[Fwd: Re: [TriLUG] OpenVPN: TAP vs TUN]

mark at thefowles.com mark at thefowles.com
Mon Nov 21 12:20:02 EST 2005


Paul -

not sure if this will help or not, but are the IPs on the tunnel ends in
the same subnet?

here's the script I use for my tunnel --

   echo "Starting up IP tunnel fr0..."
   modprobe ip_gre
   echo 1 >/proc/sys/net/ipv4/ip_forward
   # GRE endpoint: remote/local are the outer addresses of the two ends
   ip tunnel add fr0 mode gre remote 172.25.211.84 local 172.22.179.252 ttl 255
   ip addr add 192.168.99.10 dev fr0
   ip link set fr0 up
   # routes for the networks on the far side, sent through the tunnel
   ip route add 192.168.7.0/24 dev fr0
   route add -net 192.169.1.0/24 dev fr0
   route add -net 192.168.21.0/24 gw 192.168.99.10 dev fr0


Not sure if it helps or not.

This end:                          The other end:
eth0  - 172.22.179.200             172.25.211.84
eth1  - 10.10.10.253               192.168.21.250
(fr0) - 192.168.99.10              (ral0) 192.168.7.1
                                   gw = 192.168.21.254

Need a route entry from "This end" to the gateway on the other...


- Mark

> Greetings Josh, et al:
>
> Well, I feel like I'm getting closer, but still no cigar.  :(
>
> I can at least start openvpn and bridging without losing connection to the
> server (always a plus when it's remote), and I can connect to it with a
> client, but I can't seem to talk either way through the tunnel.  Here are
> my config files.  Does anything jump out at anyone as being wrong?  Maybe
> I'm doing things in the wrong order?
>
> I apologize in advance for the length of this email, but I wanted to
> include as much detail as possible.
>
> ============
> server.conf:
> ============
> port 1194
> proto udp
> dev tap
> ca ca.crt
> cert server.crt
> key server.key
> dh dh1024.pem
> ifconfig-pool-persist ipp.txt
> server-bridge 192.168.0.2 255.255.255.0 192.168.0.200 192.168.0.249
> keepalive 10 120
> cipher BF-CBC
> comp-lzo
> user nobody
> group nobody
> persist-key
> persist-tun
> status openvpn-status.log
> verb 4
> mute 20
>
> =============================
> (windows XP) client_001.ovpn:
> =============================
> remote <FQDN for openvpn server - changed for privacy> 1194
> dev tap
> tls-client
> client
> proto udp
> nobind
> comp-lzo
> verb 3
> mute 20
> ca ca.crt
> cert client_001.crt
> key client_001.key
> ns-cert-type server
> cipher BF-CBC
>
> Almost stock server start-up script (/etc/rc.d/init.d/openvpn) which
> also calls bridge-start:
>
> #!/bin/sh
> #
> # openvpn       This shell script takes care of starting and stopping
> #               openvpn on RedHat or other chkconfig-based system.
> #
> # chkconfig: 345 24 76
> #
> # description: OpenVPN is a robust and highly flexible tunneling application that
> #              uses all of the encryption, authentication, and certification features
> #              of the OpenSSL library to securely tunnel IP networks over a single
> #              UDP port.
> #
>
> # Contributed to the OpenVPN project by
> # Douglas Keller <doug at voidstar.dyndns.org>
> # 2002.05.15
>
> # To install:
> #   copy this file to /etc/rc.d/init.d/openvpn
> #   shell> chkconfig --add openvpn
> #   shell> mkdir /etc/openvpn
> #   make .conf or .sh files in /etc/openvpn (see below)
>
> # To uninstall:
> #   run: chkconfig --del openvpn
>
> # Author's Notes:
> #
> # I have created an /etc/init.d init script and enhanced openvpn.spec to
> # automatically register the init script.  Once the RPM is installed you
> # can start and stop OpenVPN with "service openvpn start" and "service
> # openvpn stop".
> #
> # The init script does the following:
> #
> # - Starts an openvpn process for each .conf file it finds in
> #   /etc/openvpn.
> #
> # - If /etc/openvpn/xxx.sh exists for a xxx.conf file then it executes
> #   it before starting openvpn (useful for doing openvpn --mktun...).
> #
> # - In addition to start/stop you can do:
> #
> #   service openvpn reload - SIGHUP
> #   service openvpn reopen - SIGUSR1
> #   service openvpn status - SIGUSR2
> #
> # Modifications:
> #
> # 2003.05.02
> #   * Changed == to = for sh compliance (Bishop Clark).
> #   * If condrestart|reload|reopen|status, check that we were
> #     actually started (James Yonan).
> #   * Added lock, piddir, and work variables (James Yonan).
> #   * If start is attempted twice, without an intervening stop, or
> #     if start is attempted when previous start was not properly
> #     shut down, then kill any previously started processes, before
> #     commencing new start operation (James Yonan).
> #   * Do a better job of flagging errors on start, and properly
> #     returning success or failure status to caller (James Yonan).
> #
> # 2005.04.04
> #   * Added openvpn-startup and openvpn-shutdown script calls
> #     (James Yonan).
> #
>
> # Location of openvpn binary
> openvpn=""
> openvpn_locations="/usr/sbin/openvpn /usr/local/sbin/openvpn"
> for location in $openvpn_locations
> do
>   if [ -f "$location" ]
>   then
>     openvpn=$location
>   fi
> done
>
> # Lockfile
> lock="/var/lock/subsys/openvpn"
>
> # PID directory
> piddir="/var/run/openvpn"
>
> # Our working directory
> work=/etc/openvpn
>
> # Source function library.
> . /etc/rc.d/init.d/functions
>
> # Source networking configuration.
> . /etc/sysconfig/network
>
> # Check that networking is up.
> if [ "${NETWORKING}" = "no" ]
> then
>   echo "Networking is down"
>   exit 0
> fi
>
> # Check that binary exists
> if ! [ -f  $openvpn ]
> then
>   echo "openvpn binary not found"
>   exit 0
> fi
>
> # See how we were called.
> case "$1" in
>   start)
>         echo -n $"Starting openvpn: "
>
>         /sbin/modprobe tun >/dev/null 2>&1
>
>         # From a security perspective, I think it makes
>         # sense to remove this, and have users who need
>         # it explictly enable in their --up scripts or
>         # firewall setups.
>
>         echo 1 > /proc/sys/net/ipv4/ip_forward
>         /etc/rc.d/init.d/bridge-start
>
>         # Run startup script, if defined
>         if [ -f $work/openvpn-startup ]; then
>             $work/openvpn-startup
>         fi
>
>         if [ ! -d  $piddir ]; then
>             mkdir $piddir
>         fi
>
>         if [ -f $lock ]; then
>             # we were not shut down correctly
>             for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
>               if [ -s $pidf ]; then
>                 kill `cat $pidf` >/dev/null 2>&1
>               fi
>               rm -f $pidf
>             done
>             rm -f $lock
>             sleep 2
>         fi
>
>         rm -f $piddir/*.pid
>         cd $work
>
>         # Start every .conf in $work and run .sh if exists
>         errors=0
>         successes=0
>         for c in `/bin/ls *.conf 2>/dev/null`; do
>             bn=${c%%.conf}
>             if [ -f "$bn.sh" ]; then
>                 . $bn.sh
>             fi
>             rm -f $piddir/$bn.pid
>             $openvpn --daemon --writepid $piddir/$bn.pid --config $c --cd $work
>             if [ $? = 0 ]; then
>                 successes=1
>             else
>                 errors=1
>             fi
>         done
>
>         if [ $errors = 1 ]; then
>             failure; echo
>         else
>             success; echo
>         fi
>
>         if [ $successes = 1 ]; then
>             touch $lock
>         fi
>         ;;
>   stop)
>         echo -n $"Shutting down openvpn: "
>         for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
>           if [ -s $pidf ]; then
>             kill `cat $pidf` >/dev/null 2>&1
>           fi
>           rm -f $pidf
>         done
>
>         # Run shutdown script, if defined
>         if [ -f $work/openvpn-shutdown ]; then
>             $work/openvpn-shutdown
>         fi
>
>         success; echo
>         rm -f $lock
>         ;;
>   restart)
>         $0 stop
>         sleep 2
>         $0 start
>         ;;
>   reload)
>         if [ -f $lock ]; then
>             for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
>                 if [ -s $pidf ]; then
>                     kill -HUP `cat $pidf` >/dev/null 2>&1
>                 fi
>             done
>         else
>             echo "openvpn: service not started"
>             exit 1
>         fi
>         ;;
>   reopen)
>         if [ -f $lock ]; then
>             for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
>                 if [ -s $pidf ]; then
>                     kill -USR1 `cat $pidf` >/dev/null 2>&1
>                 fi
>             done
>         else
>             echo "openvpn: service not started"
>             exit 1
>         fi
>         ;;
>   condrestart)
>         if [ -f $lock ]; then
>             $0 stop
>             # avoid race
>             sleep 2
>             $0 start
>         fi
>         ;;
>   status)
>         if [ -f $lock ]; then
>             for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
>                 if [ -s $pidf ]; then
>                     kill -USR2 `cat $pidf` >/dev/null 2>&1
>                 fi
>             done
>             echo "Status written to /var/log/messages"
>         else
>             echo "openvpn: service not started"
>             exit 1
>         fi
>         ;;
>   *)
>         echo "Usage: openvpn {start|stop|restart|condrestart|reload|reopen|status}"
>         exit 1
>         ;;
> esac
> exit 0
>
> =========================
> ifconfig output (server):
> =========================
> br0       Link encap:Ethernet  HWaddr 00:11:11:CC:97:FC
>           inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
>           inet6 addr: fe80::211:11ff:fecc:97fc/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:1603 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:679 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:127991 (124.9 KiB)  TX bytes:107444 (104.9 KiB)
>
> eth0      Link encap:Ethernet  HWaddr 00:11:11:CC:97:FC
>           inet6 addr: fe80::211:11ff:fecc:97fc/64 Scope:Link
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:1619 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:671 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:158296 (154.5 KiB)  TX bytes:110458 (107.8 KiB)
>           Interrupt:169
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:1002 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1002 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:2528944 (2.4 MiB)  TX bytes:2528944 (2.4 MiB)
>
> tap0      Link encap:Ethernet  HWaddr 00:FF:02:F4:5C:60
>           inet6 addr: fe80::2ff:2ff:fef4:5c60/64 Scope:Link
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:900 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>
> =====================================================
> route -n (server: local = 192.168.0.2/255.255.255.0)
> =====================================================
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
> 0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 br0
>
> ==============================================
> ipconfig (windows client - TAP-Win32 Adapter):
> ==============================================
> Connection-specific DNS Suffix  . :
> Description . . . . . . . . . . . : TAP-Win32 Adapter V8
> Physical Address. . . . . . . . . : 00-FF-F1-4B-A4-C6
> Dhcp Enabled. . . . . . . . . . . : Yes
> Autoconfiguration Enabled . . . . : Yes
> IP Address. . . . . . . . . . . . : 192.168.0.200
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . :
> DHCP Server . . . . . . . . . . . : 192.168.0.0
> Lease Obtained. . . . . . . . . . : Monday, November 21, 2005 11:29:23 AM
> Lease Expires . . . . . . . . . . : Tuesday, November 21, 2006 11:29:23 AM
>
> =============================
> route print (windows client):
> =============================
> C:\>route print (local = 192.168.2.100/255.255.255.0)
> ===========================================================================
> Interface List
> 0x1 ........................... MS TCP Loopback interface
> 0x10005 ...00 06 5b ca e2 74 ...... Intel(R) PRO/1000 MT Network Connection
> 0x30006 ...00 ff f1 4b a4 c6 ...... TAP-Win32 Adapter V8
> ===========================================================================
> ===========================================================================
> Active Routes:
> Network Destination        Netmask          Gateway       Interface  Metric
>           0.0.0.0          0.0.0.0      192.168.2.1   192.168.2.100      10
>         127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
>       192.168.2.0    255.255.255.0    192.168.2.100   192.168.2.100      10
>     192.168.2.100  255.255.255.255        127.0.0.1       127.0.0.1      10
>     192.168.2.255  255.255.255.255    192.168.2.100   192.168.2.100      10
>       192.168.0.0    255.255.255.0    192.168.0.200   192.168.0.200      20
>     192.168.0.200  255.255.255.255        127.0.0.1       127.0.0.1      20
>     192.168.0.255  255.255.255.255    192.168.0.200   192.168.0.200      20
>         224.0.0.0        240.0.0.0    192.168.2.100   192.168.2.100      10
>         224.0.0.0        240.0.0.0    192.168.0.200   192.168.0.200      20
>   255.255.255.255  255.255.255.255    192.168.2.100   192.168.2.100       1
>   255.255.255.255  255.255.255.255    192.168.0.200   192.168.0.200       1
> Default Gateway:       192.168.2.1
> ===========================================================================
> Persistent Routes:
>   None
>
>
>
> --
> Paul
> @ Thy Service
>
>
> ---------------------------- Original Message ----------------------------
> Subject: Re: [TriLUG] OpenVPN: TAP vs TUN
> From:    "Paul G. Szabady" <Paul at ThyService.com>
> Date:    Fri, November 18, 2005 4:38 pm
> To:      "Triangle Linux Users Group discussion list" <trilug at trilug.org>
> --------------------------------------------------------------------------
>
> Josh,
>
> I owe you a beer!  That's the *key* piece I was missing:
>
> set up the default gateway, since it gets lost when eth0 is
> deconfigured (this step I had to add myself, since it is not mentioned in
> the ethernet bridging howto):
>> route add default gw $gw
>
> I've set this up on my laptop at home and it works.  Now to implement in
> production.  However, I think I'll go onsite, just to be safe.  ;)
>
> Thanks for your help!
>
> --
> Paul
> @ Thy Service
>
>> You can assign an IP to a bridge interface in linux, this makes it not
>> exactly a bridge, but it's what I did to get bridge mode working with
>> OpenVPN with a single NIC.
>>
>> I wrote up a nice HOWTO and stuck it on the OpenVPN wiki, but their wiki
>> has now been down for months.  You can get my (hard to read) notes here:
>>
>> http://vickeryj.freeshell.org/notes/
>>
>> In short, I brought up the tap device like so:
>>
>>> openvpn --mktun --dev tap0
>>
>> and bridge it with the ethernet device like this:
>>
>>> brctl addbr br0
>>> brctl addif br0 eth0
>>> brctl addif br0 tap0
>>
>> then stick everything in promiscuous mode:
>>
>>> ifconfig tap0 0.0.0.0 promisc up
>>> ifconfig eth0 0.0.0.0 promisc up
>>
>> then assign the ip that eth0 used to have to the bridge device (this
>> might be what is missing if you are losing network connectivity to the
>> box):
>>
>>> ifconfig br0 $eth_ip netmask $eth_netmask broadcast $eth_broadcast
>>
>> set up the default gateway, since it gets lost when eth0 is
>> deconfigured (this step I had to add myself, since it is not mentioned
>> in the ethernet bridging howto):
>>> route add default gw $gw
>>
>> if you want to do this remotely, all those lines need to be in a script,
>> as you will lose network connectivity to the box until the last ifconfig
>> line is run.
>>
>> Josh
>>
>> On 11/18/05, Paul G. Szabady <Paul at thyservice.com> wrote:
>>> Jim,
>>>
>>> Done that, but note, I'm not even at the point of connecting a client
>>> yet.
>>>
>>> --
>>> Paul
>>> @ Thy Service
>>>
>>> > make sure source and destination IP addresses are *not* on the same
>>> > network address.
>>> >
>>> > regards,
>>> >
>>> > jim
>>> >
>>> > Jim Ray, President
>>> > Neuse River Network, Inc.
>>> >
>>> > tel: 919-838-1672 x111
>>> > toll free: 800-617-7652
>>> > cell: 919-606-1772
>>> > http://www.Neuse.Net
>>> >
>>> > Ask about our Clean Technologies.  Established in the Carolinas 1997.
>>> >
>>> >
>>> >
>>> > Paul G. Szabady wrote:
>>> >
>>> >>Greetings,
>>> >>
>>> >>I am trying to set up a TAP style VPN but I'm apparently missing a
>>> >>key piece of information and was hoping someone could clarify this
>>> >>for me.
>>> >>
>>> >>I have a linux (CentOS 4.2) server w/OpenVPN (openvpn-2.1_beta7-1
>>> >>installed from RPM built from src), and a windows 2000 server behind
>>> >>a linksys router.  I need to be able to access the windows server on
>>> >>the local LAN from the internet, with an IP address in the same
>>> >>subnet as the windows server, hence the desire to set up using
>>> >>TAP/bridge mode.  (Setting up TUN was easy, but didn't work as I
>>> >>needed it to.)  The linux machine has a single NIC, which is why this
>>> >>is so confusing to me.  When I set up OpenVPN w/TAP, I lose all
>>> >>network access to the linux server.  Having had a "home grown linux
>>> >>switch" (old pc w/6 NICs running in bridge mode), this makes sense.
>>> >>I believe I have followed all the instructions/notes/suggestions from
>>> >>the openVPN howto as well as the Ethernet-Bridge-netfilter howto.  But
>>> >>I'm still missing something.
>>> >>
>>> >>The big question:  If I am apparently invisible to the network, how
>>> >>does one make a connection (VPN or other) to the linux server?
>>> >>
>>> >>
>>> >>
>>> > --
>>> > TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
>>> > TriLUG Organizational FAQ  : http://trilug.org/faq/
>>> > TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>>>
>
>
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>



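The single-NIC bridge procedure from Josh's notes above, collected into one start/stop script, as an added example that is not part of the thread (the thread never shows Paul's own bridge-start). It uses the same 2005-era commands the thread uses (openvpn --mktun, brctl, ifconfig, route) and the names and addresses from Paul's ifconfig and route output (br0, eth0, tap0, 192.168.0.2/24, default gateway 192.168.0.1); the DRY_RUN mode, the stop path and the check_conf function are additions of mine and not something any poster described. check_conf flags two server.conf settings that leave a bridged setup silent: a bare `dev tap` with no unit number, which makes OpenVPN ask the kernel for a fresh tap device instead of attaching to the persistent tap0 that was added to the bridge (Paul's server.conf above has `dev tap`, and the bridging HOWTO's form is `dev tap0`), and a server-bridge gateway argument that is not the address br0 actually holds.

```shell
#!/bin/sh
# bridge-start/bridge-stop for a single-NIC OpenVPN TAP server, with a dry-run
# mode and a server.conf check.  Added example, not the thread's own script:
# it follows the command sequence Josh posted (mktun, brctl, promisc, move the
# IP to br0, restore the default gateway) and adds the stop path and the check.
# Interface names and addresses are those from Paul's server (br0, eth0, tap0,
# 192.168.0.2/24, gateway 192.168.0.1); change them for another host.

br=br0
eth=eth0
tap=tap0
eth_ip=192.168.0.2
eth_netmask=255.255.255.0
eth_broadcast=192.168.0.255
gw=192.168.0.1

# run CMD...: print the command when DRY_RUN is set, otherwise execute it and
# abort on the first failure (a half-built bridge leaves the box unreachable).
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@" || { echo "failed: $*" >&2; exit 1; }
    fi
}

# Everything up to the ifconfig of br0 must run without a pause: eth0 loses
# its address at the first ifconfig, and an SSH session dies with it.
bridge_start() {
    run openvpn --mktun --dev "$tap"
    run brctl addbr "$br"
    run brctl addif "$br" "$eth"
    run brctl addif "$br" "$tap"
    run ifconfig "$tap" 0.0.0.0 promisc up
    run ifconfig "$eth" 0.0.0.0 promisc up
    run ifconfig "$br" "$eth_ip" netmask "$eth_netmask" broadcast "$eth_broadcast"
    run route add default gw "$gw"
}

# Reverse order: tear the bridge down, then give eth0 its address and the
# default route back.
bridge_stop() {
    run ifconfig "$br" down
    run brctl delbr "$br"
    run openvpn --rmtun --dev "$tap"
    run ifconfig "$eth" "$eth_ip" netmask "$eth_netmask" broadcast "$eth_broadcast"
    run route add default gw "$gw"
}

# check_conf FILE: catch two server.conf mistakes that leave the bridge silent.
# A bare 'dev tap' makes OpenVPN ask the kernel for a fresh tap device instead
# of the persistent, bridged one, so it must carry the unit number; and the
# first server-bridge argument must be the address that br0 actually holds.
# Returns 0 when both are satisfied, 1 otherwise.
check_conf() {
    conf=$1
    rc=0
    if grep -Eq '^[[:space:]]*dev[[:space:]]+tap[[:space:]]*$' "$conf"; then
        echo "$conf: 'dev tap' has no unit number; use 'dev $tap' to attach to the bridged device"
        rc=1
    fi
    bridge_ip=$(awk '$1 == "server-bridge" { print $2 }' "$conf")
    if [ -n "$bridge_ip" ] && [ "$bridge_ip" != "$eth_ip" ]; then
        echo "$conf: server-bridge gateway $bridge_ip is not the bridge address $eth_ip"
        rc=1
    fi
    return $rc
}

case "$1" in
    start) bridge_start ;;
    stop)  bridge_stop ;;
    check) check_conf "${2:-/etc/openvpn/server.conf}" ;;
esac
```

Run `sh bridge.sh check /etc/openvpn/server.conf` before `start`. With `DRY_RUN=1 sh bridge.sh start`, nothing is touched and the eight commands are only printed, which is worth doing once before running the real thing over an SSH session that will drop at the first ifconfig and only come back after br0 has the address and the default route.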