Re: OpenVPN, tap interface and bridge

2015-11-03 Thread Adam Wysocki
Stuart Henderson wrote:

> On 5.8 and earlier:
> 
> # ifconfig tun1 link0
> 
> Then you'll be able to add it to the bridge.

Thanks Giancarlo and Stuart! That solved it.

> On -current (and will be the case for 5.9), use e.g. 'dev tap1' instead
> (and add tap1 to the bridge interface).

I'll keep that in mind, thanks.

> I note you say "assign IP address directly to a bridge" - that isn't how
> it works in OpenBSD, you should assign the IP to a member interface
> of the bridge.

Okay, I did it (for em0). em0, tun0 and tun1 are now in the bridge and, as 
long as em0 is not involved, the bridge is working fine (machines see each 
other and the box). However, there is another problem.

I have four machines, let's call them:

- mtcp - Windows 7 machine connected to OpenVPN with TCP
- mudp - Linux machine connected to OpenVPN over UDP
- meth - Linux machine connected directly to em0
- mbsd - OpenBSD server with bridge

Machines mtcp and mudp communicate with each other and with mbsd without 
any problems. Machine meth and mbsd also communicate with each other.

However, when I try to ping mtcp from meth, this is what happens.

1. meth sends an ARP request, receives a reply and starts sending ICMP packets. 
This can be seen in tcpdump on the meth side (tcpdump -i eth2 -n host 
172.24.40.6):

11:12:59.235984 ARP, Request who-has 172.24.40.6 tell 172.24.40.2, length 28
11:12:59.445795 ARP, Reply 172.24.40.6 is-at 00:50:b6:11:XX:XX, length 46
11:12:59.445820 IP 172.24.40.2 > 172.24.40.6: ICMP echo request, id 26368, seq 1, length 64
11:13:00.243925 IP 172.24.40.2 > 172.24.40.6: ICMP echo request, id 26368, seq 2, length 64
11:13:01.251932 IP 172.24.40.2 > 172.24.40.6: ICMP echo request, id 26368, seq 3, length 64

2. mbsd sees only the ARP request and reply, but does not see the ICMP requests 
(tcpdump -i bridge0 -n host 172.24.40.6), so of course these requests are 
not forwarded to the pinged box (meth):

11:12:59.508367 arp who-has 172.24.40.6 tell 172.24.40.2
11:12:59.717785 arp reply 172.24.40.6 is-at 00:50:b6:11:XX:XX

Any idea what can be wrong?

-- 
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"
http://www.chmurka.net/
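Added example, not code from the thread: a POSIX shell helper that prints the ifconfig(8) commands for the setup Stuart describes above (tun in tap mode needs link0 on 5.8 and earlier, a tap(4) interface on -current/5.9, and the IP goes on a member interface rather than on bridge0), plus the matching OpenVPN "dev" lines. The bridge name bridge0, the box's own address 172.24.40.1/24 and the member list em0 tun0 tun1 are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Prints, rather than runs, the
# commands so the result can be reviewed before it goes into hostname.if(5).
# Assumptions: bridge0, 172.24.40.1/24 and the members are placeholders.

# bridge_cmds RELEASE BRIDGE IP NETMASK MEMBER...  (RELEASE: "5.8" or "current")
# The first MEMBER receives the address; bridge(4) itself carries none.
bridge_cmds() {
    release=$1; br=$2; ip=$3; mask=$4
    shift 4
    addr_if=$1
    printf 'ifconfig %s create\n' "$br"
    for m in "$@"; do
        case "$release:$m" in
            current:tun*)
                # -current/5.9: bridge a tap(4) interface instead of tun
                echo "error: on $release use tap${m#tun} instead of $m" >&2
                return 1 ;;
            *:tun*)
                # 5.8 and earlier: link0 is required before a tun can join a bridge
                printf 'ifconfig %s link0\n' "$m" ;;
        esac
        printf 'ifconfig %s up\n' "$m"
        printf 'ifconfig %s add %s\n' "$br" "$m"
    done
    # the address goes on a member interface, never on the bridge
    printf 'ifconfig %s inet %s netmask %s\n' "$addr_if" "$ip" "$mask"
    printf 'ifconfig %s up\n' "$br"
}

# openvpn_dev RELEASE N -> the "dev" lines for the OpenVPN server config
openvpn_dev() {
    case $1 in
        current) printf 'dev tap%s\n' "$2" ;;
        *)       printf 'dev tun%s\ndev-type tap\n' "$2" ;;
    esac
}

bridge_cmds 5.8 bridge0 172.24.40.1 255.255.255.0 em0 tun0 tun1
openvpn_dev 5.8 1
```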



OpenVPN, tap interface and bridge

2015-11-02 Thread Adam Wysocki
Hi,

I have an OpenVPN server running on OpenBSD. I use a tunX interface in tap
mode (as far as I know, it's the OpenBSD equivalent of the tapX interface on
Linux, so it should be bridgeable):

dev tun1
dev-type tap

No IP is assigned to this interface, because I want to bridge two OpenVPN
interfaces and one Ethernet interface and assign IP address directly to a
bridge.

OpenVPN is running and ifconfig looks like this:

tun1: flags=8051 mtu 1500
priority: 0
groups: tun
status: active

However:

gof@bsd:~$ sudo ifconfig bridge0 create
gof@bsd:~$ sudo ifconfig bridge0 add tun1
ifconfig: bridge0: tun1: Invalid argument

Bridge ifconfig:

bridge0: flags=0<>
groups: bridge
priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp

Can I do something to solve it?

-- 
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"
http://www.chmurka.net/



Re: OpenVPN, tap interface and bridge

2015-11-02 Thread Adam Wysocki
Dag Richards wrote:

> I run OpenVPN on a pair of carped up gateways 

With bridge between OpenVPN interface and other interfaces?

> What are you trying to achieve with this very odd sounding config.
> There may be a more straightforward way to get there.

Ok, so I'll tell you exactly what I want to do.

I have a private network of machines in various locations. These machines 
are running different systems (Linux, Win7) and need to be connected with 
a VPN. Some of them can connect only to a certain TCP port (because they are 
behind a fascist firewall) and some of them have less restricted network 
access and are able to communicate using UDP. To make it more complicated, 
one of these machines can connect directly to the OpenBSD box with a 
dedicated fast Ethernet interface, so I'd like to use that interface.

The OpenBSD box acts as a server for all these machines.

So we have three interfaces:

tun0 - for VPN clients connecting with TCP
tun1 - for VPN clients communicating with UDP
em0 - direct, fast interface for one client

There is also an em1 interface for outbound traffic (with a public IP).

Now all machines connect to the VPN using TCP, but I want to switch the 
UDP-capable ones to UDP and the one Ethernet-capable box to Ethernet (now this 
Ethernet connection is completely separate, with separate addressing). What 
I need to do is to have these three interfaces bridged together with one 
common IP address, so all computers in the VPN will be visible to each other.

Take care.

-- 
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"
http://www.chmurka.net/



Downgrade from 5.8-current to 5.8 release

2015-11-01 Thread Adam Wysocki
Hi,

I have a problem. I mistakenly installed OpenBSD 5.8-current (I thought it 
was 5.8 release). Everything is set up, configured and live, but now 
pkg_add fails, because libc version has changed.


Can't install p5-Crypt-OpenSSL-Random-0.10 because of libraries
|library c.84.0 not found
| /usr/lib/libc.so.83.0 (system): bad major
-

As I don't want to use snapshots and follow -current, is there an easy way 
to downgrade my installation to 5.8 release without losing my 
configuration? I thought about just untarring the appropriate tgz packages 
(base58.tgz, copying /bsd etc.) and recompiling the one program that I 
installed manually (because it now uses libs from my installed snapshot), 
but I am almost certain I would lose my configuration this way...

-- 
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"
http://www.chmurka.net/



Re: Downgrade from 5.8-current to 5.8 release

2015-11-01 Thread Adam Wysocki
Nick Holland wrote:

> Only supported way (i.e., devs and I won't laugh at you when you
> complain about the results) is to wipe and reload.

I thought there was an easier way :(

Ok, so I'll wipe and reinstall. Thanks.

-- 
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"
http://www.chmurka.net/



Re: Linux crypt(3)

2015-10-19 Thread Adam Wysocki
Thank you for all the replies!

On Sat, 17 Oct 2015, Devin Reade wrote:

> As you're looking into solutions, make sure you're looking at the right
> problem. Your text sounds like you're migrating system account passwords,

I'm not. These are passwords for the news server. Users are authenticated 
using ckpasswd, which uses crypt().

On Sat, 17 Oct 2015, Adam Wolk wrote:

> Don't know if it works out for you but you could generate ssh keys for
> existing accounts and allow users to access the new system using that
> provided ssh key & set the passwords themselves (or just keep using key
> auth and disabling passwords :)).

I don't want to force users to do anything, I want this change to be 
transparent to them...

-- 
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"



Re: Linux crypt(3)

2015-10-19 Thread Adam Wysocki
On Mon, 19 Oct 2015, Adam Van Ymeren wrote:

> Could you modify the existing linux system to also output a suitable
> bcrypt hash for their password the next time they log in.

Yes, that's a great idea. It didn't cross my mind before. Thank you!

-- 
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"



Linux crypt(3)

2015-10-17 Thread Adam Wysocki
Hi misc,

I'm migrating one of my servers from Linux to OpenBSD and I need a method 
to authenticate users based on passwords treated with the Linux crypt() 
function. Passwords are encrypted with salted DES, without glibc2 
extensions. For example:

$ htpasswd -nbd test test
test:MbfD9Vq5SL5aE

Where "Mb" is a random salt and the rest is the encrypted password.

As the OpenBSD crypt() function differs from the one in Linux libc and returns 
NULL for the setting "Mb", before I start porting it from libc, maybe you have 
an easier solution? Maybe there is a library I can use (other than the 
whole bloated Linux libc)?

Kind regards.

-- 
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"
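Added example, not code from the thread: a POSIX shell inventory for the migration plan discussed above (rehash to bcrypt at next login). It reads user:hash lines in the format htpasswd -d produces, tells traditional DES crypt hashes (13 characters, the first two being the salt, "Mb" in the post) apart from bcrypt and other "$id$" schemes, and lists the accounts that still need a new hash. The sample lines are constructed; only the first one is a real DES hash, taken from the post.

```shell
#!/bin/sh
# Added example (not from the thread): find accounts whose stored hash is
# traditional DES crypt, i.e. the ones OpenBSD's crypt() returns NULL for
# and that still need a bcrypt hash written at their next login.

# hash_scheme HASH -> prints des | bcrypt | modular | unknown
hash_scheme() {
    case $1 in
        '$2a$'*|'$2b$'*|'$2y$'*)
            echo bcrypt ;;
        '$'*)
            # other "$id$..." schemes (glibc MD5/SHA extensions and the like)
            echo modular ;;
        *)
            # traditional DES: exactly 13 chars from [./0-9A-Za-z],
            # the first two of which are the salt
            if [ "${#1}" -eq 13 ] &&
               [ -z "$(printf %s "$1" | tr -d './0-9A-Za-z')" ]; then
                echo des
            else
                echo unknown
            fi ;;
    esac
}

# des_accounts < FILE -> "user salt" for every DES-hashed account
des_accounts() {
    while IFS=: read -r user hash; do
        [ "$(hash_scheme "$hash")" = des ] || continue
        salt=${hash%"${hash#??}"}      # first two characters
        printf '%s %s\n' "$user" "$salt"
    done
}

# constructed sample file: only "test" carries a real DES hash (from the post)
SAMPLE='test:MbfD9Vq5SL5aE
alice:$2b$10$CONSTRUCTED.NOT.A.REAL.BCRYPT.HASH.XXXXXXXXXXXXXXXXXXXXXX
bob:$6$CONSTRUCTED$NOT.A.REAL.SHA512.HASH'

printf '%s\n' "$SAMPLE" | des_accounts
```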