[CentOS] openvpn + bridge utils in CentOS 6
Lorenzo Martínez Rodríguez
lorenzo at lorenzomartinez.es
Mon Nov 7 17:54:15 UTC 2011
Hello,
I had not read about this issue before, but I have seen this problem
too. Whenever I restart the bridge (with the tap0 interfaces too) I have
to send a first ping to the physical interface related to the tap0
module. I also ping another machine on the same physical network. After
that, I am able to reach the bridged one.
Strange behaviour, but this works for me this way for now.
I look forward to RedHat fixing this bug soon.
On 07/11/11 06:39, 唐建伟 wrote:
> thank you very much for your follow up. wish to get good news from you soon.
>
> On Sat, Nov 5, 2011 at 12:26 AM, Минтаиров Михаил <mikxalich at yandex.ru> wrote:
>
>>
>> 28.09.2011, 04:58, "唐建伟" <myhnet at gmail.com>:
>> Hello, I didn't find what to answer you a month ago. But now I also have
>> an installation of CentOS 6 (in the past I used CentOS 5.7), and I have the
>> same problems as you. First of all, did you find any solutions?
>>
>> I only found that the problem is in the br0 device. I can't guess why, but it
>> does not receive ARP REPLY packets.
>>
>> tcpdump on all devices (tap0, eth1, br0) gives me the same:
>>
>> 20:12:22.012270 ARP, Request who-has 192.168.11.3 tell 192.168.11.33,
>> length 28
>> 20:12:23.027897 ARP, Request who-has 192.168.11.3 tell 192.168.11.33,
>> length 28
>> 20:12:24.027951 ARP, Request who-has 192.168.11.3 tell 192.168.11.33,
>> length 28
>> //192.158.11.33 is the remote PC's IP address, and 192.168.11.3 is one of my
>> local hosts//
>>
>> and no ARP REPLY.
>>
>> Interestingly, on the other hand I have the same config files on CentOS 5.7
>> and everything works perfectly.
>>
>>
>>> No, I removed the commands you mentioned, but it still doesn't work.
>>>
>>> Best Regards
>>> Tang Jianwei
>>>
>>> On Tue, Sep 27, 2011 at 6:01 PM, Минтаиров Михаил <mikxalich at yandex.ru>
>>> wrote:
>>>
>>>> I can't remember the reason, but at one moment I stopped using the "openvpn
>>>> --mktun --dev [dev name]" command. Maybe it's because openvpn creates tap0
>>>> by itself. So try to comment out these lines:
>>>>
>>>> for t in $tap; do
>>>> openvpn --mktun --dev $t
>>>> done
>>>>
>>>> then restart the network, then start openvpn, and after that start the
>>>> bridge script
>>>>> openvpn config file
>>>>>
>>>>> port 1194
>>>>> proto udp
>>>>> dev tap0
>>>>> ca ca.crt
>>>>> cert VPN_Server.crt
>>>>> key VPN_Server.key # This file should be kept secret
>>>>> dh dh1024.pem
>>>>> server-bridge 192.168.119.1 255.255.255.0 192.168.119.221 192.168.119.225
>>>>> keepalive 10 120
>>>>> comp-lzo
>>>>> user nobody
>>>>> group nobody
>>>>> persist-key
>>>>> persist-tun
>>>>> status openvpn-status.log
>>>>> log-append /var/log/openvpn.log
>>>>> verb 3
>>>>> mute 20
>>>>>
>>>>> the script for bringing up the bridge
>>>>> #!/bin/bash
>>>>> # Define Bridge Interface
>>>>> br="br0"
>>>>>
>>>>> # Define list of TAP interfaces to be bridged,
>>>>> # for example tap="tap0 tap1 tap2".
>>>>> tap="tap0"
>>>>>
>>>>> # Define physical ethernet interface to be bridged
>>>>> # with TAP interface(s) above.
>>>>> eth="eth1"
>>>>> eth_ip="192.168.119.1"
>>>>> eth_netmask="255.255.255.0"
>>>>> eth_broadcast="192.168.119.255"
>>>>>
>>>>> # Create the persistent TAP device(s)
>>>>> for t in $tap; do
>>>>> openvpn --mktun --dev $t
>>>>> done
>>>>>
>>>>> # Create the bridge and add the physical interface to it
>>>>> brctl addbr $br
>>>>> brctl addif $br $eth
>>>>>
>>>>> # Add every TAP device to the bridge
>>>>> for t in $tap; do
>>>>> brctl addif $br $t
>>>>> done
>>>>>
>>>>> # Bridge members carry no IP address of their own; bring them up in promiscuous mode
>>>>> for t in $tap; do
>>>>> ifconfig $t 0.0.0.0 promisc up
>>>>> done
>>>>>
>>>>> ifconfig $eth 0.0.0.0 promisc up
>>>>>
>>>>> # The bridge itself gets the IP address the physical interface used to have
>>>>> ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
>>>>>
>>>>> On Tue, Sep 27, 2011 at 5:20 PM, Минтаиров Михаил <mikxalich at yandex.ru>
>>>>> wrote:
>>>>>> Hm... It's very hard to guess without config files. Can you post your
>>>>>> server and client openvpn configs... and also can you show the br0
>>>>>> creation commands?
>>>>>>
>>>>>> 27.09.2011, 12:01, "唐建伟" <myhnet at gmail.com>:
>>>>>>> Hi
>>>>>>>
>>>>>>> No, I don't think so. Anyway, I can only reach the VPN server from the
>>>>>>> remote hosts.
>>>>>>>
>>>>>>> Best Regards
>>>>>>> Tang Jianwei
>>>>>>>
>>>>>>> On Tue, Sep 27, 2011 at 3:59 PM, Минтаиров Михаил <mikxalich at yandex.ru>
>>>>>>> wrote:
>>>>>>>> So, something stops packets from the remote hosts. Maybe a firewall on
>>>>>>>> the remote PC...? And can you run tcpdump on the same remote host, to
>>>>>>>> check that it's the tap0 device.
>>>>>>>>
>>>>>>>> 27.09.2011, 11:06, "唐建伟" <myhnet at gmail.com>:
>>>>>>>>> Hi
>>>>>>>>>
>>>>>>>>> The routing tables in the remote hosts are OK. "tcpdump -n -i [device
>>>>>>>>> name]" cannot capture any packets from remote, neither on br0 nor on
>>>>>>>>> tap0.
>>>>>>>>>
>>>>>>>>> Best Regards
>>>>>>>>> Tang Jianwei
>>>>>>>>>
>>>>>>>>> On Tue, Sep 27, 2011 at 2:44 PM, Минтаиров Михаил <mikxalich at yandex.ru>
>>>>>>>>> wrote:
>>>>>>>>>> 27.09.2011, 09:52, "唐建伟" <myhnet at gmail.com>:
>>>>>>>>>>> Hi all,
>>>>>>>>>>>
>>>>>>>>>>> I just installed openvpn + bridge in CentOS 6, but I get strange
>>>>>>>>>>> problems: the remote PCs cannot get the local PCs' MACs and also, the
>>>>>>>>>>> local PCs cannot get the remote PCs' MACs.
>>>>>>>>>>>
>>>>>>>>>>> But when I run "brctl showmacs br0" it will list all the MACs and
>>>>>>>>>>> also "brctl show" will show that all the correct adapters are in br0.
>>>>>>>>>>> SELinux is disabled.
>>>>>>>>>>>
>>>>>>>>>>> Any ideas?
>>>>>>>>>> First of all you should check the routing table of the remote hosts.
>>>>>>>>>> If everything is correct, try to monitor br0 and other devices (ethX)
>>>>>>>>>> with "tcpdump -n -i [device name]".
>>>>>>>>>> _______________________________________________
>>>>>>>>>> CentOS mailing list
>>>>>>>>>> CentOS at centos.org
>>>>>>>>>> http://lists.centos.org/mailman/listinfo/centos
>>>>>>>>> --
>>>>>>>>> Tang Jianwei
>>>>>>>>> System Administrator
--
Lorenzo Martinez Rodriguez
Visit me: http://www.lorenzomartinez.es
Mail me to: lorenzo at lorenzomartinez.es
My blog: http://www.securitybydefault.com
My twitter: @lawwait
PGP Fingerprint: 97CC 2584 7A04 B2BA 00F1 76C9 0D76 83A2 9BBC BDE2
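The diagnostic that pins the problem down in this thread is running tcpdump on tap0, eth1 and br0 and seeing ARP requests go out with no ARP reply ever coming back. The script below is an added example, not code from the thread or from the OpenVPN project: it parses the ARP lines that "tcpdump -n -i <dev>" prints and lists target addresses that were asked for repeatedly without any reply, so the symptom can be checked from a saved capture rather than by eye. The sample capture is constructed from the three request lines quoted above plus one answered request for the gateway (the MAC address is made up); the min_requests threshold and the function names are my own choices.

```python
"""Flag ARP requests that never receive a reply in tcpdump text output.

Added example for the CentOS 6 openvpn + bridge thread; not code from the
thread or from OpenVPN. It reads lines in the format "tcpdump -n -i <dev>"
prints for ARP and reports target addresses that were requested but never
answered, which is the symptom seen on tap0/eth1/br0 in the thread.
"""
import re
import sys
from collections import defaultdict

# tcpdump -n: "HH:MM:SS.usec ARP, Request who-has A tell B, length N"
# (with -e the target may be followed by a parenthesised MAC, hence the
# optional group)
ARP_REQUEST = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) ARP, Request who-has "
    r"(?P<target>\d+(?:\.\d+){3}) (?:\([^)]*\) )?tell (?P<sender>\d+(?:\.\d+){3})"
)
# tcpdump -n: "HH:MM:SS.usec ARP, Reply A is-at MAC, length N"
ARP_REPLY = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) ARP, Reply "
    r"(?P<target>\d+(?:\.\d+){3}) is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
)

# Constructed sample: the three unanswered requests quoted in the thread plus
# one request for the gateway that does get a reply (the MAC is invented).
SAMPLE_CAPTURE = """\
20:12:22.012270 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
20:12:23.027897 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
20:12:24.027951 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
20:12:24.500000 ARP, Request who-has 192.168.11.1 tell 192.168.11.33, length 28
20:12:24.500420 ARP, Reply 192.168.11.1 is-at 00:11:22:33:44:55, length 28
"""


def parse_arp(lines):
    """Split capture lines into requests and replies, both keyed by target IP.

    Anything that is not an ARP request or reply (other protocols, or a
    'length 28' continuation produced by a mail client wrapping the line)
    is ignored.
    """
    requests = defaultdict(list)  # target IP -> [(timestamp, sender IP), ...]
    replies = defaultdict(list)   # target IP -> [(timestamp, MAC), ...]
    for raw in lines:
        line = raw.strip()
        m = ARP_REQUEST.match(line)
        if m:
            requests[m["target"]].append((m["ts"], m["sender"]))
            continue
        m = ARP_REPLY.match(line)
        if m:
            replies[m["target"]].append((m["ts"], m["mac"]))
    return requests, replies


def unanswered_targets(lines, min_requests=2):
    """Return {target: {"requests": n, "askers": [...]}} for every address
    requested at least min_requests times with no reply in the capture."""
    requests, replies = parse_arp(lines)
    report = {}
    for target, reqs in sorted(requests.items()):
        if target in replies or len(reqs) < min_requests:
            continue
        report[target] = {
            "requests": len(reqs),
            "askers": sorted({sender for _, sender in reqs}),
        }
    return report


def answered_targets(lines):
    """Return {target: MAC} for every ARP reply seen; compare this against
    'brctl showmacs br0' to see whether the bridge's view matches the wire."""
    _, replies = parse_arp(lines)
    return {target: macs[-1][1] for target, macs in replies.items()}


if __name__ == "__main__":
    # Usage: tcpdump -n -i br0 arp > br0.txt; python3 arp_check.py br0.txt
    # With no argument the constructed sample capture is analysed instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            capture = f.read().splitlines()
    else:
        capture = SAMPLE_CAPTURE.splitlines()
    for target, info in unanswered_targets(capture).items():
        print(f"{target}: {info['requests']} requests from "
              f"{', '.join(info['askers'])}, no reply")
    for target, mac in answered_targets(capture).items():
        print(f"{target}: answered by {mac}")
```

Run it against a capture taken on br0 and another taken on the physical interface: a target that is unanswered on br0 but answered on eth1 points at the bridge itself (the situation described in the thread), whereas a target unanswered on both means the reply never reached this host at all.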