Gentoo Forums
OpenVPN ebuild: use net.tun0/net.tap0 [SOLVED]
lagalopex
Guru
Joined: 16 Oct 2004
Posts: 565

Posted: Tue Aug 15, 2006 6:59 pm    Post subject: OpenVPN ebuild: use net.tun0/net.tap0 [SOLVED]

I emerged net-misc/openvpn-2.0.6 and saw this message:
Quote:
* It is recommended that you create your tun/tap interfaces using
* the net.tun0/net.tap0 scripts provided by baselayout instead of
* using the 'server' directive in openvpn configuration files.
* This will insure that the interface really is up after openvpn
* starts.
* Note that you cannot use net.tun0/net.tap0 and the server option,
* otherwise openvpn will not start.


As you can see, this is done to ensure that the interface is up. But it's only for the server? Why does this "problem" not exist in the client as well? What is the point of doing it in this uncommon way?

So I was searching for howtos covering this very Gentoo-specific handling of the interface, because I can't get this working... it will be a server for multiple clients...


Last edited by lagalopex on Tue Aug 15, 2006 11:34 pm; edited 1 time in total
UberLord
Retired Dev
Joined: 18 Sep 2003
Posts: 6835
Location: Blighty

Posted: Tue Aug 15, 2006 7:06 pm

Well, for the client too - but for the most part OpenVPN can manage the interface. It's just a recommendation - you can do either really.
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool
lagalopex
Guru
Joined: 16 Oct 2004
Posts: 565

Posted: Tue Aug 15, 2006 9:34 pm

I just want to know why the interface is (obviously) handled incorrectly by openvpn (at least sometimes). And what problems point to this issue?

And, as it's for the client as well, why is "client" not mentioned?

How should they be configured? I mean it's hard to guess the IP for the client. (The server always takes .1 and .2?)
UberLord
Retired Dev
Joined: 18 Sep 2003
Posts: 6835
Location: Blighty

Posted: Tue Aug 15, 2006 10:28 pm

Well, for a server some services may need to bind to the vpn interface right away. Openvpn has a nasty habit of returning right away and then opening the vpn interface. What's more, we have no way of knowing what the interface will actually be. So using the tuntap network module solves this issue, as you can force openvpn to bind to an existing tun/tap device.

Clients don't normally have this issue.
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool
lagalopex
Guru
Joined: 16 Oct 2004
Posts: 565

Posted: Tue Aug 15, 2006 10:56 pm

OK, so a 'tuntap_tun0="tun"' in /etc/conf.d/net would be enough?
Or is adding a 'config_tun0=( "192.168.2.1/24")' needed?

But I still don't really know how I should configure the server without the "server 192.168.2.0 255.255.255.0" line.
According to the man page, the server line would expand to:
Code:
mode server
tls-server
ifconfig 192.168.2.1 192.168.2.2
ifconfig-pool 192.168.2.4 192.168.2.251
route  192.168.2.0 255.255.255.0
push "route 192.168.2.1"

Is it as easy as removing the "ifconfig 192.168.2.1 192.168.2.2" line?


Last edited by lagalopex on Tue Aug 15, 2006 11:06 pm; edited 1 time in total
UberLord
Retired Dev
Joined: 18 Sep 2003
Posts: 6835
Location: Blighty

Posted: Tue Aug 15, 2006 11:01 pm

Here's my server config

Code:
dev vpn
dev-type tap
comp-lzo
keepalive 10 60
ping-timer-rem
ca /etc/ssl/certs/marplesCA.pem
cert /etc/ssl/certs/marples.name.pem
key /etc/ssl/private/marples.name.pem
tls-auth ta.key 0
dh dh1024.pem

mode server
tls-server
ifconfig-pool 10.73.1.100 10.73.1.200 255.255.255.0

push "route-metric 500"
push "route-gateway 10.73.1.1"
push "route 0.0.0.0 0.0.0.0"
push "route 10.73.0.0 255.255.255.0"

ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 10.73.1.1"
push "dhcp-option DOMAIN marples.name"

client-config-dir /etc/openvpn/ccd
client-to-client

ns-cert-type client


And my relevant conf.d/net

Code:
tuntap_vpn="tap"
config_vpn=( "10.73.1.1/24" )


HTH
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool
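
An added example, not part of the thread and not code from Gentoo or OpenVPN: a consistency check for the setup in the post above, where conf.d/net creates and addresses the device and the OpenVPN server config only attaches to it. Flagging a leftover `ifconfig` line is an assumption drawn from the posted configuration, which has none; the function names and sample strings are constructed here.

```python
import ipaddress
import re

def directives(text):
    """Tokenise an OpenVPN config: one token list per directive line."""
    lines = (l.strip() for l in text.splitlines())
    return [re.findall(r'"[^"]*"|\S+', l) for l in lines if l and l[0] not in "#;"]

def lint(ovpn_text, confd_text):
    """Return findings for a server config whose device is pre-created in conf.d/net."""
    rows, out = directives(ovpn_text), []
    arg = lambda key: next((r[1:] for r in rows if r[0] == key), None)
    tuntap = dict(re.findall(r'^tuntap_(\w+)="(tun|tap)"', confd_text, re.M))
    addrs = dict(re.findall(r'^config_(\w+)=\(\s*"([^"\s]+)', confd_text, re.M))
    for key in ("server", "ifconfig"):
        if arg(key) is not None:
            out.append(f"'{key}' makes openvpn configure the interface itself")
    dev = (arg("dev") or [None])[0]
    if dev not in tuntap or dev not in addrs:
        return out + [f"dev {dev} lacks a tuntap_/config_ entry in conf.d/net"]
    dev_type = (arg("dev-type") or [dev[:3]])[0]  # tun0/tap0 imply their type
    if dev_type != tuntap[dev]:
        out.append(f"dev-type {dev_type} but tuntap_{dev} is {tuntap[dev]}")
    iface = ipaddress.ip_interface(addrs[dev])
    pool = arg("ifconfig-pool")
    if pool:
        lo, hi = (ipaddress.ip_address(a) for a in pool[:2])
        if lo not in iface.network or hi not in iface.network:
            out.append(f"ifconfig-pool {lo}-{hi} is outside {iface.network}")
        elif lo <= iface.ip <= hi:
            out.append(f"ifconfig-pool includes the server address {iface.ip}")
    for r in rows:
        pushed = r[1].strip('"').split() if r[0] == "push" and len(r) > 1 else []
        if pushed[:1] == ["route-gateway"] and pushed[1:2] != [str(iface.ip)]:
            out.append(f"pushed route-gateway {pushed[1:]} is not {iface.ip}")
    return out

# Constructed samples: GOOD is trimmed from the configuration posted above.
CONFD = 'tuntap_vpn="tap"\nconfig_vpn=( "10.73.1.1/24" )\n'
GOOD = """dev vpn
dev-type tap
mode server
ifconfig-pool 10.73.1.100 10.73.1.200 255.255.255.0
push "route-gateway 10.73.1.1"
"""
BAD = "server 10.73.1.0 255.255.255.0\n" + GOOD.replace("10.73.1.100", "10.73.1.1")

if __name__ == "__main__":
    print(lint(GOOD, CONFD), lint(BAD, CONFD), sep="\n")
```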
lagalopex
Guru
Joined: 16 Oct 2004
Posts: 565

Posted: Tue Aug 15, 2006 11:34 pm

Works! Thanks a lot!