[Fwd: Re: [TriLUG] OpenVPN: TAP vs TUN]
Josh Vickery
vickeryj at gmail.com
Mon Nov 21 14:26:11 EST 2005
I think I see a problem. In your server config you have the line:
dev tap
but your tap interface is tap0, so perhaps
dev tap0
would fix the problem. "dev tap0" is what I have in my server.conf
Josh
On 11/21/05, Paul G. Szabady <Paul at thyservice.com> wrote:
> Mark,
>
> The LAN IPs are in different subnets. However, the tunnel ends should be
> in the same subnet, due to the bridging. Right?
>
> client side
> LAN network: 192.168.2.0/255.255.255.0
> LAN IP: 192.168.2.100
> TAP/VPN IP: 192.168.0.200
> Gateway: 192.168.2.1
>
> server side
> bridged IP (br0): 192.168.0.2
> LAN network: 192.168.2.0/255.255.255.0
> Gateway: 192.168.0.1
>
>
> --
> Paul
> @ Thy Service
>
> > Paul -
> >
> > not sure if this will help or not, but are the IP's on the tunnel ends in
> > the same subnet?
> >
> > here's the script I use for my tunnel --
> >
> > echo "Starting up IP tunnel fr0..."
> > modprobe ip_gre
> > echo 1 >/proc/sys/net/ipv4/ip_forward
> > ip tunnel add fr0 mode gre remote 172.25.211.84 local 172.22.179.252 ttl 255
> > ip addr add 192.168.99.10 dev fr0
> > ip link set fr0 up
> > ip route add 192.168.7.0/24 dev fr0
> > route add -net 192.169.1.0/24 dev fr0
> > route add -net 192.168.21.0/24 gw 192.168.99.10 dev fr0
> >
> >
> > Not sure if it helps or not..
> >
> > This end:                   The other end:
> > eth0  - 172.22.179.200      172.25.211.84
> > eth1  - 10.10.10.253        192.168.21.250
> > (fr0) - 192.168.99.10       (ral0) 192.168.7.1
> >                             gw = 192.168.21.254
> >
> > Need a route entry from "This end" to the gateway on the other...
> >
> >
> > - Mark
> >
> >> Greetings Josh, et al:
> >>
> >> Well, I feel like I'm getting closer, but still no cigar. :(
> >>
> >> I can at least start openvpn and bridging without losing connection to
> >> the server (always a plus when it's remote), and I can connect to it
> >> with a client, but I can't seem to talk either way through the tunnel.
> >> Here are my config files. Does anything jump out at anyone as being
> >> wrong? Maybe I'm doing things in the wrong order?
> >>
> >> I apologize in advance for the length of this email, but I wanted to
> >> include as much detail as possible.
> >>
> >> ============
> >> server.conf:
> >> ============
> >> port 1194
> >> proto udp
> >> dev tap
> >> ca ca.crt
> >> cert server.crt
> >> key server.key
> >> dh dh1024.pem
> >> ifconfig-pool-persist ipp.txt
> >> server-bridge 192.168.0.2 255.255.255.0 192.168.0.200 192.168.0.249
> >> keepalive 10 120
> >> cipher BF-CBC
> >> comp-lzo
> >> user nobody
> >> group nobody
> >> persist-key
> >> persist-tun
> >> status openvpn-status.log
> >> verb 4
> >> mute 20
> >>
> >> =============================
> >> (windows XP) client_001.opvn:
> >> =============================
> >> remote <FQDN for openvpn server - changed for privacy> 1194
> >> dev tap
> >> tls-client
> >> client
> >> proto udp
> >> nobind
> >> comp-lzo
> >> verb 3
> >> mute 20
> >> ca ca.crt
> >> cert client_001.crt
> >> key client_001.key
> >> ns-cert-type server
> >> cipher BF-CBC
> >>
> >> Almost stock server start-up script (/etc/rc.d/init.d/openvpn) which
> >> also calls bridge-start:
> >>
> >> #!/bin/sh
> >> #
> >> # openvpn This shell script takes care of starting and stopping
> >> # openvpn on RedHat or other chkconfig-based system.
> >> #
> >> # chkconfig: 345 24 76
> >> #
> >> # description: OpenVPN is a robust and highly flexible tunneling application that
> >> #              uses all of the encryption, authentication, and certification features
> >> #              of the OpenSSL library to securely tunnel IP networks over a single
> >> #              UDP port.
> >> #
> >>
> >> # Contributed to the OpenVPN project by
> >> # Douglas Keller <doug at voidstar.dyndns.org>
> >> # 2002.05.15
> >>
> >> # To install:
> >> # copy this file to /etc/rc.d/init.d/openvpn
> >> # shell> chkconfig --add openvpn
> >> # shell> mkdir /etc/openvpn
> >> # make .conf or .sh files in /etc/openvpn (see below)
> >>
> >> # To uninstall:
> >> # run: chkconfig --del openvpn
> >>
> >> # Author's Notes:
> >> #
> >> # I have created an /etc/init.d init script and enhanced openvpn.spec to
> >> # automatically register the init script. Once the RPM is installed you
> >> # can start and stop OpenVPN with "service openvpn start" and "service
> >> # openvpn stop".
> >> #
> >> # The init script does the following:
> >> #
> >> # - Starts an openvpn process for each .conf file it finds in
> >> # /etc/openvpn.
> >> #
> >> # - If /etc/openvpn/xxx.sh exists for a xxx.conf file then it executes
> >> # it before starting openvpn (useful for doing openvpn --mktun...).
> >> #
> >> # - In addition to start/stop you can do:
> >> #
> >> # service openvpn reload - SIGHUP
> >> # service openvpn reopen - SIGUSR1
> >> # service openvpn status - SIGUSR2
> >> #
> >> # Modifications:
> >> #
> >> # 2003.05.02
> >> # * Changed == to = for sh compliance (Bishop Clark).
> >> # * If condrestart|reload|reopen|status, check that we were
> >> # actually started (James Yonan).
> >> # * Added lock, piddir, and work variables (James Yonan).
> >> # * If start is attempted twice, without an intervening stop, or
> >> # if start is attempted when previous start was not properly
> >> # shut down, then kill any previously started processes, before
> >> # commencing new start operation (James Yonan).
> >> # * Do a better job of flagging errors on start, and properly
> >> # returning success or failure status to caller (James Yonan).
> >> #
> >> # 2005.04.04
> >> # * Added openvpn-startup and openvpn-shutdown script calls
> >> # (James Yonan).
> >> #
> >>
> >> # Location of openvpn binary
> >> openvpn=""
> >> openvpn_locations="/usr/sbin/openvpn /usr/local/sbin/openvpn"
> >> for location in $openvpn_locations
> >> do
> >> if [ -f "$location" ]
> >> then
> >> openvpn=$location
> >> fi
> >> done
> >>
> >> # Lockfile
> >> lock="/var/lock/subsys/openvpn"
> >>
> >> # PID directory
> >> piddir="/var/run/openvpn"
> >>
> >> # Our working directory
> >> work=/etc/openvpn
> >>
> >> # Source function library.
> >> . /etc/rc.d/init.d/functions
> >>
> >> # Source networking configuration.
> >> . /etc/sysconfig/network
> >>
> >> # Check that networking is up.
> >> if [ ${NETWORKING} = "no" ]
> >> then
> >> echo "Networking is down"
> >> exit 0
> >> fi
> >>
> >> # Check that binary exists
> >> if ! [ -f $openvpn ]
> >> then
> >> echo "openvpn binary not found"
> >> exit 0
> >> fi
> >>
> >> # See how we were called.
> >> case "$1" in
> >> start)
> >> echo -n $"Starting openvpn: "
> >>
> >> /sbin/modprobe tun >/dev/null 2>&1
> >>
> >> # From a security perspective, I think it makes
> >> # sense to remove this, and have users who need
> >> # it explicitly enable in their --up scripts or
> >> # firewall setups.
> >>
> >> echo 1 > /proc/sys/net/ipv4/ip_forward
> >> /etc/rc.d/init.d/bridge-start
> >>
> >> # Run startup script, if defined
> >> if [ -f $work/openvpn-startup ]; then
> >> $work/openvpn-startup
> >> fi
> >>
> >> if [ ! -d $piddir ]; then
> >> mkdir $piddir
> >> fi
> >>
> >> if [ -f $lock ]; then
> >> # we were not shut down correctly
> >> for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
> >> if [ -s $pidf ]; then
> >> kill `cat $pidf` >/dev/null 2>&1
> >> fi
> >> rm -f $pidf
> >> done
> >> rm -f $lock
> >> sleep 2
> >> fi
> >>
> >> rm -f $piddir/*.pid
> >> cd $work
> >>
> >> # Start every .conf in $work and run .sh if exists
> >> errors=0
> >> successes=0
> >> for c in `/bin/ls *.conf 2>/dev/null`; do
> >> bn=${c%%.conf}
> >> if [ -f "$bn.sh" ]; then
> >> . $bn.sh
> >> fi
> >> rm -f $piddir/$bn.pid
> >> $openvpn --daemon --writepid $piddir/$bn.pid --config $c --cd $work
> >> if [ $? = 0 ]; then
> >> successes=1
> >> else
> >> errors=1
> >> fi
> >> done
> >>
> >> if [ $errors = 1 ]; then
> >> failure; echo
> >> else
> >> success; echo
> >> fi
> >>
> >> if [ $successes = 1 ]; then
> >> touch $lock
> >> fi
> >> ;;
> >> stop)
> >> echo -n $"Shutting down openvpn: "
> >> for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
> >> if [ -s $pidf ]; then
> >> kill `cat $pidf` >/dev/null 2>&1
> >> fi
> >> rm -f $pidf
> >> done
> >>
> >> # Run shutdown script, if defined
> >> if [ -f $work/openvpn-shutdown ]; then
> >> $work/openvpn-shutdown
> >> fi
> >>
> >> success; echo
> >> rm -f $lock
> >> ;;
> >> restart)
> >> $0 stop
> >> sleep 2
> >> $0 start
> >> ;;
> >> reload)
> >> if [ -f $lock ]; then
> >> for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
> >> if [ -s $pidf ]; then
> >> kill -HUP `cat $pidf` >/dev/null 2>&1
> >> fi
> >> done
> >> else
> >> echo "openvpn: service not started"
> >> exit 1
> >> fi
> >> ;;
> >> reopen)
> >> if [ -f $lock ]; then
> >> for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
> >> if [ -s $pidf ]; then
> >> kill -USR1 `cat $pidf` >/dev/null 2>&1
> >> fi
> >> done
> >> else
> >> echo "openvpn: service not started"
> >> exit 1
> >> fi
> >> ;;
> >> condrestart)
> >> if [ -f $lock ]; then
> >> $0 stop
> >> # avoid race
> >> sleep 2
> >> $0 start
> >> fi
> >> ;;
> >> status)
> >> if [ -f $lock ]; then
> >> for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
> >> if [ -s $pidf ]; then
> >> kill -USR2 `cat $pidf` >/dev/null 2>&1
> >> fi
> >> done
> >> echo "Status written to /var/log/messages"
> >> else
> >> echo "openvpn: service not started"
> >> exit 1
> >> fi
> >> ;;
> >> *)
> >> echo "Usage: openvpn {start|stop|restart|condrestart|reload|reopen|status}"
> >> exit 1
> >> ;;
> >> esac
> >> exit 0
> >>
> >> =========================
> >> ifconfig output (server):
> >> =========================
> >> br0 Link encap:Ethernet HWaddr 00:11:11:CC:97:FC
> >> inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0
> >> inet6 addr: fe80::211:11ff:fecc:97fc/64 Scope:Link
> >> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> >> RX packets:1603 errors:0 dropped:0 overruns:0 frame:0
> >> TX packets:679 errors:0 dropped:0 overruns:0 carrier:0
> >> collisions:0 txqueuelen:0
> >> RX bytes:127991 (124.9 KiB) TX bytes:107444 (104.9 KiB)
> >>
> >> eth0 Link encap:Ethernet HWaddr 00:11:11:CC:97:FC
> >> inet6 addr: fe80::211:11ff:fecc:97fc/64 Scope:Link
> >> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
> >> RX packets:1619 errors:0 dropped:0 overruns:0 frame:0
> >> TX packets:671 errors:0 dropped:0 overruns:0 carrier:0
> >> collisions:0 txqueuelen:1000
> >> RX bytes:158296 (154.5 KiB) TX bytes:110458 (107.8 KiB)
> >> Interrupt:169
> >>
> >> lo Link encap:Local Loopback
> >> inet addr:127.0.0.1 Mask:255.0.0.0
> >> inet6 addr: ::1/128 Scope:Host
> >> UP LOOPBACK RUNNING MTU:16436 Metric:1
> >> RX packets:1002 errors:0 dropped:0 overruns:0 frame:0
> >> TX packets:1002 errors:0 dropped:0 overruns:0 carrier:0
> >> collisions:0 txqueuelen:0
> >> RX bytes:2528944 (2.4 MiB) TX bytes:2528944 (2.4 MiB)
> >>
> >> tap0 Link encap:Ethernet HWaddr 00:FF:02:F4:5C:60
> >> inet6 addr: fe80::2ff:2ff:fef4:5c60/64 Scope:Link
> >> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
> >> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> >> TX packets:0 errors:0 dropped:900 overruns:0 carrier:0
> >> collisions:0 txqueuelen:0
> >> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
> >>
> >> =====================================================
> >> route -n (server, local = 192.168.0.2/255.255.255.0):
> >> =====================================================
> >> Kernel IP routing table
> >> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> >> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
> >> 0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 br0
> >>
> >> ==============================================
> >> ipconfig (windows client - TAP-Win32 Adapter):
> >> ==============================================
> >> Connection-specific DNS Suffix . :
> >> Description . . . . . . . . . . . : TAP-Win32 Adapter V8
> >> Physical Address. . . . . . . . . : 00-FF-F1-4B-A4-C6
> >> Dhcp Enabled. . . . . . . . . . . : Yes
> >> Autoconfiguration Enabled . . . . : Yes
> >> IP Address. . . . . . . . . . . . : 192.168.0.200
> >> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> >> Default Gateway . . . . . . . . . :
> >> DHCP Server . . . . . . . . . . . : 192.168.0.0
> >> Lease Obtained. . . . . . . . . . : Monday, November 21, 2005 11:29:23 AM
> >> Lease Expires . . . . . . . . . . : Tuesday, November 21, 2006 11:29:23 AM
> >>
> >> =============================
> >> route print (windows client):
> >> =============================
> >> C:\>route print (local = 192.168.2.100/255.255.255.0)
> >> ===========================================================================
> >> Interface List
> >> 0x1 ........................... MS TCP Loopback interface
> >> 0x10005 ...00 06 5b ca e2 74 ...... Intel(R) PRO/1000 MT Network Connection
> >> 0x30006 ...00 ff f1 4b a4 c6 ...... TAP-Win32 Adapter V8
> >> ===========================================================================
> >> ===========================================================================
> >> Active Routes:
> >> Network Destination        Netmask          Gateway       Interface  Metric
> >>           0.0.0.0          0.0.0.0      192.168.2.1   192.168.2.100      10
> >>         127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
> >>       192.168.2.0    255.255.255.0    192.168.2.100   192.168.2.100      10
> >>     192.168.2.100  255.255.255.255        127.0.0.1       127.0.0.1      10
> >>     192.168.2.255  255.255.255.255    192.168.2.100   192.168.2.100      10
> >>       192.168.0.0    255.255.255.0    192.168.0.200   192.168.0.200      20
> >>     192.168.0.200  255.255.255.255        127.0.0.1       127.0.0.1      20
> >>     192.168.0.255  255.255.255.255    192.168.0.200   192.168.0.200      20
> >>         224.0.0.0        240.0.0.0    192.168.2.100   192.168.2.100      10
> >>         224.0.0.0        240.0.0.0    192.168.0.200   192.168.0.200      20
> >>   255.255.255.255  255.255.255.255    192.168.2.100   192.168.2.100       1
> >>   255.255.255.255  255.255.255.255    192.168.0.200   192.168.0.200       1
> >> Default Gateway: 192.168.2.1
> >> ===========================================================================
> >> Persistent Routes:
> >> None
> >>
> >>
> >>
> >> --
> >> Paul
> >> @ Thy Service
> >>
> >>
> >> ---------------------------- Original Message
> >> ----------------------------
> >> Subject: Re: [TriLUG] OpenVPN: TAP vs TUN
> >> From: "Paul G. Szabady" <Paul at ThyService.com>
> >> Date: Fri, November 18, 2005 4:38 pm
> >> To: "Triangle Linux Users Group discussion list"
> >> <trilug at trilug.org>
> >> --------------------------------------------------------------------------
> >>
> >> Josh,
> >>
> >> I owe you a beer! That's the *key* piece I was missing:
> >>
> >> set up the default gateway, since it gets lost when eth0 is
> >> deconfigured (this step I had to add myself, since it is not mentioned
> >> in the ethernet bridging howto):
> >>> route add default gw $gw
> >>
> >> I've set this up on my laptop at home and it works. Now to implement in
> >> production. However, I think I'll go onsite, just to be safe. ;)
> >>
> >> Thanks for your help!
> >>
> >> --
> >> Paul
> >> @ Thy Service
> >>
> >>> You can assign an IP to a bridge interface in linux, this makes it not
> >>> exactly a bridge, but it's what I did to get bridge mode working with
> >>> OpenVPN with a single NIC.
> >>>
> >>> I wrote up a nice HOWTO and stuck it on the OpenVPN wiki, but their wiki
> >>> has now been down for months. You can get my (hard to read) notes here:
> >>>
> >>> http://vickeryj.freeshell.org/notes/
> >>>
> >>> In short, I brought up the tap device like so:
> >>>
> >>>> openvpn --mktun --dev tap0
> >>>
> >>> and bridge it with the ethernet device like this:
> >>>
> >>>> brctl addbr br0
> >>>> brctl addif br0 eth0
> >>>> brctl addif br0 tap0
> >>>
> >>> then stick everything in promiscuous mode:
> >>>
> >>>> ifconfig tap0 0.0.0.0 promisc up
> >>>> ifconfig eth0 0.0.0.0 promisc up
> >>>
> >>> then assign the ip that eth0 used to have to the bridge device (this
> >>> might be what is missing if you are losing network connectivity to the
> >>> box):
> >>>
> >>>> ifconfig br0 $eth_ip netmask $eth_netmask broadcast $eth_broadcast
> >>>
> >>> set up the default gateway, since it gets lost when eth0 is
> >>> deconfigured (this step I had to add myself, since it is not mentioned
> >>> in the ethernet bridging howto):
> >>>> route add default gw $gw
> >>>
> >>> if you want to do this remotely, all those lines need to be in a
> >>> script, as you will lose network connectivity to the box until the last
> >>> ifconfig line is run.
> >>>
> >>> Josh
> >>>
> >>> On 11/18/05, Paul G. Szabady <Paul at thyservice.com> wrote:
> >>>> Jim,
> >>>>
> >>>> Done that, but note, I'm not even at the point of connecting a client
> >>>> yet.
> >>>>
> >>>> --
> >>>> Paul
> >>>> @ Thy Service
> >>>>
> >>>> > make sure source and destination IP addresses are *not* on the same
> >>>> > network address.
> >>>> >
> >>>> > regards,
> >>>> >
> >>>> > jim
> >>>> >
> >>>> > Jim Ray, President
> >>>> > Neuse River Network, Inc.
> >>>> >
> >>>> > tel: 919-838-1672 x111
> >>>> > toll free: 800-617-7652
> >>>> > cell: 919-606-1772
> >>>> > http://www.Neuse.Net
> >>>> >
> >>>> > Ask about our Clean Technologies. Established in the Carolinas
> >>>> 1997.
> >>>> >
> >>>> >
> >>>> >
> >>>> > Paul G. Szabady wrote:
> >>>> >
> >>>> >>Greetings,
> >>>> >>
> >>>> >>I am trying to set up a TAP style VPN but I'm apparently missing a
> >>>> >>key piece of information and was hoping someone could clarify this
> >>>> >>for me.
> >>>> >>
> >>>> >>I have a linux (CentOS 4.2) server w/OpenVPN (openvpn-2.1_beta7-1
> >>>> >>installed from RPM built from src), and a windows 2000 server behind
> >>>> >>a linksys router. I need to be able to access the windows server on
> >>>> >>the local LAN from the internet, with an IP address in the same
> >>>> >>subnet as the windows server, hence the desire to set up using
> >>>> >>TAP/bridge mode. (Setting up TUN was easy, but didn't work as I
> >>>> >>needed it to.) The linux machine has a single NIC, which is why this
> >>>> >>is so confusing to me. When I set up OpenVPN w/TAP, I lose all
> >>>> >>network access to the linux server. Having had a "home grown linux
> >>>> >>switch" (old pc w/6 NICs running in bridge mode), this makes sense.
> >>>> >>I believe I have followed all the instructions/notes/suggestions
> >>>> >>from the openVPN howto as well as the Ethernet-Bridge-netfilter
> >>>> >>howto. But I'm still missing something.
> >>>> >>
> >>>> >>The big question: If I am apparently invisible to the network, how
> >>>> >>does one make a connection (VPN or other) to the linux server?
> >>>> >>
> >>>> >>
> >>>> >>
> >>>> > --
> >>>> > TriLUG mailing list :
> >>>> http://www.trilug.org/mailman/listinfo/trilug
> >>>> > TriLUG Organizational FAQ : http://trilug.org/faq/
> >>>> > TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> >>>>
> >>>>
> >>>
> >>
> >>
> >>
> >>
> >> --
> >> This message has been scanned for viruses and
> >> dangerous content by MailScanner, and is
> >> believed to be clean.
> >>
> >
> >
> >
> >
> >
>
>
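The two pitfalls the thread turns on, restated as a pre-flight check an administrator can run before bringing the bridge up: a bare `dev tap` that allocates a new tap device instead of attaching to the pre-created, bridged tap0 (Josh's diagnosis), and addressing mistakes around `server-bridge` and the client's own LAN (Jim's "not on the same network" point). This is an added example, not code from any of the list posts; it assumes the bridged device is named tap0, as in the bridge-start sequence quoted above, and the sample server.conf text is constructed from the directives Paul posted.

```python
"""Pre-flight checks for an OpenVPN bridged (TAP) server config.

Added example, not code from the TriLUG thread. Assumes the pre-created,
bridged tap device is called tap0 and that the bridge subnet is the one
given to 'server-bridge'. The sample config below is constructed from the
directives posted in the thread.
"""
import ipaddress

# Constructed sample: the thread's server.conf, trimmed to the directives
# the checks below read. It still carries the 'dev tap' that was flagged.
SAMPLE_SERVER_CONF = """\
port 1194
proto udp
dev tap
ca ca.crt
server-bridge 192.168.0.2 255.255.255.0 192.168.0.200 192.168.0.249
keepalive 10 120
"""


def parse_openvpn_conf(text):
    """Map each directive to its argument list (last occurrence wins).

    OpenVPN config lines are 'directive arg...'; '#' and ';' start comments.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            conf[parts[0]] = parts[1:]
    return conf


def check_bridge_setup(conf, bridged_tap="tap0", client_lan=None):
    """Return a list of findings; an empty list means the config passed.

    bridged_tap: the device bridge-start already created and added to br0.
    client_lan:  the remote client's LAN (e.g. '192.168.2.0/24'), if known.
    """
    findings = []

    # 1. The server must attach to the tap device that is actually in the
    #    bridge. A bare 'dev tap' makes OpenVPN allocate a new, unbridged tapN.
    dev = conf.get("dev", [])
    if not dev:
        findings.append("no 'dev' directive; a bridged server needs 'dev %s'" % bridged_tap)
    elif dev[0] == "tap":
        findings.append("'dev tap' allocates a fresh tap device instead of the "
                        "bridged %s; use 'dev %s'" % (bridged_tap, bridged_tap))
    elif dev[0] != bridged_tap:
        findings.append("'dev %s' is not the bridged device %s" % (dev[0], bridged_tap))

    # 2. server-bridge takes: gateway netmask pool-start pool-end.
    sb = conf.get("server-bridge")
    if not sb or len(sb) != 4:
        findings.append("'server-bridge' needs exactly: gateway netmask pool-start pool-end")
        return findings
    gw_s, mask_s, start_s, end_s = sb
    try:
        net = ipaddress.ip_network("%s/%s" % (gw_s, mask_s), strict=False)
        gw = ipaddress.ip_address(gw_s)
        start = ipaddress.ip_address(start_s)
        end = ipaddress.ip_address(end_s)
    except ValueError as exc:
        findings.append("unparsable address in 'server-bridge': %s" % exc)
        return findings

    # 3. Bridged clients get addresses on the LAN's own subnet, so the pool
    #    must lie inside it and must not hand out the gateway's address.
    if start not in net or end not in net:
        findings.append("pool %s-%s lies outside the bridge subnet %s" % (start, end, net))
    if int(start) > int(end):
        findings.append("pool start %s is after pool end %s" % (start, end))
    if int(start) <= int(gw) <= int(end):
        findings.append("pool %s-%s includes the gateway %s" % (start, end, gw))

    # 4. The client's own LAN must not be the same network as the bridged
    #    subnet, or the client's routing table cannot tell the two apart.
    if client_lan is not None:
        lan = ipaddress.ip_network(client_lan, strict=False)
        if lan.overlaps(net):
            findings.append("client LAN %s overlaps the bridge subnet %s" % (lan, net))
    return findings


if __name__ == "__main__":
    conf = parse_openvpn_conf(SAMPLE_SERVER_CONF)
    for finding in check_bridge_setup(conf, client_lan="192.168.2.0/24") or ["no findings"]:
        print(finding)
```

Run against the constructed sample with the client's LAN of 192.168.2.0/24, the only finding is the `dev tap` mismatch; change it to `dev tap0` and the config passes, which matches the order of events in the thread.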