[Fwd: Re: [TriLUG] OpenVPN: TAP vs TUN]
Josh Vickery
vickeryj at gmail.com
Mon Nov 21 12:21:49 EST 2005
I'm glad to hear that I'm not the only one who got stuck with the
default route going away!
I didn't see anything obvious in your config, but that doesn't mean
there isn't anything there.
It might be easier to troubleshoot your problems with the log files.
If you start openvpn not as a daemon, you can send the output to a
file. I don't know how to capture the log on a Windows client, but
the Linux client spews its output to the console by default.
Josh
On 11/21/05, Paul G. Szabady <Paul at thyservice.com> wrote:
> Greetings Josh, et al:
>
> Well, I feel like I'm getting closer, but still no cigar. :(
>
> I can at least start openvpn and bridging without losing connection to the
> server (always a plus when it's remote), and I can connect to it with a
> client, but I can't seem to talk either way through the tunnel. Here are
> my config files. Does anything jump out at anyone as being wrong? Maybe
> I'm doing things in the wrong order?
>
> I apologize in advance for the length of this email, but I wanted to
> include as much detail as possible.
>
> ============
> server.conf:
> ============
> port 1194
> proto udp
> dev tap
> ca ca.crt
> cert server.crt
> key server.key
> dh dh1024.pem
> ifconfig-pool-persist ipp.txt
> server-bridge 192.168.0.2 255.255.255.0 192.168.0.200 192.168.0.249
> keepalive 10 120
> cipher BF-CBC
> comp-lzo
> user nobody
> group nobody
> persist-key
> persist-tun
> status openvpn-status.log
> verb 4
> mute 20
>
> =============================
> (windows XP) client_001.opvn:
> =============================
> remote <FQDN for openvpn server - changed for privacy> 1194
> dev tap
> tls-client
> client
> proto udp
> nobind
> comp-lzo
> verb 3
> mute 20
> ca ca.crt
> cert client_001.crt
> key client_001.key
> ns-cert-type server
> cipher BF-CBC
>
> Almost stock server start-up script (/etc/rc.d/init.d/openvpn) which
> also calls bridge-start:
>
> #!/bin/sh
> #
> # openvpn This shell script takes care of starting and stopping
> # openvpn on RedHat or other chkconfig-based system.
> #
> # chkconfig: 345 24 76
> #
> # description: OpenVPN is a robust and highly flexible tunneling
> application that
> # uses all of the encryption, authentication, and
> certification features
> # of the OpenSSL library to securely tunnel IP networks over
> a single
> # UDP port.
> #
>
> # Contributed to the OpenVPN project by
> # Douglas Keller <doug at voidstar.dyndns.org>
> # 2002.05.15
>
> # To install:
> # copy this file to /etc/rc.d/init.d/openvpn
> # shell> chkconfig --add openvpn
> # shell> mkdir /etc/openvpn
> # make .conf or .sh files in /etc/openvpn (see below)
>
> # To uninstall:
> # run: chkconfig --del openvpn
>
> # Author's Notes:
> #
> # I have created an /etc/init.d init script and enhanced openvpn.spec to
> # automatically register the init script. Once the RPM is installed you
> # can start and stop OpenVPN with "service openvpn start" and "service
> # openvpn stop".
> #
> # The init script does the following:
> #
> # - Starts an openvpn process for each .conf file it finds in
> # /etc/openvpn.
> #
> # - If /etc/openvpn/xxx.sh exists for a xxx.conf file then it executes
> # it before starting openvpn (useful for doing openvpn --mktun...).
> #
> # - In addition to start/stop you can do:
> #
> # service openvpn reload - SIGHUP
> # service openvpn reopen - SIGUSR1
> # service openvpn status - SIGUSR2
> #
> # Modifications:
> #
> # 2003.05.02
> # * Changed == to = for sh compliance (Bishop Clark).
> # * If condrestart|reload|reopen|status, check that we were
> # actually started (James Yonan).
> # * Added lock, piddir, and work variables (James Yonan).
> # * If start is attempted twice, without an intervening stop, or
> # if start is attempted when previous start was not properly
> # shut down, then kill any previously started processes, before
> # commencing new start operation (James Yonan).
> # * Do a better job of flagging errors on start, and properly
> # returning success or failure status to caller (James Yonan).
