Originally Posted by ahallubuntu
I understand. Let us know if you figure it out and how you did it!
Preamble:
SERVER
Code:
#=====================================
# Server Settings
#=====================================
local 192.168.1.3
dev tap0
proto udp
;proto tcp
port 1195
mode server
tls-server
tls-remote "openvpn.klingon.lan"
persist-key
persist-tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
max-clients 10
push "explicit-exit-notify 3"
#=====================================
# Network & DHCP Settings
#=====================================
server-bridge
push "route-gateway 192.168.1.1"
push "redirect-gateway def1 bypass-dhcp"
client-config-dir /etc/openvpn/ccd-bridged
client-to-client
#=====================================
# Certificates & Encryption Settings
#=====================================
ca /etc/openvpn/klingon-rootca-subscriptions.crt
cert /etc/openvpn/klingon-openvpn.crt
key /etc/openvpn/klingon-openvpn.key
dh /etc/openvpn/klingon-openvpn-dh.key
tls-auth /etc/openvpn/klingon-openvpn-ta.key 0
cipher AES-128-CBC
comp-lzo
#=====================================
# Management, Logs & Security Settings
#=====================================
management localhost 5003 /etc/openvpn/passwd.key
log /etc/openvpn/log/log-klingonOpenvpnBridged0.log
status /etc/openvpn/log/status-klingonOpenvpnBridged0.log
keepalive 10 120
verb 3
mute 20
script-security 2
;user nobody
;group nogroup
;client-connect /etc/openvpn/scripts/client-connect.sh
;client-disconnect /etc/openvpn/scripts/client-disconnect.sh
CLIENT
Code:
#=====================================
# Client Settings
#=====================================
remote xxx.xxx.xxx.xxx 995
dev tap
proto udp
;proto tcp
client
ns-cert-type server
persist-key
persist-tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
resolv-retry infinite
nobind
;float
#=====================================
# Certificates & Encryption Settings
#=====================================
ca /etc/openvpn/conf/klingonOpenvpn-ca.crt
cert /etc/openvpn/conf/klingonOpenvpn-client1.crt
key /etc/openvpn/conf/klingonOpenvpn-client1.key
tls-auth /etc/openvpn/conf/klingonOpenvpn-ta.key 1
cipher AES-128-CBC
comp-lzo
#=====================================
# Management, Logs & Security Settings
#=====================================
keepalive 10 60
verb 3
mute 20
script-security 2 system
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
;user nobody
;group nogroup
Here is where I am at. When launching openvpn to connect, the script runs to completion with the following errors.
Code:
...
...
...
Fri Jun 21 11:09:14 2013 TUN/TAP device tap0 opened
Fri Jun 21 11:09:14 2013 TUN/TAP TX queue length set to 100
Fri Jun 21 11:09:14 2013 /etc/openvpn/update-resolv-conf tap0 1500 1590 init
Fri Jun 21 11:09:14 2013 /sbin/route add -net xxx.xxx.xxx.xxx netmask 255.255.255.255 gw 172.25.26.254
Fri Jun 21 11:09:14 2013 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 172.25.25.1
SIOCADDRT: No such process
Fri Jun 21 11:09:14 2013 ERROR: Linux route add command failed: external program exited with error status: 7
Fri Jun 21 11:09:14 2013 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 172.25.25.1
SIOCADDRT: No such process
Fri Jun 21 11:09:14 2013 ERROR: Linux route add command failed: external program exited with error status: 7
Fri Jun 21 11:09:14 2013 Initialization Sequence Completed
At this point the openvpn client is connected to the server, but since in the server.conf only "server-bridge" was used, it does not automatically bring up tap0 configured in Linux. In MS Windows, on the other hand, the talk of the town is that this is supposed to work transparently, but I have not tested it as yet. UPDATE: MS Windows works out of the box.
If I issue:
Code:
sudo dhclient -v tap0
Then tap0 is configured via the remote LAN's DHCP server. I can then go about as usual. When done, I would have to issue and then close down the openvpn connection.
I have been trying to automate it by changing, in the client.conf,
Code:
...
...
...
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
...
...
...
to
Code:
...
...
...
up "dhclient -v tap0"
down "dhclient -r tap0"
...
...
...
NB: for the above you must add the system mode to --script-security, e.g. --script-security 2 system. I am not sure why, since "system" is supposed to be deprecated.
The above gives me the error
Code:
...
...
...
Fri Jun 21 20:19:54 2013 TUN/TAP device tap0 opened
Fri Jun 21 20:19:54 2013 TUN/TAP TX queue length set to 100
Fri Jun 21 20:19:54 2013 dhclient -v tap0 tap0 1500 1590 init
Internet Systems Consortium DHCP Client 4.1-ESV-R4
Copyright 2004-2011 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Cannot find device "init"
Cannot find device "up"
Cannot find device "up"
Cannot find device "1590"
Cannot find device "1500"
Failed to get interface index: No such device
Fri Jun 21 20:19:54 2013 WARNING: Failed running command (--up/--down): external program exited with error status: 1
Fri Jun 21 20:19:54 2013 Exiting
So I tried putting these commands in /etc/openvpn/update-resolv-conf, and they run successfully, BUT no DHCP server offers any lease and dhclient just times out trying to get a lease, so tap0 is never configured for the remote LAN.
So it looks like openvpn has to complete its initialization sequence first before you can run dhclient on tap0.
I am still looking for a way to automate the autoconfig for tap0 at this point.
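Added example (not part of the original post, and not OpenVPN's or ISC's own code): a small --up/--down wrapper script that addresses both failures shown in the logs above. The "Cannot find device" errors come from OpenVPN appending its own arguments (device, tun-mtu, link-mtu, init) to whatever --up names, which is why `dhclient -v tap0` was executed as `dhclient -v tap0 tap0 1500 1590 init`; a script receives those arguments instead and picks the device out of them. The lease timeout when dhclient is run from update-resolv-conf is because OpenVPN runs --up synchronously and does not move any tunnel traffic until the script exits, so the DHCPDISCOVER broadcasts written into tap0 never reach the remote LAN; the wrapper therefore starts dhclient with -nw (daemonize without waiting for a lease) and returns at once. The script path /etc/openvpn/scripts/tap-dhcp.sh and the pid-file directory are assumptions; since it is a plain script with no inline arguments, `script-security 2` is sufficient.

```shell
#!/bin/sh
# tap-dhcp.sh: OpenVPN --up/--down wrapper that configures a bridged tap
# client via the remote LAN's DHCP server.  (Added example; paths assumed.)
#
# Why a wrapper: OpenVPN appends its own arguments to the --up command,
#   <cmd> <dev> <tun-mtu> <link-mtu> [init|restart]
# so "up dhclient -v tap0" runs as "dhclient -v tap0 tap0 1500 1590 init"
# and dhclient treats 1500, 1590 and init as interface names.
#
# Why the background: OpenVPN runs --up synchronously and forwards no tunnel
# traffic until the script exits, so a foreground dhclient never receives a
# DHCPOFFER and times out.  dhclient -nw daemonizes immediately instead.
#
# Usage (client.conf):   script-security 2
#                        up   /etc/openvpn/scripts/tap-dhcp.sh
#                        down /etc/openvpn/scripts/tap-dhcp.sh

DHCLIENT=${DHCLIENT:-dhclient}   # binary to run; overridable for testing
PIDDIR=${PIDDIR:-/var/run}       # where the per-device pid file lives

# dhclient_cmd ACTION DEV: print the command line run for ACTION (up|down).
# -nw: do not wait for a lease, daemonize at once.  -r: release and exit.
# -pf: pid file, so "down" can find and stop the daemon that "up" started.
dhclient_cmd() {
    pidfile="$PIDDIR/dhclient-$2.pid"
    case "$1" in
        up)   printf '%s -nw -pf %s %s\n' "$DHCLIENT" "$pidfile" "$2" ;;
        down) printf '%s -r -pf %s %s\n'  "$DHCLIENT" "$pidfile" "$2" ;;
        *)    return 1 ;;
    esac
}

# tap_device [ARGS...]: the device name is OpenVPN's first positional
# argument; fall back to the $dev variable OpenVPN also exports.
tap_device() {
    if [ -n "${1:-}" ]; then printf '%s\n' "$1"; else printf '%s\n' "${dev:-}"; fi
}

# main: dispatch on $script_type, which OpenVPN sets to "up" or "down".
main() {
    device=$(tap_device "$@")
    [ -n "$device" ] || { echo "tap-dhcp.sh: no tap device given" >&2; return 1; }
    cmd=$(dhclient_cmd "${script_type:-}" "$device") || {
        echo "tap-dhcp.sh: script_type must be up or down" >&2; return 1; }
    # word splitting of $cmd is intentional: it is a command plus its arguments
    $cmd
}

# Run only when invoked by OpenVPN (it always sets script_type); sourcing the
# file for tests defines the functions without touching any interface.
if [ -n "${script_type:-}" ]; then
    main "$@"
fi
```

On `down`, `dhclient -r -pf <pidfile> tap0` releases the lease and stops the daemon started on `up`. Note that if `user nobody`/`group nogroup` are later uncommented in the client config, the down script runs with dropped privileges and will not be able to release the lease; leave them commented while testing this approach.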