GRE over OPENVPN

Today's topic is the GRE over OpenVPN tunnel.

This tunnel is useful when, for whatever reason, we need the same addressing in both locations and also need Layer 2 connectivity between them (the GRE tap interface is bridged with the local LAN interface, while OpenVPN carries the GRE traffic encrypted between the sites).

The example will be on Debian 11, which I used in this case.

Configuration

Debian 11 with two network cards is installed on both VMs. After configuring static addresses on the first interface, we install the packages:

apt install bridge-utils -y   # brctl, used by the gretap bridge script below
apt install openvpn -y        # the easyrsa script used below lives in /usr/share/easy-rsa (install easy-rsa if it is missing)

After installing the packages, we configure the OpenVPN server: enable automatic start of every configuration in /etc/openvpn and initialize the PKI:

sed -i 's/#AUTOSTART="all"/AUTOSTART="all"/' /etc/default/openvpn   # start every /etc/openvpn/*.conf at boot
systemctl daemon-reload
cd /etc/openvpn/                       # easyrsa creates its pki/ directory under the current directory
/usr/share/easy-rsa/easyrsa clean-all
/usr/share/easy-rsa/easyrsa init-pki

After the commands complete, the following prompt appears (answer "yes"):

WARNING!!!
You are about to remove the EASYRSA_PKI at: /etc/openvpn/pki
and initialize a fresh PKI here.
Type the word 'yes' to continue, or any other input to abort.
Confirm removal: yes

We generate the Certificate Authority:

/usr/share/easy-rsa/easyrsa build-ca nopass   # nopass: the CA private key is stored unencrypted in pki/private, so protect that directory

Enter the Common Name (here the host name):

Using SSL: openssl OpenSSL 1.1.1k 25 Mar 2021
Generating RSA private key, 2048 bit long modulus (2 primes)
.........+++++
............................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
HQ-server

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt

Then we generate the server certificate and key, and the Diffie-Hellman parameters:

/usr/share/easy-rsa/easyrsa build-server-full server nopass   # creates pki/issued/server.crt and pki/private/server.key
/usr/share/easy-rsa/easyrsa gen-dh                            # creates pki/dh.pem (takes a while)

We generate the client certificate and key:

/usr/share/easy-rsa/easyrsa build-client-full vm-client nopass   # creates pki/issued/vm-client.crt and pki/private/vm-client.key

After generating the necessary files, we move on to creating the server and client configuration files for OpenVPN.

Server configuration file (/etc/openvpn/server.conf):

port 1194
proto udp
dev tun

#fragment 1400

ca /etc/openvpn/pki/ca.crt # generated keys
cert /etc/openvpn/pki/issued/server.crt
key /etc/openvpn/pki/private/server.key # keep secret
dh /etc/openvpn/pki/dh.pem

server 10.50.8.0 255.255.255.0 # internal tun0 network; with the default net30 topology the server gets 10.50.8.1 and the first client 10.50.8.6
ifconfig-pool-persist ipp.txt # keeps the client on the same tun0 address across reconnects, which gretap.sh relies on

keepalive 5 30

comp-lzo # compression - must be enabled at both ends (deprecated since OpenVPN 2.4 and a known information leak on encrypted links; drop it on both sides if you can)
persist-key
persist-tun

push "route 192.168.100.1 255.255.255.255" # pushed to the client as a /32 host route

status /var/log/openvpn-status.log

verb 3 # verbose mode
tun-mtu 2000 # must match the MTU set on tun0, tunnel and br0 in gretap.sh

Client VPN configuration file (/etc/openvpn/client.conf):

client
dev tun
proto udp
remote MY-HQ-IP 1194        # public address of the HQ server
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt                   # copied from the HQ: /etc/openvpn/pki/ca.crt
cert vm-client.crt          # copied from the HQ: /etc/openvpn/pki/issued/vm-client.crt
key vm-client.key           # copied from the HQ: /etc/openvpn/pki/private/vm-client.key, keep secret
remote-cert-tls server      # only accept a peer whose certificate was issued with build-server-full

comp-lzo                    # must match the server
verb 3

The next stage is creating the gretap tunnel. A small script does the job here; we place it at /etc/openvpn/gretap.sh on both machines.

This version is for the HQ site only. Working out the client-site version is left to the reader :)

#!/bin/bash
# gretap endpoints are the tun0 addresses: HQ 10.50.8.1, client 10.50.8.6
ip link add tunnel type gretap remote 10.50.8.6 local 10.50.8.1
# bridge the LAN-facing NIC (eth1) with the gretap interface
brctl addbr br0
brctl addif br0 eth1
brctl addif br0 tunnel
ip link set br0 up
ip link set eth1 up
ip link set tunnel up
# MTU 2000 everywhere, matching tun-mtu 2000 in server.conf
ip link set br0 mtu 2000
ip link set tunnel mtu 2000
ip link set tun0 mtu 2000
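
As an added example (not the page's gretap.sh, and not part of the original post), here is one script that serves both sites: the role argument (hq or client) picks the local and remote tun0 endpoints, it waits for tun0 to carry the expected address before creating the gretap link (After=openvpn.service only orders the unit after the meta service, not after the instance that actually brings tun0 up), it can be re-run safely, and check_mtu verifies from "ip -o link show" output that br0, tunnel and tun0 all carry the 2000-byte MTU that tun-mtu 2000 expects. It assumes the page's values (HQ tun0 10.50.8.1, client tun0 10.50.8.6, LAN NIC eth1, bridge br0, gretap interface "tunnel") and uses iproute2's bridge support instead of brctl, so bridge-utils is not required for it.

```shell
#!/bin/sh
# Added example: gretap + bridge setup for either site, with tun0 wait and MTU check.
# Assumed values (from the page): HQ tun0 10.50.8.1, client tun0 10.50.8.6, LAN NIC eth1.
set -eu

HQ_TUN=10.50.8.1
CLIENT_TUN=10.50.8.6
LAN_IF=${LAN_IF:-eth1}
BRIDGE=br0
GRE_IF=tunnel
MTU=2000

# Print "<local> <remote>" for a role; the client side is simply the mirror image.
endpoints() {
    case "$1" in
        hq)     echo "$HQ_TUN $CLIENT_TUN" ;;
        client) echo "$CLIENT_TUN $HQ_TUN" ;;
        *)      echo "usage: $0 hq|client" >&2; return 2 ;;
    esac
}

# With DRY_RUN=1 the ip commands are printed instead of executed.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

link_exists() { [ "${DRY_RUN:-0}" = 1 ] && return 1; ip link show "$1" >/dev/null 2>&1; }

# Poll (up to $2 seconds) until tun0 exists and has the expected address. With the
# default net30 topology the address is "inet 10.50.8.x peer ..." so match either form.
wait_for_tun0() {
    local addr=$1 tries=${2:-30}
    while [ "$tries" -gt 0 ]; do
        ip -4 -o addr show dev tun0 2>/dev/null | grep -q "inet $addr[ /]" && return 0
        tries=$((tries - 1)); sleep 1
    done
    echo "tun0 with address $addr did not come up" >&2; return 1
}

setup() {
    local role=$1 eps local_ip remote_ip
    eps=$(endpoints "$role") || return $?
    set -- $eps
    local_ip=$1; remote_ip=$2
    [ "${DRY_RUN:-0}" = 1 ] || wait_for_tun0 "$local_ip"
    # Idempotent: only create links that are missing, then (re)apply membership and MTU.
    link_exists "$GRE_IF" || run ip link add "$GRE_IF" type gretap remote "$remote_ip" local "$local_ip"
    link_exists "$BRIDGE" || run ip link add "$BRIDGE" type bridge
    run ip link set "$LAN_IF" master "$BRIDGE"
    run ip link set "$GRE_IF" master "$BRIDGE"
    for dev in "$BRIDGE" "$GRE_IF" tun0; do run ip link set "$dev" mtu "$MTU"; done
    run ip link set "$LAN_IF" up
    run ip link set "$GRE_IF" up
    run ip link set "$BRIDGE" up
}

# Reads "ip -o link show" output on stdin; fails if br0, tunnel or tun0 is missing
# or does not carry $MTU (field 5 is the MTU, field 2 the "name:" or "name@NONE:" token).
check_mtu() {
    awk -v want="$MTU" -v ifs="$BRIDGE $GRE_IF tun0" '
        BEGIN { n = split(ifs, want_if, " "); for (i = 1; i <= n; i++) seen[want_if[i]] = 0 }
        { name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
          for (i = 1; i <= n; i++)
              if (name == want_if[i]) { seen[name] = 1; if ($5 != want) bad = bad " " name } }
        END { for (i = 1; i <= n; i++) if (!seen[want_if[i]]) missing = missing " " want_if[i]
              if (bad != "" || missing != "") { printf "wrong mtu:%s missing:%s\n", bad, missing; exit 1 } }'
}

# Usage: gretap.sh hq   or   gretap.sh client  (no argument: only define the functions)
[ $# -eq 0 ] || { setup "$1"; [ "${DRY_RUN:-0}" = 1 ] || ip -o link show | check_mtu; }
```

Run it as "DRY_RUN=1 ./gretap.sh client" first to see exactly which ip commands the client site would execute. The gretap link itself has no authentication or encryption, so the 10.50.8.0/24 endpoints must only be reachable through tun0; the MTU check is what catches the silent fragmentation problems that show up when one of the three interfaces was left at 1500.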

We create a systemd service responsible for running the above script after the OpenVPN service has started. File location: /etc/systemd/system/gretunnel.service

[Unit]
Description=gretap tunnel bridged over OpenVPN
After=openvpn.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/openvpn/gretap.sh
[Install]
WantedBy=default.target

Then we set the file permissions and enable and start the service in systemd:

chmod 744 /etc/openvpn/gretap.sh
chmod 664 /etc/systemd/system/gretunnel.service
systemctl daemon-reload
systemctl enable gretunnel.service
systemctl start gretunnel.service

Finally, we copy client.conf (together with the certificate files it references) to the /etc/openvpn directory on the client machine and enable the service at boot:

systemctl enable openvpn   # with AUTOSTART="all" this starts every /etc/openvpn/*.conf
systemctl start openvpn

In addition, MAC address spoofing must be enabled on the VM's bridged network adapter under Hyper-V and VMware; otherwise the bridge will not work properly.

That's all! A simple configuration that can help with many migrations.