LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Other *NIX Forums > *BSD
05-08-2006, 06:28 AM   #1
Gsee (Member; registered Mar 2004; location: Australia; distributions: FreeBSD, OpenBSD, Gentoo, Debian)
OpenAFS on an OpenVPN tun device


Hi all,

For those of you who frequent #openafs, #openvpn or #openbsd on freenode, you will more than likely be familiar with my intent.

I'm attempting to configure OpenAFS to run through a simple VPN tunnel created by OpenVPN. The two boxes run OpenBSD.

My method of installing OpenAFS is via the port - /usr/ports/net/openafs. When the "make install" completes one is instructed to run /usr/local/sbin/openafs-setup which prompts for some settings and then proceeds to configure OpenAFS. If I run this script on a standard, or "real" interface the script runs fine and everything configures/runs correctly. If I attempt to run the same script on the tun0 device created by the VPN tunnel I get a series of communication (-1) errors.

Despite gaps in my understanding, I'm of the belief that this is because the server fails to communicate with itself on that particular interface. For example, if I ping 10.8.0.1 (the address of the VPN tun0 device) I fail to receive returns. Tcpdump on the same interface reveals that the ICMP packets reach the interface but are never returned. (pf is not enabled.) When the tunnel is configured I can successfully ping the same interface from one of the client machines. In summary, no box can ping its own VPN interface.

Perhaps I'm off track, but that's the best I can assume at this stage. Therefore I'm trying to find out why the VPN interfaces aren't enabling a box to communicate with itself and what I must do to fix this.

If I'm off track, please be patient, as this setup has been a headache of mine for a number of weeks now. More recently I've attempted running the script using the standard interface and then altering things afterwards. This has been successful until the Kerberos configuration, where I would get:

kinit admin@ssits
password:
kinit: krb5_get_init_creds: unable to reach any KDC in realm ssits

I presume this is because the box can't communicate with itself on the VPN interface, but I could be wrong.

Below I've attached various configuration files with brief information.

Many thanks,

Gsee

System info:
Operating System: OpenBSD 3.9
FQDN: testserver.foobar.com
local IP address: 192.168.1.108
VPN IP address: 10.8.0.1
OpenVPN version: OpenVPN 2.0.7
OpenAFS version: OpenAFS 1.4.0

/etc/hosts
192.168.1.108 testserver testserver.foobar.com
::1 localhost.foobar.com localhost
127.0.0.1 localhost.foobar.com localhost
::1 testserver.foobar.com testserver
127.0.0.1 testserver.foobar.com testserver



/etc/openvpn/server.conf

port 1194
proto udp
dev tun0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
daemon
user nobody
group nogroup



/etc/afs/ThisCell & /etc/openafs/ThisCell


ssits



/etc/openafs/CellServDB


>ssits #Cell name
192.168.1.108 #testserver.foobar.com

#### The script which is part of the OpenBSD port for OpenAFS configures both the ThisCell and CellServDB files - they currently have the standard interface's address set so that the script would complete. At this stage I don't think the problem is directly OpenAFS - more just the fact that the box can't communicate with itself using the VPN interface.

Any other files you need I'll happily provide.

Many thanks

Last edited by Gsee; 05-08-2006 at 06:32 AM.
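Added example (not part of the original post, and not code from the OpenAFS or OpenVPN projects): a small Python diagnostic for the suspicion raised above and for the kinit failure. It parses the posted CellServDB, then has each listed address (plus any extra address you pass, such as the tun0 address 10.8.0.1) send a single UDP datagram to itself and report whether it comes back. Rx, the protocol OpenAFS speaks, and Kerberos both run over UDP, so this probes the path openafs-setup and kinit actually need rather than relying on ICMP. It also lints the posted /etc/hosts for names that map to both a loopback address and a real address, a general pitfall when a daemon resolves its own host name. The CellServDB and hosts contents are copied from the post as constructed input; the function names are mine, and the usage at the bottom assumes it is run on the server after the tunnel is up.

```python
import ipaddress
import socket

# Copied from the post (constructed input for this example).
CELLSERVDB = """\
>ssits #Cell name
192.168.1.108 #testserver.foobar.com
"""

# Copied from the post (constructed input for this example).
HOSTS = """\
192.168.1.108 testserver testserver.foobar.com
::1 localhost.foobar.com localhost
127.0.0.1 localhost.foobar.com localhost
::1 testserver.foobar.com testserver
127.0.0.1 testserver.foobar.com testserver
"""


def parse_cellservdb(text):
    """Map cell name -> [(dbserver address, comment), ...].

    A line starting with '>' names a cell (text after '#' is a description);
    each following 'address #hostname' line is one of its database servers.
    """
    cells, cell = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(">"):
            cell = line[1:].split("#", 1)[0].strip()
            cells[cell] = []
            continue
        if cell is None:
            raise ValueError("server line before any cell line: %r" % raw)
        addr, _, comment = line.partition("#")
        cells[cell].append((ipaddress.ip_address(addr.strip()), comment.strip()))
    return cells


def split_personality_names(hosts_text):
    """Names in /etc/hosts text that map to both loopback and non-loopback
    addresses. Which one a daemon gets when resolving its own name then
    depends on lookup order, so these names are worth knowing about."""
    names = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip = ipaddress.ip_address(fields[0])
        for name in fields[1:]:
            names.setdefault(name, []).append(ip)
    return {n: a for n, a in names.items()
            if any(x.is_loopback for x in a) and any(not x.is_loopback for x in a)}


def udp_self_check(addr, timeout=1.0):
    """Bind a UDP socket on addr and send one datagram from it to itself.

    Rx (OpenAFS) and Kerberos use UDP, so a datagram that does not come back
    is the failure openafs-setup and kinit would see. Returns False when the
    address is not configured on this host or nothing is received in time.
    """
    ip = ipaddress.ip_address(addr)
    family = socket.AF_INET6 if ip.version == 6 else socket.AF_INET
    probe = b"afs-selfcheck"
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.bind((str(ip), 0))              # ephemeral port, no root needed
            port = s.getsockname()[1]
            s.sendto(probe, (str(ip), port))
            data, _ = s.recvfrom(len(probe))
        except OSError:                       # bind refused, or timed out
            return False
    return data == probe


def check_cell(cellservdb_text, extra_addrs=()):
    """Self-check every dbserver address plus extra_addrs; {address: ok}."""
    addrs = [a for srv in parse_cellservdb(cellservdb_text).values() for a, _ in srv]
    addrs += [ipaddress.ip_address(a) for a in extra_addrs]
    return {a: udp_self_check(a) for a in addrs}


if __name__ == "__main__":
    # Assumption: run on the server with the tunnel up; 10.8.0.1 is the
    # tun0 address from the post, not from CellServDB.
    for a, ok in check_cell(CELLSERVDB, ["10.8.0.1"]).items():
        print("%-15s self-reachable over UDP: %s" % (a, ok))
    for n, addrs in split_personality_names(HOSTS).items():
        print("%s maps to %s" % (n, ", ".join(map(str, addrs))))
```

If the 10.8.0.1 probe returns False while 192.168.1.108 returns True, the box really is failing to talk to itself over the tunnel address at the layer AFS and Kerberos use, independent of what ping shows; if both return True, look elsewhere (the realm and KDC settings kinit is using, for instance) before blaming the tun device.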
 
  

