Установка пакетов

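# Gentoo: OpenVPN daemon, brctl (bridge management, presumably used by the
# bridge up-script referenced from the server config) and easy-rsa for the PKI.
emerge openvpn brctl easy-rsa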

Конфигурация сервера

 1mode server
 2tls-server
 3port 1194
 4proto udp
 5dev tap0
 6ca ca.crt
 7cert server.crt
 8key server.key
 9dh dh2048.pem
10server-bridge
11keepalive 10 120
12comp-lzo
13persist-key
14persist-tun
15status openvpn-status.log
16log-append /var/log/openvpn.log
17verb 3
18mute 20
19management localhost 7505
20script-security 2
21up /etc/openvpn/upbr.sh

Скрипт для удобной генерации конфигов клиентов

Шаблон конфига

 1client
 2dev tap
 3proto udp
 4remote 10.0.10.1 1194
 5resolv-retry infinite
 6nobind
 7persist-key
 8persist-tun
 9comp-lzo
10verb 3
11
12##### certs
13<ca>
14${FILE_CA}
15</ca>
16<cert>
17${FILE_CERT}
18</cert>
19<key>
20${FILE_KEY}
21</key>

Скрипт для генерации

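#!/bin/bash
#
# Issue a client certificate with easy-rsa 2.x (pkitool) and build a
# self-contained OpenVPN client config from a template.
#
# Usage: $0 [CN] [EMAIL]
#   CN    - common name of the new client; prompted for when omitted
#   EMAIL - optional, exported as KEY_EMAIL for pkitool
#
# Outputs (both contain the client's private key and are created 0600):
#   $KEY_DOWNLOAD_PATH/$CN-<ddmmyy>.zip  - $CN.crt, $CN.key and ca.crt
#   $KEY_DOWNLOAD_PATH/$CN.conf          - template with ${FILE_CA},
#                                          ${FILE_CERT}, ${FILE_KEY} filled in
set -euo pipefail

# Set where we're working from
readonly OPENVPN_RSA_DIR=/etc/openvpn/easy-rsa
readonly OPENVPN_KEYS=$OPENVPN_RSA_DIR/keys
readonly KEY_DOWNLOAD_PATH=/etc/openvpn/keys
readonly TEMPLATE=/etc/openvpn/scripts/template.conf

#######################################
# Print each argument on its own line to stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$@" >&2
  exit 1
}

#######################################
# Reject a CN that could escape the keys directory or be parsed as an
# option: it is used verbatim as a file name (keys/$CN.crt) and as the
# pkitool argument, so "../", whitespace and a leading "-" are not allowed.
# Arguments: $1 - common name
# Returns:   0 if acceptable, exits via die otherwise
#######################################
validate_cn() {
  local cn=$1
  [[ "$cn" =~ ^[A-Za-z0-9][A-Za-z0-9._@-]*$ ]] \
    || die "Invalid CN '$cn': use letters, digits, '.', '_', '@' or '-', not starting with '-'"
}

#######################################
# Expand ${NAME} placeholders in a template file with the value of the
# shell variable NAME (empty when unset) and print the result.
# Indirect expansion replaces the original eval: the substituted file
# contents are treated as data and are never re-parsed by the shell.
# Arguments: $1 - template file
# Outputs:   expanded template on stdout
#######################################
expand_template() {
  local template=$1 line name value
  while IFS= read -r line || [[ -n "$line" ]]; do
    while [[ "$line" =~ (\$\{([a-zA-Z_][a-zA-Z_0-9]*)\}) ]]; do
      name=${BASH_REMATCH[2]}
      value=${!name-}
      # both sides quoted: the placeholder is matched literally (no glob)
      # and the value is inserted literally (no '&' patsub_replacement)
      line=${line//"${BASH_REMATCH[1]}"/"$value"}
    done
    printf '%s\n' "$line"
  done < "$template"
}

# Either read the CN from $1 or prompt for it
if [[ -z "${1-}" ]]; then
  printf 'Enter new client common name (CN): '
  read -r -e CN || CN=
else
  CN=$1
fi

# Ensure CN isn't blank
[[ -n "$CN" ]] || die "You must provide a CN."
validate_cn "$CN"

# Check the CN doesn't already exist
if [[ -f "$OPENVPN_KEYS/$CN.crt" ]]; then
  die "Error: certificate with the CN $CN already exists!" \
      "    $OPENVPN_KEYS/$CN.crt"
fi

# Enter the easy-rsa directory and establish the default variables
cd "$OPENVPN_RSA_DIR" || die "Cannot cd to $OPENVPN_RSA_DIR"
# easy-rsa's vars is not written for 'set -u'; relax it while sourcing
set +u
# shellcheck disable=SC1091
source ./vars > /dev/null
set -u

# Copied from build-key script (to ensure it works!)
export EASY_RSA="${EASY_RSA:-.}"
if [[ -n "${2-}" ]]; then
  export KEY_EMAIL="$2"
fi
"$EASY_RSA/pkitool" --batch "$CN" || die "pkitool failed for CN $CN"

# Take the new cert and place it somewhere it can be downloaded securely.
# Everything created from here on holds the client's private key, so
# make new files owner-only regardless of the caller's umask.
umask 077
mkdir -p -- "$KEY_DOWNLOAD_PATH"
zipfile=$KEY_DOWNLOAD_PATH/$CN-$(date +%d%m%y).zip
zip -q "$zipfile" "keys/$CN.crt" "keys/$CN.key" keys/ca.crt

# Values for the template placeholders; read by expand_template through
# indirect expansion, which is why shellcheck sees them as unused.
# shellcheck disable=SC2034
FILE_CA=$(< keys/ca.crt)
# shellcheck disable=SC2034
FILE_KEY=$(< "keys/$CN.key")
# shellcheck disable=SC2034
FILE_CERT=$(< "keys/$CN.crt")

# Build the config in a 0600 temp file and rename it into place: the key
# is never readable while the file is being written, and a rerun can
# never append a second copy the way '>>' did.
conf=$KEY_DOWNLOAD_PATH/$CN.conf
tmp=$(mktemp "$KEY_DOWNLOAD_PATH/.$CN.conf.XXXXXX") || die "mktemp failed"
trap 'rm -f -- "$tmp"' EXIT
expand_template "$TEMPLATE" > "$tmp"
mv -- "$tmp" "$conf"
trap - EXIT

# Celebrate!
printf 'Created %s and %s\n' "$zipfile" "$conf"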