Today's topic is a GRE-over-VPN tunnel.
This setup is useful when, for whatever reason, the same addressing must exist in both locations and we also need Layer 2 connectivity between them.
The example is done on Debian 11, which is what I used in this case.
Configuration
Debian 11 with two network cards is installed on both VMs. After configuring static addresses on the first interface, we install the required packages:
apt install bridge-utils -y
apt install openvpn -y
After installing the packages, we configure the OpenVPN server: enable automatic start and initialize the PKI:
sed -i 's/#AUTOSTART="all"/AUTOSTART="all"/' /etc/default/openvpn
systemctl daemon-reload
cd /etc/openvpn/
/usr/share/easy-rsa/easyrsa clean-all
/usr/share/easy-rsa/easyrsa init-pki
After running these commands, the following prompt appears (enter "yes"):
WARNING!!!
You are about to remove the EASYRSA_PKI at: /etc/openvpn/pki
and initialize a fresh PKI here.
Type the word 'yes' to continue, or any other input to abort.
Confirm removal: yes
We generate the Certificate Authority (nopass leaves the CA key unencrypted, so keep /etc/openvpn/pki/private/ca.key readable by root only):
/usr/share/easy-rsa/easyrsa build-ca nopass
Enter the host name:
Using SSL: openssl OpenSSL 1.1.1k 25 Mar 2021
Generating RSA private key, 2048 bit long modulus (2 primes)
.........+++++
............................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
HQ-server
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt
Then we generate the server certificate and key, and the Diffie-Hellman parameters:
/usr/share/easy-rsa/easyrsa build-server-full server nopass
/usr/share/easy-rsa/easyrsa gen-dh
We generate a client certificate and key:
/usr/share/easy-rsa/easyrsa build-client-full vm-client nopass
After generating the required files, we move on to creating the server and client configuration files for OpenVPN.
Server configuration file (/etc/openvpn/server.conf):
port 1194
proto udp
dev tun
#fragment 1400
ca /etc/openvpn/pki/ca.crt # generated keys
cert /etc/openvpn/pki/issued/server.crt
key /etc/openvpn/pki/private/server.key # keep secret
dh /etc/openvpn/pki/dh.pem
server 10.50.8.0 255.255.255.0 # internal tun0 network; the server is 10.50.8.1 and, with the default net30 topology, the first client gets 10.50.8.6 (the addresses used in gretap.sh)
ifconfig-pool-persist ipp.txt # remember client addresses across restarts so the client keeps 10.50.8.6
keepalive 5 30
comp-lzo # compression - must be set the same at both ends; deprecated in OpenVPN 2.5 (the version in Debian 11), drop it from both configs if not needed
persist-key
persist-tun
push "route 192.168.100.1 255.255.255.255" # host route pushed to clients
status /var/log/openvpn-status.log
verb 3 # verbose mode
tun-mtu 2000 # must match the client; leaves room for bridged 1500-byte frames plus the GRE/Ethernet headers
Client VPN configuration file (client.conf):
client
dev tun
proto udp
remote MY-HQ-IP 1194 # public address of the HQ server
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt # copied from the HQ pki/ca.crt
cert /etc/openvpn/vm-client.crt # copied from the HQ pki/issued/vm-client.crt
key /etc/openvpn/vm-client.key # copied from the HQ pki/private/vm-client.key, keep secret
remote-cert-tls server # added hardening: only accept a peer whose certificate was issued as a server certificate
tun-mtu 2000 # must match the server
comp-lzo
verb 3
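The ca, cert and key lines in client.conf point at three files that have to travel to the client together with the config. The following script, added here as an example and not part of the original post, builds a single-file client profile that embeds the CA certificate, the client certificate and the client key inline, so only one file has to be copied. It assumes the easy-rsa layout produced by the commands above (pki/ca.crt, pki/issued/NAME.crt, pki/private/NAME.key), mirrors the server settings from this post (comp-lzo, tun-mtu 2000), adds remote-cert-tls server so the client refuses a peer that does not present a server certificate, and uses MY-HQ-IP as the same placeholder as client.conf does.

```shell
#!/bin/bash
# Added example, not from the original post. Builds a single-file OpenVPN client
# profile with the CA, client certificate and client key embedded inline.
# Assumed easy-rsa layout (as produced by the easyrsa commands in the post):
#   PKI_DIR/ca.crt, PKI_DIR/issued/NAME.crt, PKI_DIR/private/NAME.key

# pem_block FILE -> prints only the PEM certificate block from FILE.
# easy-rsa prepends a human-readable dump to issued certificates; OpenVPN only
# needs the BEGIN/END CERTIFICATE section.
pem_block() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# build_client_profile PKI_DIR NAME SERVER_HOST -> writes the profile to stdout.
# Returns 1 and writes nothing if a file is missing or the key is not mode 600.
build_client_profile() {
    local pki="$1" name="$2" server="$3"
    local ca="$pki/ca.crt" cert="$pki/issued/$name.crt" key="$pki/private/$name.key" f
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # A private key readable by other users is an error, not a warning.
    if [ "$(stat -c %a "$key")" != "600" ]; then
        echo "refusing: $key must be mode 600 (chmod 600)" >&2
        return 1
    fi
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tun-mtu 2000
comp-lzo
verb 3
<ca>
$(cat "$ca")
</ca>
<cert>
$(pem_block "$cert")
</cert>
<key>
$(cat "$key")
</key>
EOF
}

# Usage (on the HQ machine, as root):
#   build_client_profile /etc/openvpn/pki vm-client MY-HQ-IP > vm-client.ovpn
```

Copy the resulting file to the client as /etc/openvpn/client.conf; OpenVPN reads the inline <ca>, <cert> and <key> blocks exactly like the file directives, and the key check refuses to produce a profile from a key that has been left world-readable.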
The next stage is creating the gretap tunnel. A small script does the job; we place it at /etc/openvpn/gretap.sh on both machines.
This file is for the HQ site only; I leave the client site version for you to work out :)
#!/bin/bash
# gretap endpoints are the tun0 addresses: 10.50.8.1 here at HQ, 10.50.8.6 at the client
ip link add tunnel type gretap remote 10.50.8.6 local 10.50.8.1
# bridge the LAN interface (eth1) and the GRE tap into br0
brctl addbr br0
brctl addif br0 eth1
brctl addif br0 tunnel
ip link set br0 up
ip link set eth1 up
ip link set tunnel up
# MTU 2000 on the bridge, the tap and tun0 so bridged 1500-byte frames fit with the GRE/Ethernet headers
ip link set br0 mtu 2000
ip link set tunnel mtu 2000
ip link set tun0 mtu 2000
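The script above is the HQ side only; the client side needs the same commands with local and remote swapped. The following script, added here as an example and not the post's own gretap.sh, serves both sites from one file: it picks the endpoint addresses from a site argument, skips creating a link that already exists (so a restart of the service does not fail), and uses iproute2's bridge support in place of brctl. It assumes the tun0 addresses used in the post (10.50.8.1 at HQ, 10.50.8.6 at the client) and that the bridged LAN interface is eth1 on both VMs (the post only shows the HQ side).

```shell
#!/bin/bash
# Added example, not the post's own gretap.sh: one script for both sites.
# Assumptions: HQ tun0 = 10.50.8.1, client tun0 = 10.50.8.6 (as in the post);
# the LAN interface bridged into the tunnel defaults to eth1 (assumed for the client).
# Usage: gretap.sh hq|client [lan-interface]

# endpoints SITE -> prints "LOCAL_IP REMOTE_IP" for that site, mirrored per side.
endpoints() {
    case "$1" in
        hq)     echo "10.50.8.1 10.50.8.6" ;;
        client) echo "10.50.8.6 10.50.8.1" ;;
        *)      echo "usage: $0 hq|client [lan-interface]" >&2; return 1 ;;
    esac
}

# gretap_commands SITE [LAN_IF] -> prints the ip(8) commands for that site.
# Printed rather than executed so they can be reviewed (or tested) without root.
gretap_commands() {
    local site="$1" lan="${2:-eth1}" ep local_ip remote_ip
    ep=$(endpoints "$site") || return 1
    local_ip=${ep% *}
    remote_ip=${ep#* }
    cat <<EOF
ip link show tunnel >/dev/null 2>&1 || ip link add tunnel type gretap local $local_ip remote $remote_ip
ip link show br0 >/dev/null 2>&1 || ip link add br0 type bridge
ip link set $lan master br0
ip link set tunnel master br0
ip link set tun0 mtu 2000
ip link set tunnel mtu 2000
ip link set br0 mtu 2000
ip link set $lan up
ip link set tunnel up
ip link set br0 up
EOF
}

# Run the commands when invoked with a site argument (needs root). sh -e stops
# at the first failing command, e.g. when tun0 does not exist yet, so the
# systemd unit shows the failure instead of a half-built bridge.
if [ $# -gt 0 ]; then
    gretap_commands "$@" | sh -e
fi
```

Install it as /etc/openvpn/gretap.sh and pass the site name from the unit, for example ExecStart=/etc/openvpn/gretap.sh hq. Afterwards, bridge link show lists the bridge ports, ip -d link show tunnel shows the GRE endpoints, and a ping from a host on one LAN to a host on the other LAN confirms the Layer 2 path.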
We create a systemd service that launches the script above after the OpenVPN service has started. File location: /etc/systemd/system/gretunnel.service
[Unit]
Description=GRE tap tunnel bridged over OpenVPN
After=openvpn.service

[Service]
# the script only creates the links and exits; oneshot with RemainAfterExit
# keeps the unit shown as active afterwards instead of dead
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/openvpn/gretap.sh

[Install]
WantedBy=default.target
Then we set the file permissions and enable and start the service in systemd.
chmod 744 /etc/openvpn/gretap.sh
chmod 664 /etc/systemd/system/gretunnel.service
systemctl daemon-reload
systemctl enable gretunnel.service
systemctl start gretunnel.service
Finally, we copy client.conf (together with the client's ca.crt, vm-client.crt and vm-client.key) to the /etc/openvpn directory on the client machine and enable the service at boot.
systemctl enable openvpn
systemctl start openvpn
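OpenVPN warns at connect time when options such as tun-mtu or comp-lzo differ between the two ends, and a mismatched MTU shows up later as dropped large frames on the bridge. The following check, added here as an example and not part of the post, compares the directives that must agree between a server and a client configuration before deployment. Run it against the two files from this post (server.conf and client.conf); the list of directives it compares is my choice of the commonly mismatched ones, and the sample configs in the usage comment are constructed.

```shell
#!/bin/bash
# Added example, not from the original post: report directives that differ
# between an OpenVPN server config and a client config before deploying them.

# directive FILE NAME -> prints the directive's arguments, "on" for a bare
# directive such as comp-lzo, or nothing if the directive is absent.
directive() {
    # strip comments first so "comp-lzo # both ends" is still a bare directive
    sed 's/#.*//' "$1" | awk -v n="$2" '
        $1 == n { $1 = ""; sub(/^ +/, ""); print ($0 == "" ? "on" : $0); exit }'
}

# check_peer_consistency SERVER_CONF CLIENT_CONF -> prints one line per
# mismatch and returns 1 if any was found, 0 if the two files agree.
check_peer_consistency() {
    local s="$1" c="$2" d sv cv rc=0
    # directives that OpenVPN expects to be identical on both ends
    for d in dev proto comp-lzo tun-mtu cipher; do
        sv=$(directive "$s" "$d")
        cv=$(directive "$c" "$d")
        if [ "$sv" != "$cv" ]; then
            echo "mismatch: $d server='$sv' client='$cv'"
            rc=1
        fi
    done
    return $rc
}

# Usage: check_peer_consistency /etc/openvpn/server.conf /etc/openvpn/client.conf
# A client.conf without tun-mtu 2000 reports, for example:
#   mismatch: tun-mtu server='2000' client=''
```

An absent directive on both sides is not reported, since both ends then fall back to the same default; the check is only about settings present on one side and missing or different on the other.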
In addition, MAC address spoofing must be enabled on the VM's network adapter under Hyper-V and VMware; otherwise the bridge will not work properly.
That's all! A simple configuration that can help with many migrations.