
TC-6110 Linux User's Manual Managing Communications
On each OpenVPN machine, you should carry out configurations in the /etc/openvpn directory, where script
files and key files reside. Once established, all operations will be performed in that directory.
Ethernet Bridges Linking Independent Subnets Over the Internet
This setup links two independent subnets over the Internet. It uses at least four machines, as shown
in the following diagram. OpenVPN designates a dedicated VPN server (perhaps also a firewall), while Host
designates a client computer located behind the VPN server.
Host A represents the machine that belongs to the subnet served by the VPN server, OpenVPN A, and Host
B represents a machine that belongs to the subnet served by the VPN server, OpenVPN B. The two remote
subnets are configured for distinct ranges of IP addresses on separate subnets. When this configuration
is moved to a public network, the external interfaces of the OpenVPN machines must be configured for static
IPs, or connected to another device (such as a firewall or DSL box) that uses a static address. To set up a
bridged Ethernet tunnel following this basic architecture, follow the instructions below:
1. Generate a pre-shared (static) key by typing the following command:
moxa@MOXA:~# openvpn --genkey --secret secrouter.key
2. Copy the keyfile that you have just generated to the OpenVPN machines:
moxa@MOXA:~# scp /etc/openvpn/secrouter.key XXX.XXX.X.XXX:/etc/openvpn
ATTENTION
Select the cipher and HMAC authentication algorithms by specifying the cipher and auth directives in the
configuration file. To see which ciphers and authentication algorithms are available, type:
moxa@MOXA:~# openvpn --show-ciphers
moxa@MOXA:~# openvpn --show-auths
For testing purposes, a pre-shared key is provided at /etc/openvpn/secrouter.key. This is adequate for
testing, but you must generate a new key before going live, or the network will be insecure.
Configuring OpenVPN A
1. Modify the remote address in the configuration file /etc/openvpn/tap0-br.conf by adding the IP
address for the remote server (in this case, OpenVPN B).
# point to the peer
remote 192.168.8.174
dev tap0
port 1194
secret /etc/openvpn/secrouter.key