CentOS 8 && OpenVPN Bridge - xxooxxooxx/xxooxxooxx.github.io GitHub Wiki
- info
10.1.96.3/20
140.82.45.183/23
*setup
# Create bridge br0 and make both NICs its slaves (NetworkManager names the
# slave connections bridge-slave-ens3 / bridge-slave-ens7).
nmcli con add ifname br0 type bridge
nmcli con add type bridge-slave ifname ens3 master bridge-br0
nmcli con add type bridge-slave ifname ens7 master bridge-br0
# Switch over in one command line: the management session presumably rides on
# one of these NICs and is cut while they are down, so do not split this up
# (or run it from a console). Verify afterwards with `nmcli con show`.
# NOTE(review): in the `ip a` output below ens7 has no "master br0", so the
# ens7 slave does not appear to have come up — check before relying on it.
nmcli con down "System ens3" && nmcli con down "System ens7" && nmcli con up bridge-br0
# Interactive editor session (next lines): adds the static 10.1.96.3/20 while
# answering "no" to ipv4.method=manual, so br0 keeps DHCP as well and ends up
# with both the static address and the DHCP lease 140.82.45.183/23 (see `ip a`).
nmcli con edit bridge-br0
set ipv4.addresses 10.1.96.3/20
Do you also want to set 'ipv4.method' to 'manual'? [yes]: no
print ipv4
save
quit
# Check the result: br0 should be UP carrying both addresses, and each slave
# NIC should show "master br0".
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
link/ether 56:00:02:ae:bb:30 brd ff:ff:ff:ff:ff:ff
3: ens7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc fq state UP group default qlen 1000
link/ether 5a:00:02:ae:bb:30 brd ff:ff:ff:ff:ff:ff
26: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 56:00:02:ae:bb:30 brd ff:ff:ff:ff:ff:ff
inet 10.1.96.3/20 brd 10.1.111.255 scope global noprefixroute br0
valid_lft forever preferred_lft forever
inet 140.82.45.183/23 brd 140.82.45.255 scope global dynamic noprefixroute br0
valid_lft 86327sec preferred_lft 86327sec
inet6 2001:19f0:5:48b0:cd84:ef15:2e1b:b4b5/64 scope global dynamic noprefixroute
valid_lft 2591929sec preferred_lft 604729sec
inet6 fe80::eaa2:6cd8:700c:97b8/64 scope link noprefixroute
valid_lft forever preferred_lft forever
- cat /etc/openvpn/server/server.conf
# OpenVPN server in bridged (tap) mode: clients are attached to br0 and get
# addresses from the same 10.1.96.0/20 segment as the host.
# Bind to the public address. NOTE(review): per the `ip a` output this address
# is a DHCP lease on br0 ("dynamic"); if the lease ever changes this bind fails.
local 140.82.45.183
# Non-default port, UDP.
port 2222
proto udp
;dev tun
# Layer-2 (tap) device, required for server-bridge; up.sh enslaves it to br0.
dev tap
# Hooks, enabled by script-security 2 below. --up runs as root before the
# user/group drop; --down runs after it (as nobody), which is why the systemd
# unit also runs down.sh from ExecStopPost=+ with full privileges.
up /etc/openvpn/server/up.sh
down /etc/openvpn/server/down.sh
# PKI material; relative paths, presumably resolved against
# /etc/openvpn/server (the unit's working directory) — verify.
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# HMAC digest for data-channel packet authentication.
auth SHA512
# Encrypt and authenticate the control channel: a peer without tc.key cannot
# even start a TLS handshake, which hides the port from scanners and blunts DoS.
tls-crypt tc.key
topology subnet
;server 10.8.0.0 255.255.255.0
;server-ipv6 fddd:1194:1194:1194::/64
# Bridge mode: gateway (br0's static address), netmask, client pool
# 10.1.96.100-10.1.96.200. The pool must not overlap any other DHCP range on
# the 10.1.96.0/20 segment, since clients share that L2 domain.
server-bridge 10.1.96.3 255.255.240.0 10.1.96.100 10.1.96.200
;server-bridge
;push "redirect-gateway def1 ipv6 bypass-dhcp"
# Full tunnel: clients send all IPv4 traffic through the VPN (IPv6 variant
# disabled above). Clients using route-nopull ignore this push.
push "redirect-gateway def1 bypass-dhcp"
# Remember client -> address assignments across restarts.
ifconfig-pool-persist ipp.txt
# DNS pushed to clients (ignored by clients using route-nopull).
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Ping every 10 s; clients restart after 120 s of silence (the server side
# uses twice that timeout).
keepalive 10 120
# NOTE(review): on OpenVPN 2.5+ "cipher" is deprecated in favour of
# "data-ciphers" (AES-256-GCM preferred); keep AES-256-CBC only for old clients.
cipher AES-256-CBC
# Drop root after initialisation; persist-key/persist-tun let the daemon
# restart (SIGUSR1) without re-reading keys or reopening the tap as root.
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
# Required for the up/down scripts above to be executed at all.
script-security 2
# Allow several simultaneous clients presenting the same certificate CN.
# NOTE(review): this removes per-device accountability — a shared certificate
# can only be revoked for every holder at once; prefer one cert per client.
duplicate-cn
# Reject revoked client certificates on every connection attempt.
crl-verify crl.pem
# Notify clients on shutdown/restart so they reconnect promptly (UDP only).
explicit-exit-notify
- cat /etc/openvpn/server/up.sh
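#!/bin/sh
# OpenVPN --up hook: make the tap device persistent, hand it to NetworkManager
# and enslave it to bridge-br0 so VPN clients share the bridge's L2 segment.
#
# OpenVPN (with "script-security 2" in server.conf) calls it as
#   up.sh tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart]
# so $1 is the device OpenVPN actually opened; tap0 is the fallback when the
# script is run by hand. Runs as root: --up executes before the user/group drop.
# A non-zero exit aborts OpenVPN start-up, so every step must succeed.
set -eu

# Space-separated list of tap devices to attach.
tap=${1:-tap0}

# Word-splitting on $tap is intentional (it is a list).
# shellcheck disable=SC2086
for t in $tap; do
  # Make the device persistent so it survives OpenVPN restarts.
  /usr/sbin/openvpn --mktun --dev "$t"
done
# shellcheck disable=SC2086
for t in $tap; do
  # Let NetworkManager manage the device so it can be enslaved to the bridge.
  /usr/bin/nmcli d set "$t" managed yes
done
# shellcheck disable=SC2086
for t in $tap; do
  # Name the slave connection explicitly so down.sh can delete
  # "bridge-slave-$t" without depending on nmcli's auto-generated name.
  /usr/bin/nmcli c add type tun mode tap con-name "bridge-slave-$t" ifname "$t" master bridge-br0
done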
- cat /etc/openvpn/server/down.sh
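#!/bin/sh
# OpenVPN --down hook: detach the tap device from bridge-br0 and remove it.
#
# Takes the same arguments as up.sh, so $1 is the device OpenVPN opened; tap0
# is the fallback when invoked without arguments (e.g. from ExecStopPost).
# OpenVPN runs --down after dropping to "user nobody", where neither nmcli nor
# --rmtun is permitted, so the unit also runs this script from
# "ExecStopPost=+..." with full privileges.
# Cleanup is best effort: every step is attempted for every device, and the
# exit status reports whether any of them failed.

# Space-separated list of tap devices to tear down.
tap=${1:-tap0}
status=0

# Word-splitting on $tap is intentional (it is a list).
# shellcheck disable=SC2086
for t in $tap; do
  /usr/bin/nmcli c del "bridge-slave-$t" || status=1
  /usr/sbin/openvpn --rmtun --dev "$t" || status=1
done
exit "$status"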
ExecStopPost=+/etc/openvpn/server/down.sh
- rekeying
--reneg-sec n
n 秒后重新协商数据通道密钥(默认值 = 3600)。使用双因素身份验证时,请注意此默认值可能会导致最终用户每小时被挑战一次重新授权。
另外,请记住,此选项可用于客户端和服务器,使用较低值的一方将触发重新协商。一个常见的错误是在客户端或服务器上将 --reneg-sec 设置为更高的值,而连接的另一端仍然使用默认值 3600 秒,这意味着重新协商仍然会每 3600 秒发生一次。解决方案是在客户端和服务器上增加 --reneg-sec,或者在连接的一侧将其设置为 0(禁用),并在另一侧设置为您选择的值。
- 覆盖客户端配置中推送的“路由” (注意route-nopull选项的位置)
# Options
# Client-side override of the routes pushed by the server (split tunnel).
client
# Only this prefix is sent through the tunnel.
route 10.1.0.0 255.255.255.128
route-metric 50
# Ignore routes pushed by the server — including a pushed "redirect-gateway"
# and pushed dhcp-option DNS — so everything outside the route above leaves
# the host directly, not via the VPN. Locally defined "route" lines still apply.
route-nopull