Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
My question is linked to OpenVPN but is, in fact, a more general question
about network interfaces and virtual interfaces.
In the OpenVPN "server.conf" file, one can find the following comment:
Code:
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
I have two machines A and B (Unix).
A is in the subnet 192.168.0.0/24.
B is in the subnet 192.168.2.0/24.
Each subnet has its own router with two interfaces:
- one private interface (192.168.x.1 where x belongs to {0, 2}),
- one public interface (with public IPs W1.X1.Y1.Z1 and W2.X2.Y2.Z2 respectively).
The routers are NAT (Network Address Translation) gateways.
The tunnels I want to create are between A and B.
The Ethernet tunnel is at the OSI physical layer.
The IP tunnel is at the OSI network layer.
Can you tell me how to create such tunnels properly?
I mean: I don't know how to create them, destroy them, supervise them, examine them.
Which are the configuration files, the log files, the key commands which have to be known to handle that problem properly?
Thank you for your help ,
all the best,
--
Léa
Last edited by leamassiot; 08-03-2009 at 09:08 AM.
I'm not familiar with OpenVPN but I am familiar with vpns in general.
The first job is to verify that both machines see each other. More specifically can A ping B and B ping A? If you can't, you have a routing issue and nothing you do with OpenVPN will ever have a chance of working.
The second step is to verify that neither machine has a firewall blocking the necessary ports. Again no chance for the poor tunnel if there's a firewall in the way.
You would likely want a routed connection which would indicate a tun device.
Finally if you're still having problems repost with details on what you've tried and what error messages you're getting.
Note that, concerning the "openvpn" command I just wanted not to have that kind of message:
Code:
# ifup tun0
SIOCSIFADDR: No such device
tun0: ERROR while getting interface flags: No such device
SIOCSIFNETMASK: No such device
SIOCSIFDSTADDR: No such device
tun0: ERROR while getting interface flags: No such device
tun0: ERROR while getting interface flags: No such device
Failed to bring up tun0.
Maybe there exists a simpler, more basic way to avoid such an issue... ?
==(3) I rebooted the system and executed the following commands:
Code:
# ifconfig -a
eth0 Link encap:Ethernet HWaddr <aa:bb:cc:dd:ee:ff>
inet addr:192.168.0.4 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: <aa::bb:cc:dd:ee>/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9922 errors:0 dropped:0 overruns:0 frame:0
TX packets:11510 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1147330 (1.0 MiB) TX bytes:1942208 (1.8 MiB)
Interrupt:20 Base address:0xa400
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:560 (560.0 B) TX bytes:560 (560.0 B)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.0.99 P-t-P:W2.X2.Y2.Z2 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:94 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 W2.X2.Y2.Z2 255.255.255.0 UG 0 0 0 tun0
W2.X2.Y2.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
I am not really happy with the route:
Code:
W2.X2.Y2.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
It has no meaning, no?
I am about to do approximately the same thing on machine B...
Please tell me if you think it is not the proper way to do things...
==(1) So now, on machine A, I have the following routes:
Note that I suppressed the following route:
Code:
<machine A># route del W2.X2.Y2.0 gw 0.0.0.0 tun0
Code:
<machine A># route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 W2.X2.Y2.Z2 255.255.255.0 UG 0 0 0 tun0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
==(2) On machine B:
Code:
<machine B># route del W1.X1.Y1.0 gw 0.0.0.0 tun0
Code:
<machine B># route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.0 W1.X1.Y1.Z1 255.255.255.0 UG 0 0 0 tun0
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0
On machine A (192.168.0.4) I can't ping machine B (192.168.2.4).
On machine B (192.168.2.4) I can't ping machine A (192.168.0.4).
All the best,
--
Léa
Seems like you've made a bit of progress.
After a quick reading of the OpenVPN docs I've learned that the default port is udp/1194. Each of the routers must forward this traffic to the proper target machine.
You shouldn't delete those routes. They tell the network how to route vpn traffic. Also, the OpenVPN software should bring up the tun interfaces by itself. My impression is that once you tell it you want a tun interface, it takes care of all the necessary details.
I'm also left with the impression that the vpn network should have its own subnet. It's not clearly spelled out in any place that I can find, but there are things that point that way. This would make sense in that it would make OpenVPN the software emulation of two NICs connected to the same network, which is what it seems to be. Sometimes developers think something is so obvious they don't mention it. Try setting your vpn interfaces in a new subnet say 10.1.1.0/24. I suspect that this is the main source of your grief.
In my quick look at the docs I've noticed that you need a 'remote' directive in your configuration file. This tells the software where to send the encrypted traffic, so it must point to the external address of the alternate router.
You've probably already done the router forwarding and remote directive, but I thought I'd include them just in case you hadn't. Of course you have to remember, I've never used OpenVPN, these are just educated guesses and a second set of eyes on the documentation.
The problem is that, if these routes are not deleted I can't access anymore the
remote machine B from A (via SSH) (fortunately I had someone on machine B who could delete
the route, otherwise I would have been stuck).
Quote:
Also, the OpenVPN software should bring up the tun interfaces by itself.
