03-04-2009, 12:47 PM
Bernd Aufrecht

openvpn restart - bridge loses tap0 interface

Hi,

I am running Debian Lenny and have a small issue regarding
my bridging setup with OpenVPN.

The bridge works flawlessly but when I changed the OpenVPN config a couple
of days ago and did a restart the bridge suddenly stopped working. It
seems every time I do a restart the bridge loses the tap0 interface.


Before /etc/init.d/openvpn restart
bridge name     bridge id               STP enabled     interfaces
br0             7fff.004063e92326       no              eth0
                                                        tap0

After /etc/init.d/openvpn restart
bridge name     bridge id               STP enabled     interfaces
br0             7fff.004063e92326       no              eth0

/etc/network/interfaces

auto br0
iface br0 inet dhcp
    bridge_ports eth0 tap0
    bridge_bridgeprio 32767
    bridge_portprio eth0 129
    bridge_fd 5

How can I create a permanent tap0 interface?

Is /etc/network/if-pre-up.d/bridge a good place to start
or am I missing something in the config?

Bernd


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
03-04-2009, 07:43 PM
"Boyd Stephen Smith Jr."

openvpn restart - bridge loses tap0 interface

On Wednesday 04 March 2009 07:47:06 Bernd Aufrecht wrote:
> How can I create a permanent tap0 interface?

Tap interfaces are by their very nature transient, so that's not very easy.
You could use tunctl to create the tap interface, but I'm not sure if
OpenVPN will use an existing tap interface the way you'd like.

> Is /etc/network/if-pre-up.d/bridge a good place to start
> or am I missing something in the config?

You should probably figure out a way to tell OpenVPN to run a script after
it has created the tap interface, and use that script to add the interface
to your persistent bridge (instead of/in addition to whatever configuration
OpenVPN is already doing to the device).
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
bss@iguanasuicide.net ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/ \_/
 
03-05-2009, 10:04 PM
Alex Samad

openvpn restart - bridge loses tap0 interface

On Wed, Mar 04, 2009 at 02:43:18PM -0600, Boyd Stephen Smith Jr. wrote:
> On Wednesday 04 March 2009 07:47:06 Bernd Aufrecht wrote:
> > How can I create a permanent tap0 interface?
>
> Tap interfaces are by their very nature transient, so that's not very easy.
> You could use tunctl to create the tap interface, but I'm not sure if
> OpenVPN will use an existing tap interface the way you'd like.

mine always turn up on the right tap devices
dev tap0
proto tcp-client

I explicitly set the dev name

>
> > Is /etc/network/if-pre-up.d/bridge a good place to start
> > or am I missing something in the config?
>
> You should probably figure out a way to tell OpenVPN to run a script after
> it has created the tap interface, and use that script to add the interface
> to your persistent bridge (instead of/in addition to whatever configuration
> OpenVPN is already doing to the device).
> --
> Boyd Stephen Smith Jr. ,= ,-_-. =.
> bss@iguanasuicide.net ((_/)o o(\_))
> ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
> http://iguanasuicide.net/ \_/
>



--
Sank heaven for leetle curls.
 
03-08-2009, 07:18 AM
Bernd Aufrecht

openvpn restart - bridge loses tap0 interface

> mine always turn up on the right tap devices
> dev tap0
> proto tcp-client
>
> I explicitly set the dev name


The problem is that openvpn brings up a new tap0 device but
does not add it to the bridge.

>> You should probably figure out a way to tell OpenVPN to run a script after
>> it has created the tap interface, and use that script to add the interface
>> to your persistent bridge (instead of/in addition to whatever configuration
>> OpenVPN is already doing to the device).


Well, if there is no other way. I was hoping to avoid writing or
changing a script.


It seems there are two solutions.

1. add a permanent tap0 device
2. let a script re-add the tap0 device after an openvpn restart

Bernd


 
03-08-2009, 07:29 AM
Alex Samad

openvpn restart - bridge loses tap0 interface

On Sun, Mar 08, 2009 at 09:18:53AM +0100, Bernd Aufrecht wrote:
>
>> mine always turn up on the right tap devices
>> dev tap0
>> proto tcp-client
>>
>> I explicitly set the dev name
>
> The problem is that openvpn brings up a new tap0 device but
> does not add it to the bridge.

sorry I must have missed something, you also have a brcmd bridge? and tap0
is not being added to this bridge?


I manage my openvpn's through /etc/networks/interfaces, you can add in
pre/post-up and down, maybe there is a choice?

>
>>> You should probably figure out a way to tell OpenVPN to run a script
>>> after it has created the tap interface, and use that script to add
>>> the interface to your persistent bridge (instead of/in addition to
>>> whatever configuration OpenVPN is already doing to the device).
>
> Well, if there is no other way. I was hoping to avoid writing or
> changing a script.
>
> It seems there are two solutions.
>
> 1. add a permanent tap0 device
> 2. let a script re-add the tap0 device after an openvpn restart
>
> Bernd

--
"They want the federal government controlling Social Security like it's some kind of federal program."

- George W. Bush
11/02/2000
 
03-10-2009, 09:25 AM
Bernd Aufrecht

openvpn restart - bridge loses tap0 interface

> sorry I must have missed something, you also have a brcmd bridge? and tap0
> is not being added to this bridge?


Hi,

There seems to be no problem if the bridge is running and openvpn starts
second. But if you stop openvpn, which I did to test something last
week, it takes down the tap0 device and unfortunately does not re-add the
tap0 interface again if you restart.


If you are not running openvpn with a bridged setup the problem never
occurs.


Yesterday I found a good solution.

The following script and entry in the openvpn server.conf

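up "/etc/openvpn/up.sh br0 tap0"

/etc/openvpn/up.sh
##########
#!/bin/sh
# Called from the OpenVPN "up" directive as: up.sh <bridge> <tap device>
BR=$1
DEV=$2
# Bring the tap device up, then attach it to the bridge
/sbin/ifconfig "$DEV" up
/usr/sbin/brctl addif "$BR" "$DEV"
##########

Somehow I missed that option completely.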

Bernd
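
A hardened variant of the up.sh approach above, as an added example that is not part of the original thread: because OpenVPN runs the up script as root, it validates both interface names, checks in sysfs that the bridge and tap device exist, and skips `brctl addif` when the port is already attached. The `SYSFS` and `RUN` variables and the function names are assumptions introduced here so the logic can be dry-run.

```shell
#!/bin/sh
# Added example: stricter /etc/openvpn/up.sh, called as: up.sh <bridge> <tap>
# SYSFS and RUN are hypothetical knobs for dry runs; leave them unset in use.
SYSFS=${SYSFS:-/sys/class/net}
RUN=${RUN:-}

# Accept only plain interface names: 1-15 chars, letters, digits, _ and -.
# This rejects path components, spaces and shell metacharacters.
valid_ifname() {
    case $1 in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# attach_tap <bridge> <tap>
# returns 0 ok, 1 command failed, 2 bad name, 3 bridge or device missing
attach_tap() {
    br=$1 dev=$2
    valid_ifname "$br" && valid_ifname "$dev" || return 2
    [ -d "$SYSFS/$br/bridge" ] || return 3   # must be an existing bridge
    [ -e "$SYSFS/$dev" ] || return 3          # tap must already be created
    $RUN /sbin/ifconfig "$dev" up || return 1
    # Idempotent: nothing to add if the port is already on the bridge
    [ -e "$SYSFS/$br/brif/$dev" ] && return 0
    $RUN /usr/sbin/brctl addif "$br" "$dev"
}

# OpenVPN appends its own arguments after ours; only the first two are used.
# A non-zero exit status makes OpenVPN treat the up script as failed.
if [ "$#" -ge 2 ]; then
    attach_tap "$1" "$2"
fi
```

On current OpenVPN releases the server config also needs `script-security 2` before user-defined up scripts are executed.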


 
03-11-2009, 08:07 AM
Alex Samad

openvpn restart - bridge loses tap0 interface

On Tue, Mar 10, 2009 at 11:25:08AM +0100, Bernd Aufrecht wrote:
>> sorry I must have missed something, you also have a brcmd bridge? and tap0
>> is not being added to this bridge?
>
> Hi,
>
> There seems to be no problem if the bridge is running and openvpn starts
> second. But if you stop openvpn, which I did to test something last
> week, it takes down the tap0 device and unfortunately does not re-add the
> tap0 interface again if you restart.
>
> If you are not running openvpn with a bridged setup the problem never
> occurs.
>
> Yesterday I found a good solution.
>
> The following script and entry in the openvpn server.conf
>
> up "/etc/openvpn/up.sh br0 tap0"
>
> /etc/openvpn/up.sh
> ##########
> #!/bin/sh
> BR=$1
> DEV=$2
> /sbin/ifconfig $DEV up
> /usr/sbin/brctl addif $BR $DEV
> ##########

Can I ask why you are bridging an openvpn interface? Why not route?


>
> Somehow i missed that option completely.
>
> Bernd

--
"I would have to ask the questioner. I haven't had a chance to ask the questioners the question they've been questioning. On the other hand, I firmly believe she'll be a fine secretary of labor. And I've got confidence in Linda Chavez. She is a -- she'll bring an interesting perspective to the Labor Department."

- George W. Bush
01/08/2001
Austin, TX
 
03-11-2009, 02:33 PM
Bernd Aufrecht

openvpn restart - bridge loses tap0 interface

> Can I ask why you are bridging an openvpn interface? Why not route?


For security reasons. My wireless access point has only WEP and so I
have it connected to my second LAN port on my home server. I then use
openvpn to connect from my notebook and bridge into my local LAN.


This setup separates the WiFi network completely from my LAN and creates
an additional security barrier for intruders.



Bernd


 
03-11-2009, 03:41 PM
Jochen Schulz

openvpn restart - bridge loses tap0 interface

Bernd Aufrecht:
>
>> Can I ask why you are bridging an openvpn interface? Why not route?
>
> For security reasons. My wireless access point has only WEP and so I
> have it connected to my second LAN port on my home server. I then use
> openvpn to connect from my notebook and bridge into my local
> LAN.

You could still achieve the same by routing. For the last few years I
had a similar setup, but with three address ranges:

- one for wired LAN
- one for wireless LAN (completely unencrypted, but firewalled on the
routing AP)
- one range for OpenVPN.

What's nice about this is that you can still separate trusted wifi users
from LAN users.

But my setup was a bit weird because the OpenVPN server ran in the LAN
and I had to DNAT on the AP. Almost every time I wanted to change
something, I ran into routing problems. That's why I dropped OpenVPN in
favor of WPA2. Now I still have two address ranges, but both of them are
"trusted". And since the AP is the default gateway for all clients, I
don't need to push static routes around anymore.

J.
--
Fashion is more important to me than war, famine, disease or art.
[Agree] [Disagree]
<http://www.slowlydownward.com/NODATA/data_enter2.html>
 
03-11-2009, 11:45 PM
Alex Samad

openvpn restart - bridge loses tap0 interface

On Wed, Mar 11, 2009 at 04:33:24PM +0100, Bernd Aufrecht wrote:
>
>> Can I ask why you are bridging an openvpn interface? Why not route?
>
> For security reasons. My wireless access point has only WEP and so I
> have it connected to my second LAN port on my home server. I then use
> openvpn to connect from my notebook and bridge into my local
> LAN.
>
> This setup separates the WiFi network completely from my lan and creates
> an additional security barrier for intruders.

Seems overly complicated. I used to do something similar, but why not
use routing? At my place I use 192.168.8.0/22 for the whole area: 10 for
wlan, 11 lan, 8 for vpn's, 9 as adhoc; let the routing take care of the
rest. .1 is the dgw for all the lans.

I am just curious why the extra hassle of a bridge.

>
>
> Bernd

--
"Has anyone had problems with the computer accounts?"
"Yes, I don't have one."
"Okay, you can send mail to one of the tutors ..."
-- E. D'Azevedo, Computer Science 372
 
