Problem with OpenVPN and ethernet bridging
James Long
list at museum.rain.com
Mon Apr 23 01:14:20 UTC 2007
I'm trying to get my feet wet with an ethernet bridging setup
under OpenVPN.
I have two hosts on a 10.0.0.0/24 network that I want to
connect: dl360 is the server, and t30 is the client. These
hosts are resolvable by /etc/hosts. TLS seems to be working
from certs I created at cacert.org.
The goal is to bridge the t30 client to the second ethernet
NIC of the dl360 server.
The client is assigned an IP from the bridged LAN correctly,
but the client cannot ping the 172.16.16.1 IP on the server's
ethernet interface. tcpdump shows traffic going out the
tap0 interface on the client (ARP traffic, that is, trying to
ARP for 172.16.16.1). tcpdump on the server's physical bge0
shows incoming traffic destined for UDP port 1194 on the server,
but no traffic on the server's tap0 or bridge0 interfaces.
The OpenVPN docs, examples, and instructions are highly linux-
centric, so I'm having to read between the lines a lot. Based on
http://www.mired.org/home/mwm/papers/FreeBSD-OpenVPN-Bridging.html
I am not assigning IPs to the server's tap and bridge interfaces,
as that page claims that such is unnecessary under FreeBSD.
So my troubleshooting is focusing on the server side, since I
can see that VPN traffic is reaching the public interface, but
OpenVPN is not mapping that traffic onto the ethernet bridge.
For now, I am creating the tap and bridge interfaces manually.
Despite having:
openvpn_enable="YES"
openvpn_if="tap bridge"
in /etc/rc.conf, I find that OpenVPN does not create the
bridge interface. I am running this script by hand, followed
by running "/usr/local/etc/rc.d/openvpn start":
ifconfig tap0 create
ifconfig bridge0 create
ifconfig bridge0 addm bge1 addm tap0 up
Here's ifconfig on the server:
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:08:02:a0:c6:9d
inet 10.0.0.22 netmask 0xffffff00 broadcast 10.0.0.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
bge1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:08:02:a0:c6:9e
inet 172.16.16.1 netmask 0xffffff00 broadcast 172.16.16.255
media: Ethernet autoselect (none)
status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet 127.0.0.1 netmask 0xff000000
tap0: flags=8942<BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 00:bd:87:77:8b:00
Opened by PID 49835
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether b6:1d:6a:ae:be:a4
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0
member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
member: bge1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
Here's the openvpn.conf on the server:
local dl360
port 1194
proto udp
dev tap0
ca cacert.org.crt
cert dl360.crt
key dl360.key # This file should be kept secret
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 172.16.16.1 255.255.255.0 172.16.16.50 172.16.16.100
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
- - -
And here's the openvpn.conf on the client:
client
dev tap
proto udp
remote dl360 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca cacert.org.crt
cert t30.crt
key t30.key
log-append openvpn.log
verb 3
- - -
I have set net.inet.ip.forwarding set to 1 on the server to ensure
that packets are forwarded between interfaces.
What am I missing on the server side that's preventing me from pinging
from 172.16.16.50 to 172.16.16.1? The client is running 6.2-STABLE
circa March 13, and the server is 7.0-CURRENT circa late April 21.
Thank you!
Jim
More information about the freebsd-questions
mailing list