Hello everyone,

This relates to OpenVPN with FreeBSD and is (mostly) solved, see below. Maybe it's something for the FAQ ...

I've got a quite simple and vanilla config here. There is an office network (10.10.10.0/24) and a DSL Internet uplink. Ovpn clients connect to the external IP, port 1194 udp, of the firewall (FreeBSD 6.2 RELEASE / i386). Ovpn is configured to use the tap interface. The setup works very nicely.

Smtp and imap services are running on the inside part of the firewall, which is also the openvpn server, at 10.10.10.1. Machines on the "wired" office part of the LAN can connect to these services, but ovpn clients cannot. They can ping 10.10.10.1 but tcp and udp do not work. To be more specific, TCP packets sent by the firewall to the vpn clients have corrupted checksums, that's what tcpdump tells me. Unfortunately I have no idea whether it's an OpenVPN or FreeBSD bug, but certainly it is one.

This tcpdump explains my problem:

| # tcpdump -vvv -i tap0 -X -s 1600 host vpn72
| tcpdump: WARNING: tap0: no IPv4 address assigned
| tcpdump: listening on tap0, link-type EN10MB (Ethernet), capture size 1600 bytes

This is the SYN packet from the client, wanting to initiate the SMTP session:

| 16:06:52.939044 IP (tos 0x0, ttl 128, id 18184, offset 0, flags
| [DF], proto: TCP (6), length: 48) vpn72.office.celix.at.1331 >
| koyote.office.celix.at.smtp: S, cksum 0x40f1 (correct),
---------------------------------------------> ^^^^^^^^^
| 3099401284:3099401284(0) win 16384 <mss 1336,nop,nop,sackOK>
|
| 0x0000:  4500 0030 4708 4000 8006 8b63 0a0a 0a48  E..0G.@....c...H
| 0x0010:  0a0a 0a01 0533 0019 b8bd 1c44 0000 0000  .....3.....D....
| 0x0020:  7002 4000 40f1 0000 0204 0538 0101 0402  p.@.@......8....

This is the answer of the mailserver:

| 16:06:52.939153 IP (tos 0x0, ttl 64, id 169, offset 0, flags
| [DF], proto: TCP (6), length: 48) koyote.office.celix.at.smtp >
| vpn72.office.celix.at.1331: S, cksum 0x287f (incorrect (->
---------------------------------------------> ^^^^^^^^^
| 0x26cb), 2634202519:2634202519(0) ack 3099401285 win 65535 <mss
| 1460,sackOK,eol>
|
| 0x0000:  4500 0030 00a9 4000 4006 11c3 0a0a 0a01  E..0..@.@.......
| 0x0010:  0a0a 0a48 0019 0533 9d02 bd97 b8bd 1c45  ...H...3.......E
| 0x0020:  7012 ffff 287f 0000 0204 05b4 0402 0000  p...(...........

How should I proceed to resolve this? As I said, all other IP traffic works.

No, it does not. ARP is also not forwarded through the bridge from one vpn client to the other. What's the matter with FreeBSD's bridging? Maybe I should use ng_bridge?

But here is the solution to my original question: ifconfig the hardware network card which is part of the bridge with "-txcsum". In fact, you'll only have the problem if the physical network card which is part of the bridge does hardware checksumming. This forces the kernel to generate checksums for the packets. Otherwise packets enter the bridge without a set checksum, which the client then drops. See
<http://lists.freebsd.org/pipermail/freebsd-net/2005-May/007199.html>

What should I try to get the arp (for client to client traffic) working?

Thank you all,
George

Relevant parts of my config:

Ifconfig of server machine:

| em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
|         options=b<RXCSUM,TXCSUM,VLAN_MTU>
|         inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
|         ether 00:0e:0c:a1:ae:cd
|         media: Ethernet autoselect (1000baseTX <full-duplex>)
|         status: active
| fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
|         options=8<VLAN_MTU>
|         inet 81.223.15.210 netmask 0xfffffff0 broadcast 81.223.15.223
|         inet 81.223.15.211 netmask 0xffffffff broadcast 81.223.15.211
|         inet 81.223.15.212 netmask 0xffffffff broadcast 81.223.15.212
|         ether 00:90:27:f6:a8:fe
|         media: Ethernet autoselect (100baseTX <full-duplex>)
|         status: active
| plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
| lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
|         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
|         inet6 ::1 prefixlen 128
|         inet 127.0.0.1 netmask 0xff000000
| tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
|         ether 00:bd:9c:60:02:00
|         Opened by PID 34700

sockstat | grep -i vpn

| nobody   openvpn   34705 3  dgram  -> /var/run/logpriv
| nobody   openvpn   34705 6  udp4   81.223.15.212:1194    *:*

Server config:

| mode server
| float
| local 81.223.15.212
| push "dhcp-option DNS 10.10.10.15"
| push "dhcp-option DOMAIN office.celix.at"
| push "ip-win32 dynamic"
| crl-verify crl.pem
| port 1194
| proto udp
| dev tap
| ca ca.crt
| cert server.crt
| key server.key  # This file should be kept secret
| dh dh2048.pem
| ifconfig-pool-persist ipp.txt
| server-bridge 10.10.10.70 255.255.255.0 10.10.10.71 10.10.10.89
| keepalive 10 120
| comp-lzo
| max-clients 15
| user nobody
| group nobody
| persist-key
| persist-tun
| status openvpn-status.log
| verb 1

Client config:

| client
| dev tap
| pull
| proto udp
| remote ssl.celix.at 1194
| resolv-retry infinite
| nobind
| persist-key
| persist-tun
| ca ca.crt
| cert celix.crt
| key celix.key
| ns-cert-type server
| comp-lzo
| verb 1

/etc/sysctl.conf

| net.link.ether.bridge.config=em0,tap0
| net.link.ether.bridge.enable=1

/boot/loader.conf

| ipdivert_load=yes
| bridge_load=yes

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
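The diagnosis and the -txcsum fix from the post above, as an added worked example that is not part of George's message nor of OpenVPN or FreeBSD. The script recomputes the TCP checksums of the two packets from the tcpdump hex dump (bytes copied from the post): the client SYN verifies to 0x40f1, the server SYN/ACK should be 0x26cb, and the "incorrect" 0x287f it actually carries is exactly the IPv4 pseudo-header partial sum, which is what FreeBSD's tcp_output() stores in the field when it has flagged the packet for the NIC to finish the checksum in hardware; a frame that leaves through tap0 instead of that NIC never gets finished. The second half audits ifconfig output (also copied from the post, trimmed) for bridge members that still show TXCSUM and prints the ifconfig commands George ran. Function names, dict keys and the audit logic are my own.

```python
# Added example, not from the original post or from OpenVPN/FreeBSD.
# Part 1 recomputes the TCP checksums of the two packets George captured on
# tap0; part 2 audits ifconfig output for bridge members with TXCSUM enabled.
import re
import struct

# Hex bytes copied from the post's "tcpdump -X" output (constructed inline).
CLIENT_SYN = bytes.fromhex(
    "4500 0030 4708 4000 8006 8b63 0a0a 0a48"
    "0a0a 0a01 0533 0019 b8bd 1c44 0000 0000"
    "7002 4000 40f1 0000 0204 0538 0101 0402"
)
SERVER_SYNACK = bytes.fromhex(
    "4500 0030 00a9 4000 4006 11c3 0a0a 0a01"
    "0a0a 0a48 0019 0533 9d02 bd97 b8bd 1c45"
    "7012 ffff 287f 0000 0204 05b4 0402 0000"
)


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_segment(pkt: bytes) -> bytes:
    """The TCP segment of an IPv4 packet, honouring IHL and total length."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return pkt[ihl:total_len]


def tcp_pseudo_header_sum(pkt: bytes) -> int:
    """Partial sum over the IPv4 pseudo-header: src, dst, zero, proto, TCP length."""
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, pkt[9], len(tcp_segment(pkt)))
    return ones_complement_sum(pseudo)


def tcp_checksum_report(pkt: bytes) -> dict:
    """Compare the stored TCP checksum with the one a receiver will compute.

    'offload_signature' is True when the stored field holds nothing but the
    pseudo-header sum: on FreeBSD that is what tcp_output() leaves behind when
    it expects the NIC to finish the checksum (CSUM_TCP offload), and it is
    exactly what the VPN client sees if the frame never crosses that NIC."""
    seg = bytearray(tcp_segment(pkt))
    stored = struct.unpack("!H", seg[16:18])[0]
    seg[16:18] = b"\x00\x00"          # checksum is computed with the field zeroed
    pseudo = tcp_pseudo_header_sum(pkt)
    expected = 0xFFFF ^ ones_complement_sum(struct.pack("!H", pseudo) + bytes(seg))
    return {
        "stored": stored,
        "expected": expected,
        "ok": stored == expected,
        "offload_signature": stored == pseudo and stored != expected,
    }


# ifconfig lines copied from the post (constructed inline, trimmed to what the
# audit needs) and the legacy bridge(4) member list from /etc/sysctl.conf.
IFCONFIG_OUTPUT = """\
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=b<RXCSUM,TXCSUM,VLAN_MTU>
        inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        ether 00:bd:9c:60:02:00
"""
BRIDGE_CONFIG = "em0,tap0"   # net.link.ether.bridge.config from the post


def parse_ifconfig_options(text: str) -> dict:
    """Map interface name -> set of names in its options=<...> line (empty if none)."""
    options, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\w+): flags=", line)
        if head:
            current = head.group(1)
            options[current] = set()
            continue
        opts = re.match(r"^\s+options=[0-9a-fA-F]+<([^>]*)>", line)
        if opts and current:
            options[current] = {o for o in opts.group(1).split(",") if o}
    return options


def txcsum_fixes(ifconfig_text: str, bridge_config: str) -> list:
    """ifconfig commands for every bridge member that still offloads TX checksums."""
    options = parse_ifconfig_options(ifconfig_text)
    # bridge(4) member syntax is "ifname" or "ifname:cluster"; keep the name only.
    members = [m.split(":")[0].strip() for m in bridge_config.split(",") if m.strip()]
    return ["ifconfig %s -txcsum" % m for m in members if "TXCSUM" in options.get(m, set())]


if __name__ == "__main__":
    for name, pkt in (("client SYN", CLIENT_SYN), ("server SYN/ACK", SERVER_SYNACK)):
        r = tcp_checksum_report(pkt)
        print("%-15s stored 0x%04x expected 0x%04x ok=%s offload_signature=%s"
              % (name, r["stored"], r["expected"], r["ok"], r["offload_signature"]))
    for cmd in txcsum_fixes(IFCONFIG_OUTPUT, BRIDGE_CONFIG):
        print(cmd)
```

Run it as-is to reproduce the numbers tcpdump printed; feed it a real capture by replacing the two byte strings. The audit only understands the `options=<...>` format of the FreeBSD 6 era ifconfig and the `net.link.ether.bridge.config` member syntax the post uses (optionally `ifname:cluster`); with if_bridge(4) you would take the member list from `ifconfig bridge0` instead, but the check and the `-txcsum` remedy are the same.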