Ethernetbridging over VPN revisited

 · Systeemkabouter

Recently I was discussing VPN options over coffee when the subject of ethernet bridging came up. My co-worker had no experience with VPN to move other traffic than IP packets. It was then I remembered using ethernet bridging over openvpn all the time. Like 20-15 years ago.

Would it still work? Is it still a thing? According to the openvpn documentation it is, but why not just try it out?

So with some time to spare this morning, I got an old Mac Mini from storage, installed Debian 11 and started playing around.

Sure enough, I had my openvpn running again and brctl to create virtual bridges in linux soon enough.

I just did the bare minimum setup for now:

  • Debian 11 box
  • bridge-utils and openvpn packages
  • isc-dhcp-server on this virtual network
  • glueing it together
  • profit!

Next step is connecting my co-worker and trying to send ipx/spx, NetBEUI and appletalk packets I guess. Or use old time friends like finger, rwho and talk over the network. Who know's what this will bring :-)

Some of the config:

Openvpn config using a shared secret for security: 

# OpenVPN Ethernet Bridging with shared secret security
# This should allow peer-to-peer links between multiple nodes
#

local X.X.X.X

#remote X.X.X.X
# IP settings
port 1195
dev tap0
cipher AES-256-CBC
# crypto config
secret etherbridge_shared_secret.key

# restart control
persist-key
persist-tun
ping-timer-rem
ping-restart 60
ping 10

# UID
user nobody
group nogroup

# verbosity
verb 3

And a /etc/rc.local script to setup the bridge: 

#!/bin/bash

modprobe tun
modprobe bridge

openvpn --mktun --dev tap0
openvpn --mktun --dev tap1
brctl addbr br0
brctl addif br0 enp59s0
brctl addif br0 tap0


ifconfig tap0 0.0.0.0 promisc up
ifconfig enp59s0 0.0.0.0 promisc up

ifconfig br0 X.X.X.1 netmask 255.255.255.0 broadcast X.X.X.255

For remote access I mapping UDP port 1195 to my new Debian system. The Mac mini as a couple of extra ethernet adapters that I can add to the bridge to connect (legacy) devices over VPN without these devices knowing there is no real ethernet in between :-)

Ok with this blogpost out of the way, I need to fix some basic firewalling rules to secure it better