Re: OpenVPN, tap interface and bridge

2015-11-03 Thread Adam Wysocki
Stuart Henderson wrote:

> On 5.8 and earlier:
> 
> # ifconfig tun1 link0
> 
> Then you'll be able to add it to the bridge.

Thanks Giancarlo and Stuart! That solved it.

> On -current (and will be the case for 5.9), use e.g. 'dev tap1' instead
> (and add tap1 to the bridge interface).

I'll keep that in mind, thanks.

> I note you say "assign IP address directly to a bridge" - that isn't how
> it works in OpenBSD, you should assign the IP to a member interface
> of the bridge.

Okay, I did it (for em0). em0, tun0 and tun1 are now in the bridge and as 
long as em0 is not concerned, bridge is working fine (machines see each 
other and the box). However there is another problem.

I have four machines, let's call them:

- mtcp - Windows 7 machine connected to OpenVPN with TCP
- mudp - Linux machine connected to OpenVPN over UDP
- meth - Linux machine connected directly to em0
- mbsd - OpenBSD server with bridge

Machines mtcp and mudp communicate with each other and with mbsd without 
any problems. Machine meth and mbsd also communicate with each other.

However when I try to ping mtcp from meth, this is what happens.

1. meth sends arp request, receives reply and starts sending icmp packets. 
This can be seen in tcpdump on meth side (tcpdump -i eth2 -n host 
172.24.40.6):

11:12:59.235984 ARP, Request who-has 172.24.40.6 tell 172.24.40.2, length 28
11:12:59.445795 ARP, Reply 172.24.40.6 is-at 00:50:b6:11:XX:XX, length 46
11:12:59.445820 IP 172.24.40.2 > 172.24.40.6: ICMP echo request, id 26368, seq 1, length 64
11:13:00.243925 IP 172.24.40.2 > 172.24.40.6: ICMP echo request, id 26368, seq 2, length 64
11:13:01.251932 IP 172.24.40.2 > 172.24.40.6: ICMP echo request, id 26368, seq 3, length 64

2. mbsd sees only arp request and reply, but does not see icmp requests 
(tcpdump -i bridge0 -n host 172.24.40.6), so of course these requests are 
not forwarded to the pinged box (meth):

11:12:59.508367 arp who-has 172.24.40.6 tell 172.24.40.2
11:12:59.717785 arp reply 172.24.40.6 is-at 00:50:b6:11:XX:XX

Any idea what can be wrong?

-- 
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"
http://www.chmurka.net/



OpenVPN, tap interface and bridge

2015-11-02 Thread Adam Wysocki
Hi,

I have an OpenVPN server running on OpenBSD. I use tunX interface in tap
mode (as far as I know, it's the OpenBSD equivalent of tapX interface from
Linux, so it should be bridgeable):

dev tun1
dev-type tap

No IP is assigned to this interface, because I want to bridge two OpenVPN
interfaces and one Ethernet interface and assign IP address directly to a
bridge.

OpenVPN is running and ifconfig looks like that:

tun1: flags=8051 mtu 1500
priority: 0
groups: tun
status: active

However:

gof@bsd:~$ sudo ifconfig bridge0 create
gof@bsd:~$ sudo ifconfig bridge0 add tun1
ifconfig: bridge0: tun1: Invalid argument

Bridge ifconfig:

bridge0: flags=0<>
groups: bridge
priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp

Can I do something to solve it?

-- 
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"
http://www.chmurka.net/



Re: OpenVPN, tap interface and bridge

2015-11-02 Thread Adam Wysocki
Dag Richards wrote:

> I run OpenVPN on a pair of carped up gateways 

With bridge between OpenVPN interface and other interfaces?

> What are you trying to achieve with this very odd sounding config.
> There may be a more straightforward way to get there.

Ok, so I'll tell exactly what I want to do.

I have a private network of machines in various locations. These machines 
are running different systems (Linux, Win7) and need to be connected with 
a VPN. Some of them can connect only to certain TCP port (because they are 
behind a fascist firewall) and some of them have less restricted network 
access and are able to communicate using UDP. To make it more complicated, 
one of these machines can connect directly to the OpenBSD box with a 
dedicated fast Ethernet interface, so I'd like to use that interface.

OpenBSD box acts as a server for all these machines.

So we have three interfaces:

tun0 - for VPN clients connecting with TCP
tun1 - for VPN clients communicating with UDP
em0 - direct, fast interface for one client

There is also em1 interface for outbound traffic (with public IP).

Now all machines connect to the VPN using TCP, but I want to switch these 
UDP-capable to UDP and this one Ethernet-capable box to Ethernet (now this 
Ethernet connection is completely separate, with separate addressing). What 
I need to do is to have these three interfaces bridged together with one 
common IP address, so all computers in a VPN will be visible to each other.

Take care.

-- 
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"
http://www.chmurka.net/



Re: OpenVPN, tap interface and bridge

2015-11-02 Thread Dag Richards

I run OpenVPN on a pair of carped up gateways 

What are you trying to achieve with this very odd sounding config.
There may be a more straightforward way to get there.


Adam Wysocki wrote:

Hi,

I have an OpenVPN server running on OpenBSD. I use tunX interface in tap
mode (as far as I know, it's the OpenBSD equivalent of tapX interface from
Linux, so it should be bridgeable):

dev tun1
dev-type tap

No IP is assigned to this interface, because I want to bridge two OpenVPN
interfaces and one Ethernet interface and assign IP address directly to a
bridge.

OpenVPN is running and ifconfig looks like that:

tun1: flags=8051 mtu 1500
priority: 0
groups: tun
status: active

However:

gof@bsd:~$ sudo ifconfig bridge0 create
gof@bsd:~$ sudo ifconfig bridge0 add tun1
ifconfig: bridge0: tun1: Invalid argument

Bridge ifconfig:

bridge0: flags=0<>
groups: bridge
priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp

Can I do something to solve it?



--
Dag H. Richards  ( no title / no lettres )

The first rule of tautology club is the first rule of tautology club.

This message may or may not contain proprietary information.
Since it is being relayed by SMTP across an unknown number of
relays to its destination, using a protocol that is traditionally
plain ASCII, it's silly to pretend it is still confidential.
If you are not the intended recipient of this message,
there is simply nothing I can do about that. Attempting to bind you
to some destruction protocol through this windbag sig paragraph is
Quixotic at best..



Re: OpenVPN, tap interface and bridge

2015-11-02 Thread Giancarlo Razzolini
On 02-11-2015 17:10, Adam Wysocki wrote:
> OpenVPN is running and ifconfig looks like that:
>
> tun1: flags=8051 mtu 1500
> priority: 0
> groups: tun
> status: active
From tun(4) man page:

     Both layer 3 and layer 2 tunneling is supported; layer 3 tunneling is the
     default mode.  To enable layer 2 tunneling mode, where the tun interface
     simulates an Ethernet network interface, the link0 flag needs to be set
     with ifconfig(8) or by setting up a hostname.if(5) configuration file for
     netstart(8).  Note that setting or unsetting the link0 flag causes tun to
     lose any configuration settings, and that it is not advisable to use the
     flag with any other parameters.

I don't see link0 being set on your interface, at least on your ifconfig
output. It won't work in tap mode without it. As for assigning the ip
address, you can't assign one directly to a bridge interface. You need a
vether(4) one for that. But, if what you want is to bridge an internal
lan with an OpenVPN interface, for making any client being able to
operate on your LAN as if they were physically present, you don't need
an ip address on the bridge, only on the internal LAN interface.

Cheers,
Giancarlo Razzolini



Re: OpenVPN, tap interface and bridge

2015-11-02 Thread Stuart Henderson
On 2015-11-02, Adam Wysocki wrote:
> Hi,
>
> I have an OpenVPN server running on OpenBSD. I use tunX interface in tap
> mode (as far as I know, it's the OpenBSD equivalent of tapX interface from
> Linux, so it should be bridgeable):
>
> dev tun1
> dev-type tap
>
> No IP is assigned to this interface, because I want to bridge two OpenVPN
> interfaces and one Ethernet interface and assign IP address directly to a
> bridge.
>
> OpenVPN is running and ifconfig looks like that:
>
> tun1: flags=8051 mtu 1500
> priority: 0
> groups: tun
> status: active
>
> However:
>
> gof@bsd:~$ sudo ifconfig bridge0 create
> gof@bsd:~$ sudo ifconfig bridge0 add tun1
> ifconfig: bridge0: tun1: Invalid argument

On 5.8 and earlier:

# ifconfig tun1 link0

Then you'll be able to add it to the bridge.

On -current (and will be the case for 5.9), use e.g. 'dev tap1' instead
(and add tap1 to the bridge interface).

I note you say "assign IP address directly to a bridge" - that isn't how
it works in OpenBSD, you should assign the IP to a member interface
of the bridge.
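As an added example (not code from the thread, from the OpenBSD project or from OpenVPN), the POSIX shell script below writes the hostname.if(5) files for the three-member bridge described earlier in the thread (tun0 for TCP clients, tun1 for UDP clients, em0 for the wired client), following the advice in Giancarlo's and Stuart's replies for 5.8 and earlier: link0 is written alone on each tun interface because tun(4) warns that setting it drops other settings, the address goes on the em0 member rather than on bridge0, and bridge0 only lists its members. The server address 172.24.40.1/24 is an assumption (the thread only shows the client addresses 172.24.40.2 and 172.24.40.6); the output directory is a parameter so the files can be staged and checked before being installed into /etc.

```shell
#!/bin/sh
# Added example: stage hostname.if(5) files for a bridged layer-2 OpenVPN
# setup on OpenBSD 5.8 (tun + link0). Not code from the thread or the project.
set -eu

# Assumed server address on the bridged segment (not given in the thread).
BRIDGE_IP="${BRIDGE_IP:-172.24.40.1}"
BRIDGE_MASK="${BRIDGE_MASK:-255.255.255.0}"

# Write hostname.em0, hostname.tun0, hostname.tun1 and hostname.bridge0
# into $1 (default /etc). Returns 1 if the directory does not exist.
gen_bridge_config() {
    dir="${1:-/etc}"
    [ -d "$dir" ] || return 1

    # The IP lives on a member interface, not on bridge0.
    printf 'inet %s %s NONE\n' "$BRIDGE_IP" "$BRIDGE_MASK" > "$dir/hostname.em0"

    # link0 switches tun(4) to layer 2; it is set on its own line, then "up",
    # since tun(4) says link0 discards any other settings given with it.
    for ifn in tun0 tun1; do
        printf 'link0\nup\n' > "$dir/hostname.$ifn"
    done

    # One "add" per member, then bring the bridge up.
    {
        echo "add em0"
        echo "add tun0"
        echo "add tun1"
        echo "up"
    } > "$dir/hostname.bridge0"

    # hostname.if files are conventionally not world-readable.
    chmod 640 "$dir/hostname.em0" "$dir/hostname.tun0" \
              "$dir/hostname.tun1" "$dir/hostname.bridge0"
}

# Check the staged files: every member listed in hostname.bridge0 must have
# its own hostname.if file, and every tun member must carry link0, because
# without it "ifconfig bridge0 add tunN" fails with "Invalid argument".
# Returns 0 when all checks pass, 1 otherwise.
check_bridge_config() {
    dir="${1:-/etc}"
    rc=0
    for m in $(awk '$1 == "add" { print $2 }' "$dir/hostname.bridge0"); do
        if [ ! -f "$dir/hostname.$m" ]; then
            echo "missing hostname.$m for bridge member $m" >&2
            rc=1
        elif [ "${m#tun}" != "$m" ] && ! grep -qx link0 "$dir/hostname.$m"; then
            echo "$m: link0 not set; bridge add would fail" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage (dry run into a scratch directory, then review):
#   gen_bridge_config /tmp/stage && check_bridge_config /tmp/stage
```

After the files are installed, `sh /etc/netstart` (or a reboot) applies them; because OpenVPN is started later in the boot sequence, the tun interfaces already have link0 set when it opens /dev/tunN. Keep in mind that on -current and 5.9 Stuart's advice applies instead: use `dev tap1` and a hostname.tap1 file, with no link0 flag.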