0
#dev-node tap-bridge
user openvpn
group openvpn

# Certificate settings
ca /etc/openvpn/server/easy-rsa/pki/ca.crt
cert /etc/openvpn/server/easy-rsa/pki/issued/server.crt
key /etc/openvpn/server/easy-rsa/pki/private/server.key
dh /etc/openvpn/server/easy-rsa/pki/dh.pem
tls-auth /etc/openvpn/server/easy-rsa/ta.key 0

# Username/password authentication
script-security 3
auth-user-pass-verify "/etc/openvpn/server/user/checkpsw.sh" via-env
verify-client-cert none
username-as-common-name
client-to-client
duplicate-cn

# Network settings
#server 10.8.0.0 255.255.255.0
server-bridge 10.24.11.254 255.255.255.0 10.24.11.10 10.24.11.190
push "dhcp-option DNS 10.24.11.250"
push "dhcp-option DNS 114.114.114.114"
push "route 10.24.11.0 255.255.255.0"
push "route 10.24.0.0 255.255.0.0"
push "route 172.20.0.0 255.255.0.0"
push "route 10.244.0.0 255.255.0.0"

compress lzo
cipher AES-256-CBC
keepalive 10 120
persist-key
persist-tun
verb 3
log /var/log/openvpn/server.log
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log
2.3 Edit the systemd unit
Edit openvpn-server@.service
nano /usr/lib/systemd/system/openvpn-server@.service
Add the following two lines after the existing entries in the [Service] section
[Service]
ExecStartPre=/etc/openvpn/openvpn-bridge start
ExecStopPost=/etc/openvpn/openvpn-bridge stop
Reload the systemd units
systemctl daemon-reload
Restart the server (the instance name matches the configuration file server.conf)
systemctl restart openvpn-server@server.service
2.4 Configure the firewall
The official documentation only gives an iptables version; the iptables rules are
iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
After running them, save the rules
service iptables save
The equivalent firewalld version is
firewall-cmd --permanent --direct --passthrough ipv4 -A INPUT -i tap0 -j ACCEPT
firewall-cmd --permanent --direct --passthrough ipv4 -A INPUT -i br0 -j ACCEPT
firewall-cmd --permanent --direct --passthrough ipv4 -A FORWARD -i br0 -j ACCEPT
After running them, reload firewalld for the rules to take effect
firewall-cmd --reload
2.5 Configure the client
Change dev tun to dev tap0
Edit C:\Program Files\OpenVPN\config\client.ovpn as follows
client
proto tcp
dev tap0
auth-user-pass
remote 10.24.11.243 1194
ca ca.crt
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
auth-nocache
persist-tun
persist-key
comp-lzo
verb 3
mute 10
3. Common problems
1. The client gets an IP in the same subnet and can ping other subnets and the server's IP, but cannot ping other hosts in the same subnet
If the server runs in a virtual machine (e.g. ESXi, Hyper-V), first check whether the "allow MAC address spoofing" (forged transmits) option is enabled
The corresponding ESXi setting is shown below
Once that is enabled, check whether the firewall has a NAT (masquerade) configuration and remove it.
Nice
Thanks for your support