On 11/27/2012 12:26 PM, Lars Müller wrote:
> On Tue, Nov 27, 2012 at 08:22:38PM +0100, Per Jessen wrote:
>> Marc Chamberlin wrote:
>>> On 11/26/2012 11:19 PM, Per Jessen wrote:
>>>> Marc Chamberlin wrote:
>>>>> So, my feeling about the man page for ifcfg-bridge is that it is very abbreviated and requires a deep understanding of the openSuSE network setup model which I don't have. Worse, the man page for ifcfg-bridge refers to a non-existent website - http://linux-net.osdl.org/index.php.Bridge - for further information, and there is nothing that I can find in the openSuSE documentation wikis that describes how to set up openvpn either.
>>>> Please file a bug report for this documentation issue and report the defect ID back to this thread.
>>>> http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge might be the current location of the documentation. If that's the case, add this information to the defect report too.
>>> Bug 791553
>
> [ 8< ]
>
>>> OK, I can accept this and thanks for the info. But my confusion remains: how does the bridge interface (br0) KNOW about the connection between my tap0 and eth1 interfaces? Setting up the tap0 interface, via YaST, seems to be straightforward (though there is nothing to specify an association between it and an ethernet (eth) or bridged device, nor did I expect there to be), but my experiments with setting up the bridge, using YaST, do not enlighten me. If I select both interfaces, tap0 and eth1, as the devices to be bridged, which YaST seems to allow in its GUI, it does NOT set the BRIDGE_PORTS variable, in the ifcfg-br0 configuration file, to both ports/devices. (ya gotta love all these naming inconsistencies!)
>> I'd like to help you with this, but I simply don't have any experience with openvpn and a bridged setup. I expect some of this to have been only superficially tested, so I would not be surprised if you find some yast bugs.
> There is no YaST bug nor is there a bug in the init scripts.

I DO like a confident man! ;-)

> Go one step back and reconsider what your goal is. The intention is to be able to connect two networks with the help of openvpn.

Ummm sorta... My goal is to take a laptop (or desktop) located somewhere on the internet, as in "road warrior" mode, and attach it to a SOHO network located at a telescope observatory at a remote site. I don't care about the "rest" of the network that the "road warrior" laptop happens to be on and I do not wish to join that network with the network at the SOHO telescope site. Just the laptop itself....

> This does not require a tap device nor does it require a bridge.
>
> I believe the mix of the openvpn howto and the SUSE documentation led Marc in this direction.

OK.... You need to say more because this is very confusing! My understanding, from reading the openvpn documentation, is that since I have some Windows systems on our telescope's SOHO network, and the "road warrior" laptops may or may not be Windows, and I am not running a WINS server, in order to receive NETBIOS broadcasts about files shared on all these various computers (and other broadcasts from our telescope servers) I must set up openvpn to use a tap device that has been bridged to the internal interface. In my case this is eth1 with a static private IP address. eth0 is the interface device facing the Internet and it (indirectly, see the FYI below) does have a static public IP address associated with it. I don't see how creating this bridge interface is done using YaST, nor am I clear on how to do this manually. (I've been doing a lot of guessing but so far no joy...)

> What you need is network packet forwarding between your network and the Microsoft Windows system where openvpn will run too. On your end SUSE Firewall will be of help.

Oh boy! This is new info and I don't understand it either... Are you referring to using the FW_FORWARD variable in SuSEFirewall2? If so, how do I know what the IP address of a "road warrior" laptop will be? Do I need to configure openvpn to assign a fixed private IP address to each laptop? (I will eventually, but for now I thought you suggested I put that feature off.)

> But for the beginning you can even start with a disabled firewall at all. This will make your initial setup of the VPN easier.
>
> Take a pen and paper and make a drawing of the network setup. The other side, the other system, must be able to connect to your openvpn daemon.

If, by "the other side", you mean the "road warrior" laptops, they can reach the SOHO server where I will be running the openvpn server daemon. They do it all the time now with ssh and vnc. So for them to reach the openvpn daemon should be no different. The firewall/gateway computer, for my SOHO network, is the same computer which is also running ssh, x11vnc, as well as others, AND the openvpn server daemon that we will be using.

> If the other end runs on a Windows system, which is very likely connected via a router to the network, your openvpn end must be reachable from the internet and therefore run on your gateway/firewall system. If I get it right that's eth0 on your firewall system.

I'm not sure I follow you here Lars, perhaps you wrote this paragraph a bit unclearly... I think we are on the same wavelength: the openvpn server daemon IS running on my gateway/firewall system. eth0 of the firewall system IS the device which interfaces to the external network. (Just an FYI, I am simplifying this description a little bit; my external network is actually another private network of Motorola Canopy wireless links that eventually reaches a router where my actual interface to the internet exists. That router just treats my firewall system as belonging to a DMZ and routes everything to it. This external net is on the private 169.254.1.x network, my internal net is on the 192.168.100.x network. My firewall's eth0 address is 169.254.1.100 and its eth1 address (gateway for my internal network) is 192.168.10.100.)

> Else you'll not be able to establish a VPN connection. One end of the VPN connection must be reachable from the public, worldwide routed internet.

The firewall system, where the openvpn server daemon will be running, is reachable from the internet; as I said, we do it all the time with other services.... That isn't my problem. As I said in the beginning, I think my problem is figuring out how to configure the bridge interface, either with YaST or manually. You seem to be saying that I don't need a bridge, or a tap interface; the openvpn documentation seems to be saying that I do... So I remain your confused pupil...

> Cheers,
> Lars

Thanks again for your time to try and educate me...

Marc...
-- 
"The Truth is out there" - Spooky
-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
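As an added example that is not part of the thread (my own code, not Marc's, Lars's or openSUSE's): the ifcfg files for the bridged-tap layout Marc describes, with the address on br0 and BRIDGE_PORTS naming both eth1 and tap0, plus a small POSIX sh check that a bridge config actually lists every port it should and that no bridged port keeps an address of its own, since YaST did not write both ports. The file contents are constructed samples; BRIDGE, BRIDGE_PORTS, BOOTPROTO, IPADDR and STARTMODE are real openSUSE sysconfig keys, the address is the one Marc gives for eth1, and TUNNEL='tap' for the tap interface is my assumption from ifcfg-tunnel.

```shell
#!/bin/sh
# Constructed samples standing in for /etc/sysconfig/network/ifcfg-* (assumption:
# key names as in the openSUSE ifcfg man pages). The IP lives on br0, not on eth1.
tmp=$(mktemp -d)
cat > "$tmp/ifcfg-br0" <<'EOF'
STARTMODE='auto'
BOOTPROTO='static'
IPADDR='192.168.10.100/24'
BRIDGE='yes'
BRIDGE_PORTS='eth1 tap0'
BRIDGE_STP='off'
EOF
cat > "$tmp/ifcfg-eth1" <<'EOF'
STARTMODE='auto'
BOOTPROTO='none'
EOF
cat > "$tmp/ifcfg-tap0" <<'EOF'
STARTMODE='auto'
BOOTPROTO='none'
TUNNEL='tap'
EOF

# ifcfg_get DIR IFACE KEY: print KEY's value from DIR/ifcfg-IFACE, quotes stripped.
ifcfg_get() {
    sed -n "s/^$3=['\"]\{0,1\}\([^'\"]*\)['\"]\{0,1\}$/\1/p" "$1/ifcfg-$2" 2>/dev/null | tail -n 1
}

# check_bridge DIR BRIDGE PORT...: return 0 when BRIDGE is marked as a bridge, every
# PORT appears in its BRIDGE_PORTS, and no port carries its own address. Prints problems.
check_bridge() {
    dir=$1; br=$2; shift 2; rc=0
    [ "$(ifcfg_get "$dir" "$br" BRIDGE)" = "yes" ] || { echo "$br: BRIDGE is not 'yes'"; rc=1; }
    ports=$(ifcfg_get "$dir" "$br" BRIDGE_PORTS)
    for p in "$@"; do
        case " $ports " in
            *" $p "*) ;;
            *) echo "$br: $p missing from BRIDGE_PORTS='$ports'"; rc=1 ;;
        esac
        # A bridged port must not be addressed itself; the address belongs on the bridge.
        if [ -n "$(ifcfg_get "$dir" "$p" IPADDR)" ] || \
           [ "$(ifcfg_get "$dir" "$p" BOOTPROTO)" = "dhcp" ]; then
            echo "$p: bridged port should carry no IPADDR/DHCP (use BOOTPROTO='none')"; rc=1
        fi
    done
    return $rc
}

check_bridge "$tmp" br0 eth1 tap0 && echo "br0 bridges eth1 and tap0 correctly"
```

Point the same check at /etc/sysconfig/network after YaST has written its files to see which port it left out.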