2 total messages Started by "werther" Fri, 12 Nov 2010 17:07
[FreeBSD 8] OpenVPN bridge
#22037
Author: "werther"
Date: Fri, 12 Nov 2010 17:07
160 lines
5320 bytes
Hello,

I have a problem with my OpenVPN configuration, possibly a trivial one, but this is the first time
I am setting this up, so please bear with me and point me in the right direction if needed.

OpenVPN connects, using a key and PAM; TAP (v.9) on Win7 gets an address from the
correct pool, but unfortunately that is where it ends. I can ping the OpenVPN server's
IP (10.10.10.212) and my own assigned address, but I cannot see any host on the
subnet.

I followed:
http://www.isgsp.net/freebsd/freebsd-openvpn.html
http://blog.hongens.nl/guides/setting-up-openvpn-using-radius-on-freebsd/

rc.conf looks like this:
----------------------------------------------------------
defaultrouter="10.10.10.1"
hostname="xxx"
ifc
gateway_enable="YES"
openvpn_enable="YES"
openvpn_if="tap bridge"
openvpn_c
openvpn_flags="--script-security 2"
----------------------------------------------------------

server.conf like this:
----------------------------------------------------------
cd /usr/local/etc/openvpn
up /usr/local/etc/openvpn/server-up.sh
down /usr/local/etc/openvpn/server-down.sh
daemon
port 1194
proto tcp
dev tap0
tls-server
tls-auth /usr/local/etc/openvpn/easy-rsa/ta.key 0
cipher AES-256-CBC
ca /usr/local/etc/openvpn/easy-rsa/keys/ca.crt
cert /usr/local/etc/openvpn/easy-rsa/keys/server.crt
key /usr/local/etc/openvpn/easy-rsa/keys/server.key
dh /usr/local/etc/openvpn/easy-rsa/keys/dh1024.pem
client-cert-not-required
username-as-common-name
plugin /usr/local/lib/openvpn-auth-pam.so common-auth
server-bridge 10.10.10.212 255.255.255.0 10.10.10.171 10.10.10.199
client-to-client
keepalive 12 120
duplicate-cn
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
push "redirect-gateway local"
push "dhcp-option DNS 10.10.10.211"
push "dhcp-option WINS 10.10.10.210"
push "dhcp-option DOMAIN xxxxxx"
status /var/openvpn/openvpn-status.log
log-append /var/log/openvpn.log
verb 5
----------------------------------------------------------
though this is already the result of many different attempts, so some options may be
redundant.
I tried setting the first option in server-bridge to the main gateway's IP,
10.10.10.1, but with the same result.

server-up.sh
----------------------------------------------------------
#!/bin/sh
/sbin/ifconfig bridge0 create
/sbin/ifconfig bridge0 addm em0 addm $dev up
/sbin/ifconfig $dev up
----------------------------------------------------------

server-down.sh
----------------------------------------------------------
#!/bin/sh
/sbin/ifconfig bridge0 deletem $dev
/sbin/ifconfig bridge0 destroy
/sbin/ifconfig $dev destroy
----------------------------------------------------------

The client configuration is:
----------------------------------------------------------
client
remote xxx.xxx.xxx.xxx 1194
dev tap
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert test1.crt
key test1.key
tls-auth ta.key 1
cipher AES-256-CBC
ns-cert-type server
comp-lzo
verb 5
auth-user-pass
tls-client
----------------------------------------------------------

Not a trace of errors in syslog.

The bridge comes up:
----------------------------------------------------------
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:0c:29:94:2d:3e
	inet 10.10.10.212 netmask 0xffffff00 broadcast 10.10.10.255
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=3<RXCSUM,TXCSUM>
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
	inet6 ::1 prefixlen 128
	inet 127.0.0.1 netmask 0xff000000
	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	ether 00:bd:ef:b1:09:00
	Opened by PID 7960
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 36:2a:df:8c:ef:f7
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
	member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 4 priority 128 path cost 2000000
	member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 1 priority 128 path cost 20000
----------------------------------------------------------

The network layout, and what I need to achieve, looks like this:

                                                           / OpenVPN server 10.10.10.212
Win client ----> router xxx.xxx.xxx.xxx (ext.) 10.10.10.1 (int.)
                                                           \ Server 1  10.10.10.xxx
                                                           \ Server 2  10.10.10.xxx
                                                           \ Server 3  10.10.10.xxx
                                                           \ Server ...

The Win client should only have access to the service servers on the internal network,
from the address pool assigned in the server-bridge directive in server.conf.

I have been struggling with this for several days now and would be grateful for any help.

Regards,
werther

--
Sent from OnetNiusy: http://niusy.onet.pl
Re: OpenVPN bridge
#22038
Author: tobnet
Date: Sat, 13 Nov 2010 01:56
24 lines
614 bytes
tap0 has no IP address assigned, which is why the bridge does not work

#!/bin/sh
/sbin/ifconfig bridge0 create

# >> assign an IP address from your network to tap0 here

/sbin/ifconfig bridge0 addm em0 addm $dev up
/sbin/ifconfig $dev up

and I would write those last two lines like this:

/sbin/ifconfig bridge0 addm em0 addm tap0 up
here there could also be:
sleep 2
/sbin/ifconfig bridge0 up

oh, and one small piece of advice: after every openvpn restart you have to create the
bridge from scratch, because tap0 loses its IP address :-) best to write a single script
that destroys bridge0, restarts openvpn and creates the bridge again

Regards

Tobiasz
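One script for both the up and down hooks, as an added example (not the original poster's or tobnet's code): it assumes OpenVPN's `dev` and `script_type` environment variables (exported to scripts when `--script-security 2` is set, as rc.conf above does), the `bridge0`/`em0` names from the thread, and an `IFCONFIG` override so it can be dry-run without touching interfaces.

```shell
#!/bin/sh
# Added example, not from the thread: a single OpenVPN up/down script for the
# FreeBSD tap bridge discussed above. OpenVPN exports $dev (e.g. tap0) and
# $script_type ("up" or "down") to the script. IFCONFIG is an assumed override
# so the functions can be exercised without a real bridge.
IFCONFIG="${IFCONFIG:-/sbin/ifconfig}"
BRIDGE="${BRIDGE:-bridge0}"
LAN_IF="${LAN_IF:-em0}"

# Accept only tapN names: the script runs as root, so an unchecked value from
# the environment must never reach ifconfig.
valid_tap() {
    case "$1" in
        tap[0-9]|tap[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Create the bridge only if it does not exist yet, then attach the LAN and tap
# members. Safe to re-run after an OpenVPN restart, which the reply says
# otherwise leaves a stale bridge behind.
bridge_up() {
    tap="$1"
    valid_tap "$tap" || { echo "refusing interface '$tap'" >&2; return 1; }
    "$IFCONFIG" "$BRIDGE" >/dev/null 2>&1 || "$IFCONFIG" "$BRIDGE" create || return 1
    "$IFCONFIG" "$BRIDGE" addm "$LAN_IF" addm "$tap" up || return 1
    "$IFCONFIG" "$tap" up
}

# Detach the tap and destroy the bridge so the next "up" recreates it cleanly.
bridge_down() {
    tap="$1"
    valid_tap "$tap" || { echo "refusing interface '$tap'" >&2; return 1; }
    "$IFCONFIG" "$BRIDGE" deletem "$tap" || return 1
    "$IFCONFIG" "$BRIDGE" destroy
}

# Dispatch on what OpenVPN is doing; when neither variable is set, nothing runs.
case "${script_type:-}" in
    up)   bridge_up "$dev" ;;
    down) bridge_down "$dev" ;;
esac
```

With `user openvpn` in server.conf, OpenVPN runs the down script after dropping privileges, so the down branch may fail unless something else tears the bridge down; the separate restart script the reply suggests is one way around that.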