Re: OpenVPN, tap interface and bridge
Stuart Henderson wrote:

> On 5.8 and earlier:
>
> # ifconfig tun1 link0
>
> Then you'll be able to add it to the bridge.

Thanks Giancarlo and Stuart! That solved it.

> On -current (and will be the case for 5.9), use e.g. 'dev tap1' instead
> (and add tap1 to the bridge interface).

I'll keep that in mind, thanks.

> I note you say "assign IP address directly to a bridge" - that isn't how
> it works in OpenBSD, you should assign the IP to a member interface
> of the bridge.

Okay, I did it (for em0). em0, tun0 and tun1 are now in the bridge and, as long as em0 is not concerned, the bridge is working fine (machines see each other and the box). However, there is another problem.

I have four machines, let's call them:

- mtcp - Windows 7 machine connected to OpenVPN with TCP
- mudp - Linux machine connected to OpenVPN over UDP
- meth - Linux machine connected directly to em0
- mbsd - OpenBSD server with bridge

Machines mtcp and mudp communicate with each other and with mbsd without any problems. Machines meth and mbsd also communicate with each other. However, when I try to ping mtcp from meth, this is what happens.

1. meth sends an ARP request, receives a reply and starts sending ICMP packets. This can be seen in tcpdump on the meth side (tcpdump -i eth2 -n host 172.24.40.6):

11:12:59.235984 ARP, Request who-has 172.24.40.6 tell 172.24.40.2, length 28
11:12:59.445795 ARP, Reply 172.24.40.6 is-at 00:50:b6:11:XX:XX, length 46
11:12:59.445820 IP 172.24.40.2 > 172.24.40.6: ICMP echo request, id 26368, seq 1, length 64
11:13:00.243925 IP 172.24.40.2 > 172.24.40.6: ICMP echo request, id 26368, seq 2, length 64
11:13:01.251932 IP 172.24.40.2 > 172.24.40.6: ICMP echo request, id 26368, seq 3, length 64

2. mbsd sees only the ARP request and reply, but does not see the ICMP requests (tcpdump -i bridge0 -n host 172.24.40.6), so of course these requests are not forwarded to the pinged box (meth):

11:12:59.508367 arp who-has 172.24.40.6 tell 172.24.40.2
11:12:59.717785 arp reply 172.24.40.6 is-at 00:50:b6:11:XX:XX

Any idea what can be wrong?

--
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"
http://www.chmurka.net/
OpenVPN, tap interface and bridge
Hi,

I have an OpenVPN server running on OpenBSD. I use a tunX interface in tap mode (as far as I know, it's the OpenBSD equivalent of the tapX interface from Linux, so it should be bridgeable):

dev tun1
dev-type tap

No IP is assigned to this interface, because I want to bridge two OpenVPN interfaces and one Ethernet interface and assign the IP address directly to a bridge.

OpenVPN is running and ifconfig looks like that:

tun1: flags=8051 mtu 1500
        priority: 0
        groups: tun
        status: active

However:

gof@bsd:~$ sudo ifconfig bridge0 create
gof@bsd:~$ sudo ifconfig bridge0 add tun1
ifconfig: bridge0: tun1: Invalid argument

Bridge ifconfig:

bridge0: flags=0<>
        groups: bridge
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp

Can I do something to solve it?

--
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"
http://www.chmurka.net/
Re: OpenVPN, tap interface and bridge
Dag Richards wrote:

> I run OpenVPN on a pair of carped up gateways

With a bridge between the OpenVPN interface and other interfaces?

> What are you trying to achieve with this very odd sounding config.
> There may be a more straightforward way to get there.

Ok, so I'll tell exactly what I want to do.

I have a private network of machines in various locations. These machines are running different systems (Linux, Win7) and need to be connected with a VPN. Some of them can connect only to a certain TCP port (because they are behind a fascist firewall) and some of them have less restricted network access and are able to communicate using UDP. To make it more complicated, one of these machines can connect directly to the OpenBSD box with a dedicated fast Ethernet interface, so I'd like to use that interface. The OpenBSD box acts as a server for all these machines.

So we have three interfaces:

tun0 - for VPN clients connecting with TCP
tun1 - for VPN clients communicating with UDP
em0 - direct, fast interface for one client

There is also an em1 interface for outbound traffic (with public IP).

Now all machines connect to the VPN using TCP, but I want to switch the UDP-capable ones to UDP and this one Ethernet-capable box to Ethernet (now this Ethernet connection is completely separate, with separate addressing). What I need to do is to have these three interfaces bridged together with one common IP address, so all computers in the VPN will be visible to each other.

Take care.

--
"qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"
http://www.chmurka.net/
Re: OpenVPN, tap interface and bridge
I run OpenVPN on a pair of carped up gateways.

What are you trying to achieve with this very odd sounding config? There may be a more straightforward way to get there.

Adam Wysocki wrote:

> Hi,
>
> I have an OpenVPN server running on OpenBSD. I use a tunX interface in tap mode (as far as I know, it's the OpenBSD equivalent of the tapX interface from Linux, so it should be bridgeable):
>
> dev tun1
> dev-type tap
>
> No IP is assigned to this interface, because I want to bridge two OpenVPN interfaces and one Ethernet interface and assign the IP address directly to a bridge.
>
> OpenVPN is running and ifconfig looks like that:
>
> tun1: flags=8051 mtu 1500
>         priority: 0
>         groups: tun
>         status: active
>
> However:
>
> gof@bsd:~$ sudo ifconfig bridge0 create
> gof@bsd:~$ sudo ifconfig bridge0 add tun1
> ifconfig: bridge0: tun1: Invalid argument
>
> Bridge ifconfig:
>
> bridge0: flags=0<>
>         groups: bridge
>         priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
>
> Can I do something to solve it?

--
Dag H. Richards ( no title / no lettres )
The first rule of tautology club is the first rule of tautology club.

This message may or may not contain proprietary information. Since it is being relayed by SMTP across an unknown number of relays to its destination, using a protocol that is traditionally plain ASCII, it's silly to pretend it is still confidential. If you are not the intended recipient of this message, there is simply nothing I can do about that. Attempting to bind you to some destruction protocol through this windbag sig paragraph is Quixotic at best.
Re: OpenVPN, tap interface and bridge
On 02-11-2015 17:10, Adam Wysocki wrote:

> OpenVPN is running and ifconfig looks like that:
>
> tun1: flags=8051 mtu 1500
>         priority: 0
>         groups: tun
>         status: active

From the tun(4) man page:

    Both layer 3 and layer 2 tunneling is supported; layer 3 tunneling is
    the default mode. To enable layer 2 tunneling mode, where the tun
    interface simulates an Ethernet network interface, the link0 flag needs
    to be set with ifconfig(8) or by setting up a hostname.if(5)
    configuration file for netstart(8). Note that setting or unsetting the
    link0 flag causes tun to lose any configuration settings, and that it
    is not advisable to use the flag with any other parameters.

I don't see link0 being set on your interface, at least in your ifconfig output. It won't work in tap mode without it.

As for assigning the IP address, you can't assign one directly to a bridge interface. You need a vether(4) one for that. But if what you want is to bridge an internal LAN with an OpenVPN interface, so that any client is able to operate on your LAN as if it were physically present, you don't need an IP address on the bridge, only on the internal LAN interface.

Cheers,
Giancarlo Razzolini
Re: OpenVPN, tap interface and bridge
On 2015-11-02, Adam Wysocki wrote:

> Hi,
>
> I have an OpenVPN server running on OpenBSD. I use tunX interface in tap
> mode (as far as I know, it's the OpenBSD equivalent of tapX interface from
> Linux, so it should be bridgeable):
>
> dev tun1
> dev-type tap
>
> No IP is assigned to this interface, because I want to bridge two OpenVPN
> interfaces and one Ethernet interface and assign IP address directly to a
> bridge.
>
> OpenVPN is running and ifconfig looks like that:
>
> tun1: flags=8051 mtu 1500
>         priority: 0
>         groups: tun
>         status: active
>
> However:
>
> gof@bsd:~$ sudo ifconfig bridge0 create
> gof@bsd:~$ sudo ifconfig bridge0 add tun1
> ifconfig: bridge0: tun1: Invalid argument

On 5.8 and earlier:

# ifconfig tun1 link0

Then you'll be able to add it to the bridge.

On -current (and will be the case for 5.9), use e.g. 'dev tap1' instead (and add tap1 to the bridge interface).

I note you say "assign IP address directly to a bridge" - that isn't how it works in OpenBSD, you should assign the IP to a member interface of the bridge.
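As an added example (not code posted by anyone in this thread), the script below makes the advice from the last two replies persistent through hostname.if(5) files on OpenBSD 5.8 and earlier: tun0 and tun1 get the link0 flag before anything else, the IP address goes on the member interface em0 rather than on bridge0, and bridge0 lists its members. It also decodes the hex flags word of an ifconfig(8) line to check whether link0 (IFF_LINK0, 0x1000 in OpenBSD's sys/net/if.h) is already set, which is how one can tell from the output quoted above that the interface is still in layer 3 mode. The interface names follow the thread; the address 172.24.40.1/24 for em0 and the output directory argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: persistent bridge configuration for
# two OpenVPN layer-2 tun(4) interfaces plus em0 on OpenBSD 5.8.
# On -current / 5.9 you would use "dev tap1" in OpenVPN and a
# hostname.tap1 containing only "up"; no link0 flag is involved there.

# Decode the hex flags word of an ifconfig(8) line such as
# "tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500" and
# report whether IFF_LINK0 (0x1000) is set.
# Exit status: 0 = link0 set, 1 = not set, 2 = no flags word found.
link0_set() {
    flags=$(printf '%s\n' "$1" | sed -n 's/.*flags=\([0-9a-fA-F]*\).*/\1/p')
    [ -n "$flags" ] || return 2
    [ $(( 0x$flags & 0x1000 )) -ne 0 ]
}

# Contents of /etc/hostname.tunN for a layer-2 (tap mode) tun interface.
# link0 is on its own line and comes first: tun(4) says setting it
# discards any other configuration, so nothing may precede it.
tun_l2_config() {
    printf 'link0\nup\n'
}

# Contents of /etc/hostname.em0: the address lives on a member
# interface, never on bridge0 itself. $1 = address, $2 = netmask.
member_ip_config() {
    printf 'inet %s %s\n' "$1" "$2"
}

# Contents of /etc/hostname.bridge0: one "add" line per member, then up.
bridge_config() {
    for ifn in "$@"; do
        printf 'add %s\n' "$ifn"
    done
    printf 'up\n'
}

# Write all four files into directory $1 (use /etc on the real box, then
# run "sh /etc/netstart"). The OpenVPN instances keep their own
# "dev tunN" / "dev-type tap" settings; they just open an interface that
# is already in layer-2 mode. 172.24.40.1/24 is a constructed sample.
write_configs() {
    dir=$1
    tun_l2_config > "$dir/hostname.tun0"
    tun_l2_config > "$dir/hostname.tun1"
    member_ip_config 172.24.40.1 255.255.255.0 > "$dir/hostname.em0"
    bridge_config em0 tun0 tun1 > "$dir/hostname.bridge0"
}

# Usage: sh bridge-config.sh /etc
if [ $# -gt 0 ]; then
    write_configs "$1"
fi
```

The flags word in the thread, 8051, is UP (0x1), POINTOPOINT (0x10), RUNNING (0x40) and MULTICAST (0x8000); after "ifconfig tun1 link0" it reads 9051, and only then does "ifconfig bridge0 add tun1" succeed on 5.8.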