[Fwd: Re: [TriLUG] OpenVPN: TAP vs TUN]
Paul G. Szabady
Paul at ThyService.com
Mon Nov 21 14:19:23 EST 2005
My windows firewall is off, but I double checked the TAP interface to be
sure and it is off as well.
Question: Am I supposed to see a new tap<#> for every client that
connects? I turned up logging to 10 on the server and client and see a
line "TUN/TAP device tap1 opened". However, I don't see a tap1 when I
look at my ifconfig output.
--
Paul
@ Thy Service
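The question above (log says "TUN/TAP device tap1 opened", while the bridge was built around tap0) is what a membership check answers. This is an added example, not code from the thread or from OpenVPN: with `dev tap` and no unit number OpenVPN asks the kernel for the next free device, so a server can open tap1 while bridge-start enslaved tap0 and the two never meet; the script reads an OpenVPN log and `brctl show` output and reports whether the device OpenVPN opened is actually in the bridge. The device and bridge names are the ones quoted in this thread; the sample inputs are constructed, and the script name in the comment is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: report whether the TAP device OpenVPN
# says it opened is the one enslaved to the bridge. With "dev tap" (no unit
# number) OpenVPN takes the next free device, so a server can open tap1 while
# bridge-start enslaved tap0; bridged tap0 then only counts TX drops and the
# tunnel carries nothing. Inputs: OpenVPN log text and "brctl show" text (the
# member list is also readable from /sys/class/net/<bridge>/brif/).

# stdin: OpenVPN log -> prints the device named in the first "TUN/TAP device X opened"
tap_from_log() {
    sed -n 's/.*TUN\/TAP device \([A-Za-z0-9_]*\) opened.*/\1/p' | head -n 1
}

# stdin: "brctl show" output; $1 bridge, $2 device -> exit 0 if $2 is a member.
# brctl prints the bridge name only on its first member line; further members
# follow on indented lines with a single field, so the bridge name is carried.
bridge_has_member() {
    awk -v br="$1" -v dev="$2" '
        NR == 1 { next }                                   # column header
        NF >= 3 { cur = $1; member = (NF >= 4) ? $4 : "" } # first line of a bridge
        NF == 1 { member = $1 }                            # additional member
        cur == br && member == dev { found = 1 }
        END { exit found ? 0 : 1 }'
}

# $1 log text, $2 brctl text, $3 bridge -> 0 if consistent, 1 on mismatch,
# 2 if the log never reports a device being opened at all.
check_tap_bridged() {
    dev=$(printf '%s\n' "$1" | tap_from_log)
    [ -n "$dev" ] || { echo "no 'TUN/TAP device ... opened' line in log"; return 2; }
    if printf '%s\n' "$2" | bridge_has_member "$3" "$dev"; then
        echo "ok: OpenVPN opened $dev and $dev is a member of $3"; return 0
    fi
    echo "mismatch: OpenVPN opened $dev but $3 does not contain it"; return 1
}

# Constructed inputs (not real captures) using the names from this thread: the
# log line Paul quotes, and a bridge holding eth0 plus the pre-created tap0.
SAMPLE_LOG='Mon Nov 21 14:00:00 2005 TUN/TAP device tap1 opened'
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br0             8000.001111cc97fc       no              eth0
                                                        tap0'

# No arguments: run the constructed sample (prints the mismatch case).
# Otherwise: <logfile> [bridge] on a live box, e.g. ./check.sh /var/log/messages br0
case "${1:-}" in
    "") check_tap_bridged "$SAMPLE_LOG" "$SAMPLE_BRCTL" br0 ;;
    *)  check_tap_bridged "$(cat "$1")" "$(brctl show)" "${2:-br0}" ;;
esac
```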
> I just had a thought. Since the Windows client seems to be picking up
> an IP and a route ok, have you checked your Windows firewall settings
> for the tap interface?
>
> On 11/21/05, Josh Vickery <vickeryj at gmail.com> wrote:
>> I'm glad to hear that I'm not the only one who got stuck with the
>> default route going away!
>>
>> I didn't see anything obvious in your config, but that doesn't mean
>> there isn't anything there.
>>
>> It might be easier to troubleshoot your problems with the log files.
>> If you start openvpn not as a daemon, you can send the output to a
>> file. I don't know how to capture the log on a Windows client, but
>> the Linux client spews its output to the console by default.
>>
>> Josh
>>
>> On 11/21/05, Paul G. Szabady <Paul at thyservice.com> wrote:
>> > Greetings Josh, et al:
>> >
>> > Well, I feel like I'm getting closer, but still no cigar. :(
>> >
>> > I can at least start openvpn and bridging without losing connection to the
>> > server (always a plus when it's remote), and I can connect to it with a
>> > client, but I can't seem to talk either way through the tunnel. Here are
>> > my config files. Does anything jump out at anyone as being wrong? Maybe
>> > I'm doing things in the wrong order?
>> >
>> > I apologize in advance for the length of this email, but I wanted to
>> > include as much detail as possible.
>> >
>> > ============
>> > server.conf:
>> > ============
>> > port 1194
>> > proto udp
>> > dev tap
>> > ca ca.crt
>> > cert server.crt
>> > key server.key
>> > dh dh1024.pem
>> > ifconfig-pool-persist ipp.txt
>> > server-bridge 192.168.0.2 255.255.255.0 192.168.0.200 192.168.0.249
>> > keepalive 10 120
>> > cipher BF-CBC
>> > comp-lzo
>> > user nobody
>> > group nobody
>> > persist-key
>> > persist-tun
>> > status openvpn-status.log
>> > verb 4
>> > mute 20
>> >
>> > =============================
>> > (windows XP) client_001.ovpn:
>> > =============================
>> > remote <FQDN for openvpn server - changed for privacy> 1194
>> > dev tap
>> > tls-client
>> > client
>> > proto udp
>> > nobind
>> > comp-lzo
>> > verb 3
>> > mute 20
>> > ca ca.crt
>> > cert client_001.crt
>> > key client_001.key
>> > ns-cert-type server
>> > cipher BF-CBC
>> >
>> > Almost stock server start-up script (/etc/rc.d/init.d/openvpn) which
>> > also calls bridge-start:
>> >
>> > #!/bin/sh
>> > #
>> > # openvpn       This shell script takes care of starting and stopping
>> > #               openvpn on RedHat or other chkconfig-based system.
>> > #
>> > # chkconfig: 345 24 76
>> > #
>> > # description: OpenVPN is a robust and highly flexible tunneling application that
>> > #              uses all of the encryption, authentication, and certification features
>> > #              of the OpenSSL library to securely tunnel IP networks over a single
>> > #              UDP port.
>> > #
>> >
>> > # Contributed to the OpenVPN project by
>> > # Douglas Keller <doug at voidstar.dyndns.org>
>> > # 2002.05.15
>> >
>> > # To install:
>> > #   copy this file to /etc/rc.d/init.d/openvpn
>> > #   shell> chkconfig --add openvpn
>> > #   shell> mkdir /etc/openvpn
>> > #   make .conf or .sh files in /etc/openvpn (see below)
>> >
>> > # To uninstall:
>> > #   run: chkconfig --del openvpn
>> >
>> > # Author's Notes:
>> > #
>> > # I have created an /etc/init.d init script and enhanced openvpn.spec to
>> > # automatically register the init script. Once the RPM is installed you
>> > # can start and stop OpenVPN with "service openvpn start" and "service
>> > # openvpn stop".
>> > #
>> > # The init script does the following:
>> > #
>> > # - Starts an openvpn process for each .conf file it finds in
>> > #   /etc/openvpn.
>> > #
>> > # - If /etc/openvpn/xxx.sh exists for a xxx.conf file then it executes
>> > #   it before starting openvpn (useful for doing openvpn --mktun...).
>> > #
>> > # - In addition to start/stop you can do:
>> > #
>> > #   service openvpn reload - SIGHUP
>> > #   service openvpn reopen - SIGUSR1
>> > #   service openvpn status - SIGUSR2
>> > #
>> > # Modifications:
>> > #
>> > # 2003.05.02
>> > #   * Changed == to = for sh compliance (Bishop Clark).
>> > #   * If condrestart|reload|reopen|status, check that we were
>> > #     actually started (James Yonan).
>> > #   * Added lock, piddir, and work variables (James Yonan).
>> > #   * If start is attempted twice, without an intervening stop, or
>> > #     if start is attempted when previous start was not properly
>> > #     shut down, then kill any previously started processes, before
>> > #     commencing new start operation (James Yonan).
>> > #   * Do a better job of flagging errors on start, and properly
>> > #     returning success or failure status to caller (James Yonan).
>> > #
>> > # 2005.04.04
>> > #   * Added openvpn-startup and openvpn-shutdown script calls
>> > #     (James Yonan).
>> > #
>> >
>> > # Location of openvpn binary
>> > openvpn=""
>> > openvpn_locations="/usr/sbin/openvpn /usr/local/sbin/openvpn"
>> > for location in $openvpn_locations
>> > do
>> >     if [ -f "$location" ]
>> >     then
>> >         openvpn=$location
>> >     fi
>> > done
>> >
>> > # Lockfile
>> > lock="/var/lock/subsys/openvpn"
>> >
>> > # PID directory
>> > piddir="/var/run/openvpn"
>> >
>> > # Our working directory
>> > work=/etc/openvpn
>> >
>> > # Source function library.
>> > . /etc/rc.d/init.d/functions
>> >
>> > # Source networking configuration.
>> > . /etc/sysconfig/network
>> >
>> > # Check that networking is up.
>> > if [ ${NETWORKING} = "no" ]
>> > then
>> >     echo "Networking is down"
>> >     exit 0
>> > fi
>> >
>> > # Check that binary exists
>> > if ! [ -f $openvpn ]
>> > then
>> >     echo "openvpn binary not found"
>> >     exit 0
>> > fi
>> >
>> > # See how we were called.
>> > case "$1" in
>> >   start)
>> >     echo -n $"Starting openvpn: "
>> >
>> >     /sbin/modprobe tun >/dev/null 2>&1
>> >
>> >     # From a security perspective, I think it makes
>> >     # sense to remove this, and have users who need
>> >     # it explicitly enable in their --up scripts or
>> >     # firewall setups.
>> >
>> >     echo 1 > /proc/sys/net/ipv4/ip_forward
>> >     /etc/rc.d/init.d/bridge-start
>> >
>> >     # Run startup script, if defined
>> >     if [ -f $work/openvpn-startup ]; then
>> >         $work/openvpn-startup
>> >     fi
>> >
>> >     if [ ! -d $piddir ]; then
>> >         mkdir $piddir
>> >     fi
>> >
>> >     if [ -f $lock ]; then
>> >         # we were not shut down correctly
>> >         for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
>> >             if [ -s $pidf ]; then
>> >                 kill `cat $pidf` >/dev/null 2>&1
>> >             fi
>> >             rm -f $pidf
>> >         done
>> >         rm -f $lock
>> >         sleep 2
>> >     fi
>> >
>> >     rm -f $piddir/*.pid
>> >     cd $work
>> >
>> >     # Start every .conf in $work and run .sh if exists
>> >     errors=0
>> >     successes=0
>> >     for c in `/bin/ls *.conf 2>/dev/null`; do
>> >         bn=${c%%.conf}
>> >         if [ -f "$bn.sh" ]; then
>> >             . $bn.sh
>> >         fi
>> >         rm -f $piddir/$bn.pid
>> >         $openvpn --daemon --writepid $piddir/$bn.pid --config $c --cd $work
>> >         if [ $? = 0 ]; then
>> >             successes=1
>> >         else
>> >             errors=1
>> >         fi
>> >     done
>> >
>> >     if [ $errors = 1 ]; then
>> >         failure; echo
>> >     else
>> >         success; echo
>> >     fi
>> >
>> >     if [ $successes = 1 ]; then
>> >         touch $lock
>> >     fi
>> >     ;;
>> >   stop)
>> >     echo -n $"Shutting down openvpn: "
>> >     for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
>> >         if [ -s $pidf ]; then
>> >             kill `cat $pidf` >/dev/null 2>&1
>> >         fi
>> >         rm -f $pidf
>> >     done
>> >
>> >     # Run shutdown script, if defined
>> >     if [ -f $work/openvpn-shutdown ]; then
>> >         $work/openvpn-shutdown
>> >     fi
>> >
>> >     success; echo
>> >     rm -f $lock
>> >     ;;
>> >   restart)
>> >     $0 stop
>> >     sleep 2
>> >     $0 start
>> >     ;;
>> >   reload)
>> >     if [ -f $lock ]; then
>> >         for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
>> >             if [ -s $pidf ]; then
>> >                 kill -HUP `cat $pidf` >/dev/null 2>&1
>> >             fi
>> >         done
>> >     else
>> >         echo "openvpn: service not started"
>> >         exit 1
>> >     fi
>> >     ;;
>> >   reopen)
>> >     if [ -f $lock ]; then
>> >         for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
>> >             if [ -s $pidf ]; then
>> >                 kill -USR1 `cat $pidf` >/dev/null 2>&1
>> >             fi
>> >         done
>> >     else
>> >         echo "openvpn: service not started"
>> >         exit 1
>> >     fi
>> >     ;;
>> >   condrestart)
>> >     if [ -f $lock ]; then
>> >         $0 stop
>> >         # avoid race
>> >         sleep 2
>> >         $0 start
>> >     fi
>> >     ;;
>> >   status)
>> >     if [ -f $lock ]; then
>> >         for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
>> >             if [ -s $pidf ]; then
>> >                 kill -USR2 `cat $pidf` >/dev/null 2>&1
>> >             fi
>> >         done
>> >         echo "Status written to /var/log/messages"
>> >     else
>> >         echo "openvpn: service not started"
>> >         exit 1
>> >     fi
>> >     ;;
>> >   *)
>> >     echo "Usage: openvpn {start|stop|restart|condrestart|reload|reopen|status}"
>> >     exit 1
>> >     ;;
>> > esac
>> > exit 0
>> >
>> > =========================
>> > ifconfig output (server):
>> > =========================
>> > br0       Link encap:Ethernet  HWaddr 00:11:11:CC:97:FC
>> >           inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
>> >           inet6 addr: fe80::211:11ff:fecc:97fc/64 Scope:Link
>> >           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>> >           RX packets:1603 errors:0 dropped:0 overruns:0 frame:0
>> >           TX packets:679 errors:0 dropped:0 overruns:0 carrier:0
>> >           collisions:0 txqueuelen:0
>> >           RX bytes:127991 (124.9 KiB)  TX bytes:107444 (104.9 KiB)
>> >
>> > eth0      Link encap:Ethernet  HWaddr 00:11:11:CC:97:FC
>> >           inet6 addr: fe80::211:11ff:fecc:97fc/64 Scope:Link
>> >           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>> >           RX packets:1619 errors:0 dropped:0 overruns:0 frame:0
>> >           TX packets:671 errors:0 dropped:0 overruns:0 carrier:0
>> >           collisions:0 txqueuelen:1000
>> >           RX bytes:158296 (154.5 KiB)  TX bytes:110458 (107.8 KiB)
>> >           Interrupt:169
>> >
>> > lo        Link encap:Local Loopback
>> >           inet addr:127.0.0.1  Mask:255.0.0.0
>> >           inet6 addr: ::1/128 Scope:Host
>> >           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>> >           RX packets:1002 errors:0 dropped:0 overruns:0 frame:0
>> >           TX packets:1002 errors:0 dropped:0 overruns:0 carrier:0
>> >           collisions:0 txqueuelen:0
>> >           RX bytes:2528944 (2.4 MiB)  TX bytes:2528944 (2.4 MiB)
>> >
>> > tap0      Link encap:Ethernet  HWaddr 00:FF:02:F4:5C:60
>> >           inet6 addr: fe80::2ff:2ff:fef4:5c60/64 Scope:Link
>> >           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>> >           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>> >           TX packets:0 errors:0 dropped:900 overruns:0 carrier:0
>> >           collisions:0 txqueuelen:0
>> >           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>> >
>> > =====================================================
>> > route -n (server: local = 192.168.0.2/255.255.255.0):
>> > =====================================================
>> > Kernel IP routing table
>> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> > 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
>> > 0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 br0
>> >
>> > ==============================================
>> > ipconfig (windows client - TAP-Win32 Adapter):
>> > ==============================================
>> > Connection-specific DNS Suffix . :
>> > Description . . . . . . . . . . . : TAP-Win32 Adapter V8
>> > Physical Address. . . . . . . . . : 00-FF-F1-4B-A4-C6
>> > Dhcp Enabled. . . . . . . . . . . : Yes
>> > Autoconfiguration Enabled . . . . : Yes
>> > IP Address. . . . . . . . . . . . : 192.168.0.200
>> > Subnet Mask . . . . . . . . . . . : 255.255.255.0
>> > Default Gateway . . . . . . . . . :
>> > DHCP Server . . . . . . . . . . . : 192.168.0.0
>> > Lease Obtained. . . . . . . . . . : Monday, November 21, 2005 11:29:23 AM
>> > Lease Expires . . . . . . . . . . : Tuesday, November 21, 2006 11:29:23 AM
>> >
>> > =============================
>> > route print (windows client):
>> > =============================
>> > C:\>route print (local = 192.168.2.100/255.255.255.0)
>> > ===========================================================================
>> > Interface List
>> > 0x1 ........................... MS TCP Loopback interface
>> > 0x10005 ...00 06 5b ca e2 74 ...... Intel(R) PRO/1000 MT Network Connection
>> > 0x30006 ...00 ff f1 4b a4 c6 ...... TAP-Win32 Adapter V8
>> > ===========================================================================
>> > ===========================================================================
>> > Active Routes:
>> > Network Destination        Netmask          Gateway       Interface  Metric
>> >           0.0.0.0          0.0.0.0      192.168.2.1   192.168.2.100      10
>> >         127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
>> >       192.168.2.0    255.255.255.0    192.168.2.100   192.168.2.100      10
>> >     192.168.2.100  255.255.255.255        127.0.0.1       127.0.0.1      10
>> >     192.168.2.255  255.255.255.255    192.168.2.100   192.168.2.100      10
>> >       192.168.0.0    255.255.255.0    192.168.0.200   192.168.0.200      20
>> >     192.168.0.200  255.255.255.255        127.0.0.1       127.0.0.1      20
>> >     192.168.0.255  255.255.255.255    192.168.0.200   192.168.0.200      20
>> >         224.0.0.0        240.0.0.0    192.168.2.100   192.168.2.100      10
>> >         224.0.0.0        240.0.0.0    192.168.0.200   192.168.0.200      20
>> >   255.255.255.255  255.255.255.255    192.168.2.100   192.168.2.100       1
>> >   255.255.255.255  255.255.255.255    192.168.0.200   192.168.0.200       1
>> > Default Gateway:       192.168.2.1
>> > ===========================================================================
>> > Persistent Routes:
>> >   None
>> >
>> >
>> >
>> > --
>> > Paul
>> > @ Thy Service
>> >
>> >
>> > ---------------------------- Original Message ----------------------------
>> > Subject: Re: [TriLUG] OpenVPN: TAP vs TUN
>> > From: "Paul G. Szabady" <Paul at ThyService.com>
>> > Date: Fri, November 18, 2005 4:38 pm
>> > To: "Triangle Linux Users Group discussion list" <trilug at trilug.org>
>> > --------------------------------------------------------------------------
>> >
>> > Josh,
>> >
>> > I owe you a beer! That's the *key* piece I was missing:
>> >
>> > set up the default gateway, since it gets lost when eth0 is
>> > deconfigured (this step I had to add myself, since it is not mentioned in
>> > the ethernet bridging howto):
>> > > route add default gw $gw
>> >
>> > I've set this up on my laptop at home and it works. Now to implement in
>> > production. However, I think I'll go onsite, just to be safe. ;)
>> >
>> > Thanks for your help!
>> >
>> > --
>> > Paul
>> > @ Thy Service
>> >
>> > > You can assign an IP to a bridge interface in linux, this makes it not
>> > > exactly a bridge, but it's what I did to get bridge mode working with
>> > > OpenVPN with a single NIC.
>> > >
>> > > I wrote up a nice HOWTO and stuck it on the OpenVPN wiki, but their wiki
>> > > has now been down for months. You can get my (hard to read) notes here:
>> > >
>> > > http://vickeryj.freeshell.org/notes/
>> > >
>> > > In short, I brought up the tap device like so:
>> > >
>> > >> openvpn --mktun --dev tap0
>> > >
>> > > and bridge it with the ethernet device like this:
>> > >
>> > >> brctl addbr br0
>> > >> brctl addif br0 eth0
>> > >> brctl addif br0 tap0
>> > >
>> > > then stick everything in promiscuous mode:
>> > >
>> > >> ifconfig tap0 0.0.0.0 promisc up
>> > >> ifconfig eth0 0.0.0.0 promisc up
>> > >
>> > > then assign the ip that eth0 used to have to the bridge device (this
>> > > might be what is missing if you are losing network connectivity to the
>> > > box):
>> > >
>> > >> ifconfig br0 $eth_ip netmask $eth_netmask broadcast $eth_broadcast
>> > >
>> > > set up the default gateway, since it gets lost when eth0 is
>> > > deconfigured (this step I had to add myself, since it is not mentioned
>> > > in the ethernet bridging howto):
>> > >> route add default gw $gw
>> > >
>> > > if you want to do this remotely, all those lines need to be in a script,
>> > > as you will lose network connectivity to the box until the last ifconfig
>> > > line is run.
>> > >
>> > > Josh
>> > >
>> > > On 11/18/05, Paul G. Szabady <Paul at thyservice.com> wrote:
>> > >> Jim,
>> > >>
>> > >> Done that, but note, I'm not even at the point of connecting a client yet.
>> > >>
>> > >> --
>> > >> Paul
>> > >> @ Thy Service
>> > >>
>> > >> > make sure source and destination IP addresses are *not* on the same
>> > >> > network address.
>> > >> >
>> > >> > regards,
>> > >> >
>> > >> > jim
>> > >> >
>> > >> > Jim Ray, President
>> > >> > Neuse River Network, Inc.
>> > >> >
>> > >> > tel: 919-838-1672 x111
>> > >> > toll free: 800-617-7652
>> > >> > cell: 919-606-1772
>> > >> > http://www.Neuse.Net
>> > >> >
>> > >> > Ask about our Clean Technologies. Established in the Carolinas 1997.
>> > >> >
>> > >> >
>> > >> >
>> > >> > Paul G. Szabady wrote:
>> > >> >
>> > >> >>Greetings,
>> > >> >>
>> > >> >>I am trying to set up a TAP style VPN but I'm apparently missing a
>> > >> >>key piece of information and was hoping someone could clarify this
>> > >> >>for me.
>> > >> >>
>> > >> >>I have a linux (CentOS 4.2) server w/OpenVPN (openvpn-2.1_beta7-1
>> > >> >>installed from RPM built from src), and a windows 2000 server behind
>> > >> >>a linksys router. I need to be able to access the windows server on
>> > >> >>the local LAN from the internet, with an IP address in the same
>> > >> >>subnet as the windows server, hence the desire to set up using
>> > >> >>TAP/bridge mode. (Setting up TUN was easy, but didn't work as I
>> > >> >>needed it to.) The linux machine has a single NIC, which is why this
>> > >> >>is so confusing to me. When I set up OpenVPN w/TAP, I lose all
>> > >> >>network access to the linux server. Having had a "home grown linux
>> > >> >>switch" (old pc w/6 NICs running in bridge mode), this makes sense.
>> > >> >>I believe I have followed all the instructions/notes/suggestions
>> > >> >>from the openVPN howto as well as the Ethernet-Bridge-netfilter
>> > >> >>howto. But I'm still missing something.
>> > >> >>
>> > >> >>The big question: If I am apparently invisible to the network, how
>> > >> >>does one make a connection (VPN or other) to the linux server?
>> > >> >>
>> > >> >>
>> > >> >>
>> > >> > --
>> > >> > TriLUG mailing list :
>> > >> http://www.trilug.org/mailman/listinfo/trilug
>> > >> > TriLUG Organizational FAQ : http://trilug.org/faq/
>> > >> > TriLUG Member Services FAQ :
>> http://members.trilug.org/services_faq/
>
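Josh's bring-up sequence above, collected into one script as he recommends for a remote box. This is an added example, not Josh's notes or OpenVPN's own bridge-start: it reads eth0's address and the default gateway from the net-tools `ifconfig`/`route -n` output format quoted in the thread, refuses to start if either cannot be read, and re-adds the default route as the last step (the step Paul found missing from the bridging HOWTO). `plan` prints the commands for the live box, `apply` runs them as root, and with no argument it prints the plan for a constructed sample built from the thread's addresses; the ETH/TAP/BR defaults are the thread's names.

```shell
#!/bin/sh
# Added example, not from the thread: Josh's single-NIC bridge bring-up as one
# script, so the box does not go dark between "ifconfig eth0 0.0.0.0" and the
# final ifconfig/route steps. Assumes brctl, a net-tools ifconfig/route whose
# output looks like the captures quoted in the thread, and root for "apply".
ETH=${ETH:-eth0}; TAP=${TAP:-tap0}; BR=${BR:-br0}

# stdin: "ifconfig <dev>" output -> prints "ip mask bcast" (nothing without inet addr)
addr_from_ifconfig() {
    sed -n 's/.*inet addr:\([0-9.]*\) *Bcast:\([0-9.]*\) *Mask:\([0-9.]*\).*/\1 \3 \2/p'
}
# stdin: "route -n" output -> prints the default gateway
gw_from_route() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $2; exit }'
}
# $1 ip, $2 mask, $3 bcast, $4 gw -> the commands, one per line, in Josh's
# order: the address moves from eth0 to br0, and the default route that is
# lost when eth0 is deconfigured is re-added as the last step.
bridge_plan() {
cat <<EOF
openvpn --mktun --dev $TAP
brctl addbr $BR
brctl addif $BR $ETH
brctl addif $BR $TAP
ifconfig $TAP 0.0.0.0 promisc up
ifconfig $ETH 0.0.0.0 promisc up
ifconfig $BR $1 netmask $2 broadcast $3
route add default gw $4
EOF
}
# plan: print the commands for this box; apply: run them, stopping at the
# first failure. Refuses to start if eth0's address or the gateway cannot be
# read, since that is the case that leaves a remote box unreachable.
main() {
    set -- "$1" $(ifconfig "$ETH" | addr_from_ifconfig) $(route -n | gw_from_route)
    [ $# -eq 5 ] || { echo "cannot read $ETH address or default gateway" >&2; return 1; }
    mode=$1; shift
    if [ "$mode" = plan ]; then bridge_plan "$@"; return; fi
    bridge_plan "$@" | while read -r cmd; do
        echo "+ $cmd"; $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}
# Constructed captures (not real output) with the addresses from the thread,
# so the parsers and the plan can be exercised without touching the network.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:11:CC:97:FC
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0'
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0'
demo_plan() {
    bridge_plan $(printf '%s\n' "$SAMPLE_IFCONFIG" | addr_from_ifconfig) \
                $(printf '%s\n' "$SAMPLE_ROUTE" | gw_from_route)
}
case "${1:-}" in
    plan|apply) main "$1" ;;
    *) demo_plan ;;   # no argument: print the plan for the constructed sample
esac
```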