Problem with OpenVPN and ethernet bridging
list at museum.rain.com
Mon Apr 23 01:14:20 UTC 2007
I'm trying to get my feet wet with an ethernet bridging setup
I have two hosts on a 10.0.0.0/24 network that I want to
connect: dl360 is the server, and t30 is the client. These
hosts are resolvable by /etc/hosts. TLS seems to be working
from certs I created at cacert.org.
The goal is to bridge the t30 client to the second ethernet
NIC of the dl360 server.
The client is assigned an IP from the bridged LAN correctly,
but the client cannot ping the 172.16.16.1 IP on the server's
ethernet interface. tcpdump shows traffic going out the
tap0 interface on the client (ARP traffic, that is, trying to
ARP for 172.16.16.1). tcpdump on the server's physical bge0
shows incoming traffic destined for UDP port 1194 on the server,
but no traffic on the server's tap0 or bridge0 interfaces.
The OpenVPN docs, examples, and instructions are highly linux-
centric, so I'm having to read between the lines a lot. Based on
I am not assigning IPs to the server's tap and bridge interfaces,
as that page claims that such is unnecessary under FreeBSD.
So my troubleshooting is focusing on the server side, since I
can see that VPN traffic is reaching the public interface, but
OpenVPN is not mapping that traffic onto the ethernet bridge.
For now, I am creating the tap and bridge interfaces manually.
in /etc/rc.conf, I find that OpenVPN does not create the
bridge interface. I am running this script by hand, followed
by running "/usr/local/etc/rc.d/openvpn start":
ifconfig tap0 create
ifconfig bridge0 create
ifconfig bridge0 addm bge1 addm tap0 up
Here's ifconfig on the server:
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
inet 10.0.0.22 netmask 0xffffff00 broadcast 10.0.0.255
media: Ethernet autoselect (100baseTX <full-duplex>)
bge1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
inet 172.16.16.1 netmask 0xffffff00 broadcast 172.16.16.255
media: Ethernet autoselect (none)
status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet 127.0.0.1 netmask 0xff000000
tap0: flags=8942<BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
Opened by PID 49835
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0
member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
member: bge1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
Here's the openvpn.conf on the server:
key dl360.key # This file should be kept secret
server-bridge 172.16.16.1 255.255.255.0 172.16.16.50 172.16.16.100
keepalive 10 120
- - -
And here's the openvpn.conf on the client:
remote dl360 1194
- - -
I have set net.inet.ip.forwarding set to 1 on the server to ensure
that packets are forwarded between interfaces.
What am I missing on the server side that's preventing me from pinging
from 172.16.16.50 to 172.16.16.1? The client is running 6.2-STABLE
circa March 13, and the server is 7.0-CURRENT circa late April 21.
More information about the freebsd-questions