[opensuse] Need help setting up openvpn server
From what I can grok about setting up and running an openvpn server, because I want to allow a Windoz client to connect to the server, I need to set up a tap and br interface and set up an ethernet bridge. I have a few questions which I don't seem to be finding answers for -
1. openvpn supplies a sample script for creating the tap and br interfaces. I know I need to modify it and run the bridge-start script before starting up the openvpn server. Also the bridge-stop script when shutting down the openvpn service. But where and how is this script incorporated into the boot up/server start up processes if I want the openvpn server to run as an automatic service? I don't see anything that references it in the /etc/openvpn/server.conf file or in the /etc/rc.d/openvpn file.
2. Within the bridge-start script there is a parameter called eth_ip that wants to be set to some IP address. Is this the IP address of the NIC that interfaces my server to my internal LAN?
3. How do I configure SuSEFirewall2 to support the tap and br interfaces? Do I just add these to the "FW_DEV_INT=" setting? (It was previously suggested that I could use the shorewall firewall instead of SuSEFirewall2, but unless SuSEFirewall2 will not support openvpn with an ethernet bridge I am reluctant to learn a whole new tool and figure out how to configure it to support this and all the other settings I currently have set/grokked in SuSEFirewall2)
4. The openvpn documentation mentions that my DHCP server cannot send the IP address of the default gateway (currently this is the IP address of the NIC on my server that interfaces to my internal LAN) but I do not see how to configure my DHCP server to differentiate between my laptop when it is connecting from my internal LAN and when it is a "roadwarrior" connecting over the VPN.
My dhcpd.conf is configured to give out a static internal IP address to my laptop based on the dhcp id that the laptop sends when it is requesting a lease on the IP address that the DHCP server will assign it. I want to maintain this IP address for my laptop, regardless of whether it is connecting in from the internal LAN or over the VPN. But I do not see how to send out the "option routers" setting in the dhcpd.conf file to react differently based on how the laptop is connecting to the network.
Thanks for any help/elucidation that you kind gurus can offer this poor beginner... I probably will have more questions but they can wait for now....
Marc..
-- 
"The Truth is out there" - Spooky
-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
Marc Chamberlin wrote:
From what I can grok about setting up and running an openvpn server, because I want to allow a Windoz client to connect to the server, I need to set up a tap and br interface and set up an ethernet bridge. I have a few questions which I don't seem to be finding answers for -
1. openvpn supplies a sample script for creating the tap and br interfaces. I know I need to modify it and run the bridge-start script before starting up the openvpn server. Also the bridge-stop script when shutting down the openvpn service. But where and how is this script incorporated into the boot up/server start up processes if I want the openvpn server to run as an automatic service? I don't see anything that references it in the /etc/openvpn/server.conf file or in the /etc/rc.d/openvpn file.
Hi Marc, I would look to putting those scripts into the network config in /etc/sysconfig/network. Maybe use YaST network configuration to create the config files instead of using those scripts. This no doubt sounds a little daunting to a beginner, but are you sure you need bridging?
4. The openvpn documentation mentions that my DHCP server cannot send the IP address of the default gateway (currently this is the IP address of the NIC on my server that interfaces to my internal LAN) but I do not see how to configure my DHCP server to differentiate between my laptop when it is connecting from my internal LAN and when it is a "roadwarrior" connecting over the VPN.
I only use openvpn in a static config, so I could be way off here. To my knowledge, you don't use DHCP with openvpn - dynamic addresses are managed by openvpn, and you can push out DHCP options too (for configuration of nameserver, routing etc).
My dhcpd.conf is configured to give out a static internal IP address to my laptop based on the dhcp id that the laptop sends when it is requesting a lease on the IP address that the DHCP server will assign it. I want to maintain this IP address for my laptop, regardless of whether it is connecting in from the internal LAN or over the VPN.
Okay, then you just configure that static address in your openvpn config. Ignore your DHCP server.
But I do not see how to send out the "option routers" setting in the dhcpd.conf file to react differently based on how the laptop is connecting to the network.
See "push" in openvpn.
-- 
Per Jessen, Zürich (3.4°C)
http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
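Per's suggestion to let openvpn, not dhcpd, hand the laptop its fixed address maps onto an OpenVPN client-config-dir entry carrying an ifconfig-push line. The Python helper below is an added example written for this thread, not code from the list or from the OpenVPN project. It parses a server-bridge directive, checks that the fixed address lies inside the bridge subnet, is not the gateway and is outside the dynamic pool (an address assigned with ifconfig-push must not collide with the pool OpenVPN hands out), and then emits the per-client file body together with any push lines for that client. The pool range, the client name marc-laptop and the address 192.168.10.50 are constructed; the gateway 192.168.10.100 is the server's LAN address from the thread.

```python
import ipaddress
import re

# The certificate common name becomes the file name under client-config-dir,
# so only accept plain, file-name-safe names.
SAFE_CN = re.compile(r"^[A-Za-z0-9._-]+$")


def parse_server_bridge(line):
    """Split an OpenVPN 'server-bridge GATEWAY NETMASK POOL_START POOL_END' directive."""
    parts = line.split()
    if len(parts) != 5 or parts[0] != "server-bridge":
        raise ValueError("expected: server-bridge <gateway> <netmask> <pool-start> <pool-end>")
    gateway, netmask, pool_start, pool_end = parts[1:]
    return {
        "gateway": ipaddress.ip_address(gateway),
        "netmask": netmask,
        # strict=False keeps the host bits of the gateway address out of the way
        "network": ipaddress.ip_network(f"{gateway}/{netmask}", strict=False),
        "pool": (ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)),
    }


def fixed_ip_problems(fixed_ip, bridge):
    """Return the reasons (empty list if none) why fixed_ip may not be pushed to a client."""
    ip = ipaddress.ip_address(fixed_ip)
    problems = []
    if ip not in bridge["network"]:
        problems.append(f"{ip} is outside the bridge subnet {bridge['network']}")
    if ip == bridge["gateway"]:
        problems.append(f"{ip} is the gateway address itself")
    lo, hi = bridge["pool"]
    if lo <= ip <= hi:
        problems.append(f"{ip} lies inside the dynamic pool {lo}-{hi} and could be handed to another client")
    return problems


def ccd_entry(common_name, fixed_ip, server_bridge_line, push=()):
    """Build the client-config-dir file body: ifconfig-push plus optional per-client push lines."""
    if not SAFE_CN.match(common_name):
        raise ValueError("common name must be a plain file-name-safe string")
    bridge = parse_server_bridge(server_bridge_line)
    problems = fixed_ip_problems(fixed_ip, bridge)
    if problems:
        raise ValueError("; ".join(problems))
    # In tap mode the second argument of ifconfig-push is the netmask of the bridged subnet.
    lines = [f"# client-config-dir entry for certificate CN '{common_name}'",
             f"ifconfig-push {fixed_ip} {bridge['netmask']}"]
    lines.extend(f'push "{option}"' for option in push)
    return "\n".join(lines) + "\n"


# Constructed example values: the gateway is the server's LAN address from the thread,
# the pool and the laptop's fixed address are made up for this example.
SERVER_BRIDGE = "server-bridge 192.168.10.100 255.255.255.0 192.168.10.200 192.168.10.220"

if __name__ == "__main__":
    print(ccd_entry("marc-laptop", "192.168.10.50", SERVER_BRIDGE,
                    push=["dhcp-option DNS 192.168.10.100"]))
```

The returned text is what goes into the file named after the client's certificate CN inside the directory given by client-config-dir in server.conf; the push lines in that file apply only to that client, while push lines in server.conf apply to everyone.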
On Fri, Nov 23, 2012 at 10:01:03PM -0800, Marc Chamberlin wrote:
From what I can grok about setting up and running an openvpn server, because I want to allow a Windoz client to connect to the server, I need to set up a tap and br interface and set up an ethernet bridge. I have a few questions which I don't seem to be finding answers for -
1. openvpn supplies a sample script for creating the tap and br interfaces. I know I need to modify it and run the bridge-start script before starting up the openvpn server. Also the bridge-stop script when shutting down the openvpn service. But where and how is this script incorporated into the boot up/server start up processes if I want the openvpn server to run as an automatic service? I don't see anything that references it in the /etc/openvpn/server.conf file or in the /etc/rc.d/openvpn file.
That's not required. Either use the YaST System Services (runlevel) module and enable the openvpn service or use on the command line
chkconfig -a openvpn
2. Within the bridge-start script there is a parameter called eth_ip that wants to be set to some IP address. Is this the IP address of the NIC that interfaces my server to my internal LAN?
I never needed to tweak with this parameter. I would start with the ifcfg-bridge(5) man page instead.
My very basic /etc/sysconfig/network/ifcfg-br0 has:
BOOTPROTO='dhcp4'
BRIDGE='yes'
BRIDGE_FORWARDDELAY='0'
BRIDGE_PORTS='eth0'
BRIDGE_STP='off'
STARTMODE='onboot'
NAME='Intel Ethernet controller'
3. How do I configure SuSEFirewall2 to support the tap and br interfaces? Do I just add these to the "FW_DEV_INT=" setting? (It was previously suggested that I could use the shorewall firewall instead of SuSEFirewall2, but unless SuSEFirewall2 will not support openvpn with an ethernet bridge I am reluctant to learn a whole new tool and figure out how to configure it to support this and all the other settings I currently have set/grokked in SuSEFirewall2)
Nothing special is required to support a bridged network device. For the SuSEfirewall mechanism this is fully transparent.
4. The openvpn documentation mentions that my DHCP server cannot send the IP address of the default gateway (currently this is the IP address of the NIC on my server that interfaces to my internal LAN) but I do not see how to configure my DHCP server to differentiate between my laptop when it is connecting from my internal LAN and when it is a "roadwarrior" connecting over the VPN. My dhcpd.conf is configured to give out a static internal IP address to my laptop based on the dhcp id that the laptop sends when it is requesting a lease on the IP address that the DHCP server will assign it. I want to maintain this IP address for my laptop, regardless of whether it is connecting in from the internal LAN or over the VPN. But I do not see how to send out the "option routers" setting in the dhcpd.conf file to react differently based on how the laptop is connecting to the network.
I always keep my VPN users in a separate network from the others. I believe you're adding one extra troublesome requirement here. I would try to solve the other stuff first and keep the setup as simple as possible for the beginning.
Lars
-- 
Lars Müller [ˈlaː(r)z ˈmʏlɐ]
Samba Team + SUSE Labs
SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On 11/24/2012 9:48 AM, Lars Müller wrote:
On Fri, Nov 23, 2012 at 10:01:03PM -0800, Marc Chamberlin wrote:
From what I can grok about setting up and running an openvpn server, because I want to allow a Windoz client to connect to the server, I need to set up a tap and br interface and set up an ethernet bridge. I have a few questions which I don't seem to be finding answers for -
1. openvpn supplies a sample script for creating the tap and br interfaces. I know I need to modify it and run the bridge-start script before starting up the openvpn server. Also the bridge-stop script when shutting down the openvpn service. But where and how is this script incorporated into the boot up/server start up processes if I want the openvpn server to run as an automatic service? I don't see anything that references it in the /etc/openvpn/server.conf file or in the /etc/rc.d/openvpn file.
That's not required.
Either use the YaST System Services (runlevel) module and enable the openvpn service or use on the command line
chkconfig -a openvpn
Thanks Lars for your reply, but my confusion is growing! If the bridge-start script is no longer required to set up the tap0 interface, then how is it to be done in openSuSE? And doesn't this script need to be run each time the server computer is rebooted in order to keep the tap0 and br0 interfaces persistent across reboots? And yes, I plan to enable the openvpn service in the YaST Runlevel module, but I don't fully grok how the tap0 and br0 interfaces are to be defined.....
2. Within the bridge-start script there is a parameter called eth_ip that wants to be set to some IP address. Is this the IP address of the NIC that interfaces my server to my internal LAN?
I never needed to tweak with this parameter. I would start with the ifcfg-bridge(5) man page instead.
My very basic /etc/sysconfig/network/ifcfg-br0 has:
BOOTPROTO='dhcp4'
BRIDGE='yes'
BRIDGE_FORWARDDELAY='0'
BRIDGE_PORTS='eth0'
BRIDGE_STP='off'
STARTMODE='onboot'
NAME='Intel Ethernet controller'
I think I understand that this is how to create the br0 bridge interface manually. Though I don't understand how this connects it to the tap0 interface. What is the difference between setting up the br0 interface this way and using the administration utility - brctl? Going back to the previously mentioned bridge-start script, it appears to be using the brctl utility to set up the br0 bridge interface, and to also do things like forward all the ports to/from my eth1 and the tap0 interface. Please be patient with me, I am really struggling hard to grok all this!!!!
3. How do I configure SuSEFirewall2 to support the tap and br interfaces? Do I just add these to the "FW_DEV_INT=" setting? (It was previously suggested that I could use the shorewall firewall instead of SuSEFirewall2, but unless SuSEFirewall2 will not support openvpn with an ethernet bridge I am reluctant to learn a whole new tool and figure out how to configure it to support this and all the other settings I currently have set/grokked in SuSEFirewall2)
Nothing special is required to support a bridged network device. For the SuSEfirewall mechanism this is fully transparent.
OK, I will ignore SuSEfirewall for now... Seems non-intuitive but then I don't fully comprehend iptables either, so how firewalls work is a bit of a mystery to me....
4. The openvpn documentation mentions that my DHCP server cannot send the IP address of the default gateway (currently this is the IP address of the NIC on my server that interfaces to my internal LAN) but I do not see how to configure my DHCP server to differentiate between my laptop when it is connecting from my internal LAN and when it is a "roadwarrior" connecting over the VPN. My dhcpd.conf is configured to give out a static internal IP address to my laptop based on the dhcp id that the laptop sends when it is requesting a lease on the IP address that the DHCP server will assign it. I want to maintain this IP address for my laptop, regardless of whether it is connecting in from the internal LAN or over the VPN. But I do not see how to send out the "option routers" setting in the dhcpd.conf file to react differently based on how the laptop is connecting to the network.
I always keep my VPN users in a separate network from the others. I believe you're adding one extra troublesome requirement here. I would try to solve the other stuff first and keep the setup as simple as possible for the beginning.
OK, I will use the server-bridge directive for now, until I get this working... I can use a separate range of IP addresses just to get this working, but eventually I have some constraints when I try to use our remote telescope server. That will require I have a static IP address assigned to each of our computers and laptops, regardless of whether they are connected directly on our internal network, or being used remotely as "roadwarriors".
Lars
-- 
"The Truth is out there" - Spooky
On Sat, Nov 24, 2012 at 01:29:20PM -0800, Marc Chamberlin wrote:
On 11/24/2012 9:48 AM, Lars Müller wrote:
On Fri, Nov 23, 2012 at 10:01:03PM -0800, Marc Chamberlin wrote:
From what I can grok about setting up and running an openvpn server, because I want to allow a Windoz client to connect to the server, I need to set up a tap and br interface and set up an ethernet bridge. I have a few questions which I don't seem to be finding answers for -
1. openvpn supplies a sample script for creating the tap and br interfaces. I know I need to modify it and run the bridge-start script before starting up the openvpn server. Also the bridge-stop script when shutting down the openvpn service. But where and how is this script incorporated into the boot up/server start up processes if I want the openvpn server to run as an automatic service? I don't see anything that references it in the /etc/openvpn/server.conf file or in the /etc/rc.d/openvpn file.
That's not required.
Either use the YaST System Services (runlevel) module and enable the openvpn service or use on the command line
chkconfig -a openvpn
Thanks Lars for your reply, but my confusion is growing! If the bridge-start script is no longer required to set up the tap0 interface, then how is it to be done in openSuSE?
It's all handled by the network service scripts, and has been for a long time. That's nothing new. Please read the man page of ifcfg-bridge. Nothing more is required.
And doesn't this script need to be run each time the server computer is rebooted in order to keep the tap0 and br0 interfaces persistent across reboots?
As soon as you create a bridged device configuration and this device is in start mode STARTMODE="auto" all is done for you. This also is persistent across reboots.
And yes, I plan to enable the openvpn service in the YaST Runlevel module, but I don't fully grok how the tap0 and br0 interfaces are to be defined.....
No additional define is required.
2. Within the bridge-start script there is a parameter called eth_ip that wants to be set to some IP address. Is this the IP address of the NIC that interfaces my server to my internal LAN?
I never needed to tweak with this parameter. I would start with the ifcfg-bridge(5) man page instead.
My very basic /etc/sysconfig/network/ifcfg-br0 has:
BOOTPROTO='dhcp4'
BRIDGE='yes'
BRIDGE_FORWARDDELAY='0'
BRIDGE_PORTS='eth0'
BRIDGE_STP='off'
STARTMODE='onboot'
NAME='Intel Ethernet controller'
I think I understand that this is how to create the br0 bridge interface manually.
Either with an editor or you do it via YaST. If you go via YaST you'll see as the result a file named like /etc/sysconfig/network/ifcfg-br0
List /etc/sysconfig/network/ before and afterwards. You also might create a copy of /etc/sysconfig/network/ and later run
diff -r <copy of etc/sysconfig/network> /etc/sysconfig/network/
Though I don't understand how this connects it to the tap0 interface. What is the difference between setting up the br0 interface this way and using the administration utility - brctl?
The ifcfg-br0 abstracts all the brctl details for you. If you like to know how all this is plumbed together you're able to check the scripts. But that's not required.
Good luck!
Lars
-- 
Lars Müller [ˈlaː(r)z ˈmʏlɐ]
Samba Team + SUSE Labs
SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On 11/25/2012 5:50 AM, Lars Müller wrote:
On Sat, Nov 24, 2012 at 01:29:20PM -0800, Marc Chamberlin wrote:
On 11/24/2012 9:48 AM, Lars Müller wrote:
On Fri, Nov 23, 2012 at 10:01:03PM -0800, Marc Chamberlin wrote:
From what I can grok about setting up and running an openvpn server, because I want to allow a Windoz client to connect to the server, I need to set up a tap and br interface and set up an ethernet bridge. I have a few questions which I don't seem to be finding answers for -
1. openvpn supplies a sample script for creating the tap and br interfaces. I know I need to modify it and run the bridge-start script before starting up the openvpn server. Also the bridge-stop script when shutting down the openvpn service. But where and how is this script incorporated into the boot up/server start up processes if I want the openvpn server to run as an automatic service? I don't see anything that references it in the /etc/openvpn/server.conf file or in the /etc/rc.d/openvpn file.
That's not required.
Either use the YaST System Services (runlevel) module and enable the openvpn service or use on the command line
chkconfig -a openvpn
Thanks Lars for your reply, but my confusion is growing! If the bridge-start script is no longer required to set up the tap0 interface, then how is it to be done in openSuSE?
It's all handled by the network service scripts, and has been for a long time. That's nothing new. Please read the man page of ifcfg-bridge
Nothing more is required.
Lars - I have read the man page for ifcfg-bridge, but I am afraid it is insufficient in helping me to understand how it works and how I need to apply it to setting up a bridge interface for openVPN. For example, which ports do I actually bridge and list in the BRIDGE_PORTS variable? tap0? eth1? both? (eth1 is the name of the interface to my interior network, eth0 is the name of the interface to my exterior (internet) network.) I have been fooling around with all the combinations but so far no joy in getting openVPN to work as I would expect.. That probably means I have something else wrong, but I need to know how to configure this variable as a starting point in order to be able to move on to figure out what else I am doing wrong..
The openVPN website, and man pages for openvpn all describe one model for setting up openvpn, and use the scripts that I mentioned previously. I cannot find a description of the model that openSuSE is using, which is apparently some kind of a wrapper to try and make it easier to configure. That is fine, but without a description of what is really going on, how the openSuSE way of configuring openvpn and its interfaces maps to how openvpn is telling us to do it, makes it difficult for an outsider to understand how to use the openSuSE tools, methods, and model. So, my feeling about the man page for ifcfg-bridge is that it is very abbreviated and requires a deep understanding of the openSuSE network setup model which I don't have. Worse, the man page for ifcfg-bridge refers to a non-existent website - http://linux-net.osdl.org/index.php.Bridge for further information, and there is nothing that I can find in the openSuSE documentation wikis that describe how to set up openvpn either.
I have also studied the documentation included in /usr/share/doc/packages/openvpn and found nothing helpful there, in particular the document that I would expect to contain information on how to set up openvpn under openSuSE - README.SUSE contains a ridiculously small amount of near useless information. The openvpn man pages and documentation are apparently non-applicable so that just makes it all the more confusing! I have also tried to read the man page on brctl, again it is proving to be inadequate in helping me to grok all this..
And doesn't this script need to be run each time the server computer is rebooted in order to keep the tap0 and br0 interfaces persistent across reboots?
As soon as you create a bridged device configuration and this device is in start mode
STARTMODE="auto"
all is done for you. This also is persistent across reboots.
And yes, I plan to enable the openvpn service in the YaST Runlevel module, but I don't fully grok how the tap0 and br0 interfaces are to be defined.....
No additional define is required.
OK, this part I understand... The scripts will manage automagically to create (once defined) and start up the various interfaces....
2. Within the bridge-start script there is a parameter called eth_ip that wants to be set to some IP address. Is this the IP address of the NIC that interfaces my server to my internal LAN?
I never needed to tweak with this parameter. I would start with the ifcfg-bridge(5) man page instead.
My very basic /etc/sysconfig/network/ifcfg-br0 has:
BOOTPROTO='dhcp4'
BRIDGE='yes'
BRIDGE_FORWARDDELAY='0'
BRIDGE_PORTS='eth0'
BRIDGE_STP='off'
STARTMODE='onboot'
NAME='Intel Ethernet controller'
I think I understand that this is how to create the br0 bridge interface manually.
Either with an editor or you do it via YaST. If you go via YaST you'll see as the result a file named like /etc/sysconfig/network/ifcfg-br0
Yes, I have discovered (wasn't obvious!) that YaST has the ability to configure the tap0 and br0 interfaces, but I still do not know how to set up the br0 bridge, either manually or through YaST. Creating the tap0 interface seems pretty straightforward, but what do I have to do to tie eth1 and tap0 together in this br0 interface? Or DO I tie them together here? Again, understanding exactly what has to be bridged, where, and how is not explained in any of the places that I have looked. In your example above, you refer to eth0 being bridged (I am assuming that is equivalent to my eth1 internal network interface) but I don't see any reference to the tap0 interface that the openvpn documentation is telling me is required also.
Additionally, using YaST to set up my bridge interface - br0 - has brought up a new bit of confusion. If I check my eth1 interface as being one of the devices that I want bridged, I get a popup error telling me "At least one selected device is already configured. Adapt the configuration for bridge (IP address 0.0.0.0/32)?" and I have no option but to let it do so. And when I do, the IP address I had and want statically assigned to eth1 (in my case 192.168.10.100) gets removed and replaced with 0.0.0.0/32. This does NOT make any sense to me and it seems like changing the address of my eth1 interface will screw up my internal network since that is the gateway address all the other devices on my network will be looking for. I am guessing that, in the list of Bridged Devices for br0, I want to check both the tap0 and eth1 devices to be bridged? That intuitively seems to be where I can tie these two interfaces together, but I don't see you doing that in your example nor do I find any example/document telling me this is what to do....
Lastly, since I am setting up the openvpn connection on my server/gateway system (where I am also running a dhcp server) I am guessing I want to also assign the same static IP address (as I assigned to eth1) of 192.168.10.100 to the bridge (br0) interface, and set the BOOTPROTO variable to 'static'?
Good luck!
Lars
Thanks, I need it! And again thanks for taking some time to help me... Marc..
-- 
"The Truth is out there" - Spooky
Marc Chamberlin wrote:
So, my feeling about the man page for ifcfg-bridge is that it is very abbreviated and requires a deep understanding of the openSuSE network setup model which I don't have. Worse, the man page for ifcfg-bridge refers to a non-existent website - http://linux-net.osdl.org/index.php.Bridge for further information, and there is nothing that I can find in the openSuSE documentation wikis that describe how to set up openvpn either.
How about this: http://doc.opensuse.org/documentation/html/openSUSE/opensuse-security/cha.se... I don't think I used this when I set up my openvpn some six years ago, but that document appears to be quite comprehensive.
Additionally, using YaST to set up my bridge interface - br0 - has brought up a new bit of confusion. If I check my eth1 interface as being one of the devices that I want bridge, I get a popup error telling me "At least one selected device is already configured. Adapt the configuration for bridge (IP address 0.0.0.0/32)?" and I have no option but to let it do so.
Right.
And when I do, the IP address I had and want statically assigned to eth1 (in my case 192.168.10.100) gets removed and replaced with 0.0.0.0/32.
You have to assign your static address to the bridge interface instead.
-- 
Per Jessen, Zürich (6.3°C)
http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
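Per's answer (the static address belongs on br0, not on eth1) and Lars's earlier point that ifcfg-br0 stands in for the brctl calls of bridge-start together describe one consistent layout, and the checker below turns that layout into something you can run against the files in /etc/sysconfig/network. It is an added example written for this thread, not code from the list, from openSUSE or from OpenVPN. It assumes, following the brctl addif calls in the OpenVPN bridge-start script, that both the LAN NIC (eth1) and the tap device (tap0) are listed in BRIDGE_PORTS of br0, that only br0 carries the static address, and that tap0 is declared with TUNNEL='tap' as described in ifcfg-tunnel(5). The two sets of sample files are constructed: one consistent, one reproducing the state Marc describes (eth1 still holding 192.168.10.100 and only tap0 bridged).

```python
import re
import shlex

# One KEY=value assignment in a sysconfig ifcfg file.
ASSIGN = re.compile(r"^([A-Z][A-Z0-9_]*)=(.*)$")


def parse_ifcfg(text):
    """Parse a sysconfig ifcfg file into a dict; shlex handles the quoting and trailing comments."""
    cfg = {}
    for line in text.splitlines():
        m = ASSIGN.match(line.strip())
        if not m:
            continue
        key, raw = m.groups()
        words = shlex.split(raw, comments=True)
        cfg[key] = words[0] if words else ""
    return cfg


def carries_address(cfg):
    """True if the device has a usable IPADDR; the 0.0.0.0/32 YaST writes on bridge ports counts as none."""
    ip = cfg.get("IPADDR", "")
    return bool(ip) and not ip.startswith("0.0.0.0")


def check_bridge(files, bridge="br0", lan_nic="eth1", tap="tap0"):
    """Return a list of findings (empty when consistent) for a tap-over-bridge layout.

    files maps ifcfg file names to their contents. Assumed layout (not stated in the thread):
    the LAN NIC and the tap device are both bridge ports, the static address lives on the
    bridge, and the port devices carry no address of their own.
    """
    findings = []
    br = parse_ifcfg(files.get(f"ifcfg-{bridge}", ""))
    if br.get("BRIDGE") != "yes":
        findings.append(f"{bridge}: BRIDGE is not 'yes'")
    ports = br.get("BRIDGE_PORTS", "").split()  # space-separated list per ifcfg-bridge(5)
    for dev in (lan_nic, tap):
        if dev not in ports:
            findings.append(f"{bridge}: {dev} is missing from BRIDGE_PORTS")
    if br.get("STARTMODE") not in ("auto", "onboot"):
        findings.append(f"{bridge}: STARTMODE must be auto/onboot to come up at boot")
    if br.get("BOOTPROTO") == "static" and not carries_address(br):
        findings.append(f"{bridge}: BOOTPROTO=static but no IPADDR on the bridge")
    # Look at every listed port plus the two devices the layout expects, even if unlisted.
    for dev in sorted(set(ports) | {lan_nic, tap}):
        cfg = parse_ifcfg(files.get(f"ifcfg-{dev}", ""))
        if not cfg:
            findings.append(f"ifcfg-{dev}: file missing or empty")
            continue
        if carries_address(cfg):
            findings.append(f"{dev}: carries IPADDR {cfg['IPADDR']}; a bridge port should have none (put it on {bridge})")
        if dev == tap and cfg.get("TUNNEL") != "tap":
            findings.append(f"{tap}: TUNNEL must be 'tap' for a bridged OpenVPN device")
    return findings


# Constructed sample files. GOOD_FILES is the consistent layout; BAD_FILES reproduces the
# state described in the thread: eth1 still owns the address and only tap0 is bridged.
GOOD_FILES = {
    "ifcfg-br0": (
        "BOOTPROTO='static'\nBRIDGE='yes'\nBRIDGE_PORTS='eth1 tap0'\nBRIDGE_STP='off'\n"
        "BRIDGE_FORWARDDELAY='0'\nIPADDR='192.168.10.100/24'\nSTARTMODE='auto'\n"
    ),
    "ifcfg-eth1": "BOOTPROTO='none'\nSTARTMODE='auto'\n",
    "ifcfg-tap0": "BOOTPROTO='none'\nSTARTMODE='auto'\nTUNNEL='tap'\n",
}
BAD_FILES = {
    "ifcfg-br0": "BOOTPROTO='static'\nBRIDGE='yes'\nBRIDGE_PORTS='tap0'\nSTARTMODE='auto'\n",
    "ifcfg-eth1": "BOOTPROTO='static'\nIPADDR='192.168.10.100/24'\nSTARTMODE='auto'\n",
    "ifcfg-tap0": "BOOTPROTO='none'\nSTARTMODE='auto'\nTUNNEL='tap'\n",
}

if __name__ == "__main__":
    for name, files in (("consistent", GOOD_FILES), ("as YaST left it", BAD_FILES)):
        print(f"{name}: {check_bridge(files) or 'no findings'}")
```

To run it against a live system, build the dict from the real files (for example `{p.name: p.read_text() for p in pathlib.Path('/etc/sysconfig/network').glob('ifcfg-*')}`) and compare the findings before and after a YaST change, which is the diff -r exercise Lars suggested with the interpretation filled in.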
On 11/26/2012 11:19 PM, Per Jessen wrote:
Marc Chamberlin wrote:
So, my feeling about the man page for ifcfg-bridge is that it is very abbreviated and requires a deep understanding of the openSuSE network setup model which I don't have. Worse, the man page for ifcfg-bridge refers to a non-existent website - http://linux-net.osdl.org/index.php.Bridge for further information, and there is nothing that I can find in the openSuSE documentation wikis that describe how to set up openvpn either.
How about this:
http://doc.opensuse.org/documentation/html/openSUSE/opensuse-security/cha.se...
I don't think I used this when I set up my openvpn some six years ago, but that document appears to be quite comprehensive.
Thanks Per for your reply, but no, I have to disagree, this document is not comprehensive. I have read this document and it does NOT describe how to set up a bridged interface at all. It simply assumes you have these interfaces already set up, there is not a single line describing how to configure the ifcfg files for tun, tap, or br interfaces either manually or through YaST.
Additionally, using YaST to set up my bridge interface - br0 - has brought up a new bit of confusion. If I check my eth1 interface as being one of the devices that I want bridge, I get a popup error telling me "At least one selected device is already configured. Adapt the configuration for bridge (IP address 0.0.0.0/32)?" and I have no option but to let it do so.
Right.
And when I do, the IP address I had and want statically assigned to eth1 (in my case 192.168.10.100) gets removed and replaced with 0.0.0.0/32.
You have to assign your static address to the bridge interface instead.
OK, I can accept this and thanks for the info. But my confusion remains, how does the bridge interface (br0) KNOW about the connection between my tap0 and eth1 interfaces? Setting up the tap0 interface, via YaST, seems to be straightforward (though there is nothing to specify an association between it and an ethernet (eth) or bridged device nor did I expect there to be), but my experiments with setting up the bridge, using YaST, do not enlighten me. If I select both interfaces, tap0 and eth1, as the devices to be bridged, which YaST seems to allow in its GUI, it does NOT set the BRIDGE_PORTS variable, in the ifcfg-br0 configuration file, to both ports/devices. (ya gotta love all these naming inconsistencies!) It ONLY sets it to tap0 and if I bring the YaST network card setup back up and edit the br0 interface it indeed ONLY shows the tap0 device as being bridged, despite the fact that I had originally selected both the tap0 and eth1 devices for bridging. In other words, from examples I have seen about bridge interfaces (not related to openvpn usage), and from what YaST is doing, it appears that the bridge interface can only know about one device to bridge. (That doesn't make a lot of intuitive sense to me, bridging something seems to mean, at least to me, that I am connecting two things together! In this case a tap interface and an eth interface.) So if I can only set one interface as the device to be bridged, how will openvpn KNOW which tap/bridge/eth interface combo to use (since I can give them any name I like, and worse what if there are multiple ones)? In other words, how is the tap interface to be correlated to which bridged interface and to which ethernet (ethx) interface? The openvpn startup scripts, supplied by the openvpn package, make this all explicit, but Lars is telling me that these are no longer used in openSuSE.
I don't have the code behind YaST to study, (nor should that be necessary and probably would not help either) and without a description of the openSuSE model on how to configure the ifcfg files, I am lost... SO either I am still missing something (documentation elsewhere?), or perhaps there is a bug in YaST and it is not setting up a bridge interface properly? Marc...
-- 
"The Truth is out there" - Spooky
Marc Chamberlin wrote:
On 11/26/2012 11:19 PM, Per Jessen wrote:
Marc Chamberlin wrote:
So, my feeling about the man page for ifcfg-bridge is that it is very abbreviated and requires a deep understanding of the openSuSE network setup model which I don't have. Worse, the man page for ifcfg-bridge refers to a non-existent website - http://linux-net.osdl.org/index.php.Bridge for further information, and there is nothing that I can find in the openSuSE documentation wikis that describe how to set up openvpn either.
How about this:
http://doc.opensuse.org/documentation/html/openSUSE/opensuse-security/cha.se...
I don't think I used this when I set up my openvpn some six years ago, but that document appears to be quite comprehensive.
Thanks Per for your reply, but no, I have to disagree, this document is not comprehensive. I have read this document and it does NOT describe how to set up a bridged interface at all. It simply assumes you have these interfaces already set up, there is not a single line describing how to configure the ifcfg files for tun, tap, or br interfaces either manually or through YaST.
You're right, I was focussing on the openvpn setup, and it looked as if it was described in reasonable detail.
And when I do, the IP address I had and want statically assigned to eth1 (in my case 192.168.10.100) gets removed and replaced with 0.0.0.0/32.
You have to assign your static address to the bridge interface instead.
OK, I can accept this and thanks for the info. But my confusion remains, how does the bridge interface (br0) KNOW about the connection between my tap0 and eth1 interfaces? Setting up the tap0 interface, via YaST, seems to be straightforward (though there is nothing to specify an association between it and an ethernet (eth) or bridged device nor did I expect there to be), but my experiments with setting up the bridge, using YaST, do not enlighten me. If I select both interfaces, tap0 and eth1, as the devices to be bridged, which YaST seems to allow in its GUI, it does NOT set the BRIDGE_PORTS variable, in the ifcfg-br0 configuration file, to both ports/devices. (ya gotta love all these naming inconsistencies!)
I'd like to help you with this, but I simply don't have any experience with openvpn and a bridged setup. I expect some of this to have been only superficially tested, so I would not be surprised if you find some yast bugs.
-- Per Jessen, Zürich (6.0°C) http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
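The layout Per describes above (the static address on br0, with eth1 and tap0 as its ports) written out in openSUSE ifcfg syntax, plus a small check for the symptom Marc reports (BRIDGE_PORTS listing only one device, the address still sitting on eth1). This is an added example, not code from the thread; the ifcfg variable names are openSUSE's, the file contents are constructed, and the files are written to a scratch directory rather than /etc/sysconfig/network.

```shell
#!/bin/sh
# Added example: sysconfig layout for a bridged OpenVPN tap setup, and a
# consistency check. Constructed sample files go to a scratch directory.
set -eu

write_sample_ifcfg() {
    dir=$1
    mkdir -p "$dir"
    # br0 owns the LAN address; eth1 and tap0 are only ports of the bridge.
    cat >"$dir/ifcfg-br0" <<'EOF'
STARTMODE='auto'
BOOTPROTO='static'
IPADDR='192.168.10.100/24'
BRIDGE='yes'
BRIDGE_PORTS='eth1 tap0'
BRIDGE_STP='off'
EOF
    cat >"$dir/ifcfg-eth1" <<'EOF'
STARTMODE='auto'
BOOTPROTO='none'
EOF
    cat >"$dir/ifcfg-tap0" <<'EOF'
STARTMODE='auto'
BOOTPROTO='none'
TUNNEL='tap'
EOF
}

# ifcfg_get DIR DEV VAR: print VAR from DIR/ifcfg-DEV (empty if unset/missing).
ifcfg_get() {
    sed -n "s/^$3='\{0,1\}\([^']*\)'\{0,1\}$/\1/p" "$1/ifcfg-$2" 2>/dev/null | head -n1
}

# check_bridge DIR: succeed only if br0 lists at least two ports, every port
# has an ifcfg file with no IPADDR of its own, and br0 carries the address.
check_bridge() {
    dir=$1
    ports=$(ifcfg_get "$dir" br0 BRIDGE_PORTS)
    set -- $ports
    [ $# -ge 2 ] || { echo "br0: fewer than two BRIDGE_PORTS: '$ports'"; return 1; }
    for p in "$@"; do
        [ -f "$dir/ifcfg-$p" ] || { echo "$p: no ifcfg file"; return 1; }
        [ -z "$(ifcfg_get "$dir" "$p" IPADDR)" ] || { echo "$p: has IPADDR, move it to br0"; return 1; }
    done
    [ -n "$(ifcfg_get "$dir" br0 IPADDR)" ] || { echo "br0: no IPADDR"; return 1; }
}

demo=$(mktemp -d)
write_sample_ifcfg "$demo"
check_bridge "$demo" && echo "bridge config consistent"
```

Point `check_bridge` at /etc/sysconfig/network to run the same check against a real configuration.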
On Tue, Nov 27, 2012 at 08:22:38PM +0100, Per Jessen wrote:
Marc Chamberlin wrote:
On 11/26/2012 11:19 PM, Per Jessen wrote:
Marc Chamberlin wrote:
So, my feeling about the man page for ifcfg-bridge is that it is very abbreviated and requires a deep understanding of the openSuSE network setup model which I don't have. Worse, the man page for ifcfg-bridge refers to a non-existent website - http://linux-net.osdl.org/index.php.Bridge for further information, and there is nothing that I can find in the openSuSE documentation wikis that describes how to set up openvpn either.
Please file a bug report for this documentation issue and report the defect ID back to this thread. http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge might be the current location of the documentation. If that's the case add this information to the defect report too. [ 8< ]
OK, I can accept this and thanks for the info. But my confusion remains, how does the bridge interface (br0) KNOW about the connection between my tap0 and eth1 interfaces? Setting up the tap0 interface, via YaST, seems to be straightforward (though there is nothing to specify an association between it and an ethernet (eth) or bridged device, nor did I expect there to be), but my experiments with setting up the bridge, using YaST, do not enlighten me. If I select both interfaces, tap0 and eth1, as the devices to be bridged, which YaST seems to allow in its GUI, it does NOT set the BRIDGE_PORTS variable, in the ifcfg-br0 configuration file, to both ports/devices. (ya gotta love all these naming inconsistencies!)
I'd like to help you with this, but I simply don't have any experience with openvpn and a bridged setup. I expect some of this to have been only superficially tested, so I would not be surprised if you find some yast bugs.
There is no YaST bug nor is there a bug in the init scripts.

Go one step back and reconsider what your goal is. The intention is to be able to connect two networks with the help of openvpn. This does not require a tap device nor does it require a bridge. I believe the mix of the openvpn howto and the SUSE documentation led Marc in this direction.

What you need is network packet forwarding between your network and the Microsoft Windows system where openvpn will run too. On your end SUSE Firewall will be of help. But for the beginning you can even start with the firewall disabled altogether. This will make your initial setup of the VPN easier.

Take a pen and paper and make a drawing of the network setup. The other side, the other system, must be able to connect to your openvpn daemon. If the other end runs on a Windows system which is very likely connected via a router to the network, your openvpn end must be reachable from the internet and therefore run on your gateway/firewall system. If I get it right that's eth0 on your firewall system. Else you'll not be able to establish a VPN connection. One end of the VPN connection must be reachable from the public, worldwide routed internet.

Cheers, Lars
-- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team + SUSE Labs SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On 11/27/2012 12:26 PM, Lars Müller wrote:
On Tue, Nov 27, 2012 at 08:22:38PM +0100, Per Jessen wrote:
Marc Chamberlin wrote:
On 11/26/2012 11:19 PM, Per Jessen wrote:
Marc Chamberlin wrote:
So, my feeling about the man page for ifcfg-bridge is that it is very abbreviated and requires a deep understanding of the openSuSE network setup model which I don't have. Worse, the man page for ifcfg-bridge refers to a non-existent website - http://linux-net.osdl.org/index.php.Bridge for further information, and there is nothing that I can find in the openSuSE documentation wikis that describes how to set up openvpn either.
Please file a bug report for this documentation issue and report the defect ID back to this thread.
http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge might be the current location of the documentation. If that's the case add this information to the defect report too.
Bug 791553
[ 8< ]
OK, I can accept this and thanks for the info. But my confusion remains, how does the bridge interface (br0) KNOW about the connection between my tap0 and eth1 interfaces? Setting up the tap0 interface, via YaST, seems to be straightforward (though there is nothing to specify an association between it and an ethernet (eth) or bridged device, nor did I expect there to be), but my experiments with setting up the bridge, using YaST, do not enlighten me. If I select both interfaces, tap0 and eth1, as the devices to be bridged, which YaST seems to allow in its GUI, it does NOT set the BRIDGE_PORTS variable, in the ifcfg-br0 configuration file, to both ports/devices. (ya gotta love all these naming inconsistencies!)
I'd like to help you with this, but I simply don't have any experience with openvpn and a bridged setup. I expect some of this to have been only superficially tested, so I would not be surprised if you find some yast bugs.
There is no YaST bug nor is there a bug in the init scripts.
I DO like a confident man! ;-)
Go one step back and reconsider what's your goal. The intention is to be able to connect two networks with the help of openvpn. Ummm sorta... My goal is to take a laptop (or desktop) located somewhere on the internet, as in "road warrior" mode, and attach it to a SOHO network located at a telescope observatory at a remote site. I don't care about the "rest" of the network that the "road warrior" laptop happens to be on and I do not wish to join that network with the network at the SOHO telescope site. Just the laptop itself....
This does not require a tap device nor does it require a bridge.
I believe the mix of the openvpn howto and the SUSE documentation led Marc in this direction.
OK.... You need to say more because this is very confusing! My understanding, from reading the openvpn documentation, is that since I have some Windows systems on our telescope's SOHO network, and the "road warrior" laptops may or may not be Windows, and I am not running a WINS server; in order to receive NETBIOS broadcasts about files shared on all these various computers (and other broadcasts from our telescope servers) I must set up openvpn to use a tap device that has been bridged to the internal interface. In my case this is eth1 with a static private IP address. Eth0 is the interface device facing the Internet and it (indirectly, see the FYI below) does have a static public IP address associated with it. I don't see how creating this bridge interface is done using YaST nor am I clear on how to do this manually. (I've been doing a lot of guessing but so far no joy...)
What you need is network packet forwarding between your network and the Microsoft Windows system where openvpn will run too. On your end SUSE Firewall will be of help.
Oh boy! This is new info and I don't understand it either... Are you referring to using the FW_FORWARD variable in SuSEFirewall2? If so, how do I know what the IP address of a "road warrior" laptop will be? Do I need to configure openvpn to assign a fixed private IP address to each laptop? (I will eventually, but for now I thought you suggested I put that feature off.)
But for the beginning you can even start with a disabled firewall at all. This will make your initial setup of the VPN easier.
Take a pen and paper and make a drawing of the network setup. The other side, the other system, must be able to connect to your openvpn daemon.
If, by "the other side" you mean the "road warrior" laptops, they can reach the SOHO server where I will be running the openvpn server daemon. They do it all the time now with ssh and vnc. So for them to reach the openvpn daemon should be no different. The firewall/gateway computer, for my SOHO network, is the same computer which is also running an ssh, x11vnc, as well as others, AND the openvpn server daemon that we will be using.
If the other end runs on a windows system which is very likely connected via a router to the network your openvpn end must be reachable from the internet and therefore run on your gateway/ firewall system. If I get it right that's eth0 on your firewall system.
I'm not sure I follow you here Lars, perhaps you wrote this paragraph a bit unclearly... I think we are on the same wavelength, the openvpn server daemon IS running on my gateway/firewall system. eth0 of the firewall system IS the device which interfaces to the external network. (Just an FYI, I am simplifying this description a little bit, my external network is actually another private network of Motorola Canopy wireless links that eventually reaches a router where my actual interface to the internet exists. That router just treats my firewall system as belonging to a DMZ and routes everything to it. This external net is on the private 169.254.1.x network, my internal net is on the 192.168.100.x network. My firewall's eth0 address is 169.254.1.100 and its eth1 address (gateway for my internal network) is 192.168.10.100)
Else you'll not be able to establish a VPN connection. One end of the VPN connection must be reachable from the public, worldwide routed internet.
The firewall system, where the openvpn server daemon will be running, is reachable from the internet, as I said we do it all the time with other services.... That isn't my problem, as I said in the beginning, I think my problem is figuring out how to configure the bridge interface, either with YaST or manually. You seem to be saying that I don't need a bridge, or a tap interface, the openvpn documentation seems to be saying that I do... So I remain your confused pupil...
Cheers,
Lars
Thanks again for your time to try and educate me... Marc...