I wanted to have as much of the configuration on the server as possible so that I could easily add more clients and wouldn't need to update client configuration whenever the server preferences change.
Here is my OpenVPN server configuration:
    mode server
    tls-server
    dev tap0
    server-bridge 10.5.6.1 255.255.255.0 10.5.6.200 10.5.6.209
    ifconfig-pool-persist /var/run/openvpn-ip.txt
    keepalive 10 60
    ping-timer-rem
    persist-tun
    push "route 10.5.6.0 255.255.255.0"
    push "dhcp-option DNS 10.5.6.1"
    ca /root/easy-rsa-2.0/keys/ca.crt
    key /root/easy-rsa-2.0/keys/ressukka.net.key
    cert /root/easy-rsa-2.0/keys/ressukka.net.crt
    dh /root/easy-rsa-2.0/keys/dh1024.pem
    client-to-client
    up /etc/openvpn/ovpn-ressukka.sh
and the up script:
    #!/bin/sh
    # Bind the tunnel interface to the bridge.
    # OpenVPN passes the tunnel device name (tap0 here) as the first argument.
    BRIDGE=br0
    ifup "$1"
    brctl addif "$BRIDGE" "$1"
There is nothing really special about that configuration. The server runs in TLS mode and is configured to use a bridge. The keys are generated with easy-rsa by following an OpenVPN howto entry. The up script just binds the tap0 device to the network bridge after bringing up the device.
Next I created the interface configuration by adding the following br0 stanza:
    iface br0 inet static
        address 10.5.6.17
        gateway 10.5.6.1
        netmask 255.255.255.0
        bridge-ports eth0
The trick here is to create a single bridge containing just the eth0 device. The OpenVPN up script then adds the tunnel device to the bridge; otherwise the bridge would never contain the proper devices.
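The server-bridge line and the br0 stanza have to agree: the client pool must lie inside the bridged subnet, and it must not swallow the gateway or the bridge host's own address, or a client will be handed an address that is already in use on the LAN. The following checker is an added example, not part of the original post or of OpenVPN; the configuration text and the bridge address 10.5.6.17 are copied from the post, and the function names are my own.

```python
import ipaddress
import shlex

# Copy of the bridge-related directives from the server configuration above.
SERVER_CONF = """\
mode server
tls-server
dev tap0
server-bridge 10.5.6.1 255.255.255.0 10.5.6.200 10.5.6.209
push "route 10.5.6.0 255.255.255.0"
push "dhcp-option DNS 10.5.6.1"
client-to-client
"""

# Address of br0 from the interfaces stanza.
BRIDGE_ADDRESS = "10.5.6.17"


def parse_openvpn_conf(text):
    """Return a list of (directive, [args]) tuples.

    Blank lines and lines starting with '#' or ';' are skipped; quoted
    arguments such as push "route ..." stay together as one argument.
    """
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        directives.append((parts[0], parts[1:]))
    return directives


def check_bridge_config(conf_text, bridge_address):
    """Check a bridged server configuration against the bridge's own address.

    Returns a list of problem descriptions; an empty list means all checks passed.
    """
    problems = []
    directives = parse_openvpn_conf(conf_text)

    # A bridge needs a layer-2 (tap) device; tun is layer 3 and cannot be bridged.
    devs = [args for name, args in directives if name == "dev"]
    if not devs or not devs[0] or not devs[0][0].startswith("tap"):
        problems.append("server-bridge requires a tap device (dev tapN), not tun")

    sb = [args for name, args in directives if name == "server-bridge"]
    if len(sb) != 1 or len(sb[0]) != 4:
        problems.append("expected exactly one 'server-bridge gateway netmask pool-start pool-end'")
        return problems
    gateway, netmask, pool_start, pool_end = sb[0]

    net = ipaddress.IPv4Network(f"{gateway}/{netmask}", strict=False)
    gw = ipaddress.IPv4Address(gateway)
    start = ipaddress.IPv4Address(pool_start)
    end = ipaddress.IPv4Address(pool_end)
    br = ipaddress.IPv4Address(bridge_address)

    if start > end:
        problems.append(f"pool start {start} is after pool end {end}")

    # Everything must live in the bridged subnet, or clients cannot talk to the LAN.
    for label, addr in (("pool start", start), ("pool end", end), ("bridge address", br)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")

    # Addresses handed out to clients must not collide with the gateway or the bridge host.
    for label, addr in (("gateway", gw), ("bridge address", br)):
        if start <= addr <= end:
            problems.append(f"{label} {addr} lies inside the client pool {start}-{end}")

    return problems


if __name__ == "__main__":
    for problem in check_bridge_config(SERVER_CONF, BRIDGE_ADDRESS) or ["configuration looks consistent"]:
        print(problem)
```

Run as a script it reports on the configuration from the post; the checks are deliberately limited to what the server-bridge directive and the br0 stanza determine, so a clean result means the addresses fit together, not that the whole configuration is sound.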
As for the client, you simply configure it to use the CA certificate and host key created with easy-rsa, and set the hostname and tunnel type. The tunnel type is assumed to be a tun device instead of tap, so in my case I needed to change that too.
There is no need to tell the client anything else; everything else is negotiated through the tunnel. And since I use NetworkManager to set up my tunnels, I didn't need to drop into a shell even once on the client.
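For readers who configure the client from a file rather than through NetworkManager, this is what "the CA certificate, the host key, the hostname and the tunnel type" amounts to. It is an added example, not a configuration from the post: the server name vpn.example.invalid and the certificate file names are placeholders, and the remote-cert-tls line is my addition.

```conf
# Minimal client for the bridged server above (added example, not from the post).
client
# Must match the server's tap device; tun is the usual default.
dev tap
# The server does not set proto or port, so OpenVPN's defaults (UDP, 1194) apply.
proto udp
remote vpn.example.invalid 1194
nobind
persist-key
persist-tun
# CA and host key/certificate created with easy-rsa (placeholder file names).
ca ca.crt
cert client1.crt
key client1.key
# Only accept a peer whose certificate was issued as a server certificate.
# Without this, any client certificate signed by the same CA could pose as
# the server to other clients; easy-rsa's build-key-server sets the flag.
remote-cert-tls server
```

Addresses, routes and the DNS server are not listed because the server pushes them, which is exactly what keeps the client side this short.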