> #
> # 2005.04.04
> # * Added openvpn-startup and openvpn-shutdown script calls
> # (James Yonan).
> #
>
> # Location of openvpn binary
> openvpn=""
> openvpn_locations="/usr/sbin/openvpn /usr/local/sbin/openvpn"
> for location in $openvpn_locations
> do
> if [ -f "$location" ]
> then
> openvpn=$location
> fi
> done
>
> # Lockfile
> lock="/var/lock/subsys/openvpn"
>
> # PID directory
> piddir="/var/run/openvpn"
>
> # Our working directory
> work=/etc/openvpn
>
> # Source function library.
> . /etc/rc.d/init.d/functions
>
> # Source networking configuration.
> . /etc/sysconfig/network
>
> # Check that networking is up.
> if [ ${NETWORKING} = "no" ]
> then
> echo "Networking is down"
> exit 0
> fi
>
> # Check that binary exists
> if ! [ -f $openvpn ]
> then
> echo "openvpn binary not found"
> exit 0
> fi
>
> # See how we were called.
> case "$1" in
> start)
> echo -n $"Starting openvpn: "
>
> /sbin/modprobe tun >/dev/null 2>&1
>
> # From a security perspective, I think it makes
> # sense to remove this, and have users who need
> # it explictly enable in their --up scripts or
> # firewall setups.
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> /etc/rc.d/init.d/bridge-start
>
> # Run startup script, if defined
> if [ -f $work/openvpn-startup ]; then
> $work/openvpn-startup
> fi
>
> if [ ! -d $piddir ]; then
> mkdir $piddir
> fi
>
> if [ -f $lock ]; then
> # we were not shut down correctly
> for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
> if [ -s $pidf ]; then
> kill `cat $pidf` >/dev/null 2>&1
> fi
> rm -f $pidf
> done
> rm -f $lock
> sleep 2
> fi
>
> rm -f $piddir/*.pid
> cd $work
>
> # Start every .conf in $work and run .sh if exists
> errors=0
> successes=0
> for c in `/bin/ls *.conf 2>/dev/null`; do
> bn=${c%%.conf}
> if [ -f "$bn.sh" ]; then
> . $bn.sh
> fi
> rm -f $piddir/$bn.pid
> $openvpn --daemon --writepid $piddir/$bn.pid --config $c --cd
> $work
> if [ $? = 0 ]; then
> successes=1
> else
> errors=1
> fi
> done
>
> if [ $errors = 1 ]; then
> failure; echo
> else
> success; echo
> fi
>
> if [ $successes = 1 ]; then
> touch $lock
> fi
> ;;
> stop)
> echo -n $"Shutting down openvpn: "
> for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
> if [ -s $pidf ]; then
> kill `cat $pidf` >/dev/null 2>&1
> fi
> rm -f $pidf
> done
>
> # Run shutdown script, if defined
> if [ -f $work/openvpn-shutdown ]; then
> $work/openvpn-shutdown
> fi
>
> success; echo
> rm -f $lock
> ;;
> restart)
> $0 stop
> sleep 2
> $0 start
> ;;
> reload)
> if [ -f $lock ]; then
> for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
> if [ -s $pidf ]; then
> kill -HUP `cat $pidf` >/dev/null 2>&1
> fi
> done
> else
> echo "openvpn: service not started"
> exit 1
> fi
> ;;
> reopen)
> if [ -f $lock ]; then
> for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
> if [ -s $pidf ]; then
> kill -USR1 `cat $pidf` >/dev/null 2>&1
> fi
> done
> else
> echo "openvpn: service not started"
> exit 1
> fi
> ;;
> condrestart)
> if [ -f $lock ]; then
> $0 stop
> # avoid race
> sleep 2
> $0 start
> fi
> ;;
> status)
> if [ -f $lock ]; then
> for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
> if [ -s $pidf ]; then
> kill -USR2 `cat $pidf` >/dev/null 2>&1
> fi
> done
> echo "Status written to /var/log/messages"
> else
> echo "openvpn: service not started"
> exit 1
> fi
> ;;
> *)
> echo "Usage: openvpn
> {start|stop|restart|condrestart|reload|reopen|status}"
> exit 1
> ;;
> esac
> exit 0
>
> =========================
> ifconfig output (server):
> =========================
> br0 Link encap:Ethernet HWaddr 00:11:11:CC:97:FC
> inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0
> inet6 addr: fe80::211:11ff:fecc:97fc/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:1603 errors:0 dropped:0 overruns:0 frame:0
> TX packets:679 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:127991 (124.9 KiB) TX bytes:107444 (104.9 KiB)
>
> eth0 Link encap:Ethernet HWaddr 00:11:11:CC:97:FC
> inet6 addr: fe80::211:11ff:fecc:97fc/64 Scope:Link
> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:1619 errors:0 dropped:0 overruns:0 frame:0
> TX packets:671 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:158296 (154.5 KiB) TX bytes:110458 (107.8 KiB)
> Interrupt:169
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:1002 errors:0 dropped:0 overruns:0 frame:0
> TX packets:1002 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:2528944 (2.4 MiB) TX bytes:2528944 (2.4 MiB)
>
> tap0 Link encap:Ethernet HWaddr 00:FF:02:F4:5C:60
> inet6 addr: fe80::2ff:2ff:fef4:5c60/64 Scope:Link
> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:900 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>
> =====================================================
> route -n (server: (local = 192.168.0.2/255.255.255.0)
> =====================================================
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
> 0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 br0
>
> ==============================================
> ipconfig (windows client - TAP-Win32 Adapter):
> ==============================================
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : TAP-Win32 Adapter V8
> Physical Address. . . . . . . . . : 00-FF-F1-4B-A4-C6
> Dhcp Enabled. . . . . . . . . . . : Yes
> Autoconfiguration Enabled . . . . : Yes
> IP Address. . . . . . . . . . . . : 192.168.0.200
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . :
> DHCP Server . . . . . . . . . . . : 192.168.0.0
> Lease Obtained. . . . . . . . . . : Monday, November 21, 2005 11:29:23 AM
> Lease Expires . . . . . . . . . . : Tuesday, November 21, 2006 11:29:23 AM
>
> =============================
> route print (windows client):
> =============================
> C:\>route print (local = 192.168.2.100/255.255.255.0)
> ===========================================================================
> Interface List
> 0x1 ........................... MS TCP Loopback interface
> 0x10005 ...00 06 5b ca e2 74 ...... Intel(R) PRO/1000 MT Network Connection
> 0x30006 ...00 ff f1 4b a4 c6 ...... TAP-Win32 Adapter V8
> ===========================================================================
> ===========================================================================
> Active Routes:
> Network Destination Netmask Gateway Interface Metric
> 0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.100 10
> 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
> 192.168.2.0 255.255.255.0 192.168.2.100 192.168.2.100 10
> 192.168.2.100 255.255.255.255 127.0.0.1 127.0.0.1 10
> 192.168.2.255 255.255.255.255 192.168.2.100 192.168.2.100 10
> 192.168.0.0 255.255.255.0 192.168.0.200 192.168.0.200 20
> 192.168.0.200 255.255.255.255 127.0.0.1 127.0.0.1 20
> 192.168.0.255 255.255.255.255 192.168.0.200 192.168.0.200 20
> 224.0.0.0 240.0.0.0 192.168.2.100 192.168.2.100 10
> 224.0.0.0 240.0.0.0 192.168.0.200 192.168.0.200 20
> 255.255.255.255 255.255.255.255 192.168.2.100 192.168.2.100 1
> 255.255.255.255 255.255.255.255 192.168.0.200 192.168.0.200 1
> Default Gateway: 192.168.2.1
> ===========================================================================
> Persistent Routes:
> None
>
>
>
> --
> Paul
> @ Thy Service
>
>
> ---------------------------- Original Message ----------------------------
> Subject: Re: [TriLUG] OpenVPN: TAP vs TUN
> From: "Paul G. Szabady" <Paul at ThyService.com>
> Date: Fri, November 18, 2005 4:38 pm
> To: "Triangle Linux Users Group discussion list" <trilug at trilug.org>
> --------------------------------------------------------------------------
>
> Josh,
>
> I owe you a beer! That's the *key* piece I was missing:
>
> setup the default gateway, since it gets lost when eth0 is
> deconfigured (this step I had to add myself, since it is not mentioned in
> the ethernet bridging howto):
> > route add default gw $gw
>
> I've set this up on my laptop at home and it works. Now to implement in
> production. However, I think I'll go onsite, just to be safe. ;)
>
> Thanks for your help!
