tech-kern archive


Re: Fwd: openvpn, no errors but no workie...



Well here's the fix for me...

Like all BSD variants, the tap method requires a kernel with
tap, bridge and GATEWAY enabled in the kernel. The sysctl option
for packet forwarding must be set. (In NetBSD that would be
net.inet.ip.forwarding=1, typically from /etc/sysctl.conf at boot)

The last line of the config file specifies the location of a script to
run on startup:

up /usr/local/etc/openvpn/bridgeup.sh

This script brings up the tap interface and assigns it a dummy address
so it doesn't go back down. It is also important to bridge the tap
interface to the lan interface so packets will leave the box! (They
won't route out of the tap interface without it.) For example
                                                            
#!/bin/sh
# openvpn passes the tap interface name (typically tap0) as $1
# make an ip to bring up the tap interface
ifconfig "$1" 192.168.254.254 netmask 255.255.255.255
# make bridge0 to pass through the tap interface to the private network :)
# (NetBSD ifconfig takes the interface name first, then "create")
ifconfig bridge0 create
brconfig bridge0 add "$1" add nfe0 up
                                                            
Be sure to specify the correct interface for the LAN (on this host it is
nfe0); the tap interface (typically tap0) is passed to the script as $1
by openvpn.

greetings, George
                                                            


On Sun 13 Jul 2008 at 10:34:27 PM -0700, Brian Buhrow wrote:
>       Hello.  I'm running OpenVPN 2.0.5 on NetBSD-4.0 with both clients and
>servers, and it works flawlessly.  It's very stable, connects right away,
>and runs for weeks without a hiccup.
>       The difference between my setup and yours is that I'm using tun
>devices rather than tap devices.  Since tap devices imply layer 2 level
>switching, I wonder if there's some problem with the config as you
>transferred it from FreeBSD to NetBSD?  I know the tap driver works on
>NetBSD-4.x because I'm using it elsewhere without difficulty.
>-Brian
>
>On Jul 13, 10:24pm, George Georgalis wrote:
>} Subject: Fwd: openvpn, no errors but no workie...
>} Maybe I should run this by the kernel list? I think the
>} only option needed for this openvpn configuration is
>} pseudo-device tap? (which is enabled)
>} 
>} // George
>} 
>} ----- Forwarded message from George Georgalis <george%galis.org@localhost> -----
>} 
>} Date: Sun, 13 Jul 2008 21:44:56 -0400
>} From: George Georgalis <george%galis.org@localhost>
>} To: openvpn-users%lists.sourceforge.net@localhost, pkgsrc-users%netbsd.org@localhost
>} Subject: openvpn, no errors but no workie...
>} 
>} I deployed openvpn a few years ago on a FreeBSD box and
>} it has worked flawlessly. But the other day the hardware
>} failed and I put the config and keys on a netbsd-4
>} box. The daemon starts up normal, and clients initialize
>} quickly. It is a tap based vpn, and the route is pushed
>} by the server, but not the gateway or ns.
>} 
>} Besides all the logs not showing errors, the clients do
>} get a proper route added for the remote subnet, eg this
>} IP is on the remote side of the connection:
>} 
>} # route get 192.168.15.1
>}    route to: 192.168.15.1
>} destination: 192.168.15.0
>}        mask: 255.255.255.0
>}   interface: tap0
>}       flags: <UP,DONE,CLONING>
>}  recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
>}        0         0         0         0         0         0      1500      -122
>} 
>} the vpn server lan ip and subnet show in my client
>} routing table...
>} 
>} 192.168.15         link#7             UC          1        0   tap0
>} 192.168.15.85      link#7             UHLW        0        0   tap0
>} 
>} and you can see my client connection in the status log
>} 
>} Virtual Address,Common Name,Real Address,Last Ref
>} 
>} ae:fa:86:7a:84:a9,George_Georgalis_fuji_2007.07.27.1854.07,70.183.8.249:63779,Sun Jul 13 21:33:15 2008
>} 
>} but that's it. no workie. I can't ping the client ip
>} from the corresponding ipp.txt:
>} 
>} George_Georgalis_fuji_2007.07.27.1854.07,192.168.15.229
>} 
>} (I'm not sure where else I might find that IP on the
>} server, it's not in the arp table), nor can I reach any
>} other ip on the remote subnet, including the server's
>} lan IP.
>} 
>} I've turned off all firewalling and I can reach the
>} private subnet from a shell on the vpn server.
>} 
>} What could be the problem here?
>} 
>} // George
>} 
>} 
>} -- 
>} George Georgalis, information system scientist <IXOYE><
>} 
>} 
>} ----- End forwarded message -----
>} 
>} -- 
>} George Georgalis, information system scientist <IXOYE><
>>-- End of excerpt from George Georgalis
>
>

-- 
George Georgalis, information system scientist <IXOYE><
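The failure George describes produces no log errors, so the useful check after bridgeup.sh has run is whether forwarding is on and whether both tap0 and the LAN interface actually ended up in bridge0. The script below is an added example, not code from the thread: it parses the text NetBSD's sysctl and brconfig print, and the interface names and sample outputs are constructed to match the thread rather than captured from a real host.

```shell
#!/bin/sh
# Added example, not from the thread: verifies the two conditions George's fix
# relies on (IP forwarding enabled, tap and LAN interfaces both members of the
# bridge) by parsing the text that sysctl and brconfig print. Each function takes
# the command output as its argument so it can be exercised on captured text.
# Interface names (bridge0, tap0, nfe0) follow the thread; the sample outputs
# below are constructed, not captured from a real host.

# check_forwarding <sysctl output>: 0 when net.inet.ip.forwarding is 1
check_forwarding() {
    printf '%s\n' "$1" | awk -F'= *' '
        $1 ~ /^net\.inet\.ip\.forwarding/ { found = 1; if ($2 + 0 == 1) ok = 1 }
        END { exit ((found && ok) ? 0 : 1) }'
}

# bridge_members <brconfig output>: prints one member interface per line,
# taken from the "Interfaces:" section (which ends at "Address cache")
bridge_members() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*Interfaces:/     { in_if = 1; next }
        /^[ \t]*Address cache/   { in_if = 0 }
        in_if && /^[ \t]*[a-z]+[0-9]+ flags=/ { print $1 }'
}

# check_bridge <brconfig output> <tap if> <lan if>: 0 when both are members
check_bridge() {
    members=$(bridge_members "$1")
    for want in "$2" "$3"; do
        printf '%s\n' "$members" | grep -qx "$want" ||
            { echo "missing bridge member: $want" >&2; return 1; }
    done
    return 0
}

# Constructed samples in the shape NetBSD's sysctl(8) and brconfig(8) print.
SAMPLE_SYSCTL='net.inet.ip.forwarding = 1'
SAMPLE_BRCONFIG='bridge0: flags=41<UP,RUNNING>
        Configuration:
                priority 32768 hellotime 2 fwddelay 15 maxage 20
        Interfaces:
                nfe0 flags=3<LEARNING,DISCOVER>
                        port 1 priority 128
                tap0 flags=3<LEARNING,DISCOVER>
                        port 7 priority 128
        Address cache (max cache: 100, timeout: 1200):'

# On the VPN host itself, after openvpn has run bridgeup.sh:
#   check_forwarding "$(sysctl net.inet.ip.forwarding)" &&
#       check_bridge "$(brconfig bridge0)" tap0 nfe0 && echo "bridge ok"
```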

