[CentOS] openvpn + bridge utils in CentOS 6
唐建伟
myhnet at gmail.com
Wed Nov 9 01:13:41 UTC 2011
Hmmm, it should be the exact problem I got. Thank you very much.
On Tue, Nov 8, 2011 at 10:30 PM, Минтаиров Михаил <mikxalich at yandex.ru> wrote:
> This situation with pings is really strange... But in my case the solution
> was much easier. CentOS 6 was installed on a VMware virtual machine and the
> problem was in its network device configuration. The hardest thing was
> to guess that. After this I quickly found a solution:
>
> http://www.jeremycole.com/blog/2010/03/11/openvpn-bridge-under-vmware-esxi/
>
> So, in my experience, CentOS (or RedHat) works correctly, and maybe you
> should try to look for errors somewhere else (as in my case it was the
> VMware configuration).
>
> > Hello,
> >
> > I had not read this issue before, but I have seen this problem
> > also. Whenever I restart the bridge (with tap0 interfaces also) I have
> > to make a first ping to the physical interface related to the tap0
> > module. I also ping another machine on the same physical network. After
> > that, I am able to reach the bridged one.
> >
> > Strange behaviour, but this works for me in this way now.
> >
> > I look forward to RedHat fixing this bug soon.
> >
> > On 07/11/11 06:39, 唐建伟 wrote:
> >
> >> Thank you very much for your follow-up. I wish to get good news from you soon.
> >>
> >> On Sat, Nov 5, 2011 at 12:26 AM, Минтаиров Михаил <mikxalich at yandex.ru> wrote:
> >>> 28.09.2011, 04:58, "唐建伟" <myhnet at gmail.com>:
> >>> Hello, I didn't find what to answer you a month ago. But now I also have
> >>> an installation of CentOS 6 (in the past I used CentOS 5.7), and I have the
> >>> same problems as you. First of all, did you find any solutions?
> >>>
> >>> I only found that the problem is in the br0 device. I can't guess why, but it
> >>> does not receive ARP REPLY packets.
> >>>
> >>> tcpdump on all devices (tap0, eth1, br0) gives me the same:
> >>>
> >>> 20:12:22.012270 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
> >>> 20:12:23.027897 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
> >>> 20:12:24.027951 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
> >>> //192.158.11.33 is the remote PC IP address, and 192.168.11.3 is one of my
> >>> local hosts//
> >>>
> >>> and no ARP REPLY.
> >>>
> >>> Interesting that on the other hand I have the same config files on CentOS 5.7,
> >>> and everything works perfectly.
> >>>> No, I removed the commands you mentioned, but it still doesn't work.
> >>>>
> >>>> Best Regards
> >>>> Tang Jianwei
> >>>>
> >>>> On Tue, Sep 27, 2011 at 6:01 PM, Минтаиров Михаил <mikxalich at yandex.ru> wrote:
> >>>>> I can't remember the reason, but at one moment I stopped using the
> >>>>> "openvpn --mktun --dev [dev name]" command. Maybe it's because openvpn
> >>>>> creates tap0 by itself. So try to comment out these lines:
> >>>>>
> >>>>> for t in $tap; do
> >>>>> openvpn --mktun --dev $t
> >>>>> done
> >>>>>
> >>>>> then restart the network, after that start openvpn and after it start the
> >>>>> bridge script
> >>>>>> openvpn configuration file
> >>>>>>
> >>>>>> port 1194
> >>>>>> proto udp
> >>>>>> dev tap0
> >>>>>> ca ca.crt
> >>>>>> cert VPN_Server.crt
> >>>>>> key VPN_Server.key # This file should be kept secret
> >>>>>> dh dh1024.pem
> >>>>>> server-bridge 192.168.119.1 255.255.255.0 192.168.119.221 192.168.119.225
> >>>>>> keepalive 10 120
> >>>>>> comp-lzo
> >>>>>> user nobody
> >>>>>> group nobody
> >>>>>> persist-key
> >>>>>> persist-tun
> >>>>>> status openvpn-status.log
> >>>>>> log-append /var/log/openvpn.log
> >>>>>> verb 3
> >>>>>> mute 20
> >>>>>>
> >>>>>> the script for bringing up the bridge
> >>>>>> # Define Bridge Interface
> >>>>>> br="br0"
> >>>>>>
> >>>>>> # Define list of TAP interfaces to be bridged,
> >>>>>> # for example tap="tap0 tap1 tap2".
> >>>>>> tap="tap0"
> >>>>>>
> >>>>>> # Define physical ethernet interface to be bridged
> >>>>>> # with TAP interface(s) above.
> >>>>>> eth="eth1"
> >>>>>> eth_ip="192.168.119.1"
> >>>>>> eth_netmask="255.255.255.0"
> >>>>>> eth_broadcast="192.168.119.255"
> >>>>>>
> >>>>>> for t in $tap; do
> >>>>>> openvpn --mktun --dev $t
> >>>>>> done
> >>>>>>
> >>>>>> brctl addbr $br
> >>>>>> brctl addif $br $eth
> >>>>>>
> >>>>>> for t in $tap; do
> >>>>>> brctl addif $br $t
> >>>>>> done
> >>>>>>
> >>>>>> for t in $tap; do
> >>>>>> ifconfig $t 0.0.0.0 promisc up
> >>>>>> done
> >>>>>>
> >>>>>> ifconfig $eth 0.0.0.0 promisc up
> >>>>>>
> >>>>>> ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
> >>>>>>
> >>>>>> On Tue, Sep 27, 2011 at 5:20 PM, Минтаиров Михаил <mikxalich at yandex.ru> wrote:
> >>>>>>> Hm... It's very hard to guess without config files. Can you post your
> >>>>>>> server and client openvpn configs... and also can you show the br0
> >>>>>>> creation commands?
> >>>>>>>
> >>>>>>> 27.09.2011, 12:01, "唐建伟" <myhnet at gmail.com>:
> >>>>>>>> Hi
> >>>>>>>>
> >>>>>>>> No, I don't think so. Anyway, I can and only can the VPN server from the
> >>>>>>>> remote hosts.
> >>>>>>>>
> >>>>>>>> Best Regards
> >>>>>>>> Tang Jianwei
> >>>>>>>>
> >>>>>>>> On Tue, Sep 27, 2011 at 3:59 PM, Минтаиров Михаил <mikxalich at yandex.ru> wrote:
> >>>>>>>>> So, something stops packets from remote hosts. Maybe a firewall on the
> >>>>>>>>> remote PC...? And can you run tcpdump on the same remote host, to check
> >>>>>>>>> that it's the tap0 device.
> >>>>>>>>>
> >>>>>>>>> 27.09.2011, 11:06, "唐建伟" <myhnet at gmail.com>:
> >>>>>>>>>> Hi
> >>>>>>>>>>
> >>>>>>>>>> The routing tables in the remote hosts are OK. "tcpdump -n -i [device
> >>>>>>>>>> name]" cannot capture any packets from remote, no matter br0 nor tap0.
> >>>>>>>>>>
> >>>>>>>>>> Best Regards
> >>>>>>>>>> Tang Jianwei
> >>>>>>>>>>
> >>>>>>>>>> On Tue, Sep 27, 2011 at 2:44 PM, Минтаиров Михаил <mikxalich at yandex.ru> wrote:
> >>>>>>>>>>> 27.09.2011, 09:52, "唐建伟" <myhnet at gmail.com>:
> >>>>>>>>>>>> Hi all,
> >>>>>>>>>>>>
> >>>>>>>>>>>> I just installed openvpn + bridge in CentOS 6, but I get strange
> >>>>>>>>>>>> problems: the remote PCs cannot get the local PCs' MACs and also the
> >>>>>>>>>>>> local PCs cannot get the remote PCs' MACs
> >>>>>>>>>>>>
> >>>>>>>>>>>> but when I run "brctl showmacs br0" it will list all the MACs and also
> >>>>>>>>>>>> "brctl show" will show that all the correct adapters are in br0
> >>>>>>>>>>>> SELinux disabled
> >>>>>>>>>>>>
> >>>>>>>>>>>> any ideas?
> >>>>>>>>>>> First of all you should check the routing table of the remote hosts. If
> >>>>>>>>>>> everything is correct, try to monitor br0 and other devices (ethX) by
> >>>>>>>>>>> "tcpdump -n -i [device name]".
> >>>>>>>>>>> _______________________________________________
> >>>>>>>>>>> CentOS mailing list
> >>>>>>>>>>> CentOS at centos.org
> >>>>>>>>>>> http://lists.centos.org/mailman/listinfo/centos
> >>>>>>>>>> --
> >>>>>>>>>> Tang Jianwei
> >>>>>>>>>> System Administrator
> > --
> >
> > Lorenzo Martinez Rodriguez
> >
> > Visit me: http://www.lorenzomartinez.es
> > Mail me to: lorenzo at lorenzomartinez.es
> > My blog: http://www.securitybydefault.com
> > My twitter: @lawwait
> > PGP Fingerprint: 97CC 2584 7A04 B2BA 00F1 76C9 0D76 83A2 9BBC BDE2
> >
--
Tang Jianwei
System Administrator
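Added example, not from any message in this thread: two small shell helpers for the two diagnostics the thread relies on. One parses `brctl show` output to confirm the tap and physical interfaces are actually ports of the bridge; the other reads `tcpdump -n -i <dev> arp` output and reports targets that were asked for but never answered, which is the br0 symptom quoted above. The `brctl` and `tcpdump` samples are constructed; interface names br0/eth1/tap0 follow the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed samples modelled on the
# outputs quoted above; interface names br0/eth1/tap0 follow the thread.

SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br0             8000.000c29aabbcc       no              eth1
                                                        tap0'

SAMPLE_ARP='20:12:22.012270 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
20:12:23.027897 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
20:12:24.027951 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
20:12:24.100412 ARP, Request who-has 192.168.11.1 tell 192.168.11.33, length 28
20:12:24.100903 ARP, Reply 192.168.11.1 is-at 00:0c:29:aa:bb:cc, length 28'

# bridge_members BRIDGE: read "brctl show" output on stdin and print the
# ports of BRIDGE, one per line. brctl puts additional ports on
# continuation lines that carry only the interface name.
bridge_members() {
    awk -v br="$1" '
        NR == 1 { next }                          # column header
        NF >= 3 { cur = $1; if (cur == br && NF >= 4) print $4; next }
        NF == 1 && cur == br { print $1 }         # continuation port line
    '
}

# missing_ports BRIDGE "IF1 IF2 ...": print expected ports absent from BRIDGE.
missing_ports() {
    members=$(bridge_members "$1")
    for want in $2; do
        printf '%s\n' "$members" | grep -qx "$want" || echo "$want"
    done
}

# unanswered_arp: read tcpdump ARP lines on stdin and print "IP count" for
# every who-has target that never produced an is-at reply.
unanswered_arp() {
    awk '
        $2 == "ARP," && $3 == "Request" { req[$5]++ }
        $2 == "ARP," && $3 == "Reply"   { rep[$4]++ }
        END { for (ip in req) if (!(ip in rep)) print ip, req[ip] }
    ' | sort
}

echo "ports missing from br0:"
printf '%s\n' "$SAMPLE_BRCTL" | missing_ports br0 "eth1 tap0"
echo "ARP targets with requests but no reply:"
printf '%s\n' "$SAMPLE_ARP" | unanswered_arp
```

On a live box, replace the samples with `brctl show | missing_ports br0 "eth1 tap0"` and `tcpdump -l -n -i br0 arp | unanswered_arp` (stop the capture with Ctrl-C to get the summary).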