Re: [Openvpn-users] OpenVPN 2.0 on Freebsd Bridging Problem


  • Subject: Re: [Openvpn-users] OpenVPN 2.0 on Freebsd Bridging Problem
  • From: gui <gui@xxxxxxxxxxxx>
  • Date: Mon, 20 Jun 2005 15:54:33 -0700

kldload bridge and kldload if_tap confirmed not working on my system, FreeBSD 5.4,
as the interfaces were not set to promisc mode.
After recompiling the kernel to include bridge and tap, my de0 and tap0 interfaces
were automatically set to promisc mode.
Maybe some FreeBSD experts care to comment on kldload?

Now I've to figure out how to set the firewall on my vpn server using ipfw.


regards

Chee
California

Mark J. Nernberg wrote:

From: <gui@xxxxxxxxxxxx>
Date: Mon, 20 Jun 2005 15:48:16 +0700 (PDT)
To: "Mark J. Nernberg" <mark@xxxxxxxxxxxxxxxxxxx>,
<openvpn-users@xxxxxxxxxxxxxxxxxxxxx>
Cc: gui <gui@xxxxxxxxxxxx>
Subject: Re: [Openvpn-users] OpenVPN 2.0 on Freebsd Bridging Problem

Hi Mark

Thank you for your reply once again.

I've managed to get my vpn working!
I think the kldload bridge and kldload if_tap were not working at all.
So I followed your advice and recompiled my kernel to include them.
The other change I made was to include gateway_enable in my /etc/rc.conf .
And then my openvpn started working. (I don't know if the
gateway_enable is necessary or not).

gateway_enable IS required to route packets between interfaces.

For the benefit of non-techies like me trying to install OpenVPN 2.0
(Bridged_Ethernet) on Freebsd, here is how I installed OpenVPN 2.0
(bridging) on Freebsd 5.4.

(there may be some errors as I did this in a rush)

cd /usr/ports/security/openvpn
make
make install

Beware - the instructions and scripts in the port are all Linux-specific.


This is what my setup looks like:

vpn client : Windows XP, single machine connected directly to the Internet
with an external dynamic IP.

vpn server : Freebsd 5.4, a machine with 2 physical Ethernet interfaces -
one interface xl0 connected to the Internet with a static external IP
address (e.g. 206.216.131.8);
one interface de0 connected to the office LAN with an internal IP address
(192.168.55.146);
one tap0 interface bridged to the internal interface de0.


My office LAN has a firewall/gateway (internal IP: 192.168.55.1, external
206.216.131.2).

                            206.216.131.8         192.168.55.146
XP Client <---( Internet )---> xl0 [VPN Server] de0 <-------------> Office LAN
                                                                        |
                                                                        |
          ( Internet ) <--- 206.216.131.2 [Firewall] 192.168.55.1 <-----

Office Network : 192.168.55.0 / 24

Note that in Ethernet-Bridging VPN, your VPN network is the same as your
office LAN network, unlike 'routed' VPN. Read the Ethernet Bridge page on
www.openvpn.net.


Actually, there is a router with T1 connection to the Internet at the
office and the router has ethernet ports to which xl0 and the Firewall are
connected. But this is irrelevant to the VPN.

First I recompiled my kernel to include
device      tap
options     BRIDGE

Then I did this in /etc/sysctl.conf
net.link.ether.bridge.enable=1
net.link.ether.bridge.config=de0,tap0


and in my /etc/rc.conf, I enabled gateway
gateway_enable="YES"


to generate certs and keys (from openvpn how-to page)
cd /usr/local/share/doc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-key client2
./build-key client3

./build-dh

mkdir /usr/local/etc/openvpn
cp -Rp /usr/local/share/doc/openvpn/easy-rsa /usr/local/etc/openvpn
cp /usr/local/share/doc/openvpn/sample-scripts/server.conf /usr/local/etc/openvpn

configured the server.conf file (see below).

copied the client1.key, client1.crt and ca.crt into the
c:\~\openvpn\config folder on the client PC.

And started openvpn

/usr/local/sbin/openvpn --daemon --config /usr/local/etc/openvpn/server.conf


Starting and configuring openvpn on my XP client PC was easy.



Here is my server configuration file
server.conf

port 1194
proto udp
dev tap
ca /usr/local/etc/openvpn/easy-rsa/keys/ca.crt
cert /usr/local/etc/openvpn/easy-rsa/keys/server.crt
key /usr/local/etc/openvpn/easy-rsa/keys/server.key
dh /usr/local/etc/openvpn/easy-rsa/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.55.146 255.255.255.0 192.168.55.230 192.168.55.254
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3




My client.ovpn file
client
dev tap
proto udp
remote 206.216.131.8 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3








Very good.

Glad it's working.

From: gui <gui@xxxxxxxxxxxx>
Date: Sun, 19 Jun 2005 19:25:24 -0700
To: <openvpn-users@xxxxxxxxxxxxxxxxxxxxx>
Subject: [Openvpn-users] OpenVPN 2.0 on Freebsd Bridging Problem

Hi Everybody

I'm trying to install OpenVPN 2.0 on Freebsd 5.4.
And it seems that most of the scripts and docs in the Freebsd port are
Linux-specific.
After searching the web, this is what I did.

kldload bridge
kldload if_tap
Perhaps better to compile them into the kernel.  Add to your kernel config
file:

device      tap
options     BRIDGE

and recompile/install.  While the klds are quite stable, it is more
efficient to build them statically into the kernel and strip anything out
of the kernel you don't need.

configured my server.conf as shown below (the rest are left unchanged)

configured my client.ovpn   (client running on XP)

I was able to start the server and client successfully.
And my client could get an IP address from the server.
However, I could not ping to the server internal network (the vpn
network).
It seems that the bridge is not working.

Here is how I configured the bridge (in /etc/sysctl.conf)

net.link.ether.bridge.enable=1
net.link.ether.bridge.config=de0:1,tap0:1

after starting the server, I also set my tap0 and de0 interfaces to
promisc mode.

Not needed.  Bridging the interfaces causes the kernel to put the
interfaces in promisc mode.

my server.conf :  (only modifications shown, the rest are left
unchanged)

dev tap
ca /usr/local/etc/openvpn/easy-rsa/keys/ca.crt
cert /usr/local/etc/openvpn/easy-rsa/keys/server.crt
key /usr/local/etc/openvpn/easy-rsa/keys/server.key
dh /usr/local/etc/openvpn/easy-rsa/keys/dh1024.pem
#server 10.8.0.0 255.255.255.0
server-bridge 192.168.5.146 255.255.255.0 192.168.5.230 192.168.5.254

I read from the archive:
http://openvpn.net/archive/openvpn-users/2003-09/msg00026.html
that the tap0 has to be given an IP address in the same subnet as the
internal physical interface.
But this is impossible as you cannot have two interfaces on the same
subnet.
1.) Since when is this impossible?  Impractical, yes, but definitely not
impossible.  It will cause "issues".

2.) Why does it have to be given an IP on the same subnet as the internal
physical interface?

I use:

xl0 = 192.168.0.1/24
tap0 = 10.0.0.1/24
xl1 = (my external IP address)

sysctl net.link.ether.bridge.config=xl0,tap0

it shouldn't cause any problems.

Can anybody who has successfully installed openvpn 2.0 on freebsd share
how he or she did it?

Thank you very much in anticipation

Gui
California


____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
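An added shell check (mine, not from the thread or the OpenVPN project): given the value of net.link.ether.bridge.config and the output of ifconfig, it reports every bridge member that is not in PROMISC mode, the symptom gui hit when the kldload route silently failed to attach the bridge. The ifconfig text below is constructed sample data, not a capture from the machine in the thread.

```shell
#!/bin/sh
# Added check (not from the thread): confirm every member of the FreeBSD
# BRIDGE is actually attached.  On 5.x a working bridge puts its members
# into PROMISC mode, which is the flag gui found missing after kldload.
# SAMPLE_IFCONFIG is constructed to resemble `ifconfig` on such a host.
SAMPLE_IFCONFIG='xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 206.216.131.8 netmask 0xffffff00 broadcast 206.216.131.255
de0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.55.146 netmask 0xffffff00 broadcast 192.168.55.255
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500'

# check_bridge_members CONFIG IFCONFIG_TEXT
#   CONFIG is the value of net.link.ether.bridge.config ("de0,tap0" or
#   the clustered form "de0:1,tap0:1").  Prints one line per member and
#   returns 1 if any member is missing or not in PROMISC mode.
check_bridge_members() {
    config=$1; ifcfg=$2; rc=0
    for member in $(printf '%s\n' "$config" | tr ',' ' '); do
        ifname=${member%%:*}          # drop an optional ":cluster" suffix
        flags=$(printf '%s\n' "$ifcfg" |
            sed -n "s/^${ifname}: flags=[0-9a-fA-F]*<\([^>]*\)>.*/\1/p")
        if [ -z "$flags" ]; then
            echo "$ifname: interface not found"; rc=1; continue
        fi
        case ",$flags," in
            *,PROMISC,*) echo "$ifname: PROMISC set, bridge attached" ;;
            *) echo "$ifname: PROMISC missing, bridge NOT attached"; rc=1 ;;
        esac
    done
    return $rc
}

# On a real host:
#   check_bridge_members "$(sysctl -n net.link.ether.bridge.config)" "$(ifconfig)"
check_bridge_members "de0,tap0" "$SAMPLE_IFCONFIG" || echo "bridge check failed"
```

Once the bridge is attached, the tap interface sits in the office LAN broadcast domain, so the ipfw rules on the VPN host should treat tap0 traffic exactly as they treat de0 traffic.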