OpenAFS on an OpenVPN tun device
Hi all,
For those of you who frequent #openafs, #openvpn or #openbsd on freenode you will more than likely be familiar with my intent.
I'm attempting to configure OpenAFS to run through a simple VPN tunnel created by OpenVPN. The two boxes run OpenBSD.
My method of installing OpenAFS is via the port - /usr/ports/net/openafs. When the "make install" completes one is instructed to run /usr/local/sbin/openafs-setup which prompts for some settings and then proceeds to configure OpenAFS. If I run this script on a standard, or "real" interface the script runs fine and everything configures/runs correctly. If I attempt to run the same script on the tun0 device created by the VPN tunnel I get a series of communication (-1) errors.
Despite gaps in my understanding, I'm of the belief that this is because the server fails to communicate with itself on that particular interface. For example, if I ping 10.8.0.1 (the address of the VPN tun0 device) I fail to receive returns. Tcpdump on the same interface reveals the icmp packets reach the interface however are never returned. (Pf is not enabled). When the tunnel is configured I can successfully ping the same interface from one of the client machines. In summary, no box can ping its own VPN interface.
Perhaps I'm off the track, but that's the best I can assume at this stage. Therefore I'm trying to find why the VPN interfaces aren't enabling a box to communicate with itself and what I must do to fix this.
If I'm off track, please be patient as this setup has been a headache of mine for a number of weeks now. More recently I've attempted running the script using the standard interface and then altering things afterwards - this has been successful until the Kerberos configuration where I would get:
kinit admin@ssits
password:
kinit: krb5_get_init_creds: unable to reach any KDC in realm ssits
I presume this is because the box can't communicate with itself on the VPN if - but could be wrong.
Below I've attached various configuration files with brief information.
Many thanks,
Gsee
System info:
Operating System: OpenBSD 3.9
FQDN: testserver.foobar.com
local IP address: 192.168.1.108
VPN IP address: 10.8.0.1
OpenVPN version: OpenVPN 2.0.7
OpenAFS version: OpenAFS 1.4.0
/etc/hosts
192.168.1.108 testserver testserver.foobar.com
::1 localhost.foobar.com localhost
127.0.0.1 localhost.foobar.com localhost
::1 testserver.foobar.com testserver
127.0.0.1 testserver.foobar.com testserver
/etc/openvpn/server.conf
port 1194
proto udp
dev tun0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
daemon
user nobody
group nogroup
/etc/afs/ThisCell & /etc/openafs/ThisCell
ssits
/etc/openafs/CellServDB
>ssits #Cell name
192.168.1.108 #testserver.foobar.com
#### The script which is part of the OpenBSD port for OpenAFS configures both the ThisCell and CellServDB files - they currently have the standard interface's address set so that the script would complete. At this stage I don't think the problem is directly OpenAFS - more just the fact that the box can't communicate with itself using the VPN interface.
Any other files you need I'll happily provide.
Many thanks
Last edited by Gsee; 05-08-2006 at 06:32 AM.
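The hosts and CellServDB entries in the post can be cross-checked mechanically against the address the tunnel is meant to carry. The script below is an added example, not something from the post, the OpenAFS port or the openafs-setup script; it embeds constructed copies of the /etc/hosts and CellServDB contents shown above, and assumes that the intended VPN address is 10.8.0.1 and that testserver is the hostname the cell and the KDC are addressed by. It lists every address the hostname maps to and reports whether CellServDB names the VPN address, since CellServDB is what AFS clients consult to find the database servers and therefore decides which interface the cell is reached on.

```shell
#!/bin/sh
# Added example: cross-check the name -> address mappings that OpenAFS and
# Kerberos will see against the address the VPN tunnel is meant to use.
# The two variables below are constructed copies of the files in the post.

SAMPLE_HOSTS='192.168.1.108 testserver testserver.foobar.com
::1 localhost.foobar.com localhost
127.0.0.1 localhost.foobar.com localhost
::1 testserver.foobar.com testserver
127.0.0.1 testserver.foobar.com testserver'

SAMPLE_CELLSERVDB='>ssits #Cell name
192.168.1.108 #testserver.foobar.com'

# hosts_addrs NAME HOSTSTEXT
# Prints every address that NAME maps to in hosts(5) text, one per line,
# in file order (the order a file-based resolver would try them).
hosts_addrs() {
    printf '%s\n' "$2" | awk -v n="$1" '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        { sub(/#.*/, "")                        # drop trailing comments, re-split fields
          for (i = 2; i <= NF; i++) if ($i == n) { print $1; break } }'
}

# cellservdb_addrs CELLSERVDBTEXT
# Prints the database server addresses listed for the cell (lines not
# starting with ">" are server entries; the first field is the address).
cellservdb_addrs() {
    printf '%s\n' "$1" | awk '/^>/ { next } NF { print $1 }'
}

# check_vpn_binding NAME VPNADDR HOSTSTEXT CELLSERVDBTEXT
# Returns 0 when NAME maps to VPNADDR and CellServDB lists VPNADDR,
# otherwise prints what was found instead and returns 1.
check_vpn_binding() {
    name=$1; vpn=$2; hosts=$3; csdb=$4; rc=0
    if hosts_addrs "$name" "$hosts" | grep -qx "$vpn"; then
        echo "ok: $name maps to VPN address $vpn"
    else
        echo "warn: $name maps to [$(hosts_addrs "$name" "$hosts" | tr '\n' ' ')] but not to $vpn"
        rc=1
    fi
    if cellservdb_addrs "$csdb" | grep -qx "$vpn"; then
        echo "ok: CellServDB lists $vpn"
    else
        echo "warn: CellServDB lists [$(cellservdb_addrs "$csdb" | tr '\n' ' ')], not $vpn"
        rc=1
    fi
    return $rc
}

# Stand-alone run against the constructed data: with the files as posted,
# testserver resolves to the LAN address and the loopbacks, and CellServDB
# points at the LAN address, so the check reports both as inconsistent.
if check_vpn_binding testserver 10.8.0.1 "$SAMPLE_HOSTS" "$SAMPLE_CELLSERVDB"; then
    echo "bindings consistent with the VPN address"
else
    echo "bindings inconsistent with the VPN address"
fi
```

To run it against a live system, replace the two sample variables with `$(cat /etc/hosts)` and `$(cat /etc/openafs/CellServDB)`; the functions only parse text and do not touch the network, so the result says what the name and cell files point at, not whether the tun0 address itself answers.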