[CentOS] openvpn + bridge utils in CentOS 6
Минтаиров Михаил
mikxalich at yandex.ru
Tue Nov 8 14:30:14 UTC 2011
This situation with pings is really strange... But in my case the solution was much easier. CentOS 6 was installed on a VMware virtual machine and the problem was in its network device configuration. The hardest thing was to guess that. After this I quickly found a solution:
http://www.jeremycole.com/blog/2010/03/11/openvpn-bridge-under-vmware-esxi/
So, in my experience, CentOS (or RedHat) works correctly, and maybe you should try to look for errors somewhere else (as in my case it was the VMware configuration).
> Hello,
>
> I had not read this issue before, but I have seen this problem
> also. Whenever I restart the bridge (with tap0 interfaces also) I have
> to make a first ping to the physical interface related to the tap0
> module. I also ping another machine on the same physical network. After
> that, I am able to reach the bridged one.
>
> Strange behaviour, but this works for me this way now.
>
> I look forward to RedHat fixing this bug soon.
>
> On 07/11/11 06:39, 唐建伟 wrote:
>
>> Thank you very much for your follow-up. I hope to get good news from you soon.
>>
>> On Sat, Nov 5, 2011 at 12:26 AM, Минтаиров Михаил<mikxalich at yandex.ru> wrote:
>>> 28.09.2011, 04:58, "唐建伟"<myhnet at gmail.com>:
>>> Hello, I didn't find what to answer you a month ago. But now I also have
>>> an installation of CentOS 6 (in the past I used CentOS 5.7), and I have the
>>> same problems as you. First of all, did you find any solutions?
>>>
>>> I only found that the problem is in the br0 device. I can't guess why, but it
>>> does not receive ARP REPLY packets.
>>>
>>> tcpdump on all devices (tap0, eth1, br0) gives me the same:
>>>
>>> 20:12:22.012270 ARP, Request who-has 192.168.11.3 tell 192.168.11.33,
>>> length 28
>>> 20:12:23.027897 ARP, Request who-has 192.168.11.3 tell 192.168.11.33,
>>> length 28
>>> 20:12:24.027951 ARP, Request who-has 192.168.11.3 tell 192.168.11.33,
>>> length 28
>>> //192.168.11.33 is the remote PC's IP address, and 192.168.11.3 is one of my
>>> local hosts//
>>>
>>> and no ARP REPLY.
>>>
>>> Interestingly, on the other hand I have the same config files on CentOS 5.7,
>>> and everything works perfectly.
>>>> no, I removed the commands you mentioned, but it still doesn't work.
>>>>
>>>> Best Regards
>>>> Tang Jianwei
>>>>
>>>> On Tue, Sep 27, 2011 at 6:01 PM, Минтаиров Михаил<mikxalich at yandex.ru> wrote:
>>>>> I can't remember the reason, but at one moment I stopped using the "openvpn
>>>>> --mktun --dev [dev name]" command. Maybe it's because openvpn creates tap0
>>>>> by itself. So try to comment out these lines:
>>>>>
>>>>> for t in $tap; do
>>>>> openvpn --mktun --dev $t
>>>>> done
>>>>>
>>>>> then restart the network, then start openvpn and after it start the bridge
>>>>> script
>>>>>> openvpn configure file
>>>>>>
>>>>>> port 1194
>>>>>> proto udp
>>>>>> dev tap0
>>>>>> ca ca.crt
>>>>>> cert VPN_Server.crt
>>>>>> key VPN_Server.key # This file should be kept secret
>>>>>> dh dh1024.pem
>>>>>> server-bridge 192.168.119.1 255.255.255.0 192.168.119.221 192.168.119.225
>>>>>> keepalive 10 120
>>>>>> comp-lzo
>>>>>> user nobody
>>>>>> group nobody
>>>>>> persist-key
>>>>>> persist-tun
>>>>>> status openvpn-status.log
>>>>>> log-append /var/log/openvpn.log
>>>>>> verb 3
>>>>>> mute 20
>>>>>>
>>>>>> the script for bring up the bridge
>>>>>> # Define Bridge Interface
>>>>>> br="br0"
>>>>>>
>>>>>> # Define list of TAP interfaces to be bridged,
>>>>>> # for example tap="tap0 tap1 tap2".
>>>>>> tap="tap0"
>>>>>>
>>>>>> # Define physical ethernet interface to be bridged
>>>>>> # with TAP interface(s) above.
>>>>>> eth="eth1"
>>>>>> eth_ip="192.168.119.1"
>>>>>> eth_netmask="255.255.255.0"
>>>>>> eth_broadcast="192.168.119.255"
>>>>>>
>>>>>> for t in $tap; do
>>>>>> openvpn --mktun --dev $t
>>>>>> done
>>>>>>
>>>>>> brctl addbr $br
>>>>>> brctl addif $br $eth
>>>>>>
>>>>>> for t in $tap; do
>>>>>> brctl addif $br $t
>>>>>> done
>>>>>>
>>>>>> for t in $tap; do
>>>>>> ifconfig $t 0.0.0.0 promisc up
>>>>>> done
>>>>>>
>>>>>> ifconfig $eth 0.0.0.0 promisc up
>>>>>>
>>>>>> ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
>>>>>>
>>>>>> On Tue, Sep 27, 2011 at 5:20 PM, Минтаиров Михаил<mikxalich at yandex.ru> wrote:
>>>>>>> Hm... It's very hard to guess without config files. Can you post your
>>>>>>> server and client openvpn configs... and also can you show the br0
>>>>>>> creation commands?
>>>>>>>
>>>>>>> 27.09.2011, 12:01, "唐建伟"<myhnet at gmail.com>:
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> no, I don't think so. Anyway, I can and only can the VPN server from
>>>>>>>> the remote hosts.
>>>>>>>>
>>>>>>>> Best Regards
>>>>>>>> Tang Jianwei
>>>>>>>>
>>>>>>>> On Tue, Sep 27, 2011 at 3:59 PM, Минтаиров Михаил<mikxalich at yandex.ru> wrote:
>>>>>>>>> So, something stops packets from remote hosts. Maybe a firewall on the
>>>>>>>>> remote PC...? And can you run tcpdump on the same remote host, to check
>>>>>>>>> that it's the tap0 device.
>>>>>>>>>
>>>>>>>>> 27.09.2011, 11:06, "唐建伟"<myhnet at gmail.com>:
>>>>>>>>>> Hi
>>>>>>>>>>
>>>>>>>>>> the routing table in the remote hosts is OK. "tcpdump -n -i [device
>>>>>>>>>> name]" cannot capture any packets from remote, no matter br0 or tap0.
>>>>>>>>>>
>>>>>>>>>> Best Regards
>>>>>>>>>> Tang Jianwei
>>>>>>>>>>
>>>>>>>>>> On Tue, Sep 27, 2011 at 2:44 PM, Минтаиров Михаил<mikxalich at yandex.ru> wrote:
>>>>>>>>>>> 27.09.2011, 09:52, "唐建伟"<myhnet at gmail.com>:
>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>
>>>>>>>>>>>> I just installed openvpn + bridge in CentOS 6, but I get strange
>>>>>>>>>>>> problems: the remote PCs cannot get the local PCs' MACs and also the
>>>>>>>>>>>> local PCs cannot get the remote PCs' MACs
>>>>>>>>>>>>
>>>>>>>>>>>> but when I run "brctl showmacs br0" it lists all the MACs and also
>>>>>>>>>>>> "brctl show" shows that all the correct adapters are in br0
>>>>>>>>>>>> SELinux disabled
>>>>>>>>>>>>
>>>>>>>>>>>> any ideas?
>>>>>>>>>>> First of all you should check the routing table of the remote hosts. If
>>>>>>>>>>> everything is correct, try to monitor br0 and other devices (ethX) by
>>>>>>>>>>> "tcpdump -n -i [device name]".
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> CentOS mailing list
>>>>>>>>>>> CentOS at centos.org
>>>>>>>>>>> http://lists.centos.org/mailman/listinfo/centos
>>>>>>>>>> --
>>>>>>>>>> Tang Jianwei
>>>>>>>>>> System Administrator
> --
>
> Lorenzo Martinez Rodriguez
>
> Visit me: http://www.lorenzomartinez.es
> Mail me to: lorenzo at lorenzomartinez.es
> My blog: http://www.securitybydefault.com
> My twitter: @lawwait
> PGP Fingerprint: 97CC 2584 7A04 B2BA 00F1 76C9 0D76 83A2 9BBC BDE2
>
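An added diagnostic for the symptom the thread describes (ARP requests seen on tap0, eth1 and br0 alike, but never an ARP reply). This is editor-supplied example code, not from any of the posters. It assumes the `tcpdump -n` ARP line format quoted above; the sample capture is constructed from the thread's three unanswered requests plus one invented request for 192.168.11.1 that does get a reply (the MAC in it is made up).

```shell
#!/bin/sh
# Added example (not from the thread): list ARP targets that were asked for
# but never answered, from "tcpdump -n ... arp" output read on stdin.
# Output: one line per unanswered target, "<target-ip> <request-count>", sorted.
arp_unanswered() {
    awk '
        # Request line: "... ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28"
        / ARP, Request who-has / {
            for (i = 1; i <= NF; i++)
                if ($i == "who-has") { req[$(i + 1)]++ }
        }
        # Reply line: "... ARP, Reply 192.168.11.3 is-at 00:50:56:aa:bb:cc, length 28"
        / ARP, Reply / {
            for (i = 1; i <= NF; i++)
                if ($i == "Reply") { rep[$(i + 1)]++ }
        }
        END {
            for (t in req)
                if (!(t in rep)) print t, req[t]
        }
    ' | sort
}

# Constructed sample: the three unanswered requests quoted in the thread, plus
# one request for 192.168.11.1 that is answered (assumed MAC, not from the thread).
SAMPLE_CAPTURE='20:12:22.012270 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
20:12:23.027897 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
20:12:24.027951 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
20:12:25.100000 ARP, Request who-has 192.168.11.1 tell 192.168.11.33, length 28
20:12:25.100300 ARP, Reply 192.168.11.1 is-at 00:50:56:aa:bb:cc, length 28'

# Runs the check over the constructed sample and returns its report
# (expected: "192.168.11.3 3", the one target that was never answered).
check_sample() {
    printf '%s\n' "$SAMPLE_CAPTURE" | arp_unanswered
}

# Live use on the bridge host (needs root); run it once per interface and
# compare the reports for tap0, eth1 and br0:
#   tcpdump -n -l -i br0 -c 50 arp | arp_unanswered
check_sample
```

Run it against each of tap0, eth1 and br0 in turn. If the same target is unanswered on all three, the reply is not reaching the guest at all, so the bridge and its ARP handling on the CentOS side are not the place to look; the upstream path is. On ESXi, which is what the linked post is about, that means the vSwitch or port group security policy: a guest bridge can only see frames addressed to other MACs when the policy accepts promiscuous mode, and it can only forward frames from the remote VPN clients' MACs when it accepts forged transmits.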