
[Openvpn-users] Fw: OpenVPN and bridge-utils


  • Subject: [Openvpn-users] Fw: OpenVPN and bridge-utils
  • From: scartomail <scartomail@xxxxxxxxx>
  • Date: Sun, 10 Feb 2008 07:57:43 -0800 (PST)

Hi Will and Rob,
 
Thank you both for the interest.
 
By the way, I do agree with you on setting up the vpn connection first and then starting bridging.
That is actually what I did (what I have done a lot of times before for my other servers).
 
I have set up the OpenVPN server and then I set up the client.
They were able to connect to each other without any problems.
I could reach the server and the server could reach the client, ping and everything through the tunnel.
 
After that I started to set up bridging on the server and had to adjust the configuration files
on both client and server to make use of that bridging capability (as that is my end goal).
 
As you both said we need to have a look at your conf files, so here they are:
(I left out all the comments and stuff I don't use, or this mail would be a mile long)
 
 
 
Debian/etch/linux OpenVPN server config file.
port 1194
proto udp
dev tap0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 10.8.0.4 255.255.255.0 10.8.0.6 10.8.0.10
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log         /etc/openvpn/openvpn.log
verb 3
tun-mtu 1450
fragment 1300
mssfix
 
 
 
WindowsXP OpenVPN client file.
client
dev tap
proto udp
remote 10.0.0.21 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
tun-mtu 1450
fragment 1300
mssfix
 
 
Please note that I am on a local lan and there are no firewalls in between.
My server has just one network card, I think there is no need for a second to make the bridging part work.
 
If you could tell me the config files are set up correctly for bridging, that would make me very happy.
Then at least I got that part right and can focus on the bridging part.
 
By the way here is my /etc/network/interfaces file(where in debian/etch I configure the bridging stuff):
 

auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
      address 10.0.0.20
      netmask 255.255.255.0
      network 10.0.0.0
      broadcast 10.0.0.255
      gateway 10.0.0.1
      # dns-* options are implemented by the resolvconf package, if installed
      dns-nameservers 62.45.45.45 62.45.46.46
      dns-search DEWAAL

auto br0
iface br0 inet static
    address 10.0.0.21
    netmask 255.255.255.0
    network 10.0.0.0
    broadcast 10.0.0.255
    gateway 10.0.0.1
    bridge_ports all
    dns-nameservers 62.45.45.45 62.45.46.46   

 
 
As the tun0 and tap0 devices come up later I add them by hand(for now that is).
After logging on I do "brctl addif br0 tap0".
 
This by the way leaves me now with a gateway of 10.8.0.4 but I still can't ping or resolve anything.
 
I hope you have a better picture now and I do appreciate your help very much.
 
Rgds Edo
 
 
 

 
----- Original Message ----
From: Willy Offermans <Willy@xxxxxxxxxxxxxxxxxxx>
To: scartomail <scartomail@xxxxxxxxx>
Cc: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Sent: Saturday, February 9, 2008 10:48:43 AM
Subject: Re: [Openvpn-users] OpenVPN and bridge-utils

Hello Edo and OpenVPN friends,

On Thu, Feb 07, 2008 at 11:39:04AM -0800, scartomail wrote:
> I want bridging so the roadwarrior can have full access to the network.
> Just pushing routes seems to have a lot of limitations.

> Anyway, I did not set the push "redirect-gateway" option because I also want it to use the local network.
> But if it would resolve the problem... so I uncommented the push "redirect-gateway" option.
> Unfortunately I still have the same problem.
>
> The logfile on the server or the client are not giving me any errors on the gateway problem part (or any other).
> It's all handshake done well, adding routes and gateways???
>
> Here is the last part of my client.log:
> Thu Feb 07 20:29:07 2008 [dewaal] Peer Connection Initiated with 10.0.0.20:1194
> Thu Feb 07 20:29:08 2008 SENT CONTROL [dewaal]: 'PUSH_REQUEST' (status=1)
> Thu Feb 07 20:29:08 2008 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,route-gateway 10.8.0.4,ping 10,ping-restart 120,ifconfig 10.8.0.6 255.255.255.0'
> Thu Feb 07 20:29:08 2008 OPTIONS IMPORT: timers and/or timeouts modified
> Thu Feb 07 20:29:08 2008 OPTIONS IMPORT: --ifconfig/up options modified
> Thu Feb 07 20:29:08 2008 OPTIONS IMPORT: route options modified
> Thu Feb 07 20:29:08 2008 TAP-WIN32 device [Local Area Connection 10] opened: \\.\Global\{7379ADC9-0617-44B8-AFB0-93BD12DBF5BF}.tap
> Thu Feb 07 20:29:08 2008 TAP-Win32 Driver Version 8.4
> Thu Feb 07 20:29:08 2008 TAP-Win32 MTU=1500
> Thu Feb 07 20:29:08 2008 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.0 on interface {7379ADC9-0617-44B8-AFB0-93BD12DBF5BF} [DHCP-serv: 10.8.0.0, lease-time: 31536000]
> Thu Feb 07 20:29:08 2008 Successful ARP Flush on interface [7] {7379ADC9-0617-44B8-AFB0-93BD12DBF5BF}
> Thu Feb 07 20:29:08 2008 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
> Thu Feb 07 20:29:08 2008 route ADD 10.0.0.20 MASK 255.255.255.255 10.0.0.1
> Thu Feb 07 20:29:08 2008 Route addition via IPAPI succeeded
> Thu Feb 07 20:29:08 2008 route DELETE 0.0.0.0 MASK 0.0.0.0 10.0.0.1
> Thu Feb 07 20:29:08 2008 Route deletion via IPAPI succeeded
> Thu Feb 07 20:29:08 2008 route ADD 0.0.0.0 MASK 0.0.0.0 10.8.0.4
> Thu Feb 07 20:29:08 2008 Route addition via IPAPI succeeded
> Thu Feb 07 20:29:08 2008 Initialization Sequence Completed
>
> I'm on a local lan and can not ping 10.8.0.4 as this line says it is my gateway.
> Thu Feb 07 20:29:08 2008 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,route-gateway 10.8.0.4,ping 10,ping-restart 120,ifconfig 10.8.0.6 255.255.255.0'
>
>
> Any thoughts?
>
>
> Rgds Edo
>
>
>
> ----- Original Message ----
> From: Willy Offermans <Willy@xxxxxxxxxxxxxxxxxxx>
> To: scartomail <scartomail@xxxxxxxxx>
> Sent: Thursday, February 7, 2008 1:12:40 PM
> Subject: Re: [Openvpn-users] OpenVPN and bridge-utils
>
> Hello Edo and OpenVPN friends,
>
> On Thu, Feb 07, 2008 at 03:27:18AM -0800, scartomail wrote:
> > Hi Everyone,
> >
> > I have set up an OpenVPN server (debian/etch) and one client (winXP).
> > The client should be a roadwarrior and connect to the network behind the OpenVPN server.
> >
> > First I set up the connection to the OpenVPN and this was without problems.
> > But after installing and setting up the bridge-utils I do get a connection with the
> > OpenVPN server and an IP address but no gateway??
> >
> > The client can not even ping the OpenVPN server on 10.8.0.1?
> > The last line in my client's OpenVPN log is: Unable to get a default gateway.
> >
> > Debian has provided excellent scripts and a howto but it seems that something is still wrong.
> > Anybody any experience with this kind of setup?
> >
> > Thanks in advance.
> >
> > Rgds Edo
> >
>
> Why do you need bridging?
>
> In general, you do not need bridging to have proper vpn connection.
>
> Maybe you forgot
> push "redirect-gateway"
> in your server config file, but I'm not totally sure that this is what
> you want.
>
>
> --
> Met vriendelijke groeten,
> With kind regards,
> Mit freundlichen Gruessen,
> De jrus wah,
>
> Willy
>
> *************************************
> W.K. Offermans
> Home:  +31 45 544 49 44
> Mobile: +31 653 27 16 23
> e-mail: Willy@xxxxxxxxxxxxxxxxxxx
>
>                                      Powered by ....
>
>                                            (__)
>                                        \\\'',)
>                                          \/  \ ^
>                                          .\._/_)
>
>                                      www.FreeBSD.org
>
>

What kind of limitations does pushing routes have?

I know my advice to you sounds silly, but forget about bridging for the
time being. Just setup a decent VPN connection with working pinging and
blahblah first. There are some pitfalls you will have to overcome
already, like Gateway, IP and routing problems, firewall, keys etc. If
you have overcome all these problems, then start playing with bridging.
At the end bridging isn't that hard at all, but if you have all
problems at the same time you don't know where to find the solutions.

It is very difficult for us to assist you, if you don't provide us with
detailed information. Most important are the client and server vpn
config files. Specification about OS and status of firewalls are also
interesting.


--
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,

Willy

*************************************
W.K. Offermans
Home:  +31 45 544 49 44
Mobile: +31 653 27 16 23
e-mail: Willy@xxxxxxxxxxxxxxxxxxx

                                      Powered by ....

                                            (__)
                                        \\\'',)
                                          \/  \ ^
                                          .\._/_)

                                      www.FreeBSD.org
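
An added example, not part of the original thread: a small consistency check for the two files quoted in the message above. It relies on the OpenVPN manual's definition of "server-bridge gateway netmask pool-start-IP pool-end-IP", where the gateway and netmask describe the bridged subnet and the pool is a range of addresses on that subnet. The function names and the reduced sample input are assumptions made for this example.

```python
import ipaddress

# Sample input constructed from the two files quoted in the message above.
SERVER_CONF = "server-bridge 10.8.0.4 255.255.255.0 10.8.0.6 10.8.0.10\n"
INTERFACES = """\
auto br0
iface br0 inet static
    address 10.0.0.21
    netmask 255.255.255.0
    bridge_ports all
"""

def parse_server_bridge(conf):
    """Return (gateway, netmask, pool_start, pool_end) from a server-bridge line."""
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields[:1] == ["server-bridge"] and len(fields) == 5:
            return tuple(fields[1:])
    raise ValueError("no four-argument server-bridge directive found")

def parse_bridge_network(interfaces, name="br0"):
    """Return the address/netmask of the 'iface <name> inet static' stanza."""
    opts, in_stanza = {}, False
    for line in interfaces.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "iface":
            in_stanza = fields[1:2] == [name]
        elif fields[0] in ("auto", "allow-hotplug", "mapping", "source"):
            in_stanza = False
        elif in_stanza and len(fields) >= 2:
            opts[fields[0]] = fields[1]
    return ipaddress.ip_interface(f"{opts['address']}/{opts['netmask']}")

def check_bridge_consistency(conf, interfaces, name="br0"):
    """List mismatches between server-bridge and the bridge's own subnet."""
    gw, mask, start, end = parse_server_bridge(conf)
    bridge = parse_bridge_network(interfaces, name)
    problems = []
    if ipaddress.ip_address(mask) != bridge.netmask:
        problems.append(f"netmask {mask} differs from {name} netmask {bridge.netmask}")
    for label, ip in (("gateway", gw), ("pool start", start), ("pool end", end)):
        if ipaddress.ip_address(ip) not in bridge.network:
            problems.append(f"{label} {ip} is outside {name} subnet {bridge.network}")
    if ipaddress.ip_address(start) <= bridge.ip <= ipaddress.ip_address(end):
        problems.append(f"{name} address {bridge.ip} lies inside the client pool")
    return problems
```

Calling check_bridge_consistency(SERVER_CONF, INTERFACES) returns one entry per mismatch and an empty list when the directive and the bridge agree.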


