[CentOS] openvpn + bridge utils in CentOS 6

Fri Nov 4 16:26:20 UTC 2011
Минтаиров Михаил <mikxalich at yandex.ru>


28.09.2011, 04:58, "唐建伟" <myhnet at gmail.com>:
Hello, I didn't find what to answer you a month ago. But now I also have an installation of CentOS 6 (in the past I used CentOS 5.7), and I have the same problems as you. First of all, did you find any solutions?
 
I only found that the problem is in the br0 device. I can't guess why, but it does not receive ARP REPLY packets.

tcpdump on all devices (tap0, eth1, br0) gives me the same:

20:12:22.012270 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
20:12:23.027897 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
20:12:24.027951 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
//192.168.11.33 is the remote PC's IP address, and 192.168.11.3 is one of my local hosts//

and no ARP REPLY.

Interestingly, on the other hand, I have the same config files on CentOS 5.7 and everything works perfectly.


> No, I removed the commands you mentioned, but it still doesn't work.
>
> Best Regards
> Tang Jianwei
>
> On Tue, Sep 27, 2011 at 6:01 PM, Минтаиров Михаил <mikxalich at yandex.ru>wrote:
>
>>  I can't remember the reason, but at one moment I stopped using the "openvpn
>>  --mktun --dev [dev name]" command. Maybe it's because openvpn creates tap0
>>  by itself. So try to comment out these lines:
>>
>>   for t in $tap; do
>>      openvpn --mktun --dev $t
>>   done
>>
>>  then restart the network, after that start openvpn, and after it start the bridge
>>  script
>>>  openvpn configure file
>>>
>>>  port 1194
>>>  proto udp
>>>  dev tap0
>>>  ca ca.crt
>>>  cert VPN_Server.crt
>>>  key VPN_Server.key  # This file should be kept secret
>>>  dh dh1024.pem
>>>  server-bridge 192.168.119.1 255.255.255.0 192.168.119.221 192.168.119.225
>>>  keepalive 10 120
>>>  comp-lzo
>>>  user nobody
>>>  group nobody
>>>  persist-key
>>>  persist-tun
>>>  status openvpn-status.log
>>>  log-append  /var/log/openvpn.log
>>>  verb 3
>>>  mute 20
>>>
>>>  the script for bring up the bridge
>>>  # Define bridge interface
>>>  br="br0"
>>>
>>>  # Define list of TAP interfaces to be bridged,
>>>  # for example tap="tap0 tap1 tap2".
>>>  tap="tap0"
>>>
>>>  # Define physical ethernet interface to be bridged
>>>  # with TAP interface(s) above.
>>>  eth="eth1"
>>>  eth_ip="192.168.119.1"
>>>  eth_netmask="255.255.255.0"
>>>  eth_broadcast="192.168.119.255"
>>>
>>>  for t in $tap; do
>>>      openvpn --mktun --dev $t
>>>  done
>>>
>>>  brctl addbr $br
>>>  brctl addif $br $eth
>>>
>>>  for t in $tap; do
>>>      brctl addif $br $t
>>>  done
>>>
>>>  for t in $tap; do
>>>      ifconfig $t 0.0.0.0 promisc up
>>>  done
>>>
>>>  ifconfig $eth 0.0.0.0 promisc up
>>>
>>>  ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
>>>
>>>  On Tue, Sep 27, 2011 at 5:20 PM, Минтаиров Михаил <mikxalich at yandex.ru> wrote:
>>>>   Hm... It's very hard to guess without config files. Can you post your
>>>>   server and client openvpn configs... and also can you show the br0
>>>>   creation commands?
>>>>
>>>>   27.09.2011, 12:01, "唐建伟" <myhnet at gmail.com>:
>>>>>   Hi
>>>>>
>>>>>   No, I don't think so. Anyway, I can reach, and only reach, the VPN server from
>>>>>   the remote hosts.
>>>>>
>>>>>   Best Regards
>>>>>   Tang Jianwei
>>>>>
>>>>>   On Tue, Sep 27, 2011 at 3:59 PM, Минтаиров Михаил <mikxalich at yandex.ru> wrote:
>>>>>>    So, something stops packets from the remote hosts. Maybe a firewall on the
>>>>>>    remote PC...? And can you run tcpdump on the same remote host, to check that
>>>>>>    it's the tap0 device.
>>>>>>
>>>>>>    27.09.2011, 11:06, "唐建伟" <myhnet at gmail.com>:
>>>>>>>    Hi
>>>>>>>
>>>>>>>    The routing tables in the remote hosts are OK. "tcpdump -n -i [device name]"
>>>>>>>    cannot capture any packets from the remote side, neither on br0 nor on tap0.
>>>>>>>
>>>>>>>    Best Regards
>>>>>>>    Tang Jianwei
>>>>>>>
>>>>>>>    On Tue, Sep 27, 2011 at 2:44 PM, Минтаиров Михаил <mikxalich at yandex.ru> wrote:
>>>>>>>>     27.09.2011, 09:52, "唐建伟" <myhnet at gmail.com>:
>>>>>>>>>     Hi all,
>>>>>>>>>
>>>>>>>>>     I just installed openvpn + bridge in CentOS 6, but I get strange problems:
>>>>>>>>>     the remote PCs cannot get the local PCs' MACs, and also the local PCs
>>>>>>>>>     cannot get the remote PCs' MACs.
>>>>>>>>>
>>>>>>>>>     But when I run "brctl showmacs br0" it will list all the MACs, and also
>>>>>>>>>     "brctl show" will show that all the correct adapters are in br0.
>>>>>>>>>
>>>>>>>>>     SELinux disabled
>>>>>>>>>
>>>>>>>>>     any ideas?
>>>>>>>>     First of all you should check the routing table of the remote hosts. If
>>>>>>>>     everything is correct, try to monitor br0 and the other devices (ethX) with
>>>>>>>>     "tcpdump -n -i [device name]".
>>>>>>>>     _______________________________________________
>>>>>>>>     CentOS mailing list
>>>>>>>>     CentOS at centos.org
>>>>>>>>     http://lists.centos.org/mailman/listinfo/centos
>>>>>>>    --
>>>>>>>    Tang Jianwei
>>>>>>>    System Administrator
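The thread ends with "requests on every interface, no reply anywhere", which is exactly the point where a per-interface ARP pairing helps. The following is an added example, not code from the thread or from OpenVPN: two small shell functions that read `tcpdump -n ... arp` output, count requests and replies per target address, and list the targets that were asked for but never answered. The sample lines are constructed to match the format quoted above (one answered host, 192.168.11.1, added for contrast); the function names `arp_summary` and `unanswered_arp` are mine.

```shell
#!/bin/sh
# Added example (not from the thread): pair ARP "who-has" requests with
# "is-at" replies in `tcpdump -n -i <dev> arp` output.
#
# Assumes the default tcpdump -n line format, e.g.
#   20:12:22.012270 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
#   20:12:22.012900 ARP, Reply 192.168.11.1 is-at 00:11:22:33:44:55, length 28

# Constructed sample: 192.168.11.3 is asked for three times and never answers,
# 192.168.11.1 is asked for once and answers once.
SAMPLE='20:12:22.012270 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
20:12:22.012500 ARP, Request who-has 192.168.11.1 tell 192.168.11.33, length 28
20:12:22.012900 ARP, Reply 192.168.11.1 is-at 00:11:22:33:44:55, length 28
20:12:23.027897 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
20:12:24.027951 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28'

# arp_summary: tcpdump ARP lines on stdin -> "target requests replies", one
# line per address, sorted. A reply counts for the address that says "is-at".
arp_summary() {
    awk '
        / ARP, Request who-has / {
            for (i = 1; i <= NF; i++)
                if ($i == "who-has") { t = $(i + 1); sub(/,$/, "", t); seen[t] = 1; req[t]++ }
        }
        / ARP, Reply / {
            for (i = 1; i <= NF; i++)
                if ($i == "Reply") { r = $(i + 1); sub(/,$/, "", r); seen[r] = 1; rep[r]++ }
        }
        END {
            for (t in seen) printf "%s %d %d\n", t, req[t] + 0, rep[t] + 0
        }
    ' | sort
}

# unanswered_arp: only the addresses that were requested but never replied.
unanswered_arp() {
    arp_summary | awk '$2 > 0 && $3 == 0 { print $1 }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE" | arp_summary
printf '%s\n' "$SAMPLE" | unanswered_arp
```

Run it once per interface on the server, for example `tcpdump -n -i eth1 arp | unanswered_arp` and the same for `br0` and `tap0`, and compare. If the reply for 192.168.11.3 shows up on eth1 but not on br0 or tap0, the bridge is dropping it and the bridge side (ports, filtering, bridge sysctls) is where to look; if the reply never appears on eth1 either, the local host is not answering, or is answering somewhere else, and the bridge is not the problem. The thread's captures show requests on all three interfaces and no reply on any, which does not distinguish the two cases; a capture taken on the local host 192.168.11.3 itself would.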