Today's topic is a GRE over VPN tunnel (gretap carried inside OpenVPN).
This kind of tunnel is useful when, for some reason, the same addressing must exist in both locations and we also need Layer 2 connectivity between them.
The example uses Debian 11, which is what I used in this case.
Configuration
Debian 11 with two network cards is installed on both VMs. After configuring static addresses on the first interface, we install the packages:

```bash
apt install bridge-utils -y
apt install openvpn -y
apt install easy-rsa -y   # provides /usr/share/easy-rsa/easyrsa used below
```
After installing the packages, we configure the OpenVPN server: enable automatic start of every /etc/openvpn/*.conf and initialize the PKI:

```bash
sed -i 's/#AUTOSTART="all"/AUTOSTART="all"/' /etc/default/openvpn ; systemctl daemon-reload
cd /etc/openvpn/
/usr/share/easy-rsa/easyrsa clean-all
/usr/share/easy-rsa/easyrsa init-pki
```

The last command asks for confirmation (answer "yes"):

```text
WARNING!!! You are about to remove the EASYRSA_PKI at:
/etc/openvpn/pki
and initialize a fresh PKI here.
Type the word 'yes' to continue, or any other input to abort.
  Confirm removal: yes
```
We generate the Certificate Authority:

```bash
/usr/share/easy-rsa/easyrsa build-ca nopass
```

When prompted, enter a common name for the CA (HQ-server here):

```text
Using SSL: openssl OpenSSL 1.1.1k  25 Mar 2021
Generating RSA private key, 2048 bit long modulus (2 primes)
.........+++++
............................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:HQ-server

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt
```
Then we generate the server certificate and key, and the Diffie-Hellman parameters:

```bash
/usr/share/easy-rsa/easyrsa build-server-full server nopass
/usr/share/easy-rsa/easyrsa gen-dh
```

We generate the client certificate and key:

```bash
/usr/share/easy-rsa/easyrsa build-client-full vm-client nopass
```
After generating the necessary files, we move on to creating the server and client configuration files for OpenVPN.

Server configuration file (/etc/openvpn/server.conf):

```
port 1194
proto udp
dev tun
#fragment 1400
# generated keys
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/server.crt
key /etc/openvpn/pki/private/server.key   # keep secret
dh /etc/openvpn/pki/dh.pem
server 10.50.8.0 255.255.255.0            # internal tun0 connection IP
ifconfig-pool-persist ipp.txt
keepalive 5 30
comp-lzo                                  # Compression - must be turned on at both ends (deprecated since OpenVPN 2.4)
persist-key
persist-tun
push "route 192.168.100.1 255.255.255.255"
status /var/log/openvpn-status.log
verb 3                                    # verbose mode
tun-mtu 2000
```

Client configuration file (client.conf):

```
client
dev tun
proto udp
remote MY-HQ-IP 1194      # public address of the HQ server
resolv-retry infinite
nobind
persist-key
persist-tun
# certificate files copied from the HQ PKI: pki/ca.crt, pki/issued/vm-client.crt, pki/private/vm-client.key
ca ca.crt
cert vm-client.crt
key vm-client.key
comp-lzo                  # must match the server
verb 3
```
The next stage is creating the gretap tunnel. A script does this job; we place it at /etc/openvpn/gretap.sh on both machines.
The version below is for the HQ site only; I leave the client-side version for you to work out :)

```bash
#!/bin/bash
# HQ side: 10.50.8.1 is this host's tun0 address, 10.50.8.6 is the client's
ip link add tunnel type gretap remote 10.50.8.6 local 10.50.8.1
brctl addbr br0
brctl addif br0 eth1        # LAN interface (second NIC)
brctl addif br0 tunnel      # gretap device joins the same bridge
ip link set br0 up
ip link set eth1 up
ip link set tunnel up
# raise MTUs so a 1500-byte LAN frame plus GRE/IP headers fits inside the VPN tunnel
ip link set br0 mtu 2000
ip link set tunnel mtu 2000
ip link set tun0 mtu 2000
```
We create a systemd service responsible for running the above script after the OpenVPN service starts. File location: /etc/systemd/system/gretunnel.service

```
[Unit]
After=openvpn.service

[Service]
# the script runs once and exits
Type=oneshot
ExecStart=/etc/openvpn/gretap.sh

[Install]
WantedBy=default.target
```

Then we set the file permissions and enable and start the service in systemd:

```bash
chmod 744 /etc/openvpn/gretap.sh
chmod 664 /etc/systemd/system/gretunnel.service
systemctl daemon-reload
systemctl enable gretunnel.service
systemctl start gretunnel.service
```
Finally, we copy client.conf (together with the client's certificate files) to the /etc/openvpn directory on the client machine and enable the service at boot:

```bash
systemctl enable openvpn
systemctl start openvpn
```

Additionally, MAC address spoofing must be enabled on the VM's network adapter in the case of Hyper-V and VMware; otherwise the bridge will not function properly.
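As an added example (not the post's gretap.sh), here is a hardened HQ-side version of the script: it waits for tun0 before creating the gretap device, is safe to re-run from the systemd unit, uses iproute2 instead of brctl, and checks that the MTUs line up, since a 1500-byte LAN frame grows by 38 bytes (IPv4 + GRE + Ethernet headers) inside gretap, which is why the post raises tun-mtu above 1500. It assumes the post's addresses and interface names.

```shell
#!/bin/sh
# Hardened HQ-side gretap bring-up (added example, not the post's gretap.sh).
# Assumes the post's addressing and names: tun0 carries 10.50.8.1 (HQ) <-> 10.50.8.6 (client),
# eth1 is the LAN leg, the gretap device is "tunnel" and the bridge is br0. iproute2 only.
set -eu
LOCAL=10.50.8.1; REMOTE=10.50.8.6; LAN=eth1; GRE=tunnel; BR=br0; MTU=2000
GRETAP_OVERHEAD=38   # outer IPv4 header (20) + GRE header (4) + inner Ethernet header (14)

# Smallest tun0 MTU that carries a LAN frame of $1 bytes through gretap without fragmenting.
carrier_mtu_for() { echo $(( $1 + GRETAP_OVERHEAD )); }

# Read `ip -o link` text on stdin and print the MTU of interface $1 (handles "tunnel@NONE:").
link_mtu() {
  awk -v n="$1" '{ d = $2; sub(/[@:].*/, "", d) }
    d == n { for (i = 3; i < NF; i++) if ($i == "mtu") { print $(i + 1); exit } }'
}

# Check `ip -o link` text on stdin: the gretap device must accept LAN-sized frames and tun0
# must have room for them plus the GRE overhead. Returns 0 when consistent, 1 otherwise.
mtu_consistent() {
  local txt lan gre tun
  txt=$(cat)
  lan=$(printf '%s\n' "$txt" | link_mtu "$LAN")
  gre=$(printf '%s\n' "$txt" | link_mtu "$GRE")
  tun=$(printf '%s\n' "$txt" | link_mtu tun0)
  [ -n "$lan" ] && [ -n "$gre" ] && [ -n "$tun" ] || return 1
  [ "$gre" -ge "$lan" ] && [ "$tun" -ge "$(carrier_mtu_for "$lan")" ]
}

# Wait up to $2 seconds for link $1. OpenVPN creates tun0 only after its TLS handshake,
# so After=openvpn.service alone does not guarantee tun0 exists when this script runs.
wait_for_link() {
  local i=0
  until ip link show "$1" >/dev/null 2>&1; do
    [ "$i" -lt "$2" ] || return 1
    sleep 1; i=$((i + 1))
  done
}

# Idempotent bring-up: a restart must not fail with "RTNETLINK answers: File exists".
bring_up() {
  wait_for_link tun0 60
  ip link show "$GRE" >/dev/null 2>&1 || ip link add "$GRE" type gretap local "$LOCAL" remote "$REMOTE"
  ip link show "$BR"  >/dev/null 2>&1 || ip link add "$BR" type bridge
  ip link set "$LAN" master "$BR"
  ip link set "$GRE" master "$BR"
  for dev in "$GRE" "$BR" tun0; do ip link set "$dev" mtu "$MTU"; done
  for dev in "$LAN" "$GRE" "$BR"; do ip link set "$dev" up; done
  ip -o link | mtu_consistent || { echo "MTU mismatch: tun0 cannot carry $LAN frames" >&2; return 1; }
}
if [ "${1:-}" = up ]; then bring_up; fi   # run as: gretap.sh up
```

Point the unit at it with ExecStart=/etc/openvpn/gretap.sh up and Type=oneshot, so systemctl start only returns once the bridge is up and the MTU check has passed.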
That's all! A simple configuration that can help with many migrations.