[Fwd: Re: [TriLUG] OpenVPN: TAP vs TUN]

Paul G. Szabady Paul at ThyService.com
Mon Nov 21 14:27:21 EST 2005


Mark,

The LAN IPs are in different subnets.  However, the tunnel ends should be
in the same subnet, due to the bridging.  Right?

client side
LAN network:  192.168.2.0/255.255.255.0
LAN IP:       192.168.2.100
TAP/VPN IP:   192.168.0.200
Gateway:      192.168.2.1

server side
bridged IP (br0):   192.168.0.2
LAN network:        192.168.2.0/255.255.255.0
Gateway:            192.168.0.1


-- 
Paul
@ Thy Service

> Paul -
>
> not sure if this will help or not, but are the IPs on the tunnel ends in
> the same subnet?
>
> here's the script I use for my tunnel --
>
>        echo "Starting up IP tunnel fr0..."
>        modprobe ip_gre
>        echo 1 >/proc/sys/net/ipv4/ip_forward
>        ip tunnel add fr0 mode gre remote 172.25.211.84 local 172.22.179.252 ttl 255
>        ip addr add 192.168.99.10 dev fr0
>        ip link set fr0 up
>        ip route add 192.168.7.0/24 dev fr0
>        route add -net 192.169.1.0/24 dev fr0
>        route add -net 192.168.21.0/24 gw 192.168.99.10 dev fr0
>
>
> Not sure if it helps or not..
>
> This end:                                      The other end:
> eth0 - 172.22.179.200                          172.25.211.84
> eth1 - 10.10.10.253                            192.168.21.250
> (fr0) - 192.168.99.10                  (ral0)  192.168.7.1
>                                               gw = 192.168.21.254
>
> Need a route entry from "This end" to the gateway on the other...
>
>
> - Mark
>
>> Greetings Josh, et al:
>>
>> Well, I feel like I'm getting closer, but still no cigar.  :(
>>
>> I can at least start openvpn and bridging without losing connection to
>> the server (always a plus when it's remote), and I can connect to it
>> with a client, but I can't seem to talk either way through the tunnel.
>> Here are my config files.  Does anything jump out at anyone as being
>> wrong?  Maybe I'm doing things in the wrong order?
>>
>> I apologize in advance for the length of this email, but I wanted to
>> include as much detail as possible.
>>
>> ============
>> server.conf:
>> ============
>> port 1194
>> proto udp
>> dev tap
>> ca ca.crt
>> cert server.crt
>> key server.key
>> dh dh1024.pem
>> ifconfig-pool-persist ipp.txt
>> server-bridge 192.168.0.2 255.255.255.0 192.168.0.200 192.168.0.249
>> keepalive 10 120
>> cipher BF-CBC
>> comp-lzo
>> user nobody
>> group nobody
>> persist-key
>> persist-tun
>> status openvpn-status.log
>> verb 4
>> mute 20
>>
>> =============================
>> (windows XP) client_001.ovpn:
>> =============================
>> remote <FQDN for openvpn server - changed for privacy> 1194
>> dev tap
>> tls-client
>> client
>> proto udp
>> nobind
>> comp-lzo
>> verb 3
>> mute 20
>> ca ca.crt
>> cert client_001.crt
>> key client_001.key
>> ns-cert-type server
>> cipher BF-CBC
>>
>> Almost stock server start-up script (/etc/rc.d/init.d/openvpn) which
>> also calls bridge-start:
>>
>> #!/bin/sh
>> #
>> # openvpn       This shell script takes care of starting and stopping
>> #               openvpn on RedHat or other chkconfig-based system.
>> #
>> # chkconfig: 345 24 76
>> #
>> # description: OpenVPN is a robust and highly flexible tunneling application that
>> #              uses all of the encryption, authentication, and certification features
>> #              of the OpenSSL library to securely tunnel IP networks over a single
>> #              UDP port.
>> #
>>
>> # Contributed to the OpenVPN project by
>> # Douglas Keller <doug at voidstar.dyndns.org>
>> # 2002.05.15
>>
>> # To install:
>> #   copy this file to /etc/rc.d/init.d/openvpn
>> #   shell> chkconfig --add openvpn
>> #   shell> mkdir /etc/openvpn
>> #   make .conf or .sh files in /etc/openvpn (see below)
>>
>> # To uninstall:
>> #   run: chkconfig --del openvpn
>>
>> # Author's Notes:
>> #
>> # I have created an /etc/init.d init script and enhanced openvpn.spec to
>> # automatically register the init script.  Once the RPM is installed you
>> # can start and stop OpenVPN with "service openvpn start" and "service
>> # openvpn stop".
>> #
>> # The init script does the following:
>> #
>> # - Starts an openvpn process for each .conf file it finds in
>> #   /etc/openvpn.
>> #
>> # - If /etc/openvpn/xxx.sh exists for a xxx.conf file then it executes
>> #   it before starting openvpn (useful for doing openvpn --mktun...).
>> #
>> # - In addition to start/stop you can do:
>> #
>> #   service openvpn reload - SIGHUP
>> #   service openvpn reopen - SIGUSR1
>> #   service openvpn status - SIGUSR2
>> #
>> # Modifications:
>> #
>> # 2003.05.02
>> #   * Changed == to = for sh compliance (Bishop Clark).
>> #   * If condrestart|reload|reopen|status, check that we were
>> #     actually started (James Yonan).
>> #   * Added lock, piddir, and work variables (James Yonan).
>> #   * If start is attempted twice, without an intervening stop, or
>> #     if start is attempted when previous start was not properly
>> #     shut down, then kill any previously started processes, before
>> #     commencing new start operation (James Yonan).
>> #   * Do a better job of flagging errors on start, and properly
>> #     returning success or failure status to caller (James Yonan).
>> #
>> # 2005.04.04
>> #   * Added openvpn-startup and openvpn-shutdown script calls
>> #     (James Yonan).
>> #
>>
>> # Location of openvpn binary
>> openvpn=""
>> openvpn_locations="/usr/sbin/openvpn /usr/local/sbin/openvpn"
>> for location in $openvpn_locations
>> do
>>   if [ -f "$location" ]
>>   then
>>     openvpn=$location
>>   fi
>> done
>>
>> # Lockfile
>> lock="/var/lock/subsys/openvpn"
>>
>> # PID directory
>> piddir="/var/run/openvpn"
>>
>> # Our working directory
>> work=/etc/openvpn
>>
>> # Source function library.
>> . /etc/rc.d/init.d/functions
>>
>> # Source networking configuration.
>> . /etc/sysconfig/network
>>
>> # Check that networking is up.
>> if [ ${NETWORKING} = "no" ]
>> then
>>   echo "Networking is down"
>>   exit 0
>> fi
>>
>> # Check that binary exists
>> if ! [ -f  $openvpn ]
>> then
>>   echo "openvpn binary not found"
>>   exit 0
>> fi
>>
>> # See how we were called.
>> case "$1" in
>>   start)
>>         echo -n $"Starting openvpn: "
>>
>>         /sbin/modprobe tun >/dev/null 2>&1
>>
>>         # From a security perspective, I think it makes
>>         # sense to remove this, and have users who need
>>         # it explicitly enable in their --up scripts or
>>         # firewall setups.
>>
>>         echo 1 > /proc/sys/net/ipv4/ip_forward
>>         /etc/rc.d/init.d/bridge-start
>>
>>         # Run startup script, if defined
>>         if [ -f $work/openvpn-startup ]; then
>>             $work/openvpn-startup
>>         fi
>>
>>         if [ ! -d  $piddir ]; then
>>             mkdir $piddir
>>         fi
>>
>>         if [ -f $lock ]; then
>>             # we were not shut down correctly
>>             for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
>>               if [ -s $pidf ]; then
>>                 kill `cat $pidf` >/dev/null 2>&1
>>               fi
>>               rm -f $pidf
>>             done
>>             rm -f $lock
>>             sleep 2
>>         fi
>>
>>         rm -f $piddir/*.pid
>>         cd $work
>>
>>         # Start every .conf in $work and run .sh if exists
>>         errors=0
>>         successes=0
>>         for c in `/bin/ls *.conf 2>/dev/null`; do
>>             bn=${c%%.conf}
>>             if [ -f "$bn.sh" ]; then
>>                 . $bn.sh
>>             fi
>>             rm -f $piddir/$bn.pid
>>             $openvpn --daemon --writepid $piddir/$bn.pid --config $c --cd $work
>>             if [ $? = 0 ]; then
>>                 successes=1
>>             else
>>                 errors=1
>>             fi
>>         done
>>
>>         if [ $errors = 1 ]; then
>>             failure; echo
>>         else
>>             success; echo
>>         fi
>>
>>         if [ $successes = 1 ]; then
>>             touch $lock
>>         fi
>>         ;;
>>   stop)
>>         echo -n $"Shutting down openvpn: "
>>         for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
>>           if [ -s $pidf ]; then
>>             kill `cat $pidf` >/dev/null 2>&1
>>           fi
>>           rm -f $pidf
>>         done
>>
>>         # Run shutdown script, if defined
>>         if [ -f $work/openvpn-shutdown ]; then
>>             $work/openvpn-shutdown
>>         fi
>>
>>         success; echo
>>         rm -f $lock
>>         ;;
>>   restart)
>>         $0 stop
>>         sleep 2
>>         $0 start
>>         ;;
>>   reload)
>>         if [ -f $lock ]; then
>>             for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
>>                 if [ -s $pidf ]; then
>>                     kill -HUP `cat $pidf` >/dev/null 2>&1
>>                 fi
>>             done
>>         else
>>             echo "openvpn: service not started"
>>             exit 1
>>         fi
>>         ;;
>>   reopen)
>>         if [ -f $lock ]; then
>>             for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
>>                 if [ -s $pidf ]; then
>>                     kill -USR1 `cat $pidf` >/dev/null 2>&1
>>                 fi
>>             done
>>         else
>>             echo "openvpn: service not started"
>>             exit 1
>>         fi
>>         ;;
>>   condrestart)
>>         if [ -f $lock ]; then
>>             $0 stop
>>             # avoid race
>>             sleep 2
>>             $0 start
>>         fi
>>         ;;
>>   status)
>>         if [ -f $lock ]; then
>>             for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
>>                 if [ -s $pidf ]; then
>>                     kill -USR2 `cat $pidf` >/dev/null 2>&1
>>                 fi
>>             done
>>             echo "Status written to /var/log/messages"
>>         else
>>             echo "openvpn: service not started"
>>             exit 1
>>         fi
>>         ;;
>>   *)
>>         echo "Usage: openvpn {start|stop|restart|condrestart|reload|reopen|status}"
>>         exit 1
>>         ;;
>> esac
>> exit 0
>>
>> =========================
>> ifconfig output (server):
>> =========================
>> br0       Link encap:Ethernet  HWaddr 00:11:11:CC:97:FC
>>           inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
>>           inet6 addr: fe80::211:11ff:fecc:97fc/64 Scope:Link
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:1603 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:679 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:0
>>           RX bytes:127991 (124.9 KiB)  TX bytes:107444 (104.9 KiB)
>>
>> eth0      Link encap:Ethernet  HWaddr 00:11:11:CC:97:FC
>>           inet6 addr: fe80::211:11ff:fecc:97fc/64 Scope:Link
>>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>>           RX packets:1619 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:671 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:158296 (154.5 KiB)  TX bytes:110458 (107.8 KiB)
>>           Interrupt:169
>>
>> lo        Link encap:Local Loopback
>>           inet addr:127.0.0.1  Mask:255.0.0.0
>>           inet6 addr: ::1/128 Scope:Host
>>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>>           RX packets:1002 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:1002 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:0
>>           RX bytes:2528944 (2.4 MiB)  TX bytes:2528944 (2.4 MiB)
>>
>> tap0      Link encap:Ethernet  HWaddr 00:FF:02:F4:5C:60
>>           inet6 addr: fe80::2ff:2ff:fef4:5c60/64 Scope:Link
>>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:0 errors:0 dropped:900 overruns:0 carrier:0
>>           collisions:0 txqueuelen:0
>>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>>
>> ====================================================
>> route -n (server: local = 192.168.0.2/255.255.255.0)
>> ====================================================
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
>> 0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 br0
>>
>> ==============================================
>> ipconfig (windows client - TAP-Win32 Adapter):
>> ==============================================
>> Connection-specific DNS Suffix  . :
>> Description . . . . . . . . . . . : TAP-Win32 Adapter V8
>> Physical Address. . . . . . . . . : 00-FF-F1-4B-A4-C6
>> Dhcp Enabled. . . . . . . . . . . : Yes
>> Autoconfiguration Enabled . . . . : Yes
>> IP Address. . . . . . . . . . . . : 192.168.0.200
>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
>> Default Gateway . . . . . . . . . :
>> DHCP Server . . . . . . . . . . . : 192.168.0.0
>> Lease Obtained. . . . . . . . . . : Monday, November 21, 2005 11:29:23 AM
>> Lease Expires . . . . . . . . . . : Tuesday, November 21, 2006 11:29:23 AM
>>
>> =============================
>> route print (windows client):
>> =============================
>> C:\>route print (local = 192.168.2.100/255.255.255.0)
>> ===========================================================================
>> Interface List
>> 0x1 ........................... MS TCP Loopback interface
>> 0x10005 ...00 06 5b ca e2 74 ...... Intel(R) PRO/1000 MT Network Connection
>> 0x30006 ...00 ff f1 4b a4 c6 ...... TAP-Win32 Adapter V8
>> ===========================================================================
>> ===========================================================================
>> Active Routes:
>> Network Destination        Netmask          Gateway       Interface  Metric
>>           0.0.0.0          0.0.0.0      192.168.2.1   192.168.2.100      10
>>         127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
>>       192.168.2.0    255.255.255.0    192.168.2.100   192.168.2.100      10
>>     192.168.2.100  255.255.255.255        127.0.0.1       127.0.0.1      10
>>     192.168.2.255  255.255.255.255    192.168.2.100   192.168.2.100      10
>>       192.168.0.0    255.255.255.0    192.168.0.200   192.168.0.200      20
>>     192.168.0.200  255.255.255.255        127.0.0.1       127.0.0.1      20
>>     192.168.0.255  255.255.255.255    192.168.0.200   192.168.0.200      20
>>         224.0.0.0        240.0.0.0    192.168.2.100   192.168.2.100      10
>>         224.0.0.0        240.0.0.0    192.168.0.200   192.168.0.200      20
>>   255.255.255.255  255.255.255.255    192.168.2.100   192.168.2.100       1
>>   255.255.255.255  255.255.255.255    192.168.0.200   192.168.0.200       1
>> Default Gateway:       192.168.2.1
>> ===========================================================================
>> Persistent Routes:
>>   None
>>
>>
>>
>> --
>> Paul
>> @ Thy Service
>>
>>
>> ---------------------------- Original Message
>> ----------------------------
>> Subject: Re: [TriLUG] OpenVPN: TAP vs TUN
>> From:    "Paul G. Szabady" <Paul at ThyService.com>
>> Date:    Fri, November 18, 2005 4:38 pm
>> To:      "Triangle Linux Users Group discussion list"
>> <trilug at trilug.org>
>> --------------------------------------------------------------------------
>>
>> Josh,
>>
>> I owe you a beer!  That's the *key* piece I was missing:
>>
>> setup the default gateway, since it gets lost when eth0 is
>> deconfigured (this step I had to add myself, since it is not mentioned
>> in the ethernet bridging howto):
>>> route add default gw $gw
>>
>> I've set this up on my laptop at home and it works.  Now to implement in
>> production.  However, I think I'll go onsite, just to be safe.  ;)
>>
>> Thanks for your help!
>>
>> --
>> Paul
>> @ Thy Service
>>
>>> You can assign an IP to a bridge interface in linux, this makes it not
>>> exactly a bridge, but it's what I did to get bridge mode working with
>>> OpenVPN with a single NIC.
>>>
>>> I wrote up a nice HOWTO and stuck it on the OpenVPN wiki, but their
>>> wiki has now been down for months.  You can get my (hard to read)
>>> notes here:
>>>
>>> http://vickeryj.freeshell.org/notes/
>>>
>>> In short, I brought up the tap device like so:
>>>
>>>> openvpn --mktun --dev tap0
>>>
>>> and bridge it with the ethernet device like this:
>>>
>>>> brctl addbr br0
>>>> brctl addif br0 eth0
>>>> brctl addif br0 tap0
>>>
>>> then stick everything in promiscuous mode:
>>>
>>>> ifconfig tap0 0.0.0.0 promisc up
>>>> ifconfig eth0 0.0.0.0 promisc up
>>>
>>> then assign the ip that eth0 used to have to the bridge device (this
>>> might be what is missing if you are losing network connectivity to the
>>> box):
>>>
>>>> ifconfig br0 $eth_ip netmask $eth_netmask broadcast $eth_broadcast
>>>
>>> setup the default gateway, since it gets lost when eth0 is
>>> deconfigured (this step I had to add myself, since it is not mentioned
>>> in the ethernet bridging howto):
>>>> route add default gw $gw
>>>
>>> if you want to do this remotely, all those lines need to be in a
>>> script, as you will lose network connectivity to the box until the
>>> last ifconfig line is run.
>>>
>>> Josh
>>>
>>> On 11/18/05, Paul G. Szabady <Paul at thyservice.com> wrote:
>>>> Jim,
>>>>
>>>> Done that, but note, I'm not even at the point of connecting a client
>>>> yet.
>>>>
>>>> --
>>>> Paul
>>>> @ Thy Service
>>>>
>>>> > make sure source and destination IP addresses are *not* on the same
>>>> > network address.
>>>> >
>>>> > regards,
>>>> >
>>>> > jim
>>>> >
>>>> > Jim Ray, President
>>>> > Neuse River Network, Inc.
>>>> >
>>>> > tel: 919-838-1672 x111
>>>> > toll free: 800-617-7652
>>>> > cell: 919-606-1772
>>>> > http://www.Neuse.Net
>>>> >
>>>> > Ask about our Clean Technologies.  Established in the Carolinas 1997.
>>>> >
>>>> >
>>>> >
>>>> > Paul G. Szabady wrote:
>>>> >
>>>> >>Greetings,
>>>> >>
>>>> >>I am trying to set up a TAP style VPN but I'm apparently missing a
>>>> >>key piece of information and was hoping someone could clarify this
>>>> >>for me.
>>>> >>
>>>> >>I have a linux (CentOS 4.2) server w/OpenVPN (openvpn-2.1_beta7-1
>>>> >>installed from RPM built from src), and a windows 2000 server behind
>>>> >>a linksys router.  I need to be able to access the windows server on
>>>> >>the local LAN from the internet, with an IP address in the same
>>>> >>subnet as the windows server, hence the desire to set up using
>>>> >>TAP/bridge mode.  (Setting up TUN was easy, but didn't work as I
>>>> >>needed it to.)  The linux machine has a single NIC, which is why this
>>>> >>is so confusing to me.  When I set up OpenVPN w/TAP, I lose all
>>>> >>network access to the linux server.  Having had a "home grown linux
>>>> >>switch" (old pc w/6 NICs running in bridge mode), this makes sense.
>>>> >>I believe I have followed all the instructions/notes/suggestions from
>>>> >>the openVPN howto as well as the Ethernet-Bridge-netfilter howto.
>>>> >>But I'm still missing something.
>>>> >>
>>>> >>The big question:  If I am apparently invisible to the network, how
>>>> >>does one make a connection (VPN or other) to the linux server?
>>>> >>
>>>> >>
>>>> >>
>>>> > --
>>>> > TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
>>>> > TriLUG Organizational FAQ  : http://trilug.org/faq/
>>>> > TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>>>>
>>>
>>
>>
>>
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>>
>
>
>
>
>
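The single-NIC bridging sequence Josh lays out in the quoted thread (mktun, brctl, promiscuous mode, move the address to br0) together with the default-gateway step Paul had to add, collected into one script. This is an added example for this archive page; it is not the bridge-start script from the thread and not the one shipped with OpenVPN. It assumes the same brctl/ifconfig/route tools and the eth0/tap0/br0 names used in the thread. Two things are the example's own additions: a DRY_RUN mode that only prints the commands, and a check, done before eth0 is deconfigured, that the gateway handed to the script actually lies in the bridge's subnet, because on a remote box a wrong gateway is exactly what leaves it unreachable.

```shell
#!/bin/sh
# Single-NIC OpenVPN TAP bridge-start (added example, not the thread's own
# bridge-start and not OpenVPN's sample script).  Follows the brctl/ifconfig
# sequence from the thread and ends with the default-gateway step that the
# ethernet bridging howto leaves out.  Assumed interface names (override via
# the environment): eth0, tap0, br0.  DRY_RUN=1 prints instead of executing.

ETH="${ETH:-eth0}"
TAP="${TAP:-tap0}"
BR="${BR:-br0}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Dotted quad -> integer, so a netmask can be applied with plain sh arithmetic.
ip_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( o1 * 16777216 + o2 * 65536 + o3 * 256 + o4 ))
}

# same_subnet IP1 IP2 NETMASK: succeed when both addresses share the subnet.
same_subnet() {
    m=$(ip_to_int "$3")
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# bridge_start ETH_IP NETMASK BROADCAST GATEWAY
bridge_start() {
    eth_ip="$1"; eth_mask="$2"; eth_bcast="$3"; gw="$4"
    # Sanity check added by this example: a gateway outside the bridge's
    # subnet would be silently unusable and the box would stay unreachable.
    if ! same_subnet "$eth_ip" "$gw" "$eth_mask"; then
        echo "bridge_start: gateway $gw is not in $eth_ip/$eth_mask, refusing to touch $ETH" >&2
        return 1
    fi
    run openvpn --mktun --dev "$TAP"
    run brctl addbr "$BR"
    run brctl addif "$BR" "$ETH"
    run brctl addif "$BR" "$TAP"
    # From here until br0 gets its address the box has no usable IP:
    # run the whole function from a script, never line by line over ssh.
    run ifconfig "$TAP" 0.0.0.0 promisc up
    run ifconfig "$ETH" 0.0.0.0 promisc up
    run ifconfig "$BR" "$eth_ip" netmask "$eth_mask" broadcast "$eth_bcast"
    # eth0's default route disappeared with its address; put it back on br0.
    run route add default gw "$gw"
}

# bridge_stop ETH_IP NETMASK BROADCAST GATEWAY: undo bridge_start.
bridge_stop() {
    run ifconfig "$BR" down
    run brctl delif "$BR" "$TAP"
    run brctl delif "$BR" "$ETH"
    run brctl delbr "$BR"
    run openvpn --rmtun --dev "$TAP"
    run ifconfig "$ETH" "$1" netmask "$2" broadcast "$3" up
    run route add default gw "$4"
}

# Usage: bridge-start start|stop ETH_IP NETMASK BROADCAST GATEWAY
case "${1:-}" in
    start) bridge_start "$2" "$3" "$4" "$5" ;;
    stop)  bridge_stop "$2" "$3" "$4" "$5" ;;
    *)     : ;;   # no action when sourced, so the functions can be reused
esac
```

Review the command sequence first with DRY_RUN=1 sh bridge-start start 192.168.0.2 255.255.255.0 192.168.0.255 192.168.0.1 (the server-side addresses from the thread), then run it for real only from a script or a detached session, since connectivity drops between the ifconfig of eth0 and the ifconfig of br0. The same-subnet check also bears on the question at the top of the thread: with server-bridge handing out 192.168.0.200-249 on a 192.168.0.2/24 bridge the two tunnel ends share a subnet by construction, and the gateway given to bridge-start has to be in that same subnet, which is what the check enforces.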




More information about the TriLUG mailing list