On Fri, Nov 23, 2012 at 10:01:03PM -0800, Marc Chamberlin wrote:
> From what I can grok about setting up and running an openvpn server, because I want to allow a Windoz client to connect to the server, I need to set up a tap and br interface and set up an ethernet bridge. I have a few questions which I don't seem to be finding answers for -
>
> 1. openvpn supplies a sample script for creating the tap and br interfaces. I know I need to modify it and run the bridge-start script before starting up the openvpn server, and also run the bridge-stop script when shutting down the openvpn service. But where and how is this script incorporated into the boot up/server start up processes if I want the openvpn server to run as an automatic service? I don't see anything that references it in the /etc/openvpn/server.conf file or in the /etc/rc.d/openvpn file.
That's not required. Either use the YaST System Services (runlevel) module and enable the openvpn service or use on the command line chkconfig -a openvpn
> 2. Within the bridge-start script there is a parameter called eth_ip that wants to be set to some IP address. Is this the IP address of the NIC that interfaces my server to my internal LAN?

I never needed to tweak this parameter. I would start with the ifcfg-bridge(5) man page instead. My very basic /etc/sysconfig/network/ifcfg-br0 has:

    BOOTPROTO='dhcp4'
    BRIDGE='yes'
    BRIDGE_FORWARDDELAY='0'
    BRIDGE_PORTS='eth0'
    BRIDGE_STP='off'
    STARTMODE='onboot'
    NAME='Intel Ethernet controller'
> 3. How do I configure SuSEFirewall2 to support the tap and br interfaces? Do I just add these to the "FW_DEV_INT=" setting? (It was previously suggested that I could use the shorewall firewall instead of SuSEFirewall2, but unless SuSEFirewall2 will not support openvpn with an ethernet bridge I am reluctant to learn a whole new tool and figure out how to configure it to support this and all the other settings I currently have set/grokked in SuSEFirewall2)
Nothing special is required to support a bridged network device. For the SuSEfirewall mechanism this is fully transparent.
> 4. The openvpn documentation mentions that my DHCP server cannot send the IP address of the default gateway (currently this is the IP address of the NIC on my server that interfaces to my internal LAN) but I do not see how to configure my DHCP server to differentiate between my laptop when it is connecting from my internal LAN and when it is a "roadwarrior" connecting over the VPN. My dhcpd.conf is configured to give out a static internal IP address to my laptop based on the dhcp id that the laptop sends when it is requesting a lease on the IP address that the DHCP server will assign it. I want to maintain this IP address for my laptop, regardless of whether it is connecting in from the internal LAN or over the VPN. But I do not see how to send out the "option routers" setting in the dhcpd.conf file to react differently based on how the laptop is connecting to the network.

I always keep my VPN users in a separate network from the others. I believe you're adding one extra troublesome requirement here. I would try to solve the other stuff first and keep the setup as simple as possible for the beginning.

Lars
-- 
Lars Müller [ˈlaː(r)z ˈmʏlɐ]
Samba Team + SUSE Labs
SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
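Keeping VPN clients in their own address range, as Lars suggests, only works if that range stays clear of the LAN DHCP pool and of static leases such as the laptop's; the script below is an added example (not from the list post, OpenVPN or SUSE) that checks this, assuming OpenVPN's bridged-mode `server-bridge` directive with an address pool and an ISC dhcpd.conf, with all sample values constructed.

```python
# Added example: check that the OpenVPN bridge pool does not collide with
# the LAN DHCP range or a static lease. Sample configs are constructed.
import ipaddress
import re

# Constructed sample: the relevant line of /etc/openvpn/server.conf.
SERVER_CONF = "server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.220\n"

# Constructed sample: the relevant parts of a dhcpd.conf for the same LAN.
DHCPD_CONF = """
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.199;
  option routers 192.168.1.1;
}
host laptop {
  option dhcp-client-identifier "laptop-id";
  fixed-address 192.168.1.210;
}
"""

def parse_server_bridge(text):
    """Return (bridged network, pool start, pool end) from a server-bridge line."""
    m = re.search(r"^\s*server-bridge\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", text, re.M)
    if not m:
        raise ValueError("no server-bridge line with an address pool found")
    gw, mask, start, end = m.groups()
    net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
    return net, ipaddress.ip_address(start), ipaddress.ip_address(end)

def parse_dhcpd(text):
    """Return the dynamic ranges and fixed addresses declared in dhcpd.conf."""
    ranges = [(ipaddress.ip_address(a), ipaddress.ip_address(b))
              for a, b in re.findall(r"\brange\s+(\S+)\s+(\S+)\s*;", text)]
    fixed = [ipaddress.ip_address(a)
             for a in re.findall(r"fixed-address\s+(\S+)\s*;", text)]
    return ranges, fixed

def find_conflicts(server_conf, dhcpd_conf):
    """List problems found; an empty list means the pools are cleanly separated."""
    net, vstart, vend = parse_server_bridge(server_conf)
    problems = []
    if vstart not in net or vend not in net or vstart > vend:
        problems.append(f"VPN pool {vstart}-{vend} is not a valid range inside {net}")
    ranges, fixed = parse_dhcpd(dhcpd_conf)
    for a, b in ranges:
        if a <= vend and vstart <= b:  # the two intervals intersect
            problems.append(f"DHCP range {a}-{b} overlaps VPN pool {vstart}-{vend}")
    for addr in fixed:
        if vstart <= addr <= vend:
            problems.append(f"static lease {addr} lies inside VPN pool {vstart}-{vend}")
    return problems

if __name__ == "__main__":
    for p in find_conflicts(SERVER_CONF, DHCPD_CONF):
        print("CONFLICT:", p)
```

With the constructed sample the laptop's fixed address falls inside the VPN pool, which is exactly the kind of collision to resolve before the laptop roams between LAN and VPN.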