■구성도
+-------------------+
|                   |
|     Firewall      |
|                   |
| eth0:10.10.10.254 |
| eth1:192.168.64.1 |
|                   |
+--------+----------+
         |
         v
+-------------------+
|                   |
|  OpenVPN Server   |
|                   |
|br0:192.168.64.254 |
|eth0:10.10.10.122  |
|                   |
+---+---------------+
    |          ^
    v          |
+--------------+----+
|                   |
|  OpenVPN Client   |
|     (Game PC)     |
|   192.168.64.xx   |
|                   |
+-------------------+
위 환경에서 OpenVPN을 Bridge로 구성하여 게임의 UDP 브로드캐스팅이 VPN을 통해 전달되도록 설정한다.
VPN에 연결된 클라이언트는 192.168.64.x 내부 네트워크 환경과 동일하게 동작한다.
적용을 위해서는 OpenVPN을 아래 openvpn-bridge.sh를 통해 실행/중지시킨다.
openvpn-bridge.sh
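#!/bin/bash
############################################################
#
# OpenVPN bridge setup script.
# Must run before the OpenVPN service is started (it stops and
# restarts the openvpn unit itself).
#
# Usage: openvpn-bridge.sh {start|stop}
#
#   start  stop openvpn, create the TAP device(s), bridge them with
#          ETH_IF, move ETH_IF's address/default route onto BRIDGE_IF,
#          then start openvpn.
#   stop   stop openvpn, tear the bridge and TAP device(s) down and put
#          the address/default route back on ETH_IF.
#
# Requires root and the ip, brctl, openvpn and systemctl tools.
# NOTE(review): the diagram on this page shows the server's eth0 as
# 10.10.10.122 while this script puts 192.168.64.254/24 on a bridge
# over eth0; `ip addr flush dev eth0` discards whatever address eth0
# currently has, so confirm ETH_IF/ETH_IP_NETMASK match the host
# before running "start" on a machine you only reach over the network.
#
############################################################
set -u

# Bridge interface created on start and deleted on stop.
readonly BRIDGE_IF="br0"
# Space-separated list of TAP interfaces to be bridged,
# for example TAP_IF="tap0 tap1 tap2".
readonly TAP_IF="tap0"
# Physical ethernet interface bridged with the TAP interface(s) above.
readonly ETH_IF="eth0"
# Address, broadcast and default gateway that move from ETH_IF to
# BRIDGE_IF on start and back to ETH_IF on stop.
readonly ETH_IP_NETMASK="192.168.64.254/24"
readonly ETH_BROADCAST="192.168.64.255"
readonly ETH_GATEWAY="192.168.64.1"
# MAC address assigned to BRIDGE_IF (presumably ETH_IF's own MAC so the
# host keeps its L2 identity on the LAN — verify against `ip link`).
readonly ETH_MACADDR="aa:c4:1c:7b:86:48"

#######################################
# Print an error to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf 'openvpn-bridge.sh: %s\n' "$*" >&2
  exit 1
}

#######################################
# Abort early if not root or a required tool is missing, so we never
# stop openvpn or flush an address and then fail half-way through.
#######################################
check_env() {
  local tool
  (( EUID == 0 )) || die "must be run as root"
  for tool in ip brctl openvpn systemctl; do
    command -v "${tool}" >/dev/null 2>&1 || die "required tool not found: ${tool}"
  done
}

#######################################
# Build the bridge and start openvpn.
# Globals:  BRIDGE_IF TAP_IF ETH_IF ETH_IP_NETMASK ETH_BROADCAST
#           ETH_GATEWAY ETH_MACADDR (read)
# Returns:  0 on success; exits 1 via die on failure.  A failure before
#           ETH_IF is flushed leaves the host reachable on ETH_IF; any
#           TAP device already created is removed by "stop".
#######################################
bridge_start() {
  local tap
  systemctl stop openvpn

  # shellcheck disable=SC2086 — TAP_IF is a deliberate space-separated list
  for tap in ${TAP_IF}; do
    openvpn --mktun --dev "${tap}" || die "cannot create ${tap}"
  done

  # Assemble the bridge completely while ETH_IF still carries its
  # address: a failure here (e.g. br0 already exists) aborts before the
  # host is stranded without an IP.
  brctl addbr "${BRIDGE_IF}" || die "cannot create bridge ${BRIDGE_IF}"
  brctl addif "${BRIDGE_IF}" "${ETH_IF}" || die "cannot add ${ETH_IF} to ${BRIDGE_IF}"
  # shellcheck disable=SC2086
  for tap in ${TAP_IF}; do
    brctl addif "${BRIDGE_IF}" "${tap}" || die "cannot add ${tap} to ${BRIDGE_IF}"
  done
  # shellcheck disable=SC2086
  for tap in ${TAP_IF}; do
    ip addr flush dev "${tap}"
    ip link set "${tap}" promisc on up
  done

  # From here on ETH_IF has no address of its own; BRIDGE_IF takes it over.
  ip addr flush dev "${ETH_IF}"
  ip link set "${ETH_IF}" promisc on up
  ip addr add "${ETH_IP_NETMASK}" broadcast "${ETH_BROADCAST}" dev "${BRIDGE_IF}" \
    || die "cannot assign ${ETH_IP_NETMASK} to ${BRIDGE_IF}"
  ip link set "${BRIDGE_IF}" address "${ETH_MACADDR}"
  ip link set "${BRIDGE_IF}" up || die "cannot bring ${BRIDGE_IF} up"
  ip route add default via "${ETH_GATEWAY}"
  systemctl start openvpn || die "failed to start openvpn"
}

#######################################
# Stop openvpn, remove the bridge and TAP device(s), and restore the
# address and default route on ETH_IF.  Every step is attempted even if
# an earlier one failed (e.g. a half-built bridge) so connectivity is
# restored as far as possible; the exit status still reports a failure.
# Globals:  BRIDGE_IF TAP_IF ETH_IF ETH_IP_NETMASK ETH_BROADCAST
#           ETH_GATEWAY (read)
# Returns:  0 if every step succeeded, 1 otherwise.
#######################################
bridge_stop() {
  local tap rv=0
  systemctl stop openvpn
  ip link set "${BRIDGE_IF}" down || rv=1
  brctl delbr "${BRIDGE_IF}" || rv=1
  # shellcheck disable=SC2086
  for tap in ${TAP_IF}; do
    openvpn --rmtun --dev "${tap}" || rv=1
  done
  ip link set "${ETH_IF}" promisc off up || rv=1
  ip addr add "${ETH_IP_NETMASK}" broadcast "${ETH_BROADCAST}" dev "${ETH_IF}" || rv=1
  ip route add default via "${ETH_GATEWAY}" || rv=1
  return "${rv}"
}

#######################################
# Entry point: dispatch on the single start|stop argument.
# Arguments: $1 - "start" or "stop"
# Returns:   status of the selected action; 1 with a usage line otherwise.
#######################################
main() {
  case "${1:-}" in
    start)
      check_env
      bridge_start
      ;;
    stop)
      check_env
      bridge_stop
      ;;
    *)
      echo "Usage: openvpn-bridge.sh {start|stop}"
      exit 1
      ;;
  esac
}

main "$@"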
/etc/openvpn/server.conf
# OpenVPN port, protocol and the tun/tap device
port 1194
proto udp
# ** This part must be changed !!
# A bridge must use a tap interface.
dev tap0
# OpenVPN Server Certificate - CA, server key and certificate
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/local.esvali.com-openvpn-server.crt
key /etc/openvpn/server/local.esvali.com-openvpn-server.key
# DH parameters and CRL.  Clients whose certificate is listed in the CRL
# are rejected, so the CRL file must be kept current when a client is revoked.
dh /etc/openvpn/server/dh.pem
crl-verify /etc/openvpn/server/crl.pem
# ** This part must be changed !!
# Use server-bridge below instead of the usual "server" directive.
# Connected clients get 192.168.64.1 as their gateway and are assigned
# addresses from the pool 192.168.64.100 - 192.168.64.200.
server-bridge 192.168.64.1 255.255.255.0 192.168.64.100 192.168.64.200
# Route all client traffic through the VPN.
push "redirect-gateway def1 bypass-dhcp"
# Using the DNS from https://dns.watch
# NOTE(review): the addresses pushed below are Google Public DNS, not
# dns.watch — confirm which resolver is intended.
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Clients can reach each other through the server (needed for the game
# LAN traffic); note this also means one compromised client can reach
# every other connected client.
client-to-client
topology subnet
mode server
# NOTE(review): client.ovpn on this page pins `data-ciphers AES-256-CBC`
# while this server sets only `cipher` and no `data-ciphers`; the
# negotiated data cipher therefore depends on the server's OpenVPN
# version — verify both ends agree.
cipher AES-256-CBC
#Enable multiple client to connect with same Certificate key
#duplicate-cn
# TLS Security
tls-server
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
# Other Configuration
keepalive 10 60
# persist-key/persist-tun keep the key and tun/tap device across restarts,
# which is required once the daemon has dropped to user nobody below.
persist-key
persist-tun
# NOTE(review): OpenVPN's manual warns that compressing tunnel payload
# is a security risk (VORACLE); consider whether it is needed here.
compress lz4
daemon
# The original comment said "do not assign duplicate IPs to clients";
# that is not what this directive does: duplicate-cn lets several
# clients presenting a certificate with the same common name be
# connected at the same time.
# NOTE(review): the same directive is commented out above — decide which
# is intended.  Leaving it off keeps one session per certificate and
# makes per-client revocation via crl-verify meaningful.
duplicate-cn
# Drop privileges after startup.
user nobody
group nogroup
# OpenVPN Log
log /var/log/openvpn.log
status /var/log/openvpn-status.log
verb 3
client.ovpn
client
# ** This part must be changed !!
# A bridge must use a tap interface.
dev tap
proto udp
remote vpn.test.com 1194
# NOTE(review): both `ca ca.crt` and an inline <ca> block are present
# below; only one is needed — confirm which one is actually used.
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
data-ciphers AES-256-CBC
auth SHA512
# Do not cache credentials in memory.
auth-nocache
# Require the server certificate to carry the server EKU, so a client
# certificate issued by the same CA cannot be used to impersonate the server.
remote-cert-tls server
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
# NOTE(review): must match the server side; OpenVPN's manual warns that
# compressing tunnel payload is a security risk (VORACLE).
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
<ca>
-----BEGIN CERTIFICATE-----
......
