Hi Rick,
I suggest that you use different ports, different tunX and different end-points for each instance at the beginning and refine them later if you want to. So in the CONF files you may have
dev tun0
dev tun1
the shorewall tunnels could be
openvpn loc 192.168.1.0/24 vpn3
generic:udp:5001 net 137.p.q.r vpn4
also note that OpenVPN's official port is now TCP/UDP 1194, so it may be better to have the ports listed in all config files as well as in the shorewall tunnels so you can upgrade to a later version easily.
The script /etc/init.d/openvpn will look at /etc/openvpn and, for each CONF file it finds, start an openvpn daemon on it; that's why you see 2 tunnels coming up.
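As an added example (not from the thread), a POSIX sh lint that applies the advice above to the directory /etc/init.d/openvpn reads: it flags two .conf files that share the same dev, the same local-address:port to bind, or the same route destination, which is what made the second instance's route add fail. Conf file names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example, not from the thread: lint the .conf files that
# /etc/init.d/openvpn starts, one daemon per file, for settings that
# must differ between instances. Reports two files sharing the same
# 'dev' (a bare 'dev tun' in both means the kernel assigns tun0/tun1
# by start order, so Shorewall's interfaces mapping is not stable),
# the same local-address:port to bind, or the same 'route' destination
# (the second daemon's route add fails because the route exists).
# Assumes conf file names contain no spaces.
# usage: check_openvpn_confs /etc/openvpn
check_openvpn_confs() {
    dir="$1"
    triples=""
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # One "key value file" line per directive of interest. The bind
        # key folds 'local' and 'port'/'lport' together, since two
        # instances on the same port are fine if they bind different IPs.
        t=$(awk -v f="$f" '
            { sub(/#.*/, "") }
            NF == 0 { next }
            $1 == "dev"                   { print "dev", $2, f }
            $1 == "local"                 { laddr = $2 }
            $1 == "port" || $1 == "lport" { port = $2 }
            $1 == "route"                 { print "route", $2, f }
            END {
                if (laddr == "") laddr = "0.0.0.0"
                if (port == "")  port  = "default"
                print "bind", laddr ":" port, f
            }' "$f")
        triples="$triples
$t"
    done
    # A (key, value) pair seen in two different files is a conflict.
    conflicts=$(printf '%s\n' "$triples" | awk '
        NF == 3 {
            k = $1 " " $2
            if (!(k in first)) { first[k] = $3; next }
            if (first[k] != $3) print k ": " first[k] " and " $3
        }')
    if [ -n "$conflicts" ]; then
        printf 'conflicting settings across instances:\n%s\n' "$conflicts"
        return 1
    fi
    return 0
}
```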
----- Original Message ----- From: "Tibbs, Richard" <[EMAIL PROTECTED]>
To: "Martin Hejl" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, December 13, 2004 10:48 AM
Subject: RE: [leaf-user] Can Multiple openvpn processes run on LEAF?
OK, I apologize for this being so long. I wanted to give the list enough info to make analysis possible... This is the bering 1.2 (non-uclibc).
First, I have put two openvpn.conf files in /etc/openvpn, et voilà, two tunnels come up! Somehow there is auto-svi-ing for multiple .confs. Second, I added new tunnels to Shorewall, shown below the .confs. But I can not ping the other end of either tunnel, nor pull up a web page any more. (Errrr.....!)
The principal problem is that a route command fails (see daemon.log at the very end of the email) from the second config file. (This config used to be the first, sorry -- tun0 protecting the WLAN has become tun1.) The route command is the same as in the other conf file, so that makes sense -- can't have a route with two different vias and devs, I suppose.
But the only thing that made the original WLAN tunnel work was not forming a route loop on the WLAN tunnel, i.e. winxp openvpn has a route 192.168.1.254, and if I point the openvpn route on bering back to the winxp box, nothing passes. So, in the bering openvpn.conf, I used route 216.x.y.z (my static public IP on the net side of my bering fw). Then everything worked.
What is the way out of this quandary?? TIA Rick
========== file openvp2.conf (comes up as tun0)==============
dev tun
disable-occ
local 216.x.y.z
# Our remote peer (office subnet)
remote 137.p.q.r
route 216.x.y.z
secret static.key
verb 5
mute 10
========== file openvpn.conf (comes up as tun1, was tun0)==============
dev tun
# For compatibility with 2.x openvpn clients/servers
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
disable-occ
local 192.168.1.254
float
ifconfig 10.1.1.1 10.1.1.2
route 216.x.y.z
secret static.key
================================== Shorewall files (abbrev)=======
=== zones
vpn3 WLAN-OPENVPN Openvpn to wireless internal
vpn4 WiredOPENVPN Openvpn to office firewall
=== interfaces
vpn3 tun1
vpn4 tun0
=== policy
loc vpn3 ACCEPT
fw vpn3 ACCEPT
net vpn3 ACCEPT
loc vpn4 ACCEPT
fw vpn4 ACCEPT
net vpn4 ACCEPT
vpn3 loc ACCEPT
vpn3 fw ACCEPT
vpn3 net ACCEPT
vpn4 loc ACCEPT
vpn4 fw ACCEPT
vpn4 net ACCEPT
fw loc ACCEPT
=== tunnels
openvpn loc 192.168.1.0/24 vpn3
openvpn net 137.p.q.r vpn4
=============================================================
firewall: -root- # ip addr sho
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:e3:13:02:78 brd ff:ff:ff:ff:ff:ff
    inet 216.12.22.89/26 brd 216.12.22.127 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:e3:12:7d:94 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1256 qdisc pfifo_fast qlen 10
    link/ppp
    inet 10.1.10.1 peer 10.1.10.2/32 scope global tun0
6: tun1: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 10
    link/ppp
    inet 10.1.1.1 peer 10.1.1.2/32 scope global tun1
7: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:02:e3:13:02:78 brd ff:ff:ff:ff:ff:ff
    inet 216.12.22.89/26 brd 216.12.22.127 scope global ipsec0
8: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
9: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
10: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
firewall: -root- # ip route sho
10.1.10.2 dev tun0 proto kernel scope link src 10.1.10.1
216.12.22.89 via 10.1.10.2 dev tun0
10.1.1.2 dev tun1 proto kernel scope link src 10.1.1.1
216.12.22.64/26 dev eth0 proto kernel scope link src 216.12.22.89
216.12.22.64/26 dev ipsec0 proto kernel scope link src 216.12.22.89
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
default via 216.12.22.65 dev eth0
============================ daemon.log from bering. ===================
Dec 13 11:31:30 firewall openvpn[29658]: TUN/TAP device tun0 opened
Dec 13 11:31:30 firewall openvpn[29658]: ip link set dev tun0 up mtu 1256
Dec 13 11:31:30 firewall openvpn[29658]: ip addr add dev tun0 local 10.1.10.1 peer 10.1.10.2
Dec 13 11:31:30 firewall openvpn[29658]: ip route add 216.12.22.89/32 via 10.1.10.2
Dec 13 11:31:30 firewall openvpn[29658]: Data Channel MTU parms [ L:1300 D:1300 EF:44 EB:0 ET:0 EL:0 ]
< .... segment deleted for brevity...>
Dec 13 11:31:31 firewall openvpn[1512]: OpenVPN 1.6.0 i686-pc-linux-gnu [SSL] [LZO] built on Dec 1 2004
Dec 13 11:31:31 firewall openvpn[1512]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Dec 13 11:31:31 firewall openvpn[1512]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 13 11:31:31 firewall openvpn[1512]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Dec 13 11:31:31 firewall openvpn[1512]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 13 11:31:31 firewall openvpn[1512]: TUN/TAP device tun1 opened
Dec 13 11:31:31 firewall openvpn[1512]: ip link set dev tun1 up mtu 1500
Dec 13 11:31:31 firewall openvpn[1512]: ip addr add dev tun1 local 10.1.1.1 peer 10.1.1.2
Dec 13 11:31:31 firewall openvpn[1512]: ip route add 216.12.22.89/32 via 10.1.1.2
Dec 13 11:31:31 firewall openvpn[1512]: ERROR: Linux route add command failed: shell command exited with error status: 2
Dec 13 11:31:31 firewall openvpn[1512]: Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:0 ET:32 EL:0 ]
=================================
firewall: -root-
-----Original Message-----
From: Martin Hejl [mailto:[EMAIL PROTECTED]
Sent: Sunday, December 12, 2004 3:58 PM
To: Tibbs, Richard
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Can Multiple openvpn processes run on LEAF?
Hi Richard,
Tibbs, Richard wrote:
I sent the following item to the openvpn user's list and the reply advised it was possible by running two instances of openvpn with separate config files.
One option would be to include an extra config file somewhere and manually start it on the home FW. Another is to include a few lines in the
openvpn start/stop script like /sbin/openvpn --config ... which I could
put in several places to get start/stop/restart/reload capabilities.
What would be the best way to do this?
Depends on your definition of "best". If you don't need to constantly restart individual links, the easiest way would be to simply stick another "whatever.conf" into /etc/openvpn/, do "svi openvpn restart", and the new instance should be started (remember to run it on a different port).
If you need to start tunnels individually ("on demand"), take a look at /etc/init.d/openvpn - that's the script that starts/stops the tunnels - you could basically use that as a base for scripts to individually start/stop the daemon.
Martin
P.S. I'm referring to the /etc/init.d/openvpn script found in the Bering
uClibc version of openvpn - but it should be identical to what is found in the Bering package, unless Erich changed something in his package.
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html