[Openvpn-users] Server with one NIC in order to bridge clients.


  • Subject: [Openvpn-users] Server with one NIC in order to bridge clients.
  • From: Nauleau Frédéric <frederic.nauleau@xxxxxxxxx>
  • Date: Wed, 6 Sep 2006 00:02:25 +0200

Hello,

   I found a lot of stuff about my search but I have still one problem.

I explain my problem:

    I have a Debian Sarge server with only one NIC connected to the Internet.
    I have several clients (under MacOsX/Unix/Windows) which connect to the server via OpenVPN. I would like to create a virtual LAN with the server and all the connected clients, with broadcast.
Clients must see other clients of course.

I decided to create a bridge server without bridging a physical NIC.

This is what I manage to have:

Server can ping all of my clients
My clients can ping the server
My clients CAN'T ping other clients...

I think that it's a route/firewall problem but I don't know what to do...

Thanks for help
THANKS THANKS THANKS for people who will help me.

  Fred.

My CONFIG:

1°) Server config file
2°) bridging start script
3°) Client config file
4°) Server if config
5°) Firewall ipTable launch script

------------------------------------------
1° Server config file
------------------------------------------

port 6969
proto udp

dev tap0
ca /etc/openvpn/config/rsa/keys/ca.crt
cert /etc/openvpn/config/rsa/keys/LeMoustique.crt
key /etc/openvpn/config/rsa/keys/LeMoustique.key
dh /etc/openvpn/config/rsa/keys/dh1024.pem

ifconfig-pool-persist ipp.txt
server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254

client-to-client
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

------------------------------------------
2° Bridging start
------------------------------------------

#!/bin/bash

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

for t in $tap; do
     openvpn --mktun --dev $t
done

brctl addbr $br
#brctl addif $br $eth

for t in $tap; do
     brctl addif $br $t
done

for t in $tap; do
     ifconfig $t 0.0.0.0 promisc up
done

ifconfig $br 192.168.8.1 netmask 255.255.255.0 broadcast 192.168.8.255

------------------------------------------
3° Client config file
------------------------------------------

client
dev tap
proto udp
remote HIDDEN ADDRESS 6969
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert NauleauFrederic-iMac.crt
key NauleauFrederic-iMac.key
comp-lzo
verb 3

------------------------------------------
4° Server if config
------------------------------------------

br0       Lien encap:Ethernet  HWaddr 82:A1:0D:57:AC:05
           inet adr:192.168.8.1  Bcast:192.168.8.255  Masque:255.255.255.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:40 errors:0 dropped:0 overruns:0 frame:0
           TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 lg file transmission:0
           RX bytes:1321 (1.2 KiB)  TX bytes:378 (378.0 b)

eth0      Lien encap:Ethernet  HWaddr 00:40:63:E7:B2:41
           inet adr:88.191.28.69  Bcast:88.191.28.255  Masque:255.255.255.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:40222 errors:0 dropped:0 overruns:0 frame:0
           TX packets:21098 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 lg file transmission:1000
           RX bytes:3462133 (3.3 MiB)  TX bytes:3648996 (3.4 MiB)
           Interruption:18 Adresse de base:0xfc00

lo        Lien encap:Boucle locale
           inet adr:127.0.0.1  Masque:255.0.0.0
           UP LOOPBACK RUNNING  MTU:16436  Metric:1
           RX packets:2382 errors:0 dropped:0 overruns:0 frame:0
           TX packets:2382 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 lg file transmission:0
           RX bytes:353230 (344.9 KiB)  TX bytes:353230 (344.9 KiB)

tap0      Lien encap:Ethernet  HWaddr 82:A1:0D:57:AC:05
           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
           RX packets:40 errors:0 dropped:0 overruns:0 frame:0
           TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 lg file transmission:100
           RX bytes:1881 (1.8 KiB)  TX bytes:378 (378.0 b)

------------------------------------------
5° Firewall ipTable rules
------------------------------------------

#!/bin/bash
echo Setting firewall rules...

#
# basic configuration
#

# flush
iptables -t filter -F
iptables -t filter -X

# first of all: allow SSH
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT

# do not break established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# deny all incoming connections
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP

# deny all outgoing connections
iptables -t filter -P OUTPUT ACCEPT

# allow DNS, FTP, HTTP requests (for updates)
modprobe ip_conntrack_ftp
iptables -t filter -A OUTPUT -p udp --dport 6969 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT

# allow loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

# Refuse ping <- to be commented out
iptables -t filter -A INPUT -p icmp -j ACCEPT

#
# handling of allowed incoming connections
#

# iptables -t filter -A INPUT -p <tcp|udp> --dport <port> -j ACCEPT

# vpn
iptables -t filter -A INPUT -p udp --dport 6969 -j ACCEPT

# http, https
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT

# ftp
iptables -t filter -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# dns
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
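A small consistency check for a TAP bridge setup like the one posted above, added here as an example and not part of the original message or of OpenVPN itself. It compares the `server-bridge` gateway, netmask and pool against the address actually configured on the bridge interface; the sample values are the ones from the post (br0 at 192.168.8.1/24, `server-bridge` gateway 192.168.8.4), and the function names are my own.

```bash
#!/bin/bash
# Added example: sanity-check an OpenVPN "server-bridge" line against the
# address configured on the bridge interface. Values below are taken from
# the post; the checker is illustrative, not an OpenVPN tool.

# dotted quad -> integer
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_bridge_config GATEWAY NETMASK POOL_START POOL_END BRIDGE_ADDR
# Prints one line per finding; returns 0 when nothing is wrong, 1 otherwise.
check_bridge_config() {
  local gw=$(ip2int "$1") mask=$(ip2int "$2")
  local ps=$(ip2int "$3") pe=$(ip2int "$4") br=$(ip2int "$5")
  local rc=0
  # Clients are told the gateway from server-bridge; the bridge must own it.
  if [ "$gw" -ne "$br" ]; then
    echo "server-bridge gateway $1 differs from bridge address $5"
    rc=1
  fi
  # Both ends of the pool must be inside the gateway's subnet.
  if [ $(( ps & mask )) -ne $(( gw & mask )) ] \
     || [ $(( pe & mask )) -ne $(( gw & mask )) ]; then
    echo "pool $3-$4 is not inside the gateway subnet"
    rc=1
  fi
  if [ "$ps" -gt "$pe" ]; then
    echo "pool start $3 is above pool end $4"
    rc=1
  fi
  # The bridge's own address must not be handed out to a client.
  if [ "$br" -ge "$ps" ] && [ "$br" -le "$pe" ]; then
    echo "bridge address $5 lies inside the client pool"
    rc=1
  fi
  return $rc
}

# Values from the post: br0 is 192.168.8.1/24, server-bridge says 192.168.8.4
check_bridge_config 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254 192.168.8.1 \
  || echo "config has findings (see above)"
```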