This article is based on:
1. https://www.emaculation.com/doku.php/bridged_openvpn_server_setup
2. https://serverfault.com/questions/622657/configure-firewalld-for-openvpn-server-bridge-in-fedora-20
3. https://www.linux.org.ru/forum/admin/10631949
1. Software versions
CentOS – 7.9.2009
easy-rsa – 3.0.8
OpenVPN – 2.4.10
bridge-utils
2. Installation
Most of the steps from the earlier NAT-mode (tun) tutorial can be reused; only the differences are described here.
2.1 Configure bridging
Install bridge-utils:
yum install bridge-utils
Check the host's addressing with ip addr:
[root@localhost ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:8f:c0:dd brd ff:ff:ff:ff:ff:ff
    inet 10.24.11.243/24 brd 10.24.11.255 scope global noprefixroute ens32
       valid_lft forever preferred_lft forever
    inet6 fe80::f4f5:b7e6:943d:fd26/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::80e4:f8c5:e4fe:cf1/64 scope link flags 800
       valid_lft forever preferred_lft forever
From this output (tun0 belongs to the NAT-mode server from the earlier tutorial, which is still running) we get the values the bridge script needs:
IP address: 10.24.11.243
Netmask: 255.255.255.0 (/24 in CIDR notation)
Broadcast address: 10.24.11.255
Default gateway: 10.24.11.254 (not shown by ip addr; confirm it with ip route)
Create the bridging script:
nano /etc/openvpn/openvpn-bridge
with the following contents:
#!/bin/sh
# Bridge helper for OpenVPN in TAP mode: moves the LAN address from the
# physical NIC onto br0 and enslaves the NIC and the TAP device(s) to it.
# Executed as root by systemd (ExecStartPre / ExecStopPost).

# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above. Adjust the following four values to your network.
eth="ens32"
eth_ip_netmask="10.24.11.243/24"
eth_broadcast="10.24.11.255"
eth_gateway="10.24.11.254"

case "$1" in
start)
    # Create persistent TAP device(s) so they exist before being added to the bridge
    for t in $tap; do
        openvpn --mktun --dev $t
    done
    brctl addbr $br
    brctl addif $br $eth
    for t in $tap; do
        brctl addif $br $t
    done
    # Bridge ports carry no addresses of their own and run in promiscuous mode
    for t in $tap; do
        ip addr flush dev $t
        ip link set $t promisc on up
    done
    ip addr flush dev $eth
    ip link set $eth promisc on up
    # The LAN address now lives on the bridge. Flushing $eth also removed
    # the default route, so it is re-added here.
    ip addr add $eth_ip_netmask broadcast $eth_broadcast dev $br
    ip link set $br up
    ip route add default via $eth_gateway
    ;;
stop)
    ip link set $br down
    brctl delbr $br
    for t in $tap; do
        openvpn --rmtun --dev $t
    done
    # Give the address and the default route back to the physical NIC
    ip link set $eth promisc off up
    ip addr add $eth_ip_netmask broadcast $eth_broadcast dev $eth
    ip route add default via $eth_gateway
    ;;
*)
    echo "Usage: openvpn-bridge {start|stop}"
    exit 1
    ;;
esac
exit 0
Set the permissions. The script is executed as root (systemd runs ExecStartPre/ExecStopPost with the unit's privileges, and brctl/ip need CAP_NET_ADMIN), so it must be owned and writable by root only. Do not chown it to the openvpn account: that is the unprivileged user the daemon drops to, and a compromise of that account would allow rewriting a script that root runs on the next restart.
chmod 700 /etc/openvpn/openvpn-bridge
chown root:root /etc/openvpn/openvpn-bridge
2.2 Edit the server configuration
Comment out dev tun and replace it with dev tap0.
Comment out the server line and replace it with server-bridge, whose syntax is:
server-bridge [gw] [mask] [start-IP] [end-IP]
Note: some tutorials put the server's own LAN IP in [gw], others the real gateway. I tested both: with the server's own IP, clients could only reach the local subnet, and if several VLANs exist they cannot be reached at all.
So the correct value is the real gateway. The reason is that server-bridge expands to push "route-gateway [gw]", which clients use as the next hop for the pushed routes (and for their default route under redirect-gateway); unless the OpenVPN host is itself configured to route, that next hop has to be the LAN's actual gateway.
Edit the file:
nano /etc/openvpn/server/server.conf
Contents:
port 1194
proto tcp
#dev tun
dev tap0
#dev-node tap-bridge
user openvpn
group openvpn
# Certificates and keys
ca /etc/openvpn/server/easy-rsa/pki/ca.crt
cert /etc/openvpn/server/easy-rsa/pki/issued/server.crt
key /etc/openvpn/server/easy-rsa/pki/private/server.key
dh /etc/openvpn/server/easy-rsa/pki/dh.pem
tls-auth /etc/openvpn/server/easy-rsa/ta.key 0
# Username/password authentication (no client certificates)
script-security 3
auth-user-pass-verify "/etc/openvpn/server/user/checkpsw.sh" via-env
verify-client-cert none
username-as-common-name
duplicate-cn
# Network settings
#server 10.8.0.0 255.255.255.0
server-bridge 10.24.11.254 255.255.255.0 10.24.11.10 10.24.11.190
client-to-client
push "dhcp-option DNS 10.24.11.250"
push "dhcp-option DNS 114.114.114.114"
push "route 10.24.11.0 255.255.255.0"
push "route 10.24.0.0 255.255.0.0"
push "route 172.20.0.0 255.255.0.0"
push "route 10.244.0.0 255.255.0.0"
compress lzo
cipher AES-256-CBC
keepalive 10 120
persist-key
persist-tun
verb 3
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log
Three things to check before deploying this configuration.
The client pool 10.24.11.10-10.24.11.190 is on the LAN itself, so it must be excluded from the LAN DHCP server's scope and must not contain the gateway (.254) or the server (.243); otherwise bridged clients will collide with real hosts.
With verify-client-cert none and duplicate-cn, access rests entirely on the password script and on ta.key, which every client carries. via-env hands the password to the script through the environment, which OpenVPN documents as potentially unsafe (that is why script-security 3 is required); via-file is the safer variant if checkpsw.sh can read the credentials from a file instead.
compress lzo here (and comp-lzo on the client) enables compression inside the tunnel. Compressing data before encryption is what the VORACLE attack exploits to recover secrets from the tunnel, so drop both lines unless the bandwidth saving is essential.
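As an added example (not part of the original post), the following POSIX shell script performs the pool consistency check described above on a server-bridge line: the pool must lie inside the LAN subnet and must not include the gateway, the OpenVPN host's own address or, when a range is given, the LAN DHCP server's scope. The config path, the server IP and the DHCP range are operator-supplied arguments; the embedded sample configuration is constructed from this tutorial's values for demonstration.

```shell
#!/bin/sh
# check-server-bridge.sh: sanity-check the server-bridge pool of an OpenVPN
# bridge-mode config. Usage:
#   sh check-server-bridge.sh /etc/openvpn/server/server.conf SERVER_IP [DHCP_START DHCP_END]
# Exit status 0 = consistent, 1 = problem found (reason printed).

# Dotted-quad IPv4 -> integer.
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_subnet IP NET_IP NETMASK: true when IP and NET_IP share the masked prefix.
in_subnet() {
    _a=$(ip2int "$1"); _n=$(ip2int "$2"); _m=$(ip2int "$3")
    [ $(( _a & _m )) -eq $(( _n & _m )) ]
}

# in_range IP START END: true when START <= IP <= END (all dotted quads).
in_range() {
    _x=$(ip2int "$1"); _s=$(ip2int "$2"); _e=$(ip2int "$3")
    [ "$_x" -ge "$_s" ] && [ "$_x" -le "$_e" ]
}

# check_bridge_pool GW NETMASK POOL_START POOL_END SERVER_IP [DHCP_START DHCP_END]
check_bridge_pool() {
    gw=$1; netmask=$2; pstart=$3; pend=$4; server=$5; dstart=${6:-}; dend=${7:-}
    if [ "$(ip2int "$pstart")" -gt "$(ip2int "$pend")" ]; then
        echo "pool start $pstart is above pool end $pend"; return 1
    fi
    for a in "$pstart" "$pend"; do
        in_subnet "$a" "$gw" "$netmask" ||
            { echo "pool address $a is outside the LAN subnet of $gw/$netmask"; return 1; }
    done
    in_subnet "$server" "$gw" "$netmask" ||
        { echo "server address $server is not on the LAN subnet of $gw/$netmask"; return 1; }
    in_range "$gw" "$pstart" "$pend" &&
        { echo "gateway $gw lies inside the pool $pstart-$pend"; return 1; }
    in_range "$server" "$pstart" "$pend" &&
        { echo "server address $server lies inside the pool $pstart-$pend"; return 1; }
    if [ -n "$dstart" ] && [ -n "$dend" ]; then
        # Two ranges overlap when each one starts no later than the other ends.
        if [ "$(ip2int "$pstart")" -le "$(ip2int "$dend")" ] &&
           [ "$(ip2int "$dstart")" -le "$(ip2int "$pend")" ]; then
            echo "pool $pstart-$pend overlaps the LAN DHCP scope $dstart-$dend"; return 1
        fi
    fi
    echo "server-bridge pool $pstart-$pend is consistent with LAN $gw/$netmask"
    return 0
}

# check_server_conf CONF SERVER_IP [DHCP_START DHCP_END]: read the server-bridge
# line from an OpenVPN config file and validate it.
check_server_conf() {
    conf=$1; srv=$2; shift 2
    line=$(awk '$1 == "server-bridge" { print $2, $3, $4, $5; exit }' "$conf")
    [ -n "$line" ] || { echo "no server-bridge line in $conf"; return 1; }
    # shellcheck disable=SC2086  # intentional word splitting of the four fields
    set -- $line "$srv" "$@"
    check_bridge_pool "$@"
}

# Constructed sample config (this tutorial's values), used when the script
# is run without arguments.
SAMPLE_CONF='port 1194
dev tap0
server-bridge 10.24.11.254 255.255.255.0 10.24.11.10 10.24.11.190
client-to-client'

if [ -n "${1:-}" ]; then
    check_server_conf "$@"
else
    tmp=$(mktemp); printf '%s\n' "$SAMPLE_CONF" > "$tmp"
    check_server_conf "$tmp" 10.24.11.243                              # consistent
    check_server_conf "$tmp" 10.24.11.243 10.24.11.100 10.24.11.200 || :  # hypothetical DHCP scope overlapping the pool
    rm -f "$tmp"
fi
```

Run it against the real file once the LAN DHCP scope is known; a pool that overlaps the scope works until the DHCP server hands out an address a VPN client already holds, which is the kind of intermittent failure that is hard to trace back to the VPN.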
2.3 Hook the bridge script into the systemd unit
Do not edit /usr/lib/systemd/system/openvpn-server@.service directly: the file belongs to the openvpn package and is overwritten on update. Use a drop-in instead:
systemctl edit openvpn-server@.service
and add the two hooks (this creates /etc/systemd/system/openvpn-server@.service.d/override.conf, which applies to every instance of the template):
[Service]
ExecStartPre=/etc/openvpn/openvpn-bridge start
ExecStopPost=/etc/openvpn/openvpn-bridge stop
Reload systemd:
systemctl daemon-reload
Restart the server. The template instance is named after the config file, so /etc/openvpn/server/server.conf is served by openvpn-server@server.service:
systemctl restart openvpn-server@server.service
2.4 Configure the firewall
The official documentation only gives the iptables version:
iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
Save the rules afterwards:
service iptables save
The firewalld equivalent is:
firewall-cmd --permanent --direct --passthrough ipv4 -A INPUT -i tap0 -j ACCEPT
firewall-cmd --permanent --direct --passthrough ipv4 -A INPUT -i br0 -j ACCEPT
firewall-cmd --permanent --direct --passthrough ipv4 -A FORWARD -i br0 -j ACCEPT
Reload to apply:
firewall-cmd --reload
Two things to verify afterwards. First, -A appends to the end of the chain, and firewalld's INPUT and FORWARD chains end in a catch-all REJECT, so check with iptables -S INPUT and iptables -S FORWARD that the ACCEPT rules actually sit before that REJECT. If they do not, use the direct-rule form instead, which goes into the *_direct chains that firewalld evaluates first:
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -i tap0 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -i br0 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i br0 -j ACCEPT
Second, be clear about what these rules mean: br0 is now the host's LAN interface, so "-i br0 -j ACCEPT" exposes every service on the host to the whole LAN and to all VPN clients, not just port 1194. On a firewalld host the tighter alternative is to move br0 into the zone ens32 used to be in (firewall-cmd --permanent --zone=public --change-interface=br0), open only 1194/tcp there, and keep just the FORWARD rule for bridged traffic.
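As an added example (not part of the original post or of firewalld's own tooling), the following shell function performs the ordering check just described: fed the output of iptables -S CHAIN, it reports whether an "-i IFACE -j ACCEPT" rule is reached before the chain's first catch-all REJECT/DROP. The two chain dumps embedded below are constructed to mirror a CentOS 7 firewalld INPUT chain, not captured from a live host; on a real system the order must be taken from iptables -S.

```shell
#!/bin/sh
# check-accept-order.sh: is an interface ACCEPT rule actually reachable?
# Reads `iptables -S CHAIN` output on stdin.
#   rule_is_live IFACE  -> 0 = ACCEPT rule precedes the catch-all REJECT/DROP
#                          1 = ACCEPT rule exists but sits after it (dead rule)
#                          2 = no ACCEPT rule for IFACE in the chain

rule_is_live() {
    iface=$1; seen_catchall=0; catchall_pos=0; pos=0
    while IFS= read -r rule; do
        pos=$((pos + 1))
        case "$rule" in
            "-A "*" -i $iface -j ACCEPT"*)
                if [ "$seen_catchall" -eq 0 ]; then
                    echo "ok: '-i $iface -j ACCEPT' at position $pos is reachable"
                    return 0
                fi
                echo "DEAD: '-i $iface -j ACCEPT' at position $pos comes after the catch-all at position $catchall_pos"
                return 1
                ;;
            "-A "*"-j REJECT"*|"-A "*"-j DROP"*)
                # A REJECT/DROP without any match option terminates all remaining traffic;
                # one with -i/-s/-d/-p/-m only affects the traffic it matches.
                case "$rule" in
                    *" -i "*|*" -s "*|*" -d "*|*" -p "*|*" -m "*) ;;
                    *) if [ "$seen_catchall" -eq 0 ]; then seen_catchall=1; catchall_pos=$pos; fi ;;
                esac
                ;;
        esac
    done
    echo "MISSING: no '-i $iface -j ACCEPT' rule found"
    return 2
}

# Constructed dumps (not from a live host). DEAD_CHAIN shows the passthrough
# rules appended with -A, landing after firewalld's final REJECT; LIVE_CHAIN
# shows the same rules placed ahead of it.
DEAD_CHAIN='-P INPUT ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i tap0 -j ACCEPT
-A INPUT -i br0 -j ACCEPT'

LIVE_CHAIN='-P INPUT ACCEPT
-A INPUT -i tap0 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Live check (needs root): sh check-accept-order.sh --live
if [ "${1:-}" = "--live" ]; then
    iptables -S INPUT   | rule_is_live tap0
    iptables -S INPUT   | rule_is_live br0
    iptables -S FORWARD | rule_is_live br0
else
    printf '%s\n' "$LIVE_CHAIN" | rule_is_live tap0
    printf '%s\n' "$DEAD_CHAIN" | rule_is_live tap0 || :   # expected: DEAD
fi
```

The check deliberately treats any REJECT or DROP that carries no match option as terminal, so it also catches a hand-written iptables ruleset whose final DROP was added before the VPN rules.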
2.5 Configure the client
Change dev tun to dev tap0.
Edit C:\Program Files\OpenVPN\config\client.ovpn as follows:
client
proto tcp
dev tap0
auth-user-pass
remote 10.24.11.243 1194
ca ca.crt
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
auth-nocache
persist-tun
persist-key
comp-lzo
verb 3
mute 10
3. Common problems
1. The client gets an address on the LAN subnet and can ping other subnets and the server's IP, but cannot ping other hosts on the same subnet.
If the server runs in a virtual machine (ESXi, Hyper-V), first check that the hypervisor lets the VM send and receive frames with MAC addresses other than its own, which a bridge must do: on Hyper-V this is "Enable MAC address spoofing" on the VM's network adapter; on ESXi it is the vSwitch or port group security policy (Promiscuous mode, MAC address changes and Forged transmits set to Accept).
The corresponding ESXi setting (screenshot in the original post):
Once that is enabled, check whether the firewall still carries the NAT (masquerade) rule from the NAT-mode setup and remove it.