[CentOS] openvpn + bridge utils in CentOS 6

Tue Nov 8 14:30:14 UTC 2011
Минтаиров Михаил <mikxalich at yandex.ru>

This situation with pings is really strange... But in my case the solution was much easier. CentOS 6 was installed on a VMware virtual machine and the problem was in its network device configuration. The hardest thing was to guess that. After this I quickly found a solution:

http://www.jeremycole.com/blog/2010/03/11/openvpn-bridge-under-vmware-esxi/

So, in my experience, CentOS (or RedHat) works correctly, and maybe you should try to look for errors somewhere else (as in my case it was the VMware configuration).

> Hello,
>
> I had not read this issue before, but I have seen this problem
> also. Whenever I restart the bridge (with tap0 interfaces also) I have
> to make a first ping to the physical interface related to the tap0
> module. I also ping another machine on the same physical network. After
> that, I am able to reach the bridged one.
>
> Strange behaviour, but this works for me in this way now.
>
> I look forward to RedHat fixing this bug soon.
>
> On 07/11/11 06:39, 唐建伟 wrote:
>
>>  Thank you very much for your follow-up. I wish to get good news from you soon.
>>
>>  On Sat, Nov 5, 2011 at 12:26 AM, Минтаиров Михаил <mikxalich at yandex.ru> wrote:
>>>  28.09.2011, 04:58, "唐建伟"<myhnet at gmail.com>:
>>>  Hello, I didn't find what to answer you a month ago. But now I also have
>>>  an installation of CentOS 6 (in the past I used CentOS 5.7), and I have the
>>>  same problems as you. First of all, did you find any solutions?
>>>
>>>  I only found that the problem is in the br0 device. I can't guess why, but it
>>>  does not receive ARP REPLY packets.
>>>
>>>  tcpdump on all devices (tap0, eth1, br0) gives me the same:
>>>
>>>  20:12:22.012270 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
>>>  20:12:23.027897 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
>>>  20:12:24.027951 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
>>>  //192.158.11.33 is the remote PC IP address, and 192.168.11.3 is one of my local hosts//
>>>
>>>  and no ARP REPLY.
>>>
>>>  Interestingly, on the other hand I have the same config files on CentOS 5.7,
>>>  and everything works perfectly.
>>>>  No, I removed the commands you mentioned, but it still doesn't work.
>>>>
>>>>  Best Regards
>>>>  Tang Jianwei
>>>>
>>>>  On Tue, Sep 27, 2011 at 6:01 PM, Минтаиров Михаил <mikxalich at yandex.ru> wrote:
>>>>>    I can't remember the reason, but at one moment I stopped using the "openvpn
>>>>>    --mktun --dev [dev name]" command. Maybe it's because openvpn creates tap0
>>>>>    by itself. So try to comment out these lines:
>>>>>
>>>>>     for t in $tap; do
>>>>>        openvpn --mktun --dev $t
>>>>>     done
>>>>>
>>>>>    then restart the network, after that start openvpn, and after it start the
>>>>>    bridge script
>>>>>>    openvpn configuration file:
>>>>>>
>>>>>>    port 1194
>>>>>>    proto udp
>>>>>>    dev tap0
>>>>>>    ca ca.crt
>>>>>>    cert VPN_Server.crt
>>>>>>    key VPN_Server.key  # This file should be kept secret
>>>>>>    dh dh1024.pem
>>>>>>    server-bridge 192.168.119.1 255.255.255.0 192.168.119.221 192.168.119.225
>>>>>>    keepalive 10 120
>>>>>>    comp-lzo
>>>>>>    user nobody
>>>>>>    group nobody
>>>>>>    persist-key
>>>>>>    persist-tun
>>>>>>    status openvpn-status.log
>>>>>>    log-append  /var/log/openvpn.log
>>>>>>    verb 3
>>>>>>    mute 20
>>>>>>
>>>>>>    the script for bringing up the bridge:
>>>>>>
>>>>>>    # Define Bridge Interface
>>>>>>    br="br0"
>>>>>>
>>>>>>    # Define list of TAP interfaces to be bridged,
>>>>>>    # for example tap="tap0 tap1 tap2".
>>>>>>    tap="tap0"
>>>>>>
>>>>>>    # Define physical ethernet interface to be bridged
>>>>>>    # with TAP interface(s) above.
>>>>>>    eth="eth1"
>>>>>>    eth_ip="192.168.119.1"
>>>>>>    eth_netmask="255.255.255.0"
>>>>>>    eth_broadcast="192.168.119.255"
>>>>>>
>>>>>>    for t in $tap; do
>>>>>>        openvpn --mktun --dev $t
>>>>>>    done
>>>>>>
>>>>>>    brctl addbr $br
>>>>>>    brctl addif $br $eth
>>>>>>
>>>>>>    for t in $tap; do
>>>>>>        brctl addif $br $t
>>>>>>    done
>>>>>>
>>>>>>    for t in $tap; do
>>>>>>        ifconfig $t 0.0.0.0 promisc up
>>>>>>    done
>>>>>>
>>>>>>    ifconfig $eth 0.0.0.0 promisc up
>>>>>>
>>>>>>    ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
>>>>>>
>>>>>>    On Tue, Sep 27, 2011 at 5:20 PM, Минтаиров Михаил <mikxalich at yandex.ru> wrote:
>>>>>>>     Hm... It's very hard to guess without config files. Can you post your
>>>>>>>     server and client openvpn configs... and also can you show the br0
>>>>>>>     creation commands?
>>>>>>>
>>>>>>>     27.09.2011, 12:01, "唐建伟"<myhnet at gmail.com>:
>>>>>>>>     Hi
>>>>>>>>
>>>>>>>>     No, I don't think so. Anyway, I can and only can the VPN server from
>>>>>>>>     the remote hosts.
>>>>>>>>
>>>>>>>>     Best Regards
>>>>>>>>     Tang Jianwei
>>>>>>>>
>>>>>>>>     On Tue, Sep 27, 2011 at 3:59 PM, Минтаиров Михаил <mikxalich at yandex.ru> wrote:
>>>>>>>>>      So, something stops packets from remote hosts. Maybe a firewall on the
>>>>>>>>>      remote PC...? And can you run tcpdump on the same remote host, to check
>>>>>>>>>      that it's the tap0 device.
>>>>>>>>>
>>>>>>>>>      27.09.2011, 11:06, "唐建伟"<myhnet at gmail.com>:
>>>>>>>>>>      Hi
>>>>>>>>>>
>>>>>>>>>>      The routing tables in the remote hosts are OK. "tcpdump -n -i [device
>>>>>>>>>>      name]" cannot capture any packets from remote, no matter br0 nor tap0.
>>>>>>>>>>
>>>>>>>>>>      Best Regards
>>>>>>>>>>      Tang Jianwei
>>>>>>>>>>
>>>>>>>>>>      On Tue, Sep 27, 2011 at 2:44 PM, Минтаиров Михаил <mikxalich at yandex.ru> wrote:
>>>>>>>>>>>       27.09.2011, 09:52, "唐建伟"<myhnet at gmail.com>:
>>>>>>>>>>>>       Hi all,
>>>>>>>>>>>>
>>>>>>>>>>>>       I just installed openvpn + bridge in CentOS 6, but I get strange problems:
>>>>>>>>>>>>       the remote PCs cannot get the local PCs' MACs and also, the local PCs
>>>>>>>>>>>>       cannot get the remote PCs' MACs
>>>>>>>>>>>>
>>>>>>>>>>>>       but when I run "brctl showmacs br0" it will list all the MACs and also
>>>>>>>>>>>>       "brctl show" will show that all the correct adapters are in br0
>>>>>>>>>>>>       SELinux disabled
>>>>>>>>>>>>
>>>>>>>>>>>>       any ideas?
>>>>>>>>>>>       First of all you should check the routing table of the remote hosts. If
>>>>>>>>>>>       everything is correct, try to monitor br0 and other devices (ethX) with
>>>>>>>>>>>       "tcpdump -n -i [device name]".
>>>>>>>>>>>       _______________________________________________
>>>>>>>>>>>       CentOS mailing list
>>>>>>>>>>>       CentOS at centos.org
>>>>>>>>>>>       http://lists.centos.org/mailman/listinfo/centos
>>>>>>>>>>      --
>>>>>>>>>>      Tang Jianwei
>>>>>>>>>>      System Administrator
> --
>
> Lorenzo Martinez Rodriguez
>
> Visit me:   http://www.lorenzomartinez.es
> Mail me to: lorenzo at lorenzomartinez.es
> My blog: http://www.securitybydefault.com
> My twitter: @lawwait
> PGP Fingerprint: 97CC 2584 7A04 B2BA 00F1 76C9 0D76 83A2 9BBC BDE2
>
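The tcpdump lines quoted in the thread (who-has requests on br0 with no reply) are the whole symptom, and the question the thread keeps circling is where the reply gets lost: inside the bridge, or before it ever reaches the guest. As an added example that is not part of the thread, the Python below parses tcpdump ARP output, reports targets that never answered, and says on which interfaces a reply was actually seen. The sample capture is constructed from the poster's three lines plus one answered request for contrast.

```python
import re
from collections import defaultdict

# Constructed sample of "tcpdump -n -i br0" output: the first three lines are
# the poster's; the last two are added so an answered request (192.168.11.1)
# can be contrasted with the unanswered one (192.168.11.3).
SAMPLE_CAPTURE = """\
20:12:22.012270 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
20:12:23.027897 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
20:12:24.027951 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
20:12:25.100000 ARP, Request who-has 192.168.11.1 tell 192.168.11.33, length 28
20:12:25.100500 ARP, Reply 192.168.11.1 is-at 00:11:22:33:44:55, length 28
"""

REQUEST_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")
REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9A-Fa-f:]+)")


def unanswered_arp(capture):
    """Return {target_ip: request_count} for targets that never replied.
    A non-empty result on br0 is the symptom from the thread."""
    requests = defaultdict(int)
    replied = set()
    for line in capture.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            requests[m.group(1)] += 1
            continue
        m = REPLY_RE.search(line)
        if m:
            replied.add(m.group(1))
    return {ip: n for ip, n in requests.items() if ip not in replied}


def reply_seen_on(captures, target_ip):
    """Given {interface: tcpdump output}, list interfaces where a reply from
    target_ip appeared. Empty means the reply never reached the host (look
    outside the guest, e.g. the hypervisor's virtual switch, as the poster
    found); seen on eth1 but not br0 points at the bridge itself."""
    seen = []
    for iface, capture in captures.items():
        for line in capture.splitlines():
            m = REPLY_RE.search(line)
            if m and m.group(1) == target_ip:
                seen.append(iface)
                break
    return seen
```

Run tcpdump on eth1, tap0 and br0 at the same time and feed each capture in as one dict entry; the interface list tells you which hop dropped the reply.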