>
> --
> Paul
> @ Thy Service
>
> > You can assign an IP to a bridge interface in linux, this makes it not
> exactly a bridge, but its what I did to get bridge mode working with
> OpenVPN with a single NIC.
> >
> > I wrote up a nice HOWTO and stuck in on the OpenVPN wiki, but their wiki
> has now been down for months. You can get my (hard to read) notes here:
> >
> > http://vickeryj.freeshell.org/notes/
> >
> > In short, I brought up the tap device like so:
> >
> >> openvpn --mktun --dev tap0
> >
> > and bridge it with the ethernet device like this:
> >
> >> brctl addbr br0
> >> brctl addif br0 eth0
> >> brctl addif br0 tap0
> >
> > then stick everything in promiscuous mode:
> >
> >> ifconfig tap0 0.0.0.0 promisc up
> >> ifconfig eth0 0.0.0.0 promisc up
> >
> > then assign the ip that eth0 used to have to the bridge device (this
> might be what is missing if you are loosing network connectivity to the
> box):
> >
> >> ifconfig br0 $eth_ip netmask $eth_netmask broadcast $eth_broadcast
> >
> > setup the default gateway, since it gets lost when eth0 is
> > deconfigured (this step I had to add myself, since it is not mentioned
> in the ethernet bridging howto):
> >> route add default gw $gw
> >
> > if you want to do this remotely, all those lines need to be in a script,
> as you will lose network connectivity to the box until the last ifconfig
> line is run.
> >
> > Josh
> >
> > On 11/18/05, Paul G. Szabady <Paul at thyservice.com> wrote:
> >> Jim,
> >>
> >> Done that, but note, I'm not even at the point of connecting a client yet.
> >>
> >> --
> >> Paul
> >> @ Thy Service
> >>
> >> > make sure source and destination IP addresses are *not* on the same
> network address.
> >> >
> >> > regards,
> >> >
> >> > jim
> >> >
> >> > Jim Ray, President
> >> > Neuse River Network, Inc.
> >> >
> >> > tel: 919-838-1672 x111
> >> > toll free: 800-617-7652
> >> > cell: 919-606-1772
> >> > http://www.Neuse.Net
> >> >
> >> > Ask about our Clean Technologies. Established in the Carolinas 1997.
> >> >
> >> >
> >> >
> >> > Paul G. Szabady wrote:
> >> >
> >> >>Greetings,
> >> >>
> >> >>I am trying to set up a TAP style VPN but I'm apparently missing a
> key piece of information and was hoping someone could clarify this
> for me.
> >> >>
> >> >>I have a linux (CentOS 4.2) server w/OpenVPN (openvpn-2.1_beta7-1
> installed from RPM built from src), and a windows 2000 server behind
> a linksys router. I need to be able to access the windows server on
> the local LAN from the internet, with an IP address in the same
> subnet as
> >> the
> >> >>windows server, hence the desire to set up using TAP/bridge mode.
> (Setting up TUN was easy, but didn't work as I needed it to.) The
> >> linux
> >> >>machine has a single NIC, which is why this is so confusing to me.
> >> When
> >> >> I
> >> >>set up OpenVPN w/TAP, I lose all network access to the linux server.
> Having had a "home grown linux switch" (old pc w/6 NICs running in
> >> bridge
> >> >>mode), this makes sense. I believe I have followed all the
> >> >>instructions/notes/suggestions from the openVPN howto as well as the
> Ethernet-Bridge-netfilter howto. But I'm still missing something.
> >> >>
> >> >>The big question: If I am apparently invisible to the network, how
> >> does
> >> >>one make a connection (VPN or other) to the linux server?
> >> >>
> >> >>
> >> >>
> >> > --
> >> > TriLUG mailing list :
> >> http://www.trilug.org/mailman/listinfo/trilug
> >> > TriLUG Organizational FAQ : http://trilug.org/faq/
> >> > TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> >>
> >> --
> >> TriLUG mailing list :
> >> http://www.trilug.org/mailman/listinfo/trilug
> >> TriLUG Organizational FAQ : http://trilug.org/faq/
> >> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> >>
> > --
> > TriLUG mailing list :
> http://www.trilug.org/mailman/listinfo/trilug TriLUG Organizational FAQ
> : http://trilug.org/faq/
> > TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> >
>
>
>
> --
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>
More information about the TriLUG
mailing list