tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Fwd: openvpn, no errors but no workie...

Well here's the fix for me...

Like all BSD variants, the tap method requires a kernel with                    
tap, bridge and GATEWAY enabled in the kernel. The sysctl option                
for packet forwarding must be set. (In NetBSD that would be                     
net.inet.ip.forwarding=1, typically from /etc/sysctl.conf at boot)              
The last line of the config file specifies the location of a script to          
run on startup:                                                                 
up /usr/local/etc/openvpn/                                           
This script brings up the tap interface and assigns it a dummy address          
so it doesn't go back down. It is also important to bridge the tap              
interface to the lan interface so packets will leave the box! (They             
won't route out of the tap interface without it.) For example                   
# make an ip to bring up the tap interface                                      
ifconfig $1 netmask                             
# make bridge0 to pass through the tap interface to the private network :)      
ifconfig create bridge0                                                         
brconfig bridge0 add $1 add nfe0 up                                             
Be sure to specify the correct interface for the LAN (on this host it is        
nfe0) the tap interface (typically tap0) is passed to the script as $1          
by openvpn.                                                                     
greetings, George                                                               

On Sun 13 Jul 2008 at 10:34:27 PM -0700, Brian Buhrow wrote:
>       Hello.  I'm running OpenVPN 2.0.5 on NetBSD-4.0 with both clients and
>servers, and it works flawlessly.  It's very stable, connects right away,
>and runs for weeks without a hickup.
>       The difference between my setup and yours is that I'm using tun
>devices rather than tap devices.  Since tap devices imply layer 2 level
>switching, I wonder if there's some problem with the config as you
>transfered it from FreeBSD to  NetBSD?  I know the tap driver works on
>NetBSD-4.x because I'm using it elsewhere without difficulty.
>On Jul 13, 10:24pm, George Georgalis wrote:
>} Subject: Fwd: openvpn, no errors but no workie...
>} Maybe I should run this by the kernel list? I think the
>} only option needed for this openvpn configuration is
>} pseudo-device tap? (which is enabled)
>} // George
>} ----- Forwarded message from George Georgalis <> 
>} Date: Sun, 13 Jul 2008 21:44:56 -0400
>} From: George Georgalis <>
>} To:, 
>} Subject: openvpn, no errors but no workie...
>} I deployed openvpn a few years ago on a FreeBSD box and
>} it has worked flawlessly. But the other day the hardware
>} failed and I put the config and keys on a netbsd-4
>} box. The daemon starts up normal, and clients initialize
>} quickly. It is a tap based vpn, and the route is pushed
>} by the server, but not the gateway or ns.
>} Besides all the logs not showing errors, the clients do
>} get a proper route added for the remote subnet, eg this
>} IP is on the remote side of the connection:
>} # route get
>}    route to:
>} destination:
>}        mask:
>}   interface: tap0
>}       flags: <UP,DONE,CLONING>
>}  recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     
>}        0         0         0         0         0         0      1500      
>} the vpn server lan ip and subnet show in my client
>} routing table...
>} 192.168.15         link#7             UC          1        0   tap0
>}      link#7             UHLW        0        0   tap0
>} and you can see my client connection in the status log
>} Virtual Address,Common Name,Real Address,Last Ref
> Jul 13 21:33:15 2008
>} but that's it. no workie. I can't ping the client ip
>} from the cooresponding ipp.txt:
>} George_Georgalis_fuji_2007.07.27.1854.07,
>} (I'm not sure where else I might find that IP on the
>} server, it's not in the arp table), nor can I reach any
>} other ip on the remote subnet, including the server's
>} lan IP.
>} I've turned off all firewalling and I can reach the
>} private subnet from a shell on the vpn server.
>} What could be the problem here?
>} // George
>} -- 
>} George Georgalis, information system scientist <IXOYE><
>} ----- End forwarded message -----
>} -- 
>} George Georgalis, information system scientist <IXOYE><
>>-- End of excerpt from George Georgalis

George Georgalis, information system scientist <IXOYE><

Home | Main Index | Thread Index | Old Index