0

Preamble: I am lucky to have an IP subnet which has real IPs, so no NAT. I have a network from 1.2.3.0 to 1.2.3.128.

I have a Debian server with an eth0 interface, say 1.2.4.9. Now I want to have OpenVPN bridge to this interface and give addresses to clients, say from address 1.2.3.80 to 1.2.3.90.

Do I need some br0 interfaces?

All the tutorials introduce NATing at some point, but I do not need it.

1 Answer

0

This is something that's actually covered in the OpenVPN documentation and should be pretty trivial to do. You're going to need to alter the scripts provided for your own settings. Since you have 128 IP addresses, I believe your netmask is 25 - from here

From that we can derive a fair amount of information on your system - I used this IP address calculator to work this out and it gives the following information:

    Address:   1.2.4.9               00000001.00000010.00000100.0 0001001
    Netmask:   255.255.255.128 = 25  11111111.11111111.11111111.1 0000000
    Wildcard:  0.0.0.127             00000000.00000000.00000000.0 1111111
    =>
    Network:   1.2.4.0/25            00000001.00000010.00000100.0 0000000 (Class A)
    Broadcast: 1.2.4.127             00000001.00000010.00000100.0 1111111
    HostMin:   1.2.4.1               00000001.00000010.00000100.0 0000001
    HostMax:   1.2.4.126             00000001.00000010.00000100.0 1111110
    Hosts/Net: 126

Plugging those numbers into the steps given in OpenVPN's documentation would get you started.

You will need to create a startup and shutdown file for the server bridge to use a bridged interface. You will also need bridge utils. While I've included the essential steps, RTFM too in case I missed anything.

    #!/bin/bash

    #################################
    # Set up Ethernet bridge on Linux
    # Requires: bridge-utils
    #################################

    # Define Bridge Interface
    br="br0"

    # Define list of TAP interfaces to be bridged,
    # for example tap="tap0 tap1 tap2".
    tap="tap0"

    # Define physical ethernet interface to be bridged
    # with TAP interface(s) above.
    eth="eth0"
    eth_ip="1.2.4.9"
    eth_netmask="255.255.255.128"
    eth_broadcast="1.2.4.127"

    for t in $tap; do
        openvpn --mktun --dev $t
    done

    brctl addbr $br
    brctl addif $br $eth

    for t in $tap; do
        brctl addif $br $t
    done

    for t in $tap; do
        ifconfig $t 0.0.0.0 promisc up
    done

    ifconfig $eth 0.0.0.0 promisc up

    ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

and the shutdown file as per the documentation - note the change in eth_ip, eth_netmask and eth_broadcast

You need to alter your OpenVPN configuration file to comment out the line reading dev tun and add a new line reading dev tap0, and replace the line reading server with server-bridge 1.2.4.9 255.255.255.128 1.2.3.80 1.2.3.90 - the IP address of the server, the netmask as per that calculator and the start and end of the IP address range you want.
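A pre-flight check for the four server-bridge arguments, added here as an example; it is not part of the answer or of OpenVPN's scripts. The function names and the rules it enforces (pool inside the bridge subnet, pool not covering the network, broadcast or bridge address) are this example's assumptions about what a consistent bridged setup looks like.

```sh
#!/bin/sh
# Added example: sanity-check "server-bridge GATEWAY NETMASK POOL_START POOL_END"
# before bridging VPN clients onto the LAN segment.

# Dotted quad -> 32-bit integer on stdout; non-zero exit on malformed input.
ip2int() {
    local IFS=. o
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    set -- $1                      # split on dots (input is digits and dots only)
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|0?*|????*) return 1 ;; esac   # empty, leading zero, too long
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prints "ok" or the first problem found; returns 0 only when consistent.
check_server_bridge() {
    local gw mask start end inv net bcast
    gw=$(ip2int "$1") && mask=$(ip2int "$2") &&
        start=$(ip2int "$3") && end=$(ip2int "$4") ||
        { echo "invalid address"; return 1; }
    # Contiguous mask: the inverted mask must be of the form 2^k - 1.
    inv=$(( ~mask & 0xFFFFFFFF ))
    [ $(( inv & (inv + 1) )) -eq 0 ] || { echo "non-contiguous netmask"; return 1; }
    net=$(( gw & mask )); bcast=$(( net | inv ))
    [ "$start" -le "$end" ] || { echo "pool start after pool end"; return 1; }
    [ $(( start & mask )) -eq "$net" ] && [ $(( end & mask )) -eq "$net" ] ||
        { echo "pool outside bridge subnet"; return 1; }
    [ "$start" -gt "$net" ] && [ "$end" -lt "$bcast" ] ||
        { echo "pool includes network or broadcast address"; return 1; }
    if [ "$gw" -ge "$start" ] && [ "$gw" -le "$end" ]; then
        echo "pool includes the bridge address"; return 1
    fi
    echo "ok"
}

# Constructed values from the 192.0.2.0/24 documentation range, not the asker's network.
check_server_bridge 192.0.2.9 255.255.255.128 192.0.2.80 192.0.2.90 || true
```

Called with the arguments quoted above (1.2.4.9 255.255.255.128 1.2.3.80 1.2.3.90) it prints "pool outside bridge subnet", because those sample addresses mix the 1.2.4.x and 1.2.3.x ranges used in the question.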
