Hi Rick,

I suggest that you use different ports, different tunX and different end-points for each instance at the beginning and refine them later if you want to. So in the CONF file you may have

dev tun0
dev tun1


the shorewall tunnels could be

openvpn                                 loc     192.168.1.0/24  vpn3
generic:udp:5001                 net     137.p.q.r       vpn4

also note that OpenVPN official port is now TCP/UDP 1194 so it may be better to have the ports listed in all config files as well as shorewall tunnels so you can upgrade to later version easily.

The script /etc/init.d/openvpn will look at /etc/openvpn and, for each CONF file it finds, it will start an openvpn daemon on it; that's why you see 2 tunnels coming up.
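Since /etc/init.d/openvpn starts one daemon per .conf file, the configs have to differ in the directives that are per-instance. The following checker is an added example (not code from this thread, OpenVPN or LEAF) that parses a set of OpenVPN config bodies and reports values of `dev`, `route` and `ifconfig` shared by more than one file, plus two files that would bind the same local address and port; the sample configs are constructed from the two files quoted later in the thread, with the public IPs kept as placeholders.

```python
"""Lint /etc/openvpn/*.conf-style files for per-instance directives that collide.

Added example, not code from the thread or from OpenVPN/LEAF: the thread's two
files share 'dev tun' and 'route 216.x.y.z', so the second daemon's
'ip route add' fails.  UNIQUE_DIRECTIVES is this example's own choice.
"""
from collections import defaultdict

# Directives whose value must not be shared by two daemons on the same host.
UNIQUE_DIRECTIVES = ("dev", "route", "ifconfig")


def parse_openvpn_conf(text):
    """Map directive -> list of argument strings; '#' and ';' start comments."""
    directives = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            directives[parts[0]].append(parts[1].strip() if len(parts) > 1 else "")
    return directives


def find_conflicts(configs):
    """configs: {filename: text}. Return sorted (directive, value, [files]) shared by >1 file."""
    owners = defaultdict(set)
    for fname, text in configs.items():
        parsed = parse_openvpn_conf(text)
        for directive in UNIQUE_DIRECTIVES:
            for value in parsed.get(directive, []):
                owners[(directive, value)].add(fname)
        # Two daemons cannot bind the same local address and port; a missing
        # 'lport'/'port' means the daemon default, recorded here as "(default)".
        local = (parsed.get("local") or ["0.0.0.0"])[0]
        port = (parsed.get("lport") or parsed.get("port") or ["(default)"])[0]
        owners[("listen", f"{local}:{port}")].add(fname)
    return sorted((d, v, sorted(f)) for (d, v), f in owners.items() if len(f) > 1)


# Constructed from the two configs quoted in the thread (public IPs are placeholders).
THREAD_CONFIGS = {
    "openvp2.conf": "dev tun\nlocal 216.x.y.z\nremote 137.p.q.r\nroute 216.x.y.z\nsecret static.key\n",
    "openvpn.conf": "dev tun\nlocal 192.168.1.254\nfloat\nifconfig 10.1.1.1 10.1.1.2\n"
                    "route 216.x.y.z\nsecret static.key\n",
}

if __name__ == "__main__":
    for directive, value, files in find_conflicts(THREAD_CONFIGS):
        print(f"{directive} {value!r} appears in {', '.join(files)}")
```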



----- Original Message ----- From: "Tibbs, Richard" <[EMAIL PROTECTED]>
To: "Martin Hejl" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, December 13, 2004 10:48 AM
Subject: RE: [leaf-user] Can Multiple openvpn processes run on LEAF?



ok, apologize for this being so long. Wanted to give the list enough info to make analysis possible... This is the bering 1.2 (non-uclibc)

First, I have put two openvpn.conf files in /etc/openvpn, et voilà, two
tunnels come up!  Somehow there is auto-svi-ing for multiple .confs.
Second, I added new tunnels to Shorewall, Shown below the .confs . But,
I can not ping the other end of either tunnel, nor pull up a web page
any more. (Errrr.....!)

The principal problem is that a route command fails (see daemon.log at
very end of email) from the second config file. (This config used to be
the first, sorry... tun0 protecting the WLAN has become tun1).
The route command is the same as the other conf file, so that makes
sense -- can't have a route with two different via's and devs, I
suppose.

But, the only thing that made the original WLAN tunnel work was not
forming a route loop on the WLAN tunnel, i.e. winxp openvpn has a route
192.168.1.254, and if I point the openvpn route on bering back to the
winxp box, nothing passes. So, in the bering openvpn.conf, I used
route 216.x.y.z (my static public IP on the net side of my bering fw).
Then everything worked.

What is the way out of this quandary??
TIA
Rick

========== file openvp2.conf (comes up as tun0)==============

dev tun
disable-occ
local 216.x.y.z
# Our remote peer (office subnet)
remote 137.p.q.r
route 216.x.y.z
secret static.key
verb 5
mute 10

========== file openvpn.conf (comes up as tun1, was tun0)==============
dev tun
# For compatibility with 2.x openvpn clients/servers
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
disable-occ
local 192.168.1.254
float
ifconfig 10.1.1.1 10.1.1.2
route 216.x.y.z
secret static.key
================================== Shorewall files (abbrev)=======
=== zones
vpn3    WLAN-OPENVPN    Openvpn to wireless internal
vpn4    WiredOPENVPN    Openvpn to office firewall
=== interfaces
vpn3    tun1
vpn4    tun0
=== policy
loc             vpn3            ACCEPT
fw              vpn3            ACCEPT
net             vpn3            ACCEPT
loc             vpn4            ACCEPT
fw              vpn4            ACCEPT
net             vpn4            ACCEPT
vpn3            loc             ACCEPT
vpn3            fw              ACCEPT
vpn3            net             ACCEPT
vpn4            loc             ACCEPT
vpn4            fw              ACCEPT
vpn4            net             ACCEPT
fw              loc             ACCEPT
=== tunnels
openvpn                 loc     192.168.1.0/24  vpn3
openvpn                 net     137.p.q.r       vpn4
=============================================================
firewall: -root-
# ip addr sho
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
   link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
   link/ether 00:02:e3:13:02:78 brd ff:ff:ff:ff:ff:ff
   inet 216.12.22.89/26 brd 216.12.22.127 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
   link/ether 00:02:e3:12:7d:94 brd ff:ff:ff:ff:ff:ff
   inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1256 qdisc pfifo_fast qlen 10
   link/ppp
   inet 10.1.10.1 peer 10.1.10.2/32 scope global tun0
6: tun1: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 10
   link/ppp
   inet 10.1.1.1 peer 10.1.1.2/32 scope global tun1
7: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
   link/ether 00:02:e3:13:02:78 brd ff:ff:ff:ff:ff:ff
   inet 216.12.22.89/26 brd 216.12.22.127 scope global ipsec0
8: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
   link/ipip
9: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
   link/ipip
10: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
   link/ipip

firewall: -root-
#  ip route sho
10.1.10.2 dev tun0  proto kernel  scope link  src 10.1.10.1
216.12.22.89 via 10.1.10.2 dev tun0
10.1.1.2 dev tun1  proto kernel  scope link  src 10.1.1.1
216.12.22.64/26 dev eth0  proto kernel  scope link  src 216.12.22.89
216.12.22.64/26 dev ipsec0  proto kernel  scope link  src 216.12.22.89
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
default via 216.12.22.65 dev eth0

============================ daemon.log from bering. ===================

Dec 13 11:31:30 firewall openvpn[29658]: TUN/TAP device tun0 opened
Dec 13 11:31:30 firewall openvpn[29658]: ip link set dev tun0 up mtu 1256
Dec 13 11:31:30 firewall openvpn[29658]: ip addr add dev tun0 local 10.1.10.1 peer 10.1.10.2
Dec 13 11:31:30 firewall openvpn[29658]: ip route add 216.12.22.89/32 via 10.1.10.2
Dec 13 11:31:30 firewall openvpn[29658]: Data Channel MTU parms [ L:1300 D:1300 EF:44 EB:0 ET:0 EL:0 ]
< .... segment deleted for brevity...>
Dec 13 11:31:31 firewall openvpn[1512]: OpenVPN 1.6.0 i686-pc-linux-gnu [SSL] [LZO] built on Dec  1 2004
Dec 13 11:31:31 firewall openvpn[1512]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Dec 13 11:31:31 firewall openvpn[1512]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 13 11:31:31 firewall openvpn[1512]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Dec 13 11:31:31 firewall openvpn[1512]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 13 11:31:31 firewall openvpn[1512]: TUN/TAP device tun1 opened
Dec 13 11:31:31 firewall openvpn[1512]: ip link set dev tun1 up mtu 1500
Dec 13 11:31:31 firewall openvpn[1512]: ip addr add dev tun1 local 10.1.1.1 peer 10.1.1.2
Dec 13 11:31:31 firewall openvpn[1512]: ip route add 216.12.22.89/32 via 10.1.1.2
Dec 13 11:31:31 firewall openvpn[1512]: ERROR: Linux route add command failed: shell command exited with error status: 2
Dec 13 11:31:31 firewall openvpn[1512]: Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:0 ET:32 EL:0 ]


=================================
firewall: -root-

-----Original Message-----
From: Martin Hejl [mailto:[EMAIL PROTECTED]]
Sent: Sunday, December 12, 2004 3:58 PM
To: Tibbs, Richard
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Can Multiple openvpn processes run on LEAF?

Hi Richard,

Tibbs, Richard wrote:
> I sent the following item to the openvpn user's list and the reply
> advised it was possible by running two instances of openvpn with
> separate config files.
>
> One option would be to include an extra config file somewhere and
> manually start it on home FW.  Another is to include a few lines in the
> openvpn start/stop script like /sbin/openvpn --config ... which I could
> put in several places to get start/stop/restart/reload capabilities.
>
> What would be the best way to do this?

Depends on your definition of "best". If you don't need to constantly
restart individual links, the easiest way would be to simply stick
another "whatever.conf" into /etc/openvpn/, do "svi openvpn restart" and
the new instance should be started (remember to run it on a different
port).

If you need to start tunnels individually ("on demand"), take a look at
/etc/init.d/openvpn - that's the script that starts/stops the tunnels -
you could basically use that as a base for scripts to individually
start/stop the daemon.

Martin

P.S. I'm referring to the /etc/init.d/openvpn script found in the Bering
uClibc version of openvpn - but it should be identical to what is found
in the Bering package, unless Erich changed something in his package.




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

