[CentOS] openvpn + bridge utils in CentOS 6

Mon Nov 7 17:54:15 UTC 2011
Lorenzo Martínez Rodríguez <lorenzo at lorenzomartinez.es>

Hello,

I had not read this issue before, but I have seen this problem too. 
Whenever I restart the bridge (including the tap0 interfaces) I have 
to first ping the physical interface associated with the tap0 
module. I also ping another machine on the same physical network. After 
that, I am able to reach the bridged one.

Strange behaviour, but this works for me for now.

I look forward to Red Hat fixing this bug soon.


On 07/11/11 06:39, 唐建伟 wrote:
> Thank you very much for your follow-up. I hope to get good news from you soon.
>
> On Sat, Nov 5, 2011 at 12:26 AM, Минтаиров Михаил <mikxalich at yandex.ru> wrote:
>
>>
>> 28.09.2011, 04:58, "唐建伟" <myhnet at gmail.com>:
>> Hello, I didn't know what to answer you a month ago. But now I also have
>> an installation of CentOS 6 (in the past I used CentOS 5.7), and I have the
>> same problems as you. First of all, did you find any solutions?
>>
>> I only found that the problem is in the br0 device. I can't guess why, but
>> it does not receive ARP REPLY packets.
>>
>> tcpdump on all devices (tap0, eth1, br0) gives me the same:
>>
>> 20:12:22.012270 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
>> 20:12:23.027897 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
>> 20:12:24.027951 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
>> // 192.168.11.33 is the remote PC's IP address, and 192.168.11.3 is one of my
>> local hosts //
>>
>> and no ARP REPLY.
>>
>> Interestingly, on the other hand I have the same config files on CentOS 5.7
>> and everything works perfectly.
>>
>>
>>> No, I removed the commands you mentioned, but it still doesn't work.
>>>
>>> Best Regards
>>> Tang Jianwei
>>>
>>> On Tue, Sep 27, 2011 at 6:01 PM, Минтаиров Михаил <mikxalich at yandex.ru> wrote:
>>>
>>>
>>>>   I can't remember the reason, but at some point I stopped using the "openvpn
>>>>   --mktun --dev [dev name]" command. Maybe it's because openvpn creates tap0
>>>>   by itself. So try to comment out these lines:
>>>>
>>>>    for t in $tap; do
>>>>       openvpn --mktun --dev $t
>>>>    done
>>>>
>>>>   then restart the network, after that start openvpn, and after it start the
>>>>   bridge script
>>>>>   openvpn configuration file:
>>>>>
>>>>>   port 1194
>>>>>   proto udp
>>>>>   dev tap0                      # layer-2 TAP device, bridged into br0 by the script below
>>>>>   ca ca.crt
>>>>>   cert VPN_Server.crt
>>>>>   key VPN_Server.key            # This file should be kept secret
>>>>>   dh dh1024.pem
>>>>>   # bridge gateway address, netmask, and the client address pool handed out over the bridge
>>>>>   server-bridge 192.168.119.1 255.255.255.0 192.168.119.221 192.168.119.225
>>>>>   keepalive 10 120
>>>>>   comp-lzo
>>>>>   user nobody
>>>>>   group nobody
>>>>>   persist-key
>>>>>   persist-tun
>>>>>   status openvpn-status.log
>>>>>   log-append  /var/log/openvpn.log
>>>>>   verb 3
>>>>>   mute 20
>>>>>
>>>>>   the script for bringing up the bridge:
>>>>>
>>>>>   #!/bin/sh
>>>>>   # Define Bridge Interface
>>>>>   br="br0"
>>>>>
>>>>>   # Define list of TAP interfaces to be bridged,
>>>>>   # for example tap="tap0 tap1 tap2".
>>>>>   tap="tap0"
>>>>>
>>>>>   # Define physical ethernet interface to be bridged
>>>>>   # with TAP interface(s) above.
>>>>>   eth="eth1"
>>>>>   eth_ip="192.168.119.1"
>>>>>   eth_netmask="255.255.255.0"
>>>>>   eth_broadcast="192.168.119.255"
>>>>>
>>>>>   # Create the persistent TAP device(s) openvpn will attach to
>>>>>   for t in $tap; do
>>>>>       openvpn --mktun --dev $t
>>>>>   done
>>>>>
>>>>>   # Create the bridge and add the physical NIC to it
>>>>>   brctl addbr $br
>>>>>   brctl addif $br $eth
>>>>>
>>>>>   # Add each TAP device to the bridge
>>>>>   for t in $tap; do
>>>>>       brctl addif $br $t
>>>>>   done
>>>>>
>>>>>   # Bridge members carry no IP of their own and run promiscuous
>>>>>   for t in $tap; do
>>>>>       ifconfig $t 0.0.0.0 promisc up
>>>>>   done
>>>>>
>>>>>   ifconfig $eth 0.0.0.0 promisc up
>>>>>
>>>>>   # The host's address moves from eth1 to the bridge itself
>>>>>   ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
>>>>>
>>>>>   On Tue, Sep 27, 2011 at 5:20 PM, Минтаиров Михаил <mikxalich at yandex.ru> wrote:
>>>>>>    Hm... It's very hard to guess without config files. Can you post your
>>>>>>    server and client openvpn configs... and also can you show the br0
>>>>>>    creation commands?
>>>>>>
>>>>>>    27.09.2011, 12:01, "唐建伟" <myhnet at gmail.com>:
>>>>>>>    Hi
>>>>>>>
>>>>>>>    No, I don't think so. Anyway, I can reach the VPN server, and only the
>>>>>>>    VPN server, from the remote hosts.
>>>>>>>
>>>>>>>    Best Regards
>>>>>>>    Tang Jianwei
>>>>>>>
>>>>>>>    On Tue, Sep 27, 2011 at 3:59 PM, Минтаиров Михаил <mikxalich at yandex.ru> wrote:
>>>>>>>>     So, something stops packets from remote hosts. Maybe a firewall on the
>>>>>>>>     remote PC...? And can you run tcpdump on the same remote host, to check
>>>>>>>>     that it's the tap0 device.
>>>>>>>>
>>>>>>>>     27.09.2011, 11:06, "唐建伟" <myhnet at gmail.com>:
>>>>>>>>>     Hi
>>>>>>>>>
>>>>>>>>>     The routing table in the remote hosts is OK. "tcpdump -n -i [device
>>>>>>>>>     name]" cannot capture any packets from the remote side, neither on br0
>>>>>>>>>     nor on tap0.
>>>>>>>>>
>>>>>>>>>     Best Regards
>>>>>>>>>     Tang Jianwei
>>>>>>>>>
>>>>>>>>>     On Tue, Sep 27, 2011 at 2:44 PM, Минтаиров Михаил <mikxalich at yandex.ru> wrote:
>>>>>>>>>>      27.09.2011, 09:52, "唐建伟" <myhnet at gmail.com>:
>>>>>>>>>>>      Hi all,
>>>>>>>>>>>
>>>>>>>>>>>      I just installed openvpn + bridge in CentOS 6, but I get strange
>>>>>>>>>>>      problems: the remote PCs cannot get the local PCs' MACs, and also the
>>>>>>>>>>>      local PCs cannot get the remote PCs' MACs.
>>>>>>>>>>>
>>>>>>>>>>>      But when I run "brctl showmacs br0" it lists all the MACs, and also
>>>>>>>>>>>      "brctl show" shows that all the correct adapters are in br0.
>>>>>>>>>>>      SELinux is disabled.
>>>>>>>>>>>
>>>>>>>>>>>      Any ideas?
>>>>>>>>>>      First of all you should check the routing table of the remote hosts. If
>>>>>>>>>>      everything is correct, try to monitor br0 and the other devices (ethX)
>>>>>>>>>>      with "tcpdump -n -i [device name]".
>>>>>>>>>>      _______________________________________________
>>>>>>>>>>      CentOS mailing list
>>>>>>>>>>      CentOS at centos.org
>>>>>>>>>>      http://lists.centos.org/mailman/listinfo/centos
>>>>>>>>>     --
>>>>>>>>>     Tang Jianwei
>>>>>>>>>     System Administrator


-- 


Lorenzo Martinez Rodriguez

Visit me:   http://www.lorenzomartinez.es
Mail me to: lorenzo at lorenzomartinez.es
My blog: http://www.securitybydefault.com
My twitter: @lawwait
PGP Fingerprint: 97CC 2584 7A04 B2BA 00F1 76C9 0D76 83A2 9BBC BDE2
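Added example, not part of the thread above and not OpenVPN's or CentOS's own code: a small bash helper that turns a "tcpdump -n -i <dev> arp" capture, like the one Mikhail posted, into a list of IP addresses that were asked for by ARP but never answered, which is exactly the symptom he describes (requests visible on tap0, eth1 and br0, no reply). It also includes a read-only check of the bridge-netfilter sysctls on the bridge host, since a "1" there means bridged frames also pass through the iptables/arptables FORWARD chain and can be dropped by a host firewall rule. The sample capture is constructed (the 192.168.11.20 request/reply pair is invented to give the filter a healthy exchange to ignore), and the function names are mine.

```bash
#!/bin/bash
# Added example (not from the thread): diagnose "ARP request but no reply"
# on an OpenVPN tap + br0 bridge from tcpdump text.
#
# Capture on the bridge host with, for each of tap0, eth1 and br0:
#   tcpdump -n -l -i br0 arp | tee /tmp/arp-br0.txt
# then run:  unanswered_arp < /tmp/arp-br0.txt

# Print each IP that appears as the target of an ARP "who-has" request but
# never in an "is-at" reply, followed by how many times it was asked for.
# Reads tcpdump -n text on stdin; one "IP count" line per unanswered host.
unanswered_arp() {
    awk '
        # Request lines look like:
        #   HH:MM:SS.uuuuuu ARP, Request who-has A.B.C.D tell E.F.G.H, length N
        /ARP, Request who-has/ {
            for (i = 1; i <= NF; i++)
                if ($i == "who-has") {
                    target = $(i + 1); sub(/,$/, "", target); asked[target]++
                }
        }
        # Reply lines look like:
        #   HH:MM:SS.uuuuuu ARP, Reply A.B.C.D is-at aa:bb:cc:dd:ee:ff, length N
        /ARP, Reply/ {
            for (i = 1; i <= NF; i++)
                if ($i == "is-at") { who = $(i - 1); answered[who]++ }
        }
        END {
            for (ip in asked)
                if (!(ip in answered)) print ip, asked[ip]
        }' | sort
}

# Read-only check of the bridge-netfilter knobs on the bridge host. A value
# of 1 means frames forwarded by br0 also traverse the iptables / arptables
# FORWARD chain, so a host firewall rule can silently drop bridged traffic.
# Prints "knob=value" per line ("absent" if the kernel does not expose it).
bridge_nf_status() {
    local knob
    for knob in bridge-nf-call-iptables bridge-nf-call-arptables bridge-nf-call-ip6tables; do
        if [ -r "/proc/sys/net/bridge/$knob" ]; then
            printf '%s=%s\n' "$knob" "$(cat "/proc/sys/net/bridge/$knob")"
        else
            printf '%s=absent\n' "$knob"
        fi
    done
}

# Constructed sample, modelled on the capture quoted in the thread: three
# requests for 192.168.11.3 with no reply, plus an invented healthy
# request/reply pair for 192.168.11.20 that the filter must ignore.
SAMPLE='20:12:22.012270 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
20:12:23.027897 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28
20:12:23.100000 ARP, Request who-has 192.168.11.20 tell 192.168.11.33, length 28
20:12:23.100412 ARP, Reply 192.168.11.20 is-at 00:16:3e:12:34:56, length 28
20:12:24.027951 ARP, Request who-has 192.168.11.3 tell 192.168.11.33, length 28'

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE" | unanswered_arp
bridge_nf_status
```

Run it once per interface and compare: an address that shows up as unanswered on br0 but does get a reply on eth1 tells you the frame reached the wire and the reply was lost between eth1 and br0, while an address unanswered on all three means the request never got a reply at all. The helper only localises the loss; it does not say why the frame was dropped.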