[Fwd: Re: [TriLUG] OpenVPN: TAP vs TUN]
Josh Vickery
vickeryj at gmail.com
Mon Nov 21 12:23:51 EST 2005
I just had a thought. Since the Windows client seems to be picking up
an IP and a route ok, have you checked your Windows firewall settings
for the tap interface?
On 11/21/05, Josh Vickery <vickeryj at gmail.com> wrote:
> I'm glad to hear that I'm not the only one who got stuck with the
> default route going away!
>
> I didn't see anything obvious in your config, but that doesn't mean
> there isn't anything there.
>
> It might be easier to troubleshoot your problems with the log files.
> If you start openvpn not as a daemon, you can send the output to a
> file. I don't know how to capture the log on a Windows client, but
> the Linux client spews its output to the console by default.
>
> Josh
>
> On 11/21/05, Paul G. Szabady <Paul at thyservice.com> wrote:
> > Greetings Josh, et al:
> >
> > Well, I feel like I'm getting closer, but still no cigar. :(
> >
> > I can at least start openvpn and bridging without losing connection to the
> > server (always a plus when it's remote), and I can connect to it with a
> > client, but I can't seem to talk either way through the tunnel. Here are
> > my config files. Does anything jump out at anyone as being wrong? Maybe
> > I'm doing things in the wrong order?
> >
> > I apologize in advance for the length of this email, but I wanted to
> > include as much detail as possible.
> >
> > ============
> > server.conf:
> > ============
> > port 1194
> > proto udp
> > dev tap
> > ca ca.crt
> > cert server.crt
> > key server.key
> > dh dh1024.pem
> > ifconfig-pool-persist ipp.txt
> > server-bridge 192.168.0.2 255.255.255.0 192.168.0.200 192.168.0.249
> > keepalive 10 120
> > cipher BF-CBC
> > comp-lzo
> > user nobody
> > group nobody
> > persist-key
> > persist-tun
> > status openvpn-status.log
> > verb 4
> > mute 20
> >
> > =============================
> > (windows XP) client_001.opvn:
> > =============================
> > remote <FQDN for openvpn server - changed for privacy> 1194
> > dev tap
> > tls-client
> > client
> > proto udp
> > nobind
> > comp-lzo
> > verb 3
> > mute 20
> > ca ca.crt
> > cert client_001.crt
> > key client_001.key
> > ns-cert-type server
> > cipher BF-CBC
> >
> > Almost stock server start-up script (/etc/rc.d/init.d/openvpn) which
> > also calls bridge-start:
> >
> > #!/bin/sh
> > #
> > # openvpn This shell script takes care of starting and stopping
> > # openvpn on RedHat or other chkconfig-based system.
> > #
> > # chkconfig: 345 24 76
> > #
> > # description: OpenVPN is a robust and highly flexible tunneling application that
> > #              uses all of the encryption, authentication, and certification features
> > #              of the OpenSSL library to securely tunnel IP networks over a single
> > #              UDP port.
> > #
> >
> > # Contributed to the OpenVPN project by
> > # Douglas Keller <doug at voidstar.dyndns.org>
> > # 2002.05.15
> >
> > # To install:
> > # copy this file to /etc/rc.d/init.d/openvpn
> > # shell> chkconfig --add openvpn
> > # shell> mkdir /etc/openvpn
> > # make .conf or .sh files in /etc/openvpn (see below)
> >
> > # To uninstall:
> > # run: chkconfig --del openvpn
> >
> > # Author's Notes:
> > #
> > # I have created an /etc/init.d init script and enhanced openvpn.spec to
> > # automatically register the init script. Once the RPM is installed you
> > # can start and stop OpenVPN with "service openvpn start" and "service
> > # openvpn stop".
> > #
> > # The init script does the following:
> > #
> > # - Starts an openvpn process for each .conf file it finds in
> > # /etc/openvpn.
> > #
> > # - If /etc/openvpn/xxx.sh exists for a xxx.conf file then it executes
> > # it before starting openvpn (useful for doing openvpn --mktun...).
> > #
> > # - In addition to start/stop you can do:
> > #
> > # service openvpn reload - SIGHUP
> > # service openvpn reopen - SIGUSR1
> > # service openvpn status - SIGUSR2
> > #
> > # Modifications:
> > #
> > # 2003.05.02
> > # * Changed == to = for sh compliance (Bishop Clark).
> > # * If condrestart|reload|reopen|status, check that we were
> > # actually started (James Yonan).
> > # * Added lock, piddir, and work variables (James Yonan).
> > # * If start is attempted twice, without an intervening stop, or
> > # if start is attempted when previous start was not properly
> > # shut down, then kill any previously started processes, before
> > # commencing new start operation (James Yonan).
> > # * Do a better job of flagging errors on start, and properly
> > # returning success or failure status to caller (James Yonan).
> > #
> > # 2005.04.04
> > # * Added openvpn-startup and openvpn-shutdown script calls
> > # (James Yonan).
> > #
> >
> > # Location of openvpn binary
> > openvpn=""
> > openvpn_locations="/usr/sbin/openvpn /usr/local/sbin/openvpn"
> > for location in $openvpn_locations
> > do
> >     if [ -f "$location" ]
> >     then
> >         openvpn=$location
> >     fi
> > done
> >
> > # Lockfile
> > lock="/var/lock/subsys/openvpn"
> >
> > # PID directory
> > piddir="/var/run/openvpn"
> >
> > # Our working directory
> > work=/etc/openvpn
> >
> > # Source function library.
> > . /etc/rc.d/init.d/functions
> >
> > # Source networking configuration.
> > . /etc/sysconfig/network
> >
> > # Check that networking is up.
> > if [ "${NETWORKING}" = "no" ]
> > then
> >     echo "Networking is down"
> >     exit 0
> > fi
> >
> > # Check that binary exists
> > if ! [ -f "$openvpn" ]
> > then
> >     echo "openvpn binary not found"
> >     exit 0
> > fi
> >
> > # See how we were called.
> > case "$1" in
> >   start)
> >     echo -n $"Starting openvpn: "
> >
> >     /sbin/modprobe tun >/dev/null 2>&1
> >
> >     # From a security perspective, I think it makes
> >     # sense to remove this, and have users who need
> >     # it explicitly enable in their --up scripts or
> >     # firewall setups.
> >
> >     echo 1 > /proc/sys/net/ipv4/ip_forward
> >     /etc/rc.d/init.d/bridge-start
> >
> >     # Run startup script, if defined
> >     if [ -f $work/openvpn-startup ]; then
> >         $work/openvpn-startup
> >     fi
> >
> >     if [ ! -d $piddir ]; then
> >         mkdir $piddir
> >     fi
> >
> >     if [ -f $lock ]; then
> >         # we were not shut down correctly
> >         for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
> >             if [ -s $pidf ]; then
> >                 kill `cat $pidf` >/dev/null 2>&1
> >             fi
> >             rm -f $pidf
> >         done
> >         rm -f $lock
> >         sleep 2
> >     fi
> >
> >     rm -f $piddir/*.pid
> >     cd $work
> >
> >     # Start every .conf in $work and run .sh if exists
> >     errors=0
> >     successes=0
> >     for c in `/bin/ls *.conf 2>/dev/null`; do
> >         bn=${c%%.conf}
> >         if [ -f "$bn.sh" ]; then
> >             . $bn.sh
> >         fi
> >         rm -f $piddir/$bn.pid
> >         $openvpn --daemon --writepid $piddir/$bn.pid --config $c --cd $work
> >         if [ $? = 0 ]; then
> >             successes=1
> >         else
> >             errors=1
> >         fi
> >     done
> >
> >     if [ $errors = 1 ]; then
> >         failure; echo
> >     else
> >         success; echo
> >     fi
> >
> >     if [ $successes = 1 ]; then
> >         touch $lock
> >     fi
> >     ;;
> >   stop)
> >     echo -n $"Shutting down openvpn: "
> >     for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
> >         if [ -s $pidf ]; then
> >             kill `cat $pidf` >/dev/null 2>&1
> >         fi
> >         rm -f $pidf
> >     done
> >
> >     # Run shutdown script, if defined
> >     if [ -f $work/openvpn-shutdown ]; then
> >         $work/openvpn-shutdown
> >     fi
> >
> >     success; echo
> >     rm -f $lock
> >     ;;
> >   restart)
> >     $0 stop
> >     sleep 2
> >     $0 start
> >     ;;
> >   reload)
> >     if [ -f $lock ]; then
> >         for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
> >             if [ -s $pidf ]; then
> >                 kill -HUP `cat $pidf` >/dev/null 2>&1
> >             fi
> >         done
> >     else
> >         echo "openvpn: service not started"
> >         exit 1
> >     fi
> >     ;;
> >   reopen)
> >     if [ -f $lock ]; then
> >         for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
> >             if [ -s $pidf ]; then
> >                 kill -USR1 `cat $pidf` >/dev/null 2>&1
> >             fi
> >         done
> >     else
> >         echo "openvpn: service not started"
> >         exit 1
> >     fi
> >     ;;
> >   condrestart)
> >     if [ -f $lock ]; then
> >         $0 stop
> >         # avoid race
> >         sleep 2
> >         $0 start
> >     fi
> >     ;;
> >   status)
> >     if [ -f $lock ]; then
> >         for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
> >             if [ -s $pidf ]; then
> >                 kill -USR2 `cat $pidf` >/dev/null 2>&1
> >             fi
> >         done
> >         echo "Status written to /var/log/messages"
> >     else
> >         echo "openvpn: service not started"
> >         exit 1
> >     fi
> >     ;;
> >   *)
> >     echo "Usage: openvpn {start|stop|restart|condrestart|reload|reopen|status}"
> >     exit 1
> >     ;;
> > esac
> > exit 0
> >
> > =========================
> > ifconfig output (server):
> > =========================
> > br0 Link encap:Ethernet HWaddr 00:11:11:CC:97:FC
> > inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0
> > inet6 addr: fe80::211:11ff:fecc:97fc/64 Scope:Link
> > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> > RX packets:1603 errors:0 dropped:0 overruns:0 frame:0
> > TX packets:679 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:0 txqueuelen:0
> > RX bytes:127991 (124.9 KiB) TX bytes:107444 (104.9 KiB)
> >
> > eth0 Link encap:Ethernet HWaddr 00:11:11:CC:97:FC
> > inet6 addr: fe80::211:11ff:fecc:97fc/64 Scope:Link
> > UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
> > RX packets:1619 errors:0 dropped:0 overruns:0 frame:0
> > TX packets:671 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:0 txqueuelen:1000
> > RX bytes:158296 (154.5 KiB) TX bytes:110458 (107.8 KiB)
> > Interrupt:169
> >
> > lo Link encap:Local Loopback
> > inet addr:127.0.0.1 Mask:255.0.0.0
> > inet6 addr: ::1/128 Scope:Host
> > UP LOOPBACK RUNNING MTU:16436 Metric:1
> > RX packets:1002 errors:0 dropped:0 overruns:0 frame:0
> > TX packets:1002 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:0 txqueuelen:0
> > RX bytes:2528944 (2.4 MiB) TX bytes:2528944 (2.4 MiB)
> >
> > tap0 Link encap:Ethernet HWaddr 00:FF:02:F4:5C:60
> > inet6 addr: fe80::2ff:2ff:fef4:5c60/64 Scope:Link
> > UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
> > RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> > TX packets:0 errors:0 dropped:900 overruns:0 carrier:0
> > collisions:0 txqueuelen:0
> > RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
> >
> > =====================================================
> > route -n (server; local = 192.168.0.2/255.255.255.0):
> > =====================================================
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
> > 0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 br0
> >
> > ==============================================
> > ipconfig (windows client - TAP-Win32 Adapter):
> > ==============================================
> > Connection-specific DNS Suffix . :
> > Description . . . . . . . . . . . : TAP-Win32 Adapter V8
> > Physical Address. . . . . . . . . : 00-FF-F1-4B-A4-C6
> > Dhcp Enabled. . . . . . . . . . . : Yes
> > Autoconfiguration Enabled . . . . : Yes
> > IP Address. . . . . . . . . . . . : 192.168.0.200
> > Subnet Mask . . . . . . . . . . . : 255.255.255.0
> > Default Gateway . . . . . . . . . :
> > DHCP Server . . . . . . . . . . . : 192.168.0.0
> > Lease Obtained. . . . . . . . . . : Monday, November 21, 2005 11:29:23 AM
> > Lease Expires . . . . . . . . . . : Tuesday, November 21, 2006 11:29:23 AM
> >
> > =============================
> > route print (windows client):
> > =============================
> > C:\>route print (local = 192.168.2.100/255.255.255.0)
> > ===========================================================================
> > Interface List
> > 0x1 ........................... MS TCP Loopback interface
> > 0x10005 ...00 06 5b ca e2 74 ...... Intel(R) PRO/1000 MT Network Connection
> > 0x30006 ...00 ff f1 4b a4 c6 ...... TAP-Win32 Adapter V8
> > ===========================================================================
> > ===========================================================================
> > Active Routes:
> > Network Destination        Netmask          Gateway       Interface  Metric
> >           0.0.0.0          0.0.0.0      192.168.2.1   192.168.2.100      10
> >         127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
> >       192.168.2.0    255.255.255.0    192.168.2.100   192.168.2.100      10
> >     192.168.2.100  255.255.255.255        127.0.0.1       127.0.0.1      10
> >     192.168.2.255  255.255.255.255    192.168.2.100   192.168.2.100      10
> >       192.168.0.0    255.255.255.0    192.168.0.200   192.168.0.200      20
> >     192.168.0.200  255.255.255.255        127.0.0.1       127.0.0.1      20
> >     192.168.0.255  255.255.255.255    192.168.0.200   192.168.0.200      20
> >         224.0.0.0        240.0.0.0    192.168.2.100   192.168.2.100      10
> >         224.0.0.0        240.0.0.0    192.168.0.200   192.168.0.200      20
> >   255.255.255.255  255.255.255.255    192.168.2.100   192.168.2.100       1
> >   255.255.255.255  255.255.255.255    192.168.0.200   192.168.0.200       1
> > Default Gateway: 192.168.2.1
> > ===========================================================================
> > Persistent Routes:
> > None
> >
> >
> >
> > --
> > Paul
> > @ Thy Service
> >
> >
> > ---------------------------- Original Message ----------------------------
> > Subject: Re: [TriLUG] OpenVPN: TAP vs TUN
> > From: "Paul G. Szabady" <Paul at ThyService.com>
> > Date: Fri, November 18, 2005 4:38 pm
> > To: "Triangle Linux Users Group discussion list" <trilug at trilug.org>
> > --------------------------------------------------------------------------
> >
> > Josh,
> >
> > I owe you a beer! That's the *key* piece I was missing:
> >
> > setup the default gateway, since it gets lost when eth0 is
> > deconfigured (this step I had to add myself, since it is not mentioned in
> > the ethernet bridging howto):
> > > route add default gw $gw
> >
> > I've set this up on my laptop at home and it works. Now to implement in
> > production. However, I think I'll go onsite, just to be safe. ;)
> >
> > Thanks for your help!
> >
> > --
> > Paul
> > @ Thy Service
> >
> > > You can assign an IP to a bridge interface in linux, this makes it not
> > > exactly a bridge, but it's what I did to get bridge mode working with
> > > OpenVPN with a single NIC.
> > >
> > > I wrote up a nice HOWTO and stuck it on the OpenVPN wiki, but their wiki
> > > has now been down for months. You can get my (hard to read) notes here:
> > >
> > > http://vickeryj.freeshell.org/notes/
> > >
> > > In short, I brought up the tap device like so:
> > >
> > > > openvpn --mktun --dev tap0
> > >
> > > and bridge it with the ethernet device like this:
> > >
> > > > brctl addbr br0
> > > > brctl addif br0 eth0
> > > > brctl addif br0 tap0
> > >
> > > then stick everything in promiscuous mode:
> > >
> > > > ifconfig tap0 0.0.0.0 promisc up
> > > > ifconfig eth0 0.0.0.0 promisc up
> > >
> > > then assign the ip that eth0 used to have to the bridge device (this
> > > might be what is missing if you are losing network connectivity to the
> > > box):
> > >
> > > > ifconfig br0 $eth_ip netmask $eth_netmask broadcast $eth_broadcast
> > >
> > > setup the default gateway, since it gets lost when eth0 is
> > > deconfigured (this step I had to add myself, since it is not mentioned
> > > in the ethernet bridging howto):
> > >
> > > > route add default gw $gw
> > >
> > > if you want to do this remotely, all those lines need to be in a script,
> > > as you will lose network connectivity to the box until the last ifconfig
> > > line is run.
> > >
> > > Josh
> > >
> > > On 11/18/05, Paul G. Szabady <Paul at thyservice.com> wrote:
> > >> Jim,
> > >>
> > >> Done that, but note, I'm not even at the point of connecting a client yet.
> > >>
> > >> --
> > >> Paul
> > >> @ Thy Service
> > >>
> > >> > make sure source and destination IP addresses are *not* on the same
> > >> > network address.
> > >> >
> > >> > regards,
> > >> >
> > >> > jim
> > >> >
> > >> > Jim Ray, President
> > >> > Neuse River Network, Inc.
> > >> >
> > >> > tel: 919-838-1672 x111
> > >> > toll free: 800-617-7652
> > >> > cell: 919-606-1772
> > >> > http://www.Neuse.Net
> > >> >
> > >> > Ask about our Clean Technologies. Established in the Carolinas 1997.
> > >> >
> > >> >
> > >> >
> > >> > Paul G. Szabady wrote:
> > >> >
> > >> >>Greetings,
> > >> >>
> > >> >> I am trying to set up a TAP style VPN but I'm apparently missing a
> > >> >> key piece of information and was hoping someone could clarify this
> > >> >> for me.
> > >> >>
> > >> >> I have a linux (CentOS 4.2) server w/OpenVPN (openvpn-2.1_beta7-1
> > >> >> installed from RPM built from src), and a windows 2000 server behind
> > >> >> a linksys router. I need to be able to access the windows server on
> > >> >> the local LAN from the internet, with an IP address in the same
> > >> >> subnet as the windows server, hence the desire to set up using
> > >> >> TAP/bridge mode. (Setting up TUN was easy, but didn't work as I
> > >> >> needed it to.) The linux machine has a single NIC, which is why
> > >> >> this is so confusing to me. When I set up OpenVPN w/TAP, I lose all
> > >> >> network access to the linux server. Having had a "home grown linux
> > >> >> switch" (old pc w/6 NICs running in bridge mode), this makes sense.
> > >> >> I believe I have followed all the instructions/notes/suggestions
> > >> >> from the openVPN howto as well as the Ethernet-Bridge-netfilter
> > >> >> howto. But I'm still missing something.
> > >> >>
> > >> >> The big question: If I am apparently invisible to the network, how
> > >> >> does one make a connection (VPN or other) to the linux server?
> > >> >>
> > >> >>
> > >> >>
> > >> > --
> > >> > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> > >> > TriLUG Organizational FAQ : http://trilug.org/faq/
> > >> > TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> > >
> >
>
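The single-NIC bridging procedure Josh describes in the quoted thread (create the persistent tap, build br0 from eth0 and tap0, zero both ports, move the address to br0, restore the default route) collected into one script, with the post-checks a practitioner would want before trusting a remote box to it. This is an added editor's example, not the bridge-start script the poster ran or anything from the OpenVPN project. It assumes the interface names eth0, br0 and tap0 and uses the poster's 192.168.0.0/24 addresses as illustrative defaults; setting DRY_RUN=1 prints the commands instead of executing them, which is how the script can be reviewed without root or a real bridge.

```shell
#!/bin/sh
# bridge-start/stop for an OpenVPN TAP server with a single NIC.
# Editor's example, not the thread's own bridge-start script.
# Assumptions: NIC eth0, bridge br0, persistent tap tap0; the default
# addresses are the poster's illustrative 192.168.0.0/24 values.
# DRY_RUN=1 prints each command instead of executing it.

ETH=${ETH:-eth0}
BR=${BR:-br0}
TAP=${TAP:-tap0}
BR_IP=${BR_IP:-192.168.0.2}
BR_MASK=${BR_MASK:-255.255.255.0}
BR_BCAST=${BR_BCAST:-192.168.0.255}
BR_GW=${BR_GW:-192.168.0.1}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Bring up the bridge. From the moment eth0 is zeroed until br0 carries
# the address and the default route is back, the box is unreachable, so
# every step lives in this one function; never type them one by one
# over ssh.
bridge_up() {
    run openvpn --mktun --dev "$TAP"
    run brctl addbr "$BR"
    run brctl addif "$BR" "$ETH"
    run brctl addif "$BR" "$TAP"
    run ifconfig "$TAP" 0.0.0.0 promisc up
    run ifconfig "$ETH" 0.0.0.0 promisc up
    run ifconfig "$BR" "$BR_IP" netmask "$BR_MASK" broadcast "$BR_BCAST"
    # Lost when eth0 was deconfigured; the step the bridging howto omits.
    run route add default gw "$BR_GW"
}

# Undo bridge_up: tear down br0, then give eth0 its address back.
bridge_down() {
    run ifconfig "$BR" down
    run brctl delif "$BR" "$TAP"
    run brctl delif "$BR" "$ETH"
    run brctl delbr "$BR"
    run openvpn --rmtun --dev "$TAP"
    run ifconfig "$ETH" "$BR_IP" netmask "$BR_MASK" broadcast "$BR_BCAST" -promisc up
    run route add default gw "$BR_GW"
}

# has_default_route: reads `route -n` output on stdin and succeeds only
# if a 0.0.0.0/0.0.0.0 entry points out of the bridge.
has_default_route() {
    awk -v br="$BR" '$1 == "0.0.0.0" && $3 == "0.0.0.0" && $8 == br { found = 1 }
                     END { exit !found }'
}

# tap_in_bridge: the kernel exposes bridge membership in sysfs as
# /sys/class/net/<port>/brport/bridge -> ../../<bridge>.
tap_in_bridge() {
    [ "$(basename "$(readlink "/sys/class/net/$TAP/brport/bridge" 2>/dev/null)")" = "$BR" ]
}

# bridge_check: the two things that were wrong in the thread's setups.
bridge_check() {
    if ! route -n | has_default_route; then
        echo "no default route via $BR" >&2; return 1
    fi
    if ! tap_in_bridge; then
        echo "$TAP is not a port of $BR (server.conf needs 'dev $TAP')" >&2; return 1
    fi
    echo "bridge $BR ok"
}

case "${1:-}" in
    start) bridge_up ;;
    stop)  bridge_down ;;
    check) bridge_check ;;
esac
```

Run it as `bridge-start start` from the init script before OpenVPN is launched, as the poster's init script already does, and `bridge-start check` once the daemon is up. One thing worth checking against the server.conf shown above: OpenVPN's bridging HOWTO pairs a tap0 pre-created with `--mktun` with `dev tap0` in server.conf; a bare `dev tap` asks OpenVPN to allocate a tap device dynamically, and that device is not necessarily the tap0 that was enslaved to br0.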