Re: [Openvpn-users] mixed tun-tap setup


  • Subject: Re: [Openvpn-users] mixed tun-tap setup
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Tue, 11 Dec 2007 07:31:50 -0600
  • Openpgp: id=2E5A5127
  • Z-usanet-msgid: XID249LLkNf50221X29

sadfub@xxxxxxx wrote:
> Hello everyone,
>
> actually I've here a multiple client tun-server running, but I need a
> client with a tap device. (I'll use this in a VMware instance with
> bridging, and tun doesn't work) Since each connection has to have
> identically tun xor tap interfaces my server.conf has a "dev tun" line
> in its configuration file. Hence I feel impossible to make a tap-client.
>   

I don't know if this is a limitation of your VM guest, but I've used tun
devices in OpenVPN (both as a Linux and Windows guest using VMware's
bridging configuration for the client adapter.)

> A solution could be to run multiple OpenVPN instances on my box, and
> connect the networks with routing. So I inspected the
> /etc/init.d/openvpn script and I saw that there seems to be support for
> multiple instances:
>
> [...]
> for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do
>    NAME=${CONFIG%%.conf}
>    start_vpn
> done
> [...]
>   

Most distributions' initscripts do the same thing, which allows you to
run as many OpenVPN daemons as you want.  Just create another
/etc/openvpn/bridge.conf (or whatever you want to call it) and set it up
to use a tap adapter.  Don't forget to take care of the interface
bridging on your server if you want to bring this client onto your
existing LAN.

As a small side note, different distributions may have slightly
different initscripts, so consult any documentation that's in your
file.  I don't recognize that snippet of code from the official OpenVPN
initscript (which only works on Redhat or similar init systems), which is
why I bring this up.

> My question, is there a small guide somewhere that I could read? Is it
> possible to use the certificates I'm already using for the tun-openvpn
> network, since the new instance would need a server certificate, or am I
> wrong?
>   

You can use the same set of certificates on both servers, but just
remember that this means a client with a valid certificate could choose
to connect to either server, so be mindful of your security needs.  If
that poses a problem you might want to either use a verify script to
only allow specific clients or consider a separate set of certificates
for each instance.

As far as a guide goes, here's the OpenVPN.net example of a bridged
configuration: http://openvpn.net/bridge.html.

-- 
Josh
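The two points made in the reply above (one config file per instance, and a verify script when both instances share a CA) can be shown together in a small POSIX shell script. This is an added example, not code from the thread or from the OpenVPN project. It assumes OpenVPN's documented `--tls-verify` contract (the script receives the certificate depth and the X.509 subject as its two arguments, and exit status 0 accepts), that the subject is rendered in either the `/C=US/CN=name` or the `C=US, CN=name` layout, and a constructed allowlist of client common names; `instance_names` mirrors the `NAME=${CONFIG%%.conf}` logic in the quoted initscript.

```shell
#!/bin/sh
# Added example (not from the thread): per-instance config enumeration plus a
# tls-verify allowlist for one OpenVPN instance that shares a CA with another.

# Constructed allowlist of client CNs permitted on this (tap) instance. Assumption:
# the tun instance gets its own script with its own list.
ALLOWED_CNS="tap-client1 tap-client2"

# List instance names from a config directory, one per *.conf file, the same way
# the quoted initscript derives NAME from CONFIG.
instance_names() {
    dir="$1"
    for cfg in "$dir"/*.conf; do
        [ -e "$cfg" ] || continue           # no *.conf files: glob stays literal
        name=${cfg##*/}                      # strip directory
        printf '%s\n' "${name%.conf}"        # strip extension
    done
}

# Pull the CN out of an X.509 subject string in "/C=US/O=x/CN=name" or
# "C=US, O=x, CN=name" form (assumed layouts; adjust for your OpenVPN version).
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN=\([^/,]*\).*/\1/p' | sed 's/^ *//;s/ *$//'
}

# tls-verify policy: accept CA certificates (depth > 0) so the chain can be
# checked, and accept a leaf certificate only if its CN is on the allowlist.
# Returns 0 to allow, 1 to deny.
tls_verify_allow() {
    depth="$1"
    subject="$2"
    if [ "$depth" -ne 0 ]; then
        return 0
    fi
    cn=$(subject_cn "$subject")
    if [ -z "$cn" ]; then
        return 1                             # no CN at all: deny
    fi
    for allowed in $ALLOWED_CNS; do          # word-split on purpose
        if [ "$cn" = "$allowed" ]; then
            return 0
        fi
    done
    return 1
}

# When OpenVPN invokes this file with (depth, subject), act as the tls-verify hook.
if [ "$#" -eq 2 ]; then
    tls_verify_allow "$1" "$2"
    exit $?
fi
```

Hook it in with `tls-verify /etc/openvpn/tap-verify.sh` in the tap instance's config (and `script-security 2` on versions that require it); clients holding a valid certificate from the shared CA but not on the list are then refused at the TLS handshake rather than being admitted to the bridged LAN.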

