Установка пакетов

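# "brctl" is a command shipped by net-misc/bridge-utils, not a package of its
# own, so "emerge brctl" cannot be resolved. Use full atoms to be unambiguous.
# NOTE: the generator script further down expects easy-rsa 2.x (it sources
# ./vars and calls pkitool); easy-rsa 3 ships a single "easyrsa" tool instead
# and needs a different workflow.
emerge net-misc/openvpn net-misc/bridge-utils app-crypt/easy-rsa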

Конфигурация сервера

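# OpenVPN bridged (TAP) server configuration.
# Clients are attached to the bridge and obtain their address from the LAN's
# DHCP server (server-bridge without arguments = DHCP proxy mode).
# mode server / tls-server are already implied by server-bridge; harmless.
mode server
tls-server
port 1194
proto udp
dev tap0
# PKI material from easy-rsa. Paths are relative to the directory OpenVPN is
# started in (presumably /etc/openvpn on Gentoo); make them absolute if the
# daemon is launched from elsewhere.
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server-bridge
keepalive 10 120
# comp-lzo: compressing data inside the TLS tunnel enables VORACLE-style
# plaintext recovery attacks. Kept because the client template below also
# sets it and both sides must agree; remove it on both sides (or use
# "comp-lzo no") once clients have been regenerated.
comp-lzo
# Drop root after the tunnel and tap0 are set up (the "up" script still runs
# as root, before the drop). persist-key/persist-tun are required for this so
# that a restart does not need to re-read the key or reopen the tap device.
# "nobody" exists on Gentoo; adjust for a distribution-specific account.
user nobody
group nobody
persist-key
persist-tun
# Only accept peers whose certificate carries the client extended key usage,
# so a leaked *server* certificate cannot be used to connect as a client.
# easy-rsa 2 pkitool (used by the generator script) issues client certs with
# this extension; drop the line if client certs come from a different CA setup.
remote-cert-tls client
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
mute 20
# The management socket has no authentication: it is bound to localhost only,
# but every local user can connect and e.g. kill sessions. On a shared host add
# a password file as third argument (mode 0600), or remove the line.
management localhost 7505
# script-security 2 is the minimum level required to run the up script below.
script-security 2
up /etc/openvpn/upbr.sh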

Скрипт для удобной генерации конфигов клиентов

Шаблон конфига

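# Client profile template, read by the generator script as
# /etc/openvpn/scripts/template.conf. The three dollar-brace placeholders in
# the cert section at the bottom (FILE_CA, FILE_CERT, FILE_KEY) are replaced
# with the PEM contents, so the rendered .conf is self-contained and carries
# the client's private key: store and transfer it like a secret.
# Do NOT write a dollar-brace placeholder in a comment: the generator would
# expand it there too and inject multi-line PEM text into the comment.
client
dev tap
proto udp
# Server address and port (presumably the server's bridge address).
remote 10.0.10.1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Must match the server, which also sets comp-lzo. Compression inside TLS is a
# known weakness (VORACLE); remove it on both sides when possible.
comp-lzo
# Refuse to connect to a peer whose certificate is not a server certificate,
# so another client's (or a stolen client) certificate cannot impersonate the
# server. Requires the server cert to have been issued with build-key-server
# (serverAuth extension), which is the easy-rsa default for server certs.
remote-cert-tls server
verb 3

##### certs
<ca>
${FILE_CA}
</ca>
<cert>
${FILE_CERT}
</cert>
<key>
${FILE_KEY}
</key>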

Скрипт для генерации

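#!/bin/bash
#
# Generate an OpenVPN client certificate/key pair with easy-rsa 2 (pkitool)
# and package it two ways: a zip archive with the separate files, and a single
# self-contained client .conf rendered from /etc/openvpn/scripts/template.conf
# (every ${NAME} placeholder in the template is replaced with the value of the
# shell variable NAME; the template uses FILE_CA, FILE_CERT and FILE_KEY).
#
# Usage: script [CN] [EMAIL]
#   CN     common name of the new client; prompted for when omitted
#   EMAIL  optional, exported as KEY_EMAIL for easy-rsa
#
# Both outputs contain the client's private key, so they are written with
# mode 0600 (umask 077) into $KEY_DOWNLOAD_PATH. The zip is not encrypted:
# hand it over through a secure channel only.

# -u is deliberately not set: ./vars (easy-rsa, site-specific) is sourced below.
set -eo pipefail

# Where easy-rsa lives, where it writes keys, and where finished bundles go.
OPENVPN_RSA_DIR=/etc/openvpn/easy-rsa
OPENVPN_KEYS=$OPENVPN_RSA_DIR/keys
KEY_DOWNLOAD_PATH=/etc/openvpn/keys
TEMPLATE=/etc/openvpn/scripts/template.conf

# Print a message to stderr and abort with a non-zero status.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Either read the CN from $1 or prompt for it.
CN=${1-}
if [[ -z "$CN" ]]; then
  printf 'Enter new client common name (CN): '
  read -r -e CN || true
fi

# Ensure CN isn't blank.
[[ -n "$CN" ]] || die "You must provide a CN."

# The CN becomes part of file names under $OPENVPN_KEYS and $KEY_DOWNLOAD_PATH
# and is handed to pkitool, so restrict it to a safe character set. This blocks
# path traversal ("../", absolute paths), shell metacharacters and whitespace.
[[ "$CN" =~ ^[A-Za-z0-9._-]+$ ]] \
  || die "Error: CN may only contain letters, digits, '.', '_' and '-'."

# Check the CN doesn't already exist.
if [[ -f "$OPENVPN_KEYS/$CN.crt" ]]; then
  printf 'Error: certificate with the CN %s already exists!\n' "$CN" >&2
  die "    $OPENVPN_KEYS/$CN.crt"
fi

[[ -d "$KEY_DOWNLOAD_PATH" ]] || die "Output directory $KEY_DOWNLOAD_PATH does not exist."
[[ -f "$TEMPLATE" ]] || die "Template $TEMPLATE not found."

# Enter the easy-rsa directory and establish the default variables.
cd "$OPENVPN_RSA_DIR" || die "Cannot cd to $OPENVPN_RSA_DIR"
# shellcheck disable=SC1091
source ./vars > /dev/null

# Copied from build-key script (to ensure it works!)
export EASY_RSA="${EASY_RSA:-.}"
if [[ -n "${2-}" ]]; then
  export KEY_EMAIL="$2"
fi
# Without this check a failed pkitool run would silently produce a profile
# with empty <cert>/<key> sections.
"$EASY_RSA/pkitool" --batch "$CN" || die "pkitool failed for CN $CN"
[[ -f "$OPENVPN_KEYS/$CN.key" && -f "$OPENVPN_KEYS/$CN.crt" ]] \
  || die "pkitool did not create $OPENVPN_KEYS/$CN.key and $OPENVPN_KEYS/$CN.crt"

# Everything written from here on contains the private key: owner-only access.
umask 077

# Take the new cert and place it somewhere it can be downloaded securely.
stamp=$(date +%d%m%y)
zip -q "$KEY_DOWNLOAD_PATH/$CN-$stamp.zip" \
  "$OPENVPN_KEYS/$CN.crt" "$OPENVPN_KEYS/$CN.key" "$OPENVPN_KEYS/ca.crt" \
  || die "zip failed"

FILE_CA=$(cat "$OPENVPN_KEYS/ca.crt")
FILE_KEY=$(cat "$OPENVPN_KEYS/$CN.key")
FILE_CERT=$(cat "$OPENVPN_KEYS/$CN.crt")

# Render the template. Placeholders are resolved with indirect expansion
# (${!name}) instead of eval, so nothing from the template or the PEM files is
# ever interpreted as shell code. The profile is written once, truncating any
# leftover from an earlier failed run (the original appended to it).
out=$KEY_DOWNLOAD_PATH/$CN.conf
while IFS= read -r line || [[ -n "$line" ]]; do
  while [[ "$line" =~ (\$\{[a-zA-Z_][a-zA-Z_0-9]*\}) ]]; do
    placeholder=${BASH_REMATCH[1]}
    name=${placeholder#\$\{}
    name=${name%\}}
    value=${!name-}
    # Pattern and replacement are quoted so neither is treated as a glob
    # (nor "&" as a back-reference in bash >= 5.2).
    line=${line//"$placeholder"/"$value"}
  done
  printf '%s\n' "$line"
done < "$TEMPLATE" > "$out"

# Celebrate!
printf 'Client profile written to %s (key material is mode 0600)\n' "$out"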