Re: [Openvpn-users] Re: openvpn and ccd


  • Subject: Re: [Openvpn-users] Re: openvpn and ccd
  • From: "BlaaT 0001" <blaat0001@xxxxxxxxx>
  • Date: Thu, 13 Apr 2006 17:55:37 +0200

Hello again,

> just a question: is it necessary to use the tun interface in routed mode and
> the tap interface in bridged mode?
> if I understood correctly
>            * the tap interface is a virtual ethernet interface which has to be
> bridged with a real ethernet interface like eth0/1
>            * the tun interface is a virtual interface too but I don't
> understand why it is not necessary to bridge it?
>

When you're using the TAP interface you're working with Ethernet
Frames. IP Packets are encapsulated in Frames (the source and
destination MAC address and some additional information are added to
the IP packet).

When you're using the TUN interface you're working with IP Packets.

When hosts are on the same LAN (connected to the same switch for instance)
they communicate with each other using the MAC address of each host,
this is called layer 2 communication (ISO Layer 2).

When hosts are not on the same LAN they will only be able to
communicate on Layer 3 (using Internet Protocol IP). Their IP packets
are routed by routers and these routers communicate with the clients
on Layer 2 using the MAC address.

Same LAN (or the same IP subnet):

Client 1 MAC --> Message --> Client 2 MAC

Different LAN (different IP subnet):

Client 1 IP --> Router 1 MAC ---> Intermediate routers MAC / IP -->
Router 2 MAC <-- Client 2 IP

Basically what I'm trying to tell you is that the clients communicate
with their routers on Layer 2 using the MAC address, the router routes
your IP packet to the other router which in turn sends it as an
ethernet frame to client 2.

Cisco explains this in about 100 pages of text in detail. It's really
just basic Ethernet knowledge and pretty hard to explain in a short
note. OpenVPN has nothing to do with it really.

Remember when you're using TUN you're working with IP packets. IP
packets need to be routed. You have to use different IP Subnets when
you're using TUN for your LAN and your OpenVPN Virtual LAN.

TAP works with frames, frames do not need to be routed. OpenVPN subnet
is the same as your LAN and they are connected to each other using a
software mechanism called bridge. The bridge software relays the
frames from your OpenVPN clients to the LAN and the other way round.
It's really a connection between your tun0 and eth0 interface.

Instead of IP forwarding which you use with TUN you use bridging with TAP.

When you use TAP your OpenVPN server is basically a switch, each
time an openvpn client connects you basically plug its cable into
the switch and he's connected and ready to talk to other clients as if
he's on the same LAN.

I hope this clarifies matters a bit.

Good luck with your internship period.

BlaaT
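The frame-versus-packet distinction BlaaT describes, shown as an added Python example that is not part of his post or of OpenVPN: an IPv4 packet is built (the unit a TUN interface carries), then wrapped in an Ethernet frame with destination and source MAC addresses (the unit a TAP interface hands to the bridge), and parsed back. All addresses and the `b"ping"` payload are constructed sample values; the 192.168.1.x addresses only echo the thread's VPN subnet.

```python
import struct

ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(part, 16) for part in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); yields 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src_ip: str, dst_ip: str, payload: bytes, proto: int = 1) -> bytes:
    """Layer 3 unit: exactly what travels through a TUN interface (no MAC addresses at all)."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # version/IHL, TOS, total length, ID, flags/fragment, TTL, protocol, checksum=0, src, dst
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0, src, dst)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def build_ethernet_frame(src_mac: str, dst_mac: str, packet: bytes) -> bytes:
    """Layer 2 unit: what a TAP interface hands to the bridge (the packet plus a 14-byte MAC header)."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + packet


def parse_ethernet_frame(frame: bytes) -> dict:
    """Split the Ethernet header from its payload; for EtherType 0x0800 the payload is an IP packet."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype, "packet": frame[14:]}


def parse_ipv4_packet(packet: bytes) -> dict:
    """Read the fixed IPv4 header fields a router uses (addresses, protocol) and verify the checksum."""
    ihl = (packet[0] & 0x0F) * 4
    header = packet[:ihl]
    f = struct.unpack("!BBHHHBBH4s4s", header[:20])
    return {
        "src_ip": ".".join(str(b) for b in f[8]),
        "dst_ip": ".".join(str(b) for b in f[9]),
        "proto": f[6],
        "checksum_ok": ipv4_checksum(header) == 0,
        "payload": packet[ihl:f[2]],
    }


def tun_view_of(frame: bytes) -> bytes:
    """A routed (TUN) setup never sees the frame: strip the layer 2 header and keep only the packet."""
    return parse_ethernet_frame(frame)["packet"]


def demo() -> dict:
    # Constructed sample addresses (locally administered MACs, VPN-subnet IPs).
    packet = build_ipv4_packet("192.168.1.2", "192.168.1.1", b"ping")
    frame = build_ethernet_frame("02:00:00:00:00:02", "02:00:00:00:00:01", packet)
    return {
        "frame_len": len(frame),
        "packet_len": len(packet),
        "tun_sees_packet": tun_view_of(frame) == packet,
    }


if __name__ == "__main__":
    print(demo())
```

The 14 extra bytes in the frame are the only difference between what a bridged TAP setup and a routed TUN setup carry; the bridge forwards on the MAC fields, while the server in TUN mode forwards on the IP fields, which is why TUN needs a distinct subnet and a route.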




On 4/13/06, Pierre LEONARD <pier.leonard@xxxxxxx> wrote:
>  BlaaT 0001 wrote:
>  Hello Pierre,
>
> I've put some comments in your previous message.
>
> On 4/13/06, Pierre LEONARD <pier.leonard@xxxxxxx> wrote:
>
>
>  Pierre LEONARD wrote:
>
>
>
>  hello
> I'm a French student and I work on openvpn during my training period
>
> in fact I've two problems but maybe it's the same...
>
> I would like to use a tunnel with a tun interface in routed mode
> I generate my certificate, the authentication is successful
> the connection is established.
>
> the logs are the following on the server side:
> ********************************************************************************************************
>
> <client public ip>:33743 [nomade.test.pierre] Peer Connection
> Initiated with <client public ip>:33743
> nomade.test.pierre/<client public ip>:33743 MULTI: no dynamic or
> static remote --ifconfig address is available for
> nomade.test.pierre/<client public ip>:33743
> nomade.test.pierre/<client public ip>:33743 PUSH: Received control
> message: 'PUSH_REQUEST'
> nomade.test.pierre/<client public ip>:33743 SENT CONTROL
> [nomade.test.pierre]: 'PUSH_REPLY,ifconfig 192.168.1.2
> 192.168.1.1,route 192.168.1.0 255.255.255.0,ping 10,ping-restart 120'
> (status=1)
> ********************************************************************************************************
>
> and the initialization of the sequence is completed without error on
> the client side
>
>
> but with the following configuration I cannot ping the server from the
> client, I've this message on the server side:
> *********************************************************************************************************
>
> nomade.test.pierre/<client public ip>:33743 MULTI: bad source address
> from client [192.168.1.2], packet dropped
> *********************************************************************************************************
>
> I don't understand why, because the tun interfaces are ok on both sides
>
>
> my configuration for the server is
> *********************************************************************************************************
>
> local <server public ip>
> port 1194
> proto udp
> dev tun
> mode server
>
>  --server network netmask
>  A helper directive designed to simplify the configuration of
> OpenVPN's server mode. This directive will set up an OpenVPN server
> which will allocate addresses to clients out of the given
> network/netmask. The server itself will take the ".1" address of the
> given network for use as the server-side endpoint of the local TUN/TAP
> interface.
>
>  For example, --server 10.8.0.0 255.255.255.0 expands as follows:
>
>  mode server
>  tls-server
>
>  if dev tun:
>  ifconfig 10.8.0.1 10.8.0.2
>  ifconfig-pool 10.8.0.4 10.8.0.251
>  route 10.8.0.0 255.255.255.0
>  if client-to-client:
>  push "route 10.8.0.0 255.255.255.0"
>  else
>  push "route 10.8.0.1"
>
>  if dev tap:
>  ifconfig 10.8.0.1 255.255.255.0
>  ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0
>  push "route-gateway 10.8.0.1"
>
> This pretty much means you can configure the IP of the server much easier
> with:
>
> server 192.168.1.0 255.255.255.0
>
> That's it.
>
> ##> > tls-server
> The server directive obsoletes the tls-server directive, you can
> remove it from your server config.
>
>
>
>
>
>  tun-mtu 1500
> mssfix
>
> persist-key
> persist-tun
> ca .../cacert.pem
> cert .../vpn.pierre.crt
> key .../vpn.pierre.key
> dh .../dh1024.pem
>
>
>  ##> > ifconfig 192.168.1.1 192.168.1.2
> You don't need this anymore. Remove it from your config file
>
> ##> > route 192.168.1.0 255.255.255.0
> ##> > push "ifconfig 192.168.1.2 192.168.1.1"
> ##> > push "route 192.168.1.0 255.255.255.0"
> You don't need this anymore as well, read the man page on the "server"
> directive.
>
>
>
>
>  client-to-client << don't leave this out if you want your vpn clients to
> see each other
>
> keepalive 10 120
> cipher BF-CBC
> comp-lzo
> max-clients 15
> user nobody
> group nogroup
> chroot .../logs
> status ...logs/status_routed.log
> log-append ...logs/openvpn_routed.log
> verb 4
> ************************************************************************************************************
>
>
> and the client:
> ************************************************************************************************************
>
> client
>
>  -client
>  A helper directive designed to simplify the configuration of
> OpenVPN's client mode. This directive is equivalent to:
>
>  pull
>  tls-client
>
>
>
>
>
>
>
>  dev tun
> proto udp
> remote <server public ip> 1194
> resolv-retry infinite
> nobind
>
>
>  ##> > tls-client
> You don't need this due to the "client" directive, you can remove it
> from your config.
>
>
>
>
>  persist-key
> persist-tun
> ca .../cacert.pem
> cert .../nomade1.pierre.crt
> key .../nomade1.pierre.key
>
> keepalive 10 60
> cipher BF-CBC
> comp-lzo
> verb 2
> mute 5
> **************************************************************************************************************
>
>
>
>
>
>
> my second problem, which maybe is linked, is that when I try to use the ccd
> directory, I've this error on the server
> **************************************************************************************************************
>
> TLS Auth Error: --client-config-dir authentication failed for common
> name 'nomade.test.pierre'
> file='/etc/openvpn/ccd/nomade.test.pierre'
> **************************************************************************************************************
>
>
> but I specify on the client the "pull" directive
> and on the server I specify:
> ***********************************************
> chroot /etc/openvpn/ccd # I don't know if necessary
> client-config-dir /etc/openvpn/ccd
> ccd-exclusive
> ***********************************************
> without "push ifconfig..."
>
>  No you don't. You specified:
>
> chroot .../logs in your server config.
>
> If your config files reside in "/etc/openvpn" this would chroot
> openvpn into /etc/openvpn/logs or /etc/logs (../ = /etc)
>
> If you specify a CCD dir then this directory must reside in this
> /etc/openvpn/logs directory.
>
> I would recommend creating a directory /etc/openvpn/jail
> In the server config file specify:
>
> chroot /etc/openvpn/jail
> client-config-dir ccd
> ccd-exclusive
>
> Create a directory /etc/openvpn/jail/ccd and place all your CCD files
> in that directory.
>
>
>
>
>
>
>
>  I hope I'm clear!
> who could help me??
> thank you for your interest
>
>
>  nobody could help me please?
> I don't find any solution on the web
>
>
>
>
>
> Good luck and don't forget to post your findings,
>
> Cheers,
>
> BlaaT
>
>
>
>  ok that's right
>  in fact my problem came from 2 main points
>  * I didn't understand all the directives and the difference between mode server
> and server (it's better now ! :-) )
>  * and apparently it isn't possible to specify 2 roots in the chroot directive
> such as one for the ccd dir and one for the log dir
>
>  my actual structure is the following:
>
>  /etc
>    /openvpn
>      /config
>      /jail
>        /ccd
>        /log
>      /tls
>
>  and now I chroot the jail dir (thanks blaat)
>  thanks a lot for your help blaat & cduffy
>  :-)
>  now I continue my tour and I will work on a tap interface in bridged
> mode
>
>  just a question: is it necessary to use the tun interface in routed mode and
> the tap interface in bridged mode?
>  if I understood correctly
>            * the tap interface is a virtual ethernet interface which has to be
> bridged with a real ethernet interface like eth0/1
>            * the tun interface is a virtual interface too but I don't
> understand why it is not necessary to bridge it?
>
>
>
>

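The chroot/client-config-dir interaction explained in the quoted exchange above (the CCD lookup happens inside the jail, so a CCD directory created outside it is never found and `ccd-exclusive` then fails the client), worked through as an added Python example that is neither Pierre's nor BlaaT's code and not OpenVPN's own logic. It resolves, for a small constructed server config, the path OpenVPN would print in its log and the path on the real filesystem where the file must exist. Two assumptions are made, labelled in the comments: the chroot target is resolved relative to the daemon's working directory before chroot(), and inside the jail the CCD path is interpreted with `/` as the working directory. The configs, the `/etc/openvpn/logs` reading of the thread's elided `.../logs`, and the set of "existing" files are constructed for the example.

```python
import posixpath


def parse_directives(config_text: str) -> dict:
    """Minimal OpenVPN config reader: one directive per line, '#' starts a comment."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        directives[name] = args
    return directives


def resolve_ccd_file(config_text: str, common_name: str, cwd: str = "/etc/openvpn"):
    """Return where the per-client file is looked up, or None when no client-config-dir is set.

    'logged_path' is what the daemon sees (and prints in the TLS Auth Error line);
    'host_path' is where an administrator must actually create the file.
    """
    d = parse_directives(config_text)
    if "client-config-dir" not in d:
        return None
    ccd = d["client-config-dir"][0]
    if "chroot" not in d:
        host = posixpath.normpath(posixpath.join(cwd, ccd, common_name))
        return {"logged_path": host, "host_path": host}
    # Assumption: the chroot directory is resolved relative to cwd before chroot().
    jail = posixpath.normpath(posixpath.join(cwd, d["chroot"][0]))
    # Assumption: after chroot() the working directory is '/', so a relative
    # client-config-dir such as 'ccd' means '/ccd' inside the jail.
    logged = posixpath.normpath(posixpath.join("/", ccd, common_name))
    return {"logged_path": logged, "host_path": posixpath.normpath(jail + logged)}


def client_rejected_by_ccd_exclusive(config_text: str, common_name: str,
                                     existing_host_paths: set, cwd: str = "/etc/openvpn") -> bool:
    """With ccd-exclusive a missing per-client file is an authentication failure, not a warning."""
    d = parse_directives(config_text)
    if "ccd-exclusive" not in d:
        return False
    resolved = resolve_ccd_file(config_text, common_name, cwd)
    return resolved is None or resolved["host_path"] not in existing_host_paths


# Constructed server configs modelled on the thread (chroot path filled with BlaaT's
# /etc/openvpn/logs reading of the elided '.../logs'; these are not the original files).
BROKEN_CONFIG = """\
server 192.168.1.0 255.255.255.0
chroot /etc/openvpn/logs
client-config-dir /etc/openvpn/ccd
ccd-exclusive
"""

FIXED_CONFIG = """\
server 192.168.1.0 255.255.255.0
chroot /etc/openvpn/jail
client-config-dir ccd
ccd-exclusive
"""

# Constructed picture of the administrator's real filesystem: one CCD file placed
# outside any jail, one placed inside /etc/openvpn/jail as BlaaT recommends.
ADMIN_FILES = {
    "/etc/openvpn/ccd/nomade.test.pierre",
    "/etc/openvpn/jail/ccd/nomade.test.pierre",
}


def demo() -> dict:
    cn = "nomade.test.pierre"
    return {
        "broken": resolve_ccd_file(BROKEN_CONFIG, cn),
        "broken_rejected": client_rejected_by_ccd_exclusive(BROKEN_CONFIG, cn, ADMIN_FILES),
        "fixed": resolve_ccd_file(FIXED_CONFIG, cn),
        "fixed_rejected": client_rejected_by_ccd_exclusive(FIXED_CONFIG, cn, ADMIN_FILES),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

For the broken config the logged path is `/etc/openvpn/ccd/nomade.test.pierre`, which looks correct to the administrator, while the file is actually searched at `/etc/openvpn/logs/etc/openvpn/ccd/nomade.test.pierre`; that gap between the logged path and the host path is the whole problem in the thread, and keeping every file the daemon needs after privilege drop (CCD files, status and log files) under one jail directory is what removes it.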

-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users