Yes, I think so too but my problem is that "tun0" interfaces do not exist on my systems and OpenVPN apparently
doesn't create them. It probably has to be done prior to running the OpenVPN daemon. I was asking how to do this.
Maybe, the command mentionned above (post #3: "openvpn --mktun --dev tun0") is ok.
CORRECTION:
I am sorry, "tun0" interface is automatically created when "/etc/init.d/openvpn" is started.
We may not execute the command "openvpn --mktun --dev tun0".
Quote:
I'm also left with the impression that the vpn network should have its own subnet. It's not clearly
spelled out in any place that I can find, but there are things that point that way. This would make
sense in that it would make OpenVPN the software emulation of two NICs connected to the same network,
which is what it seems to be. Sometimes developers think something is so obvious they don't mention it.
Try setting your vpn interfaces in a new subnet say 10.1.1.0/24. I suspect that this is the main source
of your grief.
Yes... really not obvious to me.
Quote:
You've probably already done the router forwarding and remote directive
Yes, I did it.
Thanks for reminding .
Regards,
--
Léa
Last edited by leamassiot; 08-05-2009 at 03:32 AM.
In "/etc/openvpn/server.conf" there is the following directive:
Quote:
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
I think this is what Mike alluded to in his post...
Well, my two subnets are 192.168.0.0/24 and 192.168.2.0/24
so, what is this 10.8.0.0/24 subnet?
Shouldn't I replace it with 192.168.2.0/24 (the OpenVPN server being
192.168.0.4)?
Thank you for your help,
all the best,
--
Léa
Last edited by leamassiot; 08-05-2009 at 03:34 AM.
Here are the OpenVPN configuration files for the server and the client.
I changed the minimum number of things I could (see highlighted in bold).
I removed the comments to have a more compact view (maybe I shouldn't have, yout tell me).
(1) MACHINE A (OpenVPN server)
/etc/openvpn/server.conf
(I changed nothing in this file).
Code:
;local a.b.c.d
port 1194
proto udp
;dev tap
dev tun
;dev-node MyTap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;client-to-client
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
;max-clients 100
;user nobody
;group nogroup
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 3
;mute 20
(2) MACHINE B (OpenVPN client)
/etc/openvpn/client.conf
Code:
client
;dev tap
dev tun
;dev-node MyTap
;proto tcp
proto udp
;remote my-server-1 1194
;remote my-server-2 1194
remote W1.X1.Y1.Z1 1194
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nogroup
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
;ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
;mute 20
I changed only one thing in that file (the "remote" directive).
"W1.X1.Y1.Z1" is the public IP of the router (192.168.0.1) which is on the same subnet as machine A (192.168.0.4) which is the OpenVPN server.
(3) I started the OpenVPN server (on machine A (192.168.0.4)):
Do you have an idea about what has to be done?
Thank you for your help,
all the best,
--
Léa
Congratulations! You have a working VPN.
Imagine if both machines were in the same room, but on different networks and you wanted to connect them. You would add a NIC to each and connect them together. You couldn't have the new interfaces on either of the existing networks because that would confuse the routing. So you would create a new network, in this case the 10.8.0.0/24 network, and address both of the cards to be on that network. Once that was done, you could reach each machine from the other using that network.
If that's all you want to do, you're done. Just use the 10.8.0.x address for all your traffic. If you want to reach computers beyond the two connected ones or you just want to use the 192.168.x.x addresses, you have to set up the proper routing rules and enable IP forwarding, same as if you had two ethernet interfaces in each machine. See the OpenVPN FAQ on this.
(5) But, but but... 192.168.0.4 cannot ping neither 192.168.2.4 nor, for example 192.168.2.14.
Why is that so???
I think perhaps the problem is within your client. Your VPN-client need to act as a gateway for it to send tcp-packets to other computers on your subnet.
Check in sysctl.conf and pay attention to the comments.
You might need to make a few changes there.
I can't say for sure that this is your problem but it's worth checking out.
I have done this once, a couple of years ago, but I forgot how it was done.
This assumes that you didn't tell ping which interface to use.
We know that 10.8.0.2->10.8.0.5 and 10.8.0.5->10.8.0.2 work because these two links are also used when we ping the other way, and that works. So we're left with two links
10.8.0.5->192.168.2.4 and 192.168.2.4->10.8.0.5
Your routing table is right, so 192.168.2.4->10.8.0.5 is ok.
Which leaves 10.8.0.5->192.168.2.4 which should be taken care of by the IP forwarding on that machine. Did you forget?
Which leaves 10.8.0.5->192.168.2.4 which should be taken care of by the IP forwarding on that machine. Did you forget?
Yes, I forgot... Please tell me how to do that!!!
Thanks,
all the best,
--
Léa
As per the OpenVPN FAQ...
echo 1 > /proc/sys/net/ipv4/ip_forward
Didn't you do this on the 192.168.0.4 machine? This is the magic command that allows interfaces to pass packets to each other.
Actually, I suspect that the sysctl.conf entry 'net.ipv4.ip_forward' probably does that too, but you may have to reboot, or at least restart your network for it to take effect. The echo command above takes effect immediately, but is cleared by the next boot.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.