On 11/24/2012 9:48 AM, Lars Müller wrote:
> On Fri, Nov 23, 2012 at 10:01:03PM -0800, Marc Chamberlin wrote:
>> From what I can grok about setting up and running an openvpn server, because I want to allow a Windoz client to connect to the server, I need to set up a tap and br interface and set up an ethernet bridge. I have a few questions which I don't seem to be finding answers for -
>>
>> 1. openvpn supplies a sample script for creating the tap and br interfaces. I know I need to modify it and run the bridge-start script before starting up the openvpn server, and the bridge-stop script when shutting down the openvpn service. But where and how is this script incorporated into the boot-up/server start-up process if I want the openvpn server to run as an automatic service? I don't see anything that references it in the /etc/openvpn/server.conf file or in the /etc/rc.d/openvpn file.
>
> That's not required.
>
> Either use the YaST System Services (runlevel) module and enable the openvpn service, or run on the command line:
>
>     chkconfig -a openvpn

Thanks Lars for your reply, but my confusion is growing! If the bridge-start script is no longer required to set up the tap0 interface, then how is it to be done in openSuSE? And doesn't this script need to be run each time the server computer is rebooted in order to keep the tap0 and br0 interfaces persistent across reboots? And yes, I plan to enable the openvpn service in the YaST Runlevel module, but I don't fully grok how the tap0 and br0 interfaces are to be defined.....

>> 2. Within the bridge-start script there is a parameter called eth_ip that wants to be set to some IP address. Is this the IP address of the NIC that interfaces my server to my internal LAN?
>
> I never needed to tweak this parameter. I would start with the ifcfg-bridge(5) man page instead.
>
> My very basic /etc/sysconfig/network/ifcfg-br0 has:
>
>     BOOTPROTO='dhcp4'
>     BRIDGE='yes'
>     BRIDGE_FORWARDDELAY='0'
>     BRIDGE_PORTS='eth0'
>     BRIDGE_STP='off'
>     STARTMODE='onboot'
>     NAME='Intel Ethernet controller'

I think I understand that this is how to create the br0 bridge interface manually, though I don't understand how this connects it to the tap0 interface. What is the difference between setting up the br0 interface this way and using the administration utility brctl? Going back to the previously mentioned bridge-start script, it appears to be using the brctl utility to set up the br0 bridge interface, and also to do things like forward all the ports to/from my eth1 and the tap0 interface. Please be patient with me, I am really struggling hard to grok all this!!!!

>> 3. How do I configure SuSEFirewall2 to support the tap and br interfaces? Do I just add these to the "FW_DEV_INT=" setting? (It was previously suggested that I could use the shorewall firewall instead of SuSEFirewall2, but unless SuSEFirewall2 will not support openvpn with an ethernet bridge I am reluctant to learn a whole new tool and figure out how to configure it to support this and all the other settings I currently have set/grokked in SuSEFirewall2.)
>
> Nothing special is required to support a bridged network device. For the SuSEfirewall mechanism this is fully transparent.

OK, I will ignore SuSEfirewall for now... Seems non-intuitive, but then I don't fully comprehend iptables either, so how firewalls work is a bit of a mystery to me....

>> 4. The openvpn documentation mentions that my DHCP server cannot send the IP address of the default gateway (currently this is the IP address of the NIC on my server that interfaces to my internal LAN), but I do not see how to configure my DHCP server to differentiate between my laptop when it is connecting from my internal LAN and when it is a "roadwarrior" connecting over the VPN. My dhcpd.conf is configured to give out a static internal IP address to my laptop based on the dhcp id that the laptop sends when it is requesting a lease on the IP address that the DHCP server will assign it. I want to maintain this IP address for my laptop regardless of whether it is connecting in from the internal LAN or over the VPN. But I do not see how to make the "option routers" setting in the dhcpd.conf file react differently based on how the laptop is connecting to the network.
>
> I always keep my VPN users in a separate network from the others. I believe you're adding one extra troublesome requirement here. I would try to solve the other stuff first and keep the setup as simple as possible for the beginning.

OK, I will use the server-bridge directive for now, until I get this working... I can use a separate range of IP addresses just to get this working, but eventually I have some constraints when I try to use our remote telescope server. That will require that I have a static IP address assigned to each of our computers and laptops, regardless of whether they are connected directly on our internal network or being used remotely as "roadwarriors".

> Lars

--
"The Truth is out there" - Spooky
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
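The following is an added example, not part of the thread above and not Lars' or Marc's configuration. It shows the openSUSE-native replacement for OpenVPN's bridge-start script that the two of them are circling: the sysconfig network scripts create a persistent tap0 (ifcfg-tunnel(5)) and enslave it to br0 next to eth0 (ifcfg-bridge(5)) at boot, so OpenVPN only uses a device that already exists. It also covers Marc's point 4: a client-config-dir entry pins one client to a fixed address in the LAN subnet. Everything concrete is assumed: interface names eth0/tap0/br0, the 192.168.1.0/24 LAN, the 192.168.1.200-220 pool, the client certificate name "laptop", and running the daemon as nobody.

```shell
#!/bin/sh
# Added example (not from the thread): openSUSE sysconfig replacement for
# OpenVPN's bridge-start script. Interface names, addresses and the client
# name "laptop" are assumptions for illustration.
set -eu

# Write ifcfg-eth0, ifcfg-tap0 and ifcfg-br0 into $1 (/etc/sysconfig/network
# on a real host; a scratch directory for a dry run). The tap device is owned
# by the unprivileged user OpenVPN will run as, so the daemon can drop root
# after startup instead of keeping it to create the device itself.
write_bridge_configs() {
    dir="$1"
    # The physical port carries no address of its own; br0 gets the address.
    cat > "$dir/ifcfg-eth0" <<'EOF'
BOOTPROTO='none'
STARTMODE='auto'
EOF
    cat > "$dir/ifcfg-tap0" <<'EOF'
BOOTPROTO='none'
STARTMODE='auto'
TUNNEL='tap'
TUNNEL_SET_OWNER='nobody'
TUNNEL_SET_GROUP='nobody'
EOF
    cat > "$dir/ifcfg-br0" <<'EOF'
BOOTPROTO='dhcp4'
BRIDGE='yes'
BRIDGE_FORWARDDELAY='0'
BRIDGE_PORTS='eth0 tap0'
BRIDGE_STP='off'
STARTMODE='onboot'
EOF
}

# Write an OpenVPN server fragment ($1/server.conf) plus a per-client file
# ($1/ccd/laptop) that gives one roadwarrior a fixed LAN address. The pool
# handed out by server-bridge must not overlap dhcpd's dynamic range, or two
# hosts end up with the same address on the same layer-2 segment.
write_openvpn_bridge_conf() {
    dir="$1"
    mkdir -p "$dir/ccd"
    cat > "$dir/server.conf" <<'EOF'
dev tap0
# LAN gateway and netmask, then a pool outside dhcpd's dynamic range
server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.220
client-config-dir /etc/openvpn/ccd
# tap0 already exists and is owned by nobody, so root is not needed after init
user nobody
group nobody
persist-key
persist-tun
EOF
    # file name = the client's certificate Common Name; in tap mode the
    # second argument to ifconfig-push is the netmask
    printf 'ifconfig-push 192.168.1.50 255.255.255.0\n' > "$dir/ccd/laptop"
}

# Consistency check to run before enabling the service: every member of
# BRIDGE_PORTS needs its own ifcfg file, otherwise br0 comes up without it.
bridge_ports_have_ifcfg() {
    dir="$1"
    ports=$(sed -n "s/^BRIDGE_PORTS='\(.*\)'$/\1/p" "$dir/ifcfg-br0")
    for p in $ports; do
        [ -f "$dir/ifcfg-$p" ] || return 1
    done
    return 0
}

# Dry run into a scratch directory. On the server write into
# /etc/sysconfig/network and /etc/openvpn instead, then:
#   rcnetwork restart; chkconfig -a openvpn; rcopenvpn start
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_bridge_configs "$tmp"
    write_openvpn_bridge_conf "$tmp"
    bridge_ports_have_ifcfg "$tmp" && echo "bridge config consistent in $tmp"
fi
```

Run with `--demo` to see the generated files without touching the host. Because bridging puts every VPN client on the LAN's broadcast domain, the same dhcpd that serves the LAN also sees the roadwarriors; keeping their addresses out of the dynamic range (here via server-bridge's pool and ifconfig-push) is what avoids the collision Marc's point 4 is about.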