On Thu, 17 Nov 2005, luk4sz wrote:
so it means that we are both doing the same stupid mistake or that this howto on openvpn.net page is just crap But how one could publish it when it doesn't work?
Well, I think the documentation is very good and points you in the right direction, but as always with complex tools like VPNs you need a good knowledgle about IP networking and be able to troubleshot and draw your own conclutions about a perticular problem. If you don't have this basic knowledge I'd recommend you pay someone todo it for you. After all, it's a security application you're working with here so if you don't understand it fully you risk exposing your complete network...
Please don't complain about the documentation. If you buy a commersial product, complain as much as you want. With an opensource product, use the documentation as it is, then use your own brain, and when you have found something that could have been documented better supply a patch with your enhanced version.
There is one thing that I don't understand, and maybe You could explain it to me. In Ethernet Bridging Notes on this page: http://openvpn.net/bridge.html they wrote:
Draw a picture of what you're trying to acomplish and you will probably understand what it means. In short words, don't tell your OpenVPN client to connect to an OpenVPN server on an IP address that belongs to the local network that you will be bridging across the network.
And for Daniel, in you orignal post you wrote:
At the moment, I've setup the bridge-start/stop scripts from the Howto page, referencing "br0", "tap1" (because tap0 is currently used by a working VPN), and "eth1", with IP 126.96.36.199. So I'm bridging with the external interface and IP - is that correct?
Just try to think logical. You have made your OpenVPN client use an IP address directly out of your local network. When he tries to ping a machine on the local network, this ping will be encrypted by OpenVPN and sent to the OpenVPN server over the public internet. Then when it arrives on your server, it will be decrypted and sent out on tap1 (as that's the interface you have specified in your openvpn server config).
Now what do you want to happend with this packet?? Do you want it briged with your external interface so it will be forwarded back out there un-encrypted? No, ofcource not, you want it forwarded to your local physical interface (eth0?) so it can reach the machine you were trying to ping. So, bridge it with your local interface.
Here's how I bring my interfaces up before starting OpenVPN on my servers:
openvpn --mktun --dev tap0
brctl addbr br0 brctl addif br0 tap0 brctl addif br0 eth0 brctl stp br0 off
ifconfig tap0 promisc up ifconfig eth0 promisc up ifconfig br0 10.10.0.1 netmask 255.255.255.0 broadcast 10.10.0.255
ifconfig eth1 my.public.ip netmask 255.255.255.248 broadcast x.x.x.x route add default gw x.x.x.x
Then I start OpenVPN with a config like this:
port 443 proto tcp-server dev tap0
tls-server pkcs12 server.p12 dh dh1024.pem mode server daemon ifconfig 10.10.0.1 255.255.255.0 crl-verify crl.pem
client-to-client client-config-dir /etc/openvpn/clients-config
ifconfig-pool 10.10.0.200 10.10.0.210 ifconfig-pool-persist openvpn.ipp 30
ping 10 ping-restart 120 mssfix 1400
user nobody group nobody persist-tun persist-key
log /var/log/openvpn-tcp.log status /var/log/openvpn-tcp.status 10 status-version 2 verb 3 mute 10
____________________________________________ Openvpn-users mailing list Openvpn-users@xxxxxxxxxxxxxxxxxxxxx https://lists.sourceforge.net/lists/listinfo/openvpn-users