References for this article
1. https://www.emaculation.com/doku.php/bridged_openvpn_server_setup
2. https://serverfault.com/questions/622657/configure-firewalld-for-openvpn-server-bridge-in-fedora-20
3. https://www.linux.org.ru/forum/admin/10631949
1. Software versions
CentOS – 7.9.2009
easy-rsa – 3.0.8
OpenVPN – 2.4.10
bridge-utils
2. Installation
Most of the steps from the earlier NAT-mode installation tutorial can be reused; only the differences are described here.
2.1 Configuring the bridge
Install bridge-utils
yum install bridge-utils
Run ip addr to look up the host's IP address
[root@localhost ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:8f:c0:dd brd ff:ff:ff:ff:ff:ff
    inet 10.24.11.243/24 brd 10.24.11.255 scope global noprefixroute ens32
       valid_lft forever preferred_lft forever
    inet6 fe80::f4f5:b7e6:943d:fd26/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::80e4:f8c5:e4fe:cf1/64 scope link flags 800
       valid_lft forever preferred_lft forever
From this output we get the following information
IP address: 10.24.11.243
Subnet mask: 255.255.255.0 (/24 in CIDR notation)
Broadcast address: 10.24.11.255
Gateway IP address: 10.24.11.254
Create the bridge script
nano /etc/openvpn/openvpn-bridge
with the following content
#!/bin/sh
# Bridge the physical LAN interface with the OpenVPN TAP interface(s).
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above. Adjust the next four values to match your host.
eth="ens32"
eth_ip_netmask="10.24.11.243/24"
eth_broadcast="10.24.11.255"
eth_gateway="10.24.11.254"
case "$1" in
start)
    # Create the persistent TAP device(s) that OpenVPN will attach to
    for t in $tap; do
        openvpn --mktun --dev $t
    done
    # Create the bridge and add the physical interface and the TAP device(s) to it
    brctl addbr $br
    brctl addif $br $eth
    for t in $tap; do
        brctl addif $br $t
    done
    for t in $tap; do
        ip addr flush dev $t
        ip link set $t promisc on up
    done
    # Move the host's address and default route from the physical interface to the bridge
    ip addr flush dev $eth
    ip link set $eth promisc on up
    ip addr add $eth_ip_netmask broadcast $eth_broadcast dev $br
    ip link set $br up
    ip route add default via $eth_gateway
    ;;
stop)
    # Tear down the bridge and restore the address and default route on the physical interface
    ip link set $br down
    brctl delbr $br
    for t in $tap; do
        openvpn --rmtun --dev $t
    done
    ip link set $eth promisc off up
    ip addr add $eth_ip_netmask broadcast $eth_broadcast dev $eth
    ip route add default via $eth_gateway
    ;;
*)
    echo "Usage: openvpn-bridge {start|stop}"
    exit 1
    ;;
esac
exit 0
Set ownership and permissions
chmod 700 /etc/openvpn/openvpn-bridge
chown openvpn:openvpn /etc/openvpn/openvpn-bridge
2.2 Editing the server configuration
Comment out dev tun and replace it with dev tap0
Comment out the server line and replace it with server-bridge; the server-bridge syntax is
server-bridge [gw] [mask] [start-IP] [end-IP]
Note: some tutorials put the host's own IP in [gw], others put the actual gateway. After trying both: with the host's own IP, clients could only reach the local subnet, and with multiple VLANs the other subnets were unreachable.
So the correct value for [gw] is the actual gateway.
Edit
nano /etc/openvpn/server/server.conf
with the following content
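As an added example (not from this tutorial or the referenced guides), a Python check that parses the ens32 entry from the ip addr listing above and verifies a server-bridge line against it: the mask matches the interface prefix, the gateway lies in the subnet, and the client pool excludes the server's own address and the gateway. The sample ip addr text is constructed from the listing above; the values are the ones used in this tutorial.

```python
import ipaddress
import re

# Constructed sample: the ens32 lines from the `ip addr` listing in this tutorial.
IP_ADDR_OUTPUT = """\
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 00:50:56:8f:c0:dd brd ff:ff:ff:ff:ff:ff
    inet 10.24.11.243/24 brd 10.24.11.255 scope global noprefixroute ens32
"""

def interface_address(output, ifname):
    """Return the IPv4 address/prefix of ifname parsed from `ip addr` output."""
    m = re.search(r"^\s*inet (\S+) .*\s" + re.escape(ifname) + r"\s*$", output, re.M)
    if not m:
        raise ValueError(f"no IPv4 address found for {ifname}")
    return ipaddress.ip_interface(m.group(1))

def check_server_bridge(line, iface):
    """Validate 'server-bridge <gw> <mask> <start-IP> <end-IP>' against the
    physical interface that br0 takes over. Returns a list of problems;
    an empty list means the pool is consistent with the LAN."""
    fields = line.split()
    if len(fields) != 5 or fields[0] != "server-bridge":
        return ["expected: server-bridge <gw> <mask> <start-IP> <end-IP>"]
    gw, start, end = (ipaddress.ip_address(f) for f in (fields[1], fields[3], fields[4]))
    net = iface.network
    problems = []
    # The mask given to clients must describe the same subnet as the interface
    if ipaddress.ip_network(f"0.0.0.0/{fields[2]}").prefixlen != net.prefixlen:
        problems.append(f"mask {fields[2]} does not match {net}")
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    if start > end:
        problems.append("start-IP is after end-IP")
    # Pool must be usable host addresses, not the network or broadcast address
    if not (net.network_address < start and end < net.broadcast_address):
        problems.append(f"pool {start}-{end} must lie strictly inside {net}")
    # Handing out the server's own address or the gateway would create an IP conflict
    for name, addr in (("server address", iface.ip), ("gateway", gw)):
        if start <= addr <= end:
            problems.append(f"{name} {addr} falls inside the client pool")
    return problems

def check_tutorial_config():
    """Check the server-bridge line used in this tutorial's server.conf."""
    iface = interface_address(IP_ADDR_OUTPUT, "ens32")
    return check_server_bridge(
        "server-bridge 10.24.11.254 255.255.255.0 10.24.11.10 10.24.11.190", iface)

if __name__ == "__main__":
    print(check_tutorial_config() or "server-bridge line is consistent with ens32")
```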
port 1194
proto tcp
#dev tun
dev tap0
#dev-node tap-bridge
user openvpn
group openvpn
# Certificate settings
ca /etc/openvpn/server/easy-rsa/pki/ca.crt
cert /etc/openvpn/server/easy-rsa/pki/issued/server.crt
key /etc/openvpn/server/easy-rsa/pki/private/server.key
dh /etc/openvpn/server/easy-rsa/pki/dh.pem
tls-auth /etc/openvpn/server/easy-rsa/ta.key 0
# Username/password authentication
script-security 3
auth-user-pass-verify "/etc/openvpn/server/user/checkpsw.sh" via-env
verify-client-cert none
username-as-common-name
client-to-client
duplicate-cn
# Network settings
#server 10.8.0.0 255.255.255.0
server-bridge 10.24.11.254 255.255.255.0 10.24.11.10 10.24.11.190
client-to-client
push "dhcp-option DNS 10.24.11.250"
push "dhcp-option DNS 114.114.114.114"
push "route 10.24.11.0 255.255.255.0"
push "route 10.24.0.0 255.255.0.0"
push "route 172.20.0.0 255.255.0.0"
push "route 10.244.0.0 255.255.0.0"
compress lzo
cipher AES-256-CBC
keepalive 10 120
persist-key
persist-tun
verb 3
log /var/log/openvpn/server.log
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log
2.3 Editing the systemd unit
Edit openvpn-server@.service
nano /usr/lib/systemd/system/openvpn-server@.service
Add the following two lines under the [Service] section
[Service]
ExecStartPre=/etc/openvpn/openvpn-bridge start
ExecStopPost=/etc/openvpn/openvpn-bridge stop
Reload systemd
systemctl daemon-reload
Restart the server (the instance name matches server.conf in /etc/openvpn/server/)
systemctl restart openvpn-server@server.service
2.4 Configuring the firewall
The official documentation only gives an iptables version; the iptables rules are
iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
After running them, save the rules
service iptables save
The equivalent firewalld version is
firewall-cmd --permanent --direct --passthrough ipv4 -A INPUT -i tap0 -j ACCEPT
firewall-cmd --permanent --direct --passthrough ipv4 -A INPUT -i br0 -j ACCEPT
firewall-cmd --permanent --direct --passthrough ipv4 -A FORWARD -i br0 -j ACCEPT
After running them, reload firewalld for the rules to take effect
firewall-cmd --reload
2.5 Configuring the client
Change dev tun to dev tap0
Edit C:\Program Files\OpenVPN\config\client.ovpn as follows
client
proto tcp
dev tap0
auth-user-pass
remote 10.24.11.243 1194
ca ca.crt
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
auth-nocache
persist-tun
persist-key
comp-lzo
verb 3
mute 10
3. Common problems
1. Clients get an IP in the LAN subnet and can ping other subnets and the server IP, but cannot ping other hosts in the same subnet
If the server runs in a virtual machine (e.g. ESXi, Hyper-V), first check whether the "allow MAC address spoofing" option is enabled
The corresponding ESXi setting is shown below
Once that is enabled, check whether NAT is configured in the firewall, and remove it.