I get this error when I start openvpn. I end up with tap0 not being assigned an IP.
This is my server.conf:
Code:
port 1194
proto udp
dev tap0
script-security 2
up "/etc/openvpn/bridge-start"
down "/etc/openvpn/bridge-stop"
ca ca.crt
cert home-vpn.crt
key home-vpn.key # This file should be kept secret
dh dh2048.pem
ifconfig-pool-persist ipp.txt
server-bridge 10.50.0.4 255.255.255.0 10.50.0.50 10.50.0.100
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
auth SHA512
reneg-sec 3600
crl-verify crl.pem
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
compress lz4-v2
push "compress lz4-v2"
max-clients 4
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 4
mute 20
explicit-exit-notify 1
This is my bridge-start script:
Code:
#!/bin/sh
# Bridge setup: create the tap device, put it and the LAN interface into br0,
# then move the LAN address onto the bridge.
br="br0"
tap="tap0"
eth="enp1s0"
eth_ip="192.168.8.4"
eth_netmask="24"
eth_broadcast="192.168.8.255"
# create each tap device as a persistent interface
for t in $tap; do
/usr/sbin/openvpn --mktun --dev $t
done
# create the bridge and enslave the LAN interface to it
/usr/sbin/ip link add $br type bridge
/usr/sbin/ip link set $eth master $br
# enslave each tap device to the bridge
for t in $tap; do
/usr/sbin/ip link set $t master $br
done
# bring the tap devices up in promiscuous mode
for t in $tap; do
/usr/sbin/ip link set $t up
/usr/sbin/ip link set $t promisc on
done
# bring the LAN interface up and assign the LAN address to the bridge
/usr/sbin/ip link set $eth up
/usr/sbin/ip link set $eth promisc on
/usr/sbin/ip address add $eth_ip/$eth_netmask broadcast $eth_broadcast dev $br
I don't think there are any permissions errors. I did have some beforehand, but openvpn reports none:
Code:
ll bridge-*
-rwxr--r-x 1 openvpn root 1066 May 5 22:03 bridge-start
-rwxr--r-x 1 openvpn root 398 May 5 22:12 bridge-stop
I'm not sure what I'm doing wrong.
OpenVPN version is openvpn-2.4.5 on CentOS 7.4 (everything is up to date).
Any suggestions? I'm missing something; I've configured openvpn in bridge mode before and I'm not sure what I'm missing. It's true that there are a few changes to the previous working configuration, such as tls-auth, but that shouldn't affect the overall setup.
openvpn.log:
Code:
Sat May 5 22:31:31 2018 us=111928 Current Parameter Settings:
Sat May 5 22:31:31 2018 us=126274 config = 'server.conf'
Sat May 5 22:31:31 2018 us=126314 mode = 1
Sat May 5 22:31:31 2018 us=126322 persist_config = DISABLED
Sat May 5 22:31:31 2018 us=126328 persist_mode = 1
Sat May 5 22:31:31 2018 us=126334 show_ciphers = DISABLED
Sat May 5 22:31:31 2018 us=126340 show_digests = DISABLED
Sat May 5 22:31:31 2018 us=126346 show_engines = DISABLED
Sat May 5 22:31:31 2018 us=126352 genkey = DISABLED
Sat May 5 22:31:31 2018 us=126358 key_pass_file = '[UNDEF]'
Sat May 5 22:31:31 2018 us=126364 show_tls_ciphers = DISABLED
Sat May 5 22:31:31 2018 us=126370 connect_retry_max = 0
Sat May 5 22:31:31 2018 us=126377 Connection profiles [0]:
Sat May 5 22:31:31 2018 us=126384 proto = udp
Sat May 5 22:31:31 2018 us=126390 local = '[UNDEF]'
Sat May 5 22:31:31 2018 us=126396 local_port = '1194'
Sat May 5 22:31:31 2018 us=126402 remote = '[UNDEF]'
Sat May 5 22:31:31 2018 us=126408 remote_port = '1194'
Sat May 5 22:31:31 2018 us=126413 remote_float = DISABLED
Sat May 5 22:31:31 2018 us=126419 bind_defined = DISABLED
Sat May 5 22:31:31 2018 us=126425 NOTE: --mute triggered...
Sat May 5 22:31:31 2018 us=126435 266 variation(s) on previous 20 message(s) suppressed by --mute
Sat May 5 22:31:31 2018 us=126446 OpenVPN 2.4.5 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 1 2018
Sat May 5 22:31:31 2018 us=126459 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Sat May 5 22:31:31 2018 us=126651 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Sat May 5 22:31:31 2018 us=126745 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat May 5 22:31:31 2018 us=426989 Diffie-Hellman initialized with 2048 bit key
Sat May 5 22:31:31 2018 us=528673 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat May 5 22:31:31 2018 us=528731 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat May 5 22:31:31 2018 us=528769 TLS-Auth MTU parms [ L:1654 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Sat May 5 22:31:31 2018 us=733581 TUN/TAP device tap0 opened
Sat May 5 22:31:31 2018 us=733665 TUN/TAP TX queue length set to 100
Sat May 5 22:31:31 2018 us=733736 /etc/openvpn/bridge-start tap0 1500 1654 init
Sat May 5 22:31:31 2018 ERROR: Cannot ioctl TUNSETIFF tap0: Device or resource busy (errno=16)
Sat May 5 22:31:31 2018 Exiting due to fatal error
Sat May 5 22:31:31 2018 us=957928 Data Channel MTU parms [ L:1654 D:1450 EF:122 EB:411 ET:32 EL:3 ]
Sat May 5 22:31:31 2018 us=957988 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat May 5 22:31:31 2018 us=958019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat May 5 22:31:31 2018 us=958044 UDPv4 link local (bound): [AF_INET][undef]:1194
Sat May 5 22:31:31 2018 us=958054 UDPv4 link remote: [AF_UNSPEC]
Sat May 5 22:31:31 2018 us=958075 MULTI: multi_init called, r=256 v=256
Sat May 5 22:31:31 2018 us=958115 IFCONFIG POOL: base=10.50.0.50 size=51, ipv6=0
Sat May 5 22:31:31 2018 us=958150 IFCONFIG POOL LIST
Sat May 5 22:31:31 2018 us=958218 Initialization Sequence Completed
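The log above carries an ordering that is easy to miss by eye: the server reports "TUN/TAP device tap0 opened", then invokes the up script, and only then does "Cannot ioctl TUNSETIFF tap0: Device or resource busy" appear, followed by "Exiting due to fatal error" and yet "Initialization Sequence Completed". The error line also lacks the `us=` microsecond stamp the server prints at verb 4. My reading of that sequence (not stated in the post) is that the fatal exit belongs to a second openvpn process, the `openvpn --mktun --dev tap0` run from the up script, which tries to attach to a tap device the server already holds open. The following script is an added example, not part of the original post; it runs that ordering check over a constructed log excerpt so the same triage can be repeated on any server log. The log text and the function name `diagnose_tap_busy` are my own.

```shell
#!/bin/sh
# Added example: triage an OpenVPN server log for an up script that tries to
# (re)create the TAP device the server process has already opened.

# Constructed sample log, abridged from the shape of the post's openvpn.log.
SAMPLE_LOG='Sat May 5 22:31:31 2018 us=733581 TUN/TAP device tap0 opened
Sat May 5 22:31:31 2018 us=733736 /etc/openvpn/bridge-start tap0 1500 1654 init
Sat May 5 22:31:31 2018 ERROR: Cannot ioctl TUNSETIFF tap0: Device or resource busy (errno=16)
Sat May 5 22:31:31 2018 Exiting due to fatal error
Sat May 5 22:31:31 2018 us=958218 Initialization Sequence Completed'

# Constructed healthy log: same steps, no TUNSETIFF failure.
CLEAN_LOG='Sat May 5 22:31:31 2018 us=733581 TUN/TAP device tap0 opened
Sat May 5 22:31:31 2018 us=733736 /etc/openvpn/bridge-start tap0 1500 1654 init
Sat May 5 22:31:31 2018 us=958218 Initialization Sequence Completed'

# diagnose_tap_busy LOGTEXT prints one line per device:
#   "up-script-mktun-race <dev>"  device opened by the server, up script invoked,
#                                  then TUNSETIFF busy for that same device;
#                                  "server-continued" is appended when the server
#                                  still reached "Initialization Sequence Completed",
#                                  i.e. the fatal error came from a child process
#   "tunsetiff-busy-other <dev>"  TUNSETIFF busy without that ordering
#   "ok"                          no TUNSETIFF error at all
diagnose_tap_busy() {
    printf '%s\n' "$1" | awk '
        /TUN\/TAP device [^ ]+ opened/ {
            for (i = 1; i <= NF; i++) if ($i == "device") opened[$(i + 1)] = NR
        }
        # up-script invocation: "<script> <dev> <tun_mtu> <link_mtu> init"
        / [0-9]+ [0-9]+ init$/ { up[$(NF - 3)] = NR }
        /Cannot ioctl TUNSETIFF/ {
            for (i = 1; i <= NF; i++) if ($i == "TUNSETIFF") {
                d = $(i + 1); sub(/:$/, "", d); busy[d] = NR
            }
        }
        /Initialization Sequence Completed/ { completed = NR }
        END {
            n = 0
            for (d in busy) {
                n++
                if ((d in opened) && (d in up) && opened[d] < up[d] && up[d] < busy[d]) {
                    msg = "up-script-mktun-race " d
                    if (completed > busy[d]) msg = msg " server-continued"
                    print msg
                } else {
                    print "tunsetiff-busy-other " d
                }
            }
            if (n == 0) print "ok"
        }'
    return 0
}

# Run against both constructed logs.
diagnose_tap_busy "$SAMPLE_LOG"
diagnose_tap_busy "$CLEAN_LOG"
```

On a real server pass the log contents in, e.g. `diagnose_tap_busy "$(cat /etc/openvpn/openvpn.log)"`. The check keys on line order rather than on the `us=` stamp so it also works at verbosity levels where the stamp is absent.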