From: James Long
To: freebsd-questions@freebsd.org
Date: Sun, 22 Apr 2007 18:14:20 -0700
Subject: Problem with OpenVPN and ethernet bridging
Message-ID: <20070423011419.GA10619@ns.umpquanet.com>

I'm trying to get my feet wet with an ethernet bridging setup under OpenVPN. I have two hosts on a 10.0.0.0/24 network that I want to connect: dl360 is the server, and t30 is the client. These hosts are resolvable via /etc/hosts. TLS seems to be working with certs I created at cacert.org.
The goal is to bridge the t30 client to the second ethernet NIC of the dl360 server. The client is assigned an IP from the bridged LAN correctly, but the client cannot ping the 172.16.16.1 IP on the server's ethernet interface. tcpdump shows traffic going out the tap0 interface on the client (ARP traffic, that is, trying to ARP for 172.16.16.1). tcpdump on the server's physical bge0 shows incoming traffic destined for UDP port 1194 on the server, but no traffic on the server's tap0 or bridge0 interfaces.

The OpenVPN docs, examples, and instructions are highly Linux-centric, so I'm having to read between the lines a lot. Based on http://www.mired.org/home/mwm/papers/FreeBSD-OpenVPN-Bridging.html I am not assigning IPs to the server's tap and bridge interfaces, as that page claims that such is unnecessary under FreeBSD.

So my troubleshooting is focusing on the server side, since I can see that VPN traffic is reaching the public interface, but OpenVPN is not mapping that traffic onto the ethernet bridge.

For now, I am creating the tap and bridge interfaces manually. Despite having:

    openvpn_enable="YES"
    openvpn_if="tap bridge"

in /etc/rc.conf, I find that OpenVPN does not create the bridge interface.
I am running this script by hand, followed by running "/usr/local/etc/rc.d/openvpn start":

    ifconfig tap0 create
    ifconfig bridge0 create
    ifconfig bridge0 addm bge1 addm tap0 up

Here's ifconfig on the server:

    bge0: flags=8843 metric 0 mtu 1500
            options=9b
            ether 00:08:02:a0:c6:9d
            inet 10.0.0.22 netmask 0xffffff00 broadcast 10.0.0.255
            media: Ethernet autoselect (100baseTX )
            status: active
    bge1: flags=8943 metric 0 mtu 1500
            options=98
            ether 00:08:02:a0:c6:9e
            inet 172.16.16.1 netmask 0xffffff00 broadcast 172.16.16.255
            media: Ethernet autoselect (none)
            status: no carrier
    lo0: flags=8049 metric 0 mtu 16384
            inet 127.0.0.1 netmask 0xff000000
    tap0: flags=8942 metric 0 mtu 1500
            ether 00:bd:87:77:8b:00
            Opened by PID 49835
    bridge0: flags=8843 metric 0 mtu 1500
            ether b6:1d:6a:ae:be:a4
            id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
            maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
            root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0
            member: tap0 flags=143
            member: bge1 flags=143

Here's the openvpn.conf on the server:

    local dl360
    port 1194
    proto udp
    dev tap0
    ca cacert.org.crt
    cert dl360.crt
    key dl360.key  # This file should be kept secret
    dh dh1024.pem
    ifconfig-pool-persist ipp.txt
    server-bridge 172.16.16.1 255.255.255.0 172.16.16.50 172.16.16.100
    keepalive 10 120
    persist-key
    persist-tun
    status openvpn-status.log
    log openvpn.log
    verb 3

- - -

And here's the openvpn.conf on the client:

    client
    dev tap
    proto udp
    remote dl360 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca cacert.org.crt
    cert t30.crt
    key t30.key
    log-append openvpn.log
    verb 3

- - -

I have set net.inet.ip.forwarding to 1 on the server to ensure that packets are forwarded between interfaces.

What am I missing on the server side that's preventing me from pinging from 172.16.16.50 to 172.16.16.1?

The client is running 6.2-STABLE circa March 13, and the server is 7.0-CURRENT circa late April 21.

Thank you!

Jim
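An added example, not part of the original post or any reply to it: a small FreeBSD sh script that does the manual tap/bridge setup described above and then verifies, from ifconfig output, that every interface involved actually carries the IFF_UP flag. It assumes the interface names from the post (bge1 as the LAN NIC, tap0 as the OpenVPN device, bridge0 as the bridge) and uses the bit values of IFF_UP (0x1) and IFF_RUNNING (0x40) from FreeBSD's <net/if.h>. The check is worth running because the flags word is easy to misread: in the ifconfig output quoted above, tap0 shows flags=8942, whose low bit (IFF_UP) is clear, whereas bge1 (8943) and bridge0 (8843) have it set. The --apply option and the function names are this example's own conventions; the sample ifconfig lines are constructed from the post's output so the checker can run offline.

```sh
#!/bin/sh
# Added example (not from the original post). Creates the OpenVPN tap
# bridge on FreeBSD and checks that each member interface is UP.
# Assumed interface names from the post: bge1 (LAN NIC), tap0, bridge0.

# Bit values from FreeBSD <net/if.h>.
IFF_UP=1
IFF_RUNNING=64

# flag_set HEXFLAGS BIT -> success if BIT is set in the hex flags word
# that ifconfig prints (e.g. "flags=8942").
flag_set() {
    word=$((0x$1))
    [ $(( word & $2 )) -ne 0 ]
}

# iface_flags IFNAME IFCONFIG_TEXT -> the hex flags word of IFNAME,
# empty if the interface does not appear in the text.
iface_flags() {
    printf '%s\n' "$2" | sed -n "s/^$1: flags=\([0-9a-fA-F]*\).*/\1/p"
}

# check_members IFCONFIG_TEXT IFNAME... -> prints each interface that is
# missing or not UP; returns 1 if any was reported, 0 otherwise.
check_members() {
    text=$1
    shift
    rc=0
    for ifn in "$@"; do
        f=$(iface_flags "$ifn" "$text")
        if [ -z "$f" ]; then
            echo "$ifn: not present in ifconfig output"
            rc=1
        elif ! flag_set "$f" "$IFF_UP"; then
            echo "$ifn: flags=$f lacks UP (bit 0x1)"
            rc=1
        elif ! flag_set "$f" "$IFF_RUNNING"; then
            echo "$ifn: flags=$f lacks RUNNING (bit 0x40)"
        fi
    done
    return $rc
}

# setup_bridge -> the manual steps from the post, plus an explicit
# "up" on every interface rather than only on bridge0. Needs root.
setup_bridge() {
    ifconfig tap0 create
    ifconfig bridge0 create
    ifconfig bridge0 addm bge1 addm tap0
    ifconfig bge1 up
    ifconfig tap0 up
    ifconfig bridge0 up
    check_members "$(ifconfig)" bge1 tap0 bridge0
}

# Constructed sample: the flags lines quoted in the post above.
SAMPLE='bge1: flags=8943 metric 0 mtu 1500
tap0: flags=8942 metric 0 mtu 1500
bridge0: flags=8843 metric 0 mtu 1500'

case "${1:-}" in
    --apply)
        setup_bridge
        ;;
    *)
        # Offline mode: run the checker over the constructed sample.
        check_members "$SAMPLE" bge1 tap0 bridge0 ||
            echo "at least one member is not UP; fix with: ifconfig <if> up"
        ;;
esac
```

Run it without arguments to check the sample, or as root with --apply on the server to perform the setup and check the live ifconfig output; a member that the bridge lists but that is not UP will not pass frames, so this is a useful first check before looking at OpenVPN itself.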