Re: ARP and npppd

On 2013-02-18, Claudio Jeker cje...@diehard.n-r-g.com wrote:
> Even though L2TP has L2 in its name it is not built to create ethernet
> layer 2 tunnels. It is just tunneling PPP packets inside of UDP.
> So the only thing you can do is proxyarp (which npppd does not support
> natively) or route the traffic.

Routing the traffic is probably the easiest way for this. Use a different
subnet for the PPP-assigned addresses and add a static route on the gateway
(and ideally on other machines which the PPP-connected devices will need to
reach too; it may work without, but you'll either be pushing a bunch of
extra traffic via the gateway, or relying on ICMP redirects which may be
disabled and at best are bleurgh ;)

The proxy arp route is less nice, but a few pointers if people want to try
that: you can use arp(8) in base for it; see the '-f' option. Or arpd (in
ports) can cover a whole subnet without listing addresses separately.

Alternatively there is the combination of pppd+xl2tpd; pppd does support
proxy arp natively, though npppd is nicer and easier to configure,
especially with IPsec.

FWIW none of these can do IPv6 in the tunnels on OpenBSD; for that you
could use gif, gre, openvpn or just plain ipsec.
Re: ARP and npppd

On Mon, Feb 18, 2013 at 6:43 AM, Stuart Henderson s...@spacehopper.org wrote:
> On 2013-02-18, Claudio Jeker cje...@diehard.n-r-g.com wrote:
>> Even though L2TP has L2 in its name it is not built to create ethernet
>> layer 2 tunnels. It is just tunneling PPP packets inside of UDP.
>> So the only thing you can do is proxyarp (which npppd does not support
>> natively) or route the traffic.
>
> Routing the traffic is probably the easiest way for this. Use a different
> subnet for the PPP-assigned addresses and add a static route on the
> gateway (and ideally on other machines which the PPP-connected devices
> will need to reach too; it may work without, but you'll either be pushing
> a bunch of extra traffic via the gateway, or relying on ICMP redirects
> which may be disabled and at best are bleurgh ;)
>
> The proxy arp route is less nice, but a few pointers if people want to
> try that: you can use arp(8) in base for it; see the '-f' option. Or arpd
> (in ports) can cover a whole subnet without listing addresses separately.
>
> Alternatively there is the combination of pppd+xl2tpd; pppd does support
> proxy arp natively, though npppd is nicer and easier to configure,
> especially with IPsec.
>
> FWIW none of these can do IPv6 in the tunnels on OpenBSD; for that you
> could use gif, gre, openvpn or just plain ipsec.

The OP is talking about an iStuff client; this 'may' reduce the set of
possibilities, especially if he does not want to install an app.

I have no clue how to bridge a gif on an iPhone!

--
 ()  ascii ribbon campaign - against html e-mail
 /\
Re: ARP and npppd

On Mon, Feb 18, 2013 at 09:37:27AM -0500, sven falempin wrote:
> On Mon, Feb 18, 2013 at 6:43 AM, Stuart Henderson s...@spacehopper.org wrote:
>> On 2013-02-18, Claudio Jeker cje...@diehard.n-r-g.com wrote:
>>> Even though L2TP has L2 in its name it is not built to create ethernet
>>> layer 2 tunnels. It is just tunneling PPP packets inside of UDP.
>>> So the only thing you can do is proxyarp (which npppd does not support
>>> natively) or route the traffic.
>>
>> Routing the traffic is probably the easiest way for this. Use a
>> different subnet for the PPP-assigned addresses and add a static route
>> on the gateway (and ideally on other machines which the PPP-connected
>> devices will need to reach too; it may work without, but you'll either
>> be pushing a bunch of extra traffic via the gateway, or relying on ICMP
>> redirects which may be disabled and at best are bleurgh ;)
>>
>> The proxy arp route is less nice, but a few pointers if people want to
>> try that: you can use arp(8) in base for it; see the '-f' option. Or
>> arpd (in ports) can cover a whole subnet without listing addresses
>> separately.
>>
>> Alternatively there is the combination of pppd+xl2tpd; pppd does
>> support proxy arp natively, though npppd is nicer and easier to
>> configure, especially with IPsec.
>>
>> FWIW none of these can do IPv6 in the tunnels on OpenBSD; for that you
>> could use gif, gre, openvpn or just plain ipsec.
>
> The OP is talking about an iStuff client; this 'may' reduce the set of
> possibilities, especially if he does not want to install an app.
>
> I have no clue how to bridge a gif on an iPhone!
>
> --
>  ()  ascii ribbon campaign - against html e-mail
>  /\

Thanks everybody for the ideas and clarification. Routing would be nice,
but not really practical with iThings. I ended up with a perl hack that
monitors syslog to add and remove arp entries when npppd reports a
connection, and another that cron fires off every few minutes to look at
ifconfig's output and update the arp cache. It's working so far, but it's
a bit of a hack.

Thanks all for the help.

Stuart
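Added example, not code from the thread, from npppd or from either Stuart: a small sh script that does what the cron-driven half of the hack above describes, using the arp(8) "pub" (published) entries that Stuart Henderson pointed at earlier in the thread. It pulls the peer address of every pppx interface out of ifconfig output, works out which addresses still need publishing and which have gone stale, and emits the arp(8) commands (or an arp -f table) rather than running anything it cannot show first. The ifconfig and state samples are constructed; the MAC is the re0 lladdr from the original post; the state-file path, and the choice to remember published addresses in a file instead of parsing arp -an, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): keep proxy-ARP entries on an npppd
# box in sync with the L2TP clients that are currently connected, so LAN
# hosts that ARP for a client address in the LAN's own subnet get an
# answer from the npppd box, which then forwards over the PPP link.
# Assumed: LAN NIC is re0 with the MAC below; published addresses are
# remembered in STATE_FILE so stale entries can be withdrawn.

LAN_MAC=76:7f:52:6e:91:0d                          # lladdr of re0 in the original post
STATE_FILE=${STATE_FILE:-/var/db/npppd-proxyarp}   # assumed path, not an npppd file

# Constructed sample of `ifconfig pppx` output: two connected clients.
SAMPLE_IFCONFIG='pppx0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1360
    description: stuart
    priority: 0
    groups: pppx
    inet 192.168.11.160 --> 192.168.11.157 netmask 0xffffffff
pppx1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1360
    description: alice
    priority: 0
    groups: pppx
    inet 192.168.11.160 --> 192.168.11.152 netmask 0xffffffff'

# Constructed previous state: .151 was published for a client that has
# since disconnected, .157 is still connected.
SAMPLE_STATE='192.168.11.151
192.168.11.157'

# peer_addrs IFCONFIG_TEXT: print the remote address of every pppx
# interface, one per line, sorted.  On a point-to-point "inet" line the
# remote side is the field after "-->".
peer_addrs() {
    printf '%s\n' "$1" |
    awk '/^pppx[0-9]+:/ { inppp = 1; next }
         /^[^ \t]/      { inppp = 0 }
         inppp && $1 == "inet" && $3 == "-->" { print $4 }' |
    sort -u
}

# sync_commands CURRENT DESIRED: print the arp(8) commands that turn the
# CURRENT set of published addresses into DESIRED: "arp -d" for entries
# to withdraw, "arp -s ... pub" for entries to publish on our own MAC.
# Text in, text out, so the plan can be reviewed before it is executed.
sync_commands() {
    awk -v cur="$1" -v des="$2" -v mac="$LAN_MAC" '
    BEGIN {
        n = split(cur, c, "\n"); for (i = 1; i <= n; i++) if (c[i] != "") incur[c[i]] = 1
        n = split(des, d, "\n"); for (i = 1; i <= n; i++) if (d[i] != "") indes[d[i]] = 1
        for (a in incur) if (!(a in indes)) print "arp -d " a
        for (a in indes) if (!(a in incur)) print "arp -s " a " " mac " pub"
    }' | sort
}

# arp_file DESIRED: the same entries in the "host ether_addr flags" form
# that arp(8) -f reads, for loading a whole table in one go.
arp_file() {
    printf '%s\n' "$1" | awk -v mac="$LAN_MAC" 'NF { print $1, mac, "pub" }'
}

# sync_proxy_arp [apply]: with "apply", act on the live box (run from cron);
# without it, only show the plan for the constructed samples above.
sync_proxy_arp() {
    if [ "$1" = apply ]; then
        desired=$(peer_addrs "$(ifconfig pppx)")
        current=$(cat "$STATE_FILE" 2>/dev/null)
        sync_commands "$current" "$desired" | sh -e
        printf '%s\n' "$desired" > "$STATE_FILE"
    else
        sync_commands "$SAMPLE_STATE" "$(peer_addrs "$SAMPLE_IFCONFIG")"
    fi
}

sync_proxy_arp "$@"
```

Run without arguments it prints the two commands the samples call for (withdraw .151, publish .152); `sync_proxy_arp apply` from a cron entry does the real thing. It only covers the unicast case: a published entry makes the kernel answer ARP for the client address, but broadcast traffic still does not reach the client, which is the limitation Claudio describes for a PPP link.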
ARP and npppd

Hi all,

I'm having a bit of trouble getting l2tp working from behind a firewall.
Here's the setup:

OpenBSD with isakmpd and npppd -- Home Router -- Internet -- Cell Network -- iPhone/Laptop

Basically, the idea is to make a VPN for use when I'm travelling. I can
connect just fine and put traffic on the network, but arp requests from
other hosts on the network don't get sent back through the l2tp tunnel.
If I manually update the arp cache of another host on the network with the
ethernet address of my npppd/isakmpd box and the IP assigned by npppd,
traffic flows with no problem. Looking at the traffic of the nic on the
npppd box, I see arp replies coming in. tcpdump on the pipex interface
doesn't report the arp requests.

Is there something special I need to do to send non-ip traffic through the
vpn?

Here are my config files:

ipsec.conf:

    ike passive esp transport \
        proto udp from mydomain.com (0.0.0.0/0) to any port 1701 \
        main auth hmac-sha enc aes group modp1024 \
        quick auth hmac-sha enc aes \
        psk xxx

npppd.conf:

    authentication LOCAL type local {
        users-file /etc/npppd/npppd-users
    }

    tunnel L2TP_ipv4 protocol l2tp {
        listen on 0.0.0.0
        l2tp-accept-dialin yes
    }

    ipcp IPCP {
        pool-address 192.168.11.150-192.168.11.159
        dns-servers 192.168.11.25
    }

    interface pppx0 address 192.168.11.160 ipcp IPCP
    bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0

npppd-users:

    stuart:\
        :password=foo:

ifconfig's output:

    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33152
            priority: 0
            groups: lo
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
            inet 127.0.0.1 netmask 0xff00
    re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 76:7f:52:6e:91:0d
            priority: 0
            groups: egress
            media: Ethernet autoselect (100baseTX full-duplex)
            status: active
            inet6 fe80::747f:52ff:fe6e:910d%re0 prefixlen 64 scopeid 0x1
            inet6 2601:xxx prefixlen 64 autoconf pltime 14391 vltime 86391
            inet6 2601:xxx prefixlen 64 autoconf autoconfprivacy pltime 6138 vltime 78138
            inet 192.168.11.29 netmask 0xff00 broadcast 192.168.11.255
    enc0: flags=0
            priority: 0
            groups: enc
            status: active
    pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33152
            priority: 0
            groups: pflog
    pppx0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1360
            description: stuart
            priority: 0
            groups: pppx
            inet 192.168.11.160 --> 192.168.11.157 netmask 0x

Thanks,
Stuart
Re: ARP and npppd

I think this is on TODO-list. This is why npppd considered to be not ready
and thus not linked to build.

//mxb

On 17 feb 2013, at 16:32, Stuart McMurray kd5...@gmail.com wrote:
> Hi all,
>
> I'm having a bit of trouble getting l2tp working from behind a firewall.
> Here's the setup:
>
> OpenBSD with isakmpd and npppd -- Home Router -- Internet -- Cell Network -- iPhone/Laptop
>
> Basically, the idea is to make a VPN for use when I'm travelling. I can
> connect just fine and put traffic on the network, but arp requests from
> other hosts on the network don't get sent back through the l2tp tunnel.
> If I manually update the arp cache of another host on the network with
> the ethernet address of my npppd/isakmpd box and the IP assigned by
> npppd, traffic flows with no problem. Looking at the traffic of the nic
> on the npppd box, I see arp replies coming in. tcpdump on the pipex
> interface doesn't report the arp requests.
>
> Is there something special I need to do to send non-ip traffic through
> the vpn?
>
> Here are my config files:
>
> ipsec.conf:
>
>     ike passive esp transport \
>         proto udp from mydomain.com (0.0.0.0/0) to any port 1701 \
>         main auth hmac-sha enc aes group modp1024 \
>         quick auth hmac-sha enc aes \
>         psk xxx
>
> npppd.conf:
>
>     authentication LOCAL type local {
>         users-file /etc/npppd/npppd-users
>     }
>
>     tunnel L2TP_ipv4 protocol l2tp {
>         listen on 0.0.0.0
>         l2tp-accept-dialin yes
>     }
>
>     ipcp IPCP {
>         pool-address 192.168.11.150-192.168.11.159
>         dns-servers 192.168.11.25
>     }
>
>     interface pppx0 address 192.168.11.160 ipcp IPCP
>     bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0
>
> npppd-users:
>
>     stuart:\
>         :password=foo:
>
> ifconfig's output:
>
>     lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33152
>             priority: 0
>             groups: lo
>             inet6 ::1 prefixlen 128
>             inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
>             inet 127.0.0.1 netmask 0xff00
>     re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>             lladdr 76:7f:52:6e:91:0d
>             priority: 0
>             groups: egress
>             media: Ethernet autoselect (100baseTX full-duplex)
>             status: active
>             inet6 fe80::747f:52ff:fe6e:910d%re0 prefixlen 64 scopeid 0x1
>             inet6 2601:xxx prefixlen 64 autoconf pltime 14391 vltime 86391
>             inet6 2601:xxx prefixlen 64 autoconf autoconfprivacy pltime 6138 vltime 78138
>             inet 192.168.11.29 netmask 0xff00 broadcast 192.168.11.255
>     enc0: flags=0
>             priority: 0
>             groups: enc
>             status: active
>     pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33152
>             priority: 0
>             groups: pflog
>     pppx0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1360
>             description: stuart
>             priority: 0
>             groups: pppx
>             inet 192.168.11.160 --> 192.168.11.157 netmask 0x
>
> Thanks,
> Stuart
Re: ARP and npppd
On Sun, Feb 17, 2013 at 11:03:44PM +0100, mxb wrote:
> I think this is on TODO-list. This is why npppd considered to be not
> ready and thus not linked to build.

It is linked to the build and has been for 5 months.
Re: ARP and npppd

On Sun, Feb 17, 2013 at 10:32:33AM -0500, Stuart McMurray wrote:
> Hi all,
>
> I'm having a bit of trouble getting l2tp working from behind a firewall.
> Here's the setup:
>
> OpenBSD with isakmpd and npppd -- Home Router -- Internet -- Cell Network -- iPhone/Laptop
>
> Basically, the idea is to make a VPN for use when I'm travelling. I can
> connect just fine and put traffic on the network, but arp requests from
> other hosts on the network don't get sent back through the l2tp tunnel.
> If I manually update the arp cache of another host on the network with
> the ethernet address of my npppd/isakmpd box and the IP assigned by
> npppd, traffic flows with no problem. Looking at the traffic of the nic
> on the npppd box, I see arp replies coming in. tcpdump on the pipex
> interface doesn't report the arp requests.
>
> Is there something special I need to do to send non-ip traffic through
> the vpn?

npppd and L2TP VPN are not built to do L2 VPNs. To build something like
that you would need to do proxy-arp on the npppd box and even then not
everything will work since it is still a ppp connection running in the
end.

It may be better to use gif(4) over ipsec for this since that will allow
you to do etherip and native L2 VPNs. On the client bridge the gif with
vether(4) and on the server bridge it with your real ethernet device.

npppd works great for L3 VPNs though...

--
:wq Claudio
Re: ARP and npppd

On Sun, Feb 17, 2013 at 5:13 PM, Claudio Jeker cje...@diehard.n-r-g.com wrote:
> On Sun, Feb 17, 2013 at 10:32:33AM -0500, Stuart McMurray wrote:
>> Hi all,
>>
>> I'm having a bit of trouble getting l2tp working from behind a
>> firewall. Here's the setup:
>>
>> OpenBSD with isakmpd and npppd -- Home Router -- Internet -- Cell Network -- iPhone/Laptop
>>
>> Basically, the idea is to make a VPN for use when I'm travelling. I can
>> connect just fine and put traffic on the network, but arp requests from
>> other hosts on the network don't get sent back through the l2tp tunnel.
>> If I manually update the arp cache of another host on the network with
>> the ethernet address of my npppd/isakmpd box and the IP assigned by
>> npppd, traffic flows with no problem. Looking at the traffic of the nic
>> on the npppd box, I see arp replies coming in. tcpdump on the pipex
>> interface doesn't report the arp requests.
>>
>> Is there something special I need to do to send non-ip traffic through
>> the vpn?
>
> npppd and L2TP VPN are not built to do L2 VPNs. To build something like
> that you would need to do proxy-arp on the npppd box and even then not
> everything will work since it is still a ppp connection running in the
> end.
>
> It may be better to use gif(4) over ipsec for this since that will allow
> you to do etherip and native L2 VPNs. On the client bridge the gif with
> vether(4) and on the server bridge it with your real ethernet device.
>
> npppd works great for L3 VPNs though...
>
> --
> :wq Claudio

If npppd's L2TP VPN isn't built for an L2 VPN (?), what's the appropriate
daemon to set up an L2TP VPN in OpenBSD? Since the clients are going to be
iOS (Apple, non Cisco) devices, bridging interfaces manually isn't a
possibility.
Re: ARP and npppd

On Sun, Feb 17, 2013 at 06:25:24PM -0500, Stuart McMurray wrote:
> On Sun, Feb 17, 2013 at 5:13 PM, Claudio Jeker cje...@diehard.n-r-g.com wrote:
>> On Sun, Feb 17, 2013 at 10:32:33AM -0500, Stuart McMurray wrote:
>>> Hi all,
>>>
>>> I'm having a bit of trouble getting l2tp working from behind a
>>> firewall. Here's the setup:
>>>
>>> OpenBSD with isakmpd and npppd -- Home Router -- Internet -- Cell Network -- iPhone/Laptop
>>>
>>> Basically, the idea is to make a VPN for use when I'm travelling. I
>>> can connect just fine and put traffic on the network, but arp requests
>>> from other hosts on the network don't get sent back through the l2tp
>>> tunnel. If I manually update the arp cache of another host on the
>>> network with the ethernet address of my npppd/isakmpd box and the IP
>>> assigned by npppd, traffic flows with no problem. Looking at the
>>> traffic of the nic on the npppd box, I see arp replies coming in.
>>> tcpdump on the pipex interface doesn't report the arp requests.
>>>
>>> Is there something special I need to do to send non-ip traffic through
>>> the vpn?
>>
>> npppd and L2TP VPN are not built to do L2 VPNs. To build something like
>> that you would need to do proxy-arp on the npppd box and even then not
>> everything will work since it is still a ppp connection running in the
>> end.
>>
>> It may be better to use gif(4) over ipsec for this since that will
>> allow you to do etherip and native L2 VPNs. On the client bridge the
>> gif with vether(4) and on the server bridge it with your real ethernet
>> device.
>>
>> npppd works great for L3 VPNs though...
>>
>> --
>> :wq Claudio
>
> If npppd's L2TP VPN isn't built for an L2 VPN (?), what's the
> appropriate daemon to set up an L2TP VPN in OpenBSD? Since the clients
> are going to be iOS (Apple, non Cisco) devices, bridging interfaces
> manually isn't a possibility.

Even though L2TP has L2 in its name it is not built to create ethernet
layer 2 tunnels. It is just tunneling PPP packets inside of UDP.

So the only thing you can do is proxyarp (which npppd does not support
natively) or route the traffic. Especially for all the iOS devices there
is no need to make this a L2 network (unless you want to do airplay over
VPN).

--
:wq Claudio