Re: OpenVPN, tap interface and bridge
Stuart Henderson wrote:
> On 5.8 and earlier:
>
> # ifconfig tun1 link0
>
> Then you'll be able to add it to the bridge.

Thanks Giancarlo and Stuart! That solved it.

> On -current (and will be the case for 5.9), use e.g. 'dev tap1' instead
> (and add tap1 to the bridge interface).

I'll keep that in mind, thanks.

> I note you say "assign IP address directly to a bridge" - that isn't how
> it works in OpenBSD, you should assign the IP to a member interface
> of the bridge.

Okay, I did it (for em0). em0, tun0 and tun1 are now in the bridge and, as long as em0 is not concerned, the bridge is working fine (machines see each other and the box). However, there is another problem.

I have four machines, let's call them:

- mtcp - Windows 7 machine connected to OpenVPN with TCP
- mudp - Linux machine connected to OpenVPN over UDP
- meth - Linux machine connected directly to em0
- mbsd - OpenBSD server with the bridge

Machines mtcp and mudp communicate with each other and with mbsd without any problems. Machines meth and mbsd also communicate with each other. However, when I try to ping mtcp from meth, this is what happens.

1. meth sends an arp request, receives a reply and starts sending icmp packets. This can be seen in tcpdump on the meth side (tcpdump -i eth2 -n host 172.24.40.6):

11:12:59.235984 ARP, Request who-has 172.24.40.6 tell 172.24.40.2, length 28
11:12:59.445795 ARP, Reply 172.24.40.6 is-at 00:50:b6:11:XX:XX, length 46
11:12:59.445820 IP 172.24.40.2 > 172.24.40.6: ICMP echo request, id 26368, seq 1, length 64
11:13:00.243925 IP 172.24.40.2 > 172.24.40.6: ICMP echo request, id 26368, seq 2, length 64
11:13:01.251932 IP 172.24.40.2 > 172.24.40.6: ICMP echo request, id 26368, seq 3, length 64

2. mbsd sees only the arp request and reply, but does not see the icmp requests (tcpdump -i bridge0 -n host 172.24.40.6), so of course these requests are not forwarded to the pinged box (meth):

11:12:59.508367 arp who-has 172.24.40.6 tell 172.24.40.2
11:12:59.717785 arp reply 172.24.40.6 is-at 00:50:b6:11:XX:XX

Any idea what can be wrong?

--
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"
http://www.chmurka.net/
OpenVPN, tap interface and bridge
Hi,

I have an OpenVPN server running on OpenBSD. I use a tunX interface in tap mode (as far as I know, it's the OpenBSD equivalent of the tapX interface from Linux, so it should be bridgeable):

dev tun1
dev-type tap

No IP is assigned to this interface, because I want to bridge two OpenVPN interfaces and one Ethernet interface and assign the IP address directly to the bridge.

OpenVPN is running and ifconfig looks like this:

tun1: flags=8051 mtu 1500
        priority: 0
        groups: tun
        status: active

However:

gof@bsd:~$ sudo ifconfig bridge0 create
gof@bsd:~$ sudo ifconfig bridge0 add tun1
ifconfig: bridge0: tun1: Invalid argument

Bridge ifconfig:

bridge0: flags=0<>
        groups: bridge
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp

Can I do something to solve it?

--
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"
http://www.chmurka.net/
Re: OpenVPN, tap interface and bridge
Dag Richards wrote:
> I run OpenVPN on a pair of carped up gateways

With a bridge between the OpenVPN interface and other interfaces?

> What are you trying to achieve with this very odd sounding config.
> There may be a more straightforward way to get there.

Ok, so I'll tell exactly what I want to do.

I have a private network of machines in various locations. These machines are running different systems (Linux, Win7) and need to be connected with a VPN. Some of them can connect only to a certain TCP port (because they are behind a fascist firewall) and some of them have less restricted network access and are able to communicate using UDP. To make it more complicated, one of these machines can connect directly to the OpenBSD box with a dedicated fast Ethernet interface, so I'd like to use that interface.

The OpenBSD box acts as a server for all these machines. So we have three interfaces:

tun0 - for VPN clients connecting with TCP
tun1 - for VPN clients communicating with UDP
em0 - direct, fast interface for one client

There is also an em1 interface for outbound traffic (with a public IP).

Now all machines connect to the VPN using TCP, but I want to switch the UDP-capable ones to UDP and this one Ethernet-capable box to Ethernet (now this Ethernet connection is completely separate, with separate addressing). What I need to do is to have these three interfaces bridged together with one common IP address, so all computers in the VPN will be visible to each other.

Take care.

--
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"
http://www.chmurka.net/
Downgrade from 5.8-current to 5.8 release
Hi,

I have a problem. I mistakenly installed OpenBSD 5.8-current (I thought it was the 5.8 release). Everything is set up, configured and live, but now pkg_add fails, because the libc version has changed.

Can't install p5-Crypt-OpenSSL-Random-0.10 because of libraries
|library c.84.0 not found
| /usr/lib/libc.so.83.0 (system): bad major

As I don't want to use snapshots and follow -current, is there an easy way to downgrade my installation to the 5.8 release without losing my configuration?

I thought about just untarring the appropriate tgz packages (base58.tgz, copying /bsd etc.) and recompiling one program that I installed manually (because it now uses libs from my installed snapshot), but I am almost certain I would lose my configuration this way...

--
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"
http://www.chmurka.net/
Re: Downgrade from 5.8-current to 5.8 release
Nick Holland wrote:
> Only supported way (i.e., devs and I won't laugh at you when you
> complain about the results) is to wipe and reload.

I thought there was an easier way :(

Ok, so I'll wipe and reinstall. Thanks.

--
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"
http://www.chmurka.net/
Re: Linux crypt(3)
Thank you for all the replies!

On Sat, 17 Oct 2015, Devin Reade wrote:
> As you're looking into solutions, make sure you're looking at the right
> problem. Your text sounds like you're migrating system account passwords,

I'm not. These are passwords for the news server. Users are authenticated using ckpasswd, which uses crypt().

On Sat, 17 Oct 2015, Adam Wolk wrote:
> Don't know if it works out for you but you could generate ssh keys for
> existing accounts and allow users to access the new system using that
> provided ssh key & set the passwords themselves (or just keep using key
> auth and disabling passwords :)).

I don't want to force users to do anything, I want this change to be transparent to them...

--
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"
Re: Linux crypt(3)
On Mon, 19 Oct 2015, Adam Van Ymeren wrote:
> Could you modify the existing linux system to also output a suitable
> bcrypt hash for their password the next time they log in.

Yes, that's a great idea. It didn't cross my mind before. Thank you!

--
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"
Linux crypt(3)
Hi misc,

I'm migrating one of my servers from Linux to OpenBSD and I need a method to authenticate users based on passwords treated with the Linux crypt() function. Passwords are encrypted with salted DES, without glibc2 extensions. For example:

$ htpasswd -nbd test test
test:MbfD9Vq5SL5aE

where "Mb" is a random salt and the rest is the encrypted password.

As the OpenBSD crypt() function differs from the one in Linux libc and returns NULL for the setting "Mb", before I start porting it from libc, maybe you have an easier solution? Maybe there is a library I can use (different than the whole bloated Linux libc)?

Kind regards.

--
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"
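The approach Adam Van Ymeren suggests in the reply above (mint a bcrypt hash at the user's next successful login against the old DES hash, so the OpenBSD side never needs DES crypt), as an added example that is not code from the thread or from ckpasswd: a login hook that verifies either hash form through crypt(3), reached via Python's crypt module on the Linux side. The per-user record layout, the names `login` and `export_migrated`, and the injectable `crypt_fn`/`new_setting` hooks are assumptions of this example.

```python
import hmac
from typing import Callable, Dict, Optional

# Per-user record (hypothetical format): "des" holds the Linux crypt(3) hash
# (salt = first two characters), "bcrypt" is filled in on first successful login.
Entry = Dict[str, Optional[str]]


def _crypt(password: str, setting: str) -> str:
    """crypt(3) via the stdlib; deferred import because Python 3.13 dropped the module."""
    import crypt
    return crypt.crypt(password, setting)


def _bcrypt_setting() -> str:
    """Fresh "$2b$..." salt; needs a libc/libxcrypt with bcrypt (OpenBSD, most Linux)."""
    import crypt
    return crypt.mksalt(crypt.METHOD_BLOWFISH)


def login(entries: Dict[str, Entry], user: str, password: str,
          crypt_fn: Callable[[str, str], str] = _crypt,
          new_setting: Callable[[], str] = _bcrypt_setting) -> bool:
    """Authenticate the way ckpasswd does, preferring the bcrypt hash once it exists.

    crypt(pw, stored_hash) re-derives the hash from the salt embedded in stored_hash,
    for both DES ("Mb...") and bcrypt ("$2b$...") settings, so one path checks either.
    """
    entry = entries.get(user)
    if entry is None:
        return False
    stored = entry.get("bcrypt") or entry.get("des")
    if not stored or not hmac.compare_digest(crypt_fn(password, stored), stored):
        return False
    if not entry.get("bcrypt"):
        # The plaintext only exists at login time: this is the one moment the
        # bcrypt hash can be produced without the user doing anything.
        entry["bcrypt"] = crypt_fn(password, new_setting())
    return True


def export_migrated(entries: Dict[str, Entry]) -> str:
    """htpasswd-style 'user:hash' lines for users who already have a bcrypt hash."""
    return "".join(f"{u}:{e['bcrypt']}\n" for u, e in sorted(entries.items()) if e.get("bcrypt"))


if __name__ == "__main__":
    # Constructed record using the thread's own example (htpasswd -nbd test test).
    users = {"test": {"des": "MbfD9Vq5SL5aE", "bcrypt": None}}
    print("login ok:", login(users, "test", "test"))  # needs DES crypt, i.e. the Linux box
    print(export_migrated(users), end="")
```

Users who never log in again are exactly the ones left out of `export_migrated`, which is the list to chase before cutting the Linux box over.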