Ethernet Bridge Help

Post by mfromo » Fri Jun 28, 2013 9:41 pm

I have been following the following link to set up an Ethernet Bridge on my Fedora 18 system. I had OpenVPN working under a router config, but needed to change to an Ethernet Bridge for IP consistency purposes.

When I try to run OpenVPN the process is now failing attempting to run the bridge-start script.

Any help would be appreciated!

Here is my server.conf:

Code: Select all

script-security 3 system
up /etc/openvpn/bridge-start
down /etc/openvpn/bridge-stop

port 1194
proto udp
dev tap0

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem

server-bridge 192.168.0.200 255.255.255.0 192.168.0.50 192.168.0.60

keepalive 10 120
comp-lzo
persist-key
persist-tun
log-append  openvpn.log
verb 3

Here is my bridge-start file:

Code: Select all

#!/bin/sh

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.0.200"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"

for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

And here is my log file:

Code: Select all

Fri Jun 28 16:19:19 2013 OpenVPN 2.3.2 i686-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Jun  3 2013
Fri Jun 28 16:19:19 2013 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Fri Jun 28 16:19:19 2013 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Fri Jun 28 16:19:19 2013 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Jun 28 16:19:19 2013 Diffie-Hellman initialized with 2048 bit key
Fri Jun 28 16:19:19 2013 Socket Buffers: R=[180224->131072] S=[180224->131072]
Fri Jun 28 16:19:19 2013 TUN/TAP device tap0 opened
Fri Jun 28 16:19:19 2013 TUN/TAP TX queue length set to 100
Fri Jun 28 16:19:19 2013 /etc/openvpn/bridge-start tap0 1500 1574   init
/etc/openvpn/bridge-start: line 23: openvpn: command not found
/etc/openvpn/bridge-start: line 26: brctl: command not found
/etc/openvpn/bridge-start: line 27: brctl: command not found
/etc/openvpn/bridge-start: line 30: brctl: command not found
/etc/openvpn/bridge-start: line 34: ifconfig: command not found
/etc/openvpn/bridge-start: line 37: ifconfig: command not found
/etc/openvpn/bridge-start: line 39: ifconfig: command not found
Fri Jun 28 16:19:19 2013 WARNING: Failed running command (--up/--down): could not execute external program
Fri Jun 28 16:19:19 2013 Exiting due to fatal error

Post by maikcat » Sun Jun 30, 2013 9:33 am

Do you have the bridge-utils package installed?

Code: Select all

rpm -qa | grep -i bridge-utils

If you have it, try adding /sbin in your path to the ifconfig & brctl commands in your startup script.

One last thing, check that your script works before you call it via openvpn.

Michael
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"
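
The "command not found" lines in the first log can be reproduced without starting OpenVPN. The following is an added example, not code from the thread or from the OpenVPN project: it checks which of the tools that bridge-start calls by bare name resolve on a given PATH, assuming the --up script is started with a PATH that lacks the sbin directories. The names `BRIDGE_TOOLS`, `resolve_tool`, `missing_tools` and `preflight` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): preflight for an OpenVPN --up script.
# Assumption: the script is started with a PATH that lacks /sbin and /usr/sbin.

# Tools the bridge-start script in this thread calls by bare name.
BRIDGE_TOOLS="openvpn brctl ifconfig"

# resolve_tool PATHLIST NAME
# Prints the first executable regular file NAME found on PATHLIST; returns 1 if none.
resolve_tool() {
    old_ifs=$IFS
    IFS=:
    for dir in $1; do
        if [ -n "$dir" ] && [ -f "$dir/$2" ] && [ -x "$dir/$2" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$2"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# missing_tools PATHLIST NAME...
# Prints the space-separated names that do not resolve on PATHLIST.
missing_tools() {
    pathlist=$1
    shift
    missing=""
    for tool in "$@"; do
        if ! resolve_tool "$pathlist" "$tool" >/dev/null; then
            missing="$missing $tool"
        fi
    done
    printf '%s\n' "${missing# }"
}

# preflight PATHLIST: non-zero exit and a message if any bridge tool is missing.
preflight() {
    lost=$(missing_tools "$1" $BRIDGE_TOOLS)
    if [ -n "$lost" ]; then
        echo "not found on '$1': $lost" >&2
        return 1
    fi
    return 0
}
```

Calling `preflight /bin:/usr/bin` shows what fails without the sbin directories; once `preflight` passes for a PATH, that PATH can be set explicitly at the top of the script instead of relying on the caller's environment.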


Post by mfromo » Sun Jun 30, 2013 4:50 pm

Thanks for the help. I do have bridge-utils installed and I added /sbin to the paths, which helped initially.

Now my log file shows the below and when I attempt to stop the service my network adapter gets hosed and I have to reboot the server. I know you suggested to test the script outside openvpn, but I am just learning and have not been able to figure out how to get the script to run on its own.

Code: Select all

Sun Jun 30 12:30:32 2013 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Jun 30 12:30:32 2013 Diffie-Hellman initialized with 2048 bit key
Sun Jun 30 12:30:32 2013 Socket Buffers: R=[180224->131072] S=[180224->131072]
Sun Jun 30 12:30:32 2013 TUN/TAP device tap0 opened
Sun Jun 30 12:30:32 2013 TUN/TAP TX queue length set to 100
Sun Jun 30 12:30:32 2013 /etc/openvpn/bridge-start tap0 1500 1574   init
Sun Jun 30 12:30:32 2013 ERROR: Cannot ioctl TUNSETIFF tap0: Device or resource busy (errno=16)
Sun Jun 30 12:30:32 2013 Exiting due to fatal error
Sun Jun 30 12:30:32 2013 UDPv4 link local (bound): [undef]
Sun Jun 30 12:30:32 2013 UDPv4 link remote: [undef]
Sun Jun 30 12:30:32 2013 MULTI: multi_init called, r=256 v=256
Sun Jun 30 12:30:32 2013 IFCONFIG POOL: base=192.168.0.50 size=11, ipv6=0
Sun Jun 30 12:30:32 2013 Initialization Sequence Completed
Sun Jun 30 12:31:01 2013 event_wait : Interrupted system call (code=4)
Sun Jun 30 12:31:01 2013 Closing TUN/TAP interface
Sun Jun 30 12:31:01 2013 /etc/openvpn/bridge-stop tap0 1500 1574   init
Sun Jun 30 12:31:01 2013 TUN/TAP device tap0 opened
Sun Jun 30 12:31:01 2013 Persist state set to: OFF
Sun Jun 30 12:31:01 2013 SIGINT[hard,] received, process exiting

Thanks again for your help with this.


Post by mfromo » Sun Jun 30, 2013 4:53 pm

My updated Bridge-Start:

Code: Select all

#!/bin/sh

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
#eth="eth0"
eth="p2p1"
eth_ip="192.168.0.200"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"

for t in $tap; do
    /sbin/openvpn --mktun --dev $t
done

/sbin/brctl addbr $br
/sbin/brctl addif $br $eth

for t in $tap; do
    /sbin/brctl addif $br $t
done

for t in $tap; do
    /sbin/ifconfig $t 0.0.0.0 promisc up
done

/sbin/ifconfig $eth 0.0.0.0 promisc up

/sbin/ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast


Post by maikcat » Sun Jun 30, 2013 5:32 pm

Try to debug your script by adding

set -x

at the top of it, then run it and see where things go bad...

You can always start the br interface by hand, you know... ;)

Michael.


Post by mfromo » Tue Jul 02, 2013 2:01 am

I was able to get my bridge setup and openvpn started without any problems.
Thanks for the -x suggestions. I ran the script on its own and got it working.

Now when I connect with my client I get the TLS timeout error, but it is the same client file I successfully connected with when I was connecting with a 'dev tun' setup.

Here is my client.ovpn that I updated to match the above server.conf:

Code: Select all

client
dev tap
;dev tun
proto udp
remote XXX.XXX.XX.XXX 1194  #I XXX'd this out
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
;persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ca.crt
cert Matt.crt
key Matt.key
ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
;mute 20

Again, thanks for all the help!


Post by maikcat » Tue Jul 02, 2013 6:02 am

> Now when I connect with my client I get the TLS timeout error, but it is the same client file I successfully connected with when I was connecting with a 'dev tun' setup.

The dev tap switch has nothing to do with the above error...

Please repost your configs used & server logs.

Michael.