Re: [Openvpn-devel] OpenVPN in the Hypervisor

2012-05-12 Thread Tom Kent
The wiki was a loss (my backup was only a symlink :-( ), but I've
re-written what I did to get this running.

Now available at:
http://teeks99.com/sys/OpenVPN-VMs/Tryout.html

Tom

On Fri, May 11, 2012 at 4:29 PM, Tom Kent  wrote:

> Thanks for making that clear, it worked great...not sure why I was
> confused about it in the other message.
>
> I was able to get everything up and running. I've documented my adventures
> here:
> http://teeks99.com/sys/doku.php?id=openvpn_vm_segregated_net
>
> Thanks for all the input,
> Tom
>
>
> On Fri, May 11, 2012 at 2:41 AM, Gert Doering  wrote:
>
>> Hi,
>>
>> On Thu, May 10, 2012 at 08:45:04PM -0400, Tom Kent wrote:
>> > The other thing I tried was to have openvpn up and running, then to
>> > attach the VM to the tap0 device that it created...that ended with this error:
>> > libvirtError: internal error Failed to add tap interface to bridge.
>> > tap0 is not a bridge device
>>
>> Try what David suggested: creating a bridge device.
>>
>> Start OpenVPN with "tap0", then run
>>
>>  "brctl addbr br0"
>>  "brctl addif br0 tap0"
>>
>> and then have libvirt attach to br0.
>>
>> gert
>> --
>> USENET is *not* the non-clickable part of WWW!
>> //www.muc.de/~gert/
>> Gert Doering - Munich, Germany
>> g...@greenie.muc.de
>> fax: +49-89-35655025
>> g...@net.informatik.tu-muenchen.de
>>
>
>


Re: [Openvpn-devel] OpenVPN in the Hypervisor

2012-05-11 Thread Tom Kent
A little help please.

I just accidentally deleted the wiki from my server. If anyone still has that
page open in their web browser, please copy-paste the text and e-mail it to
me.

On Fri, May 11, 2012 at 4:29 PM, Tom Kent  wrote:

> Thanks for making that clear, it worked great...not sure why I was
> confused about it in the other message.
>
> I was able to get everything up and running. I've documented my adventures
> here:
> http://teeks99.com/sys/doku.php?id=openvpn_vm_segregated_net
>
> Thanks for all the input,
> Tom
>
>
> On Fri, May 11, 2012 at 2:41 AM, Gert Doering  wrote:
>
>> Hi,
>>
>> On Thu, May 10, 2012 at 08:45:04PM -0400, Tom Kent wrote:
>> > The other thing I tried was to have openvpn up and running, then to
>> > attach the VM to the tap0 device that it created...that ended with this error:
>> > libvirtError: internal error Failed to add tap interface to bridge.
>> > tap0 is not a bridge device
>>
>> Try what David suggested: creating a bridge device.
>>
>> Start OpenVPN with "tap0", then run
>>
>>  "brctl addbr br0"
>>  "brctl addif br0 tap0"
>>
>> and then have libvirt attach to br0.
>>
>> gert
>>
>
>


Re: [Openvpn-devel] OpenVPN in the Hypervisor

2012-05-11 Thread Tom Kent
Thanks for making that clear, it worked great...not sure why I was confused
about it in the other message.

I was able to get everything up and running. I've documented my adventures
here:
http://teeks99.com/sys/doku.php?id=openvpn_vm_segregated_net

Thanks for all the input,
Tom

On Fri, May 11, 2012 at 2:41 AM, Gert Doering  wrote:

> Hi,
>
> On Thu, May 10, 2012 at 08:45:04PM -0400, Tom Kent wrote:
> > The other thing I tried was to have openvpn up and running, then to
> > attach the VM to the tap0 device that it created...that ended with this error:
> > libvirtError: internal error Failed to add tap interface to bridge.
> > tap0 is not a bridge device
>
> Try what David suggested: creating a bridge device.
>
> Start OpenVPN with "tap0", then run
>
>  "brctl addbr br0"
>  "brctl addif br0 tap0"
>
> and then have libvirt attach to br0.
>
> gert
>


Re: [Openvpn-devel] OpenVPN in the Hypervisor

2012-05-11 Thread Tom Kent
Hmm, that wasn't very successful. I guess I'm not sure what you mean when
you say to have open vpn use the tap interface right away.

My VM has a couple tap (I assume) interfaces vibr0 vibr1 (I can make more),
which say "br" in the name, but aren't actually bridged to anything
physical, they are just "virtual" networks, local to the machine.  I tried
to specify the name of one of those in the openvpn config file (in place of
tap0), but it didn't seem to work.

The other thing I tried was to have openvpn up and running, then to attach
the VM to the tap0 device that it created...that ended with this error:
libvirtError: internal error Failed to add tap interface to bridge. tap0 is
not a bridge device

Neither of these surprised me; this was how I thought the tap stuff worked,
but it sounded from your message like you knew of something else.  Could
you please clarify the idea you had on how to get openvpn connected to the
hypervisor?

On Tue, May 8, 2012 at 3:37 AM, Gert Doering  wrote:

> Hi,
>
> On Mon, May 07, 2012 at 09:03:17PM -0400, Tom Kent wrote:
> > The idea I had, and wanted to run by, was if it would be possible to
> > integrate an openvpn client into the hypervisor's virtual network card.
> > This would make it so that from the moment the VM boots up, it is only
> > connected to the private LAN served by the OpenVPN server. The VM would
> > see just another NIC, but instead of routing the data directly to the
> > Hypervisor's NIC (tap) or NATing it or whatever, it would go to an
> > OpenVPN client library (that wouldn't need a tun/tap device on the
> > hypervisor) which sends the data to the server over the udp connection.
>
> If your hypervisor uses a tap interface, you can just have openvpn use
> that tap interface "right away".  So don't bridge tap0 to eth0 on the
> Hypervisor, but just have tap0 available for the VMs, and run OpenVPN
> with "--dev tap0".
>
> This might be somewhat more expensive performance-wise - but it will
> be much cheaper programmer-time-wise, as all you need is already there
> and well-tested :-)
>
> gert
>
>
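Gert's recipe (run OpenVPN with `--dev tap0`, put tap0 into a bridge for libvirt, and do not bridge that tap to eth0) as an added example that is not part of this thread: a POSIX sh script that emits the setup commands and checks from sysfs that the bridge holds only the OpenVPN tap, so the VMs reach the VPN LAN and nothing else. `openvpn --mktun`, `brctl`, `ip` and the `/sys/class/net/<bridge>/brif/` layout are standard Linux interfaces; the `SYSFS` override and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the br0/tap0 bridge
# described in the thread and verifies its membership via sysfs.
# SYSFS is overridable so the check can run against a constructed tree.
SYSFS="${SYSFS:-/sys/class/net}"

# Print the commands that turn an OpenVPN tap into a libvirt-usable bridge.
# "openvpn --mktun" creates a persistent tap so OpenVPN can be restarted
# without libvirt losing its bridge member. Requires root when executed.
bridge_cmds() {
    tap="$1"; br="$2"
    printf '%s\n' \
        "openvpn --mktun --dev $tap" \
        "brctl addbr $br" \
        "brctl addif $br $tap" \
        "ip link set $tap up" \
        "ip link set $br up"
}

# List the interfaces enslaved to a bridge, one per line.
# Returns 1 if the bridge does not exist (no brif directory).
bridge_members() {
    br="$1"
    [ -d "$SYSFS/$br/brif" ] || return 1
    for m in "$SYSFS/$br/brif"/*; do
        [ -e "$m" ] && basename "$m"
    done
}

# Return 0 only if the bridge contains exactly one member, the given tap.
# Any extra member (e.g. eth0) would also connect the VMs to the host LAN,
# which defeats the point of giving them only the VPN network.
bridge_isolated() {
    br="$1"; tap="$2"
    members=$(bridge_members "$br") || return 1
    [ "$members" = "$tap" ]
}
```

Run `bridge_cmds tap0 br0 | sh` as root to apply the setup, then `bridge_isolated br0 tap0 && echo ok` to confirm the bridge carries only the VPN tap.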


Re: [Openvpn-devel] OpenVPN in the Hypervisor

2012-05-08 Thread Tom Kent
> But... I don't think that OpenVPN is the right approach as it is not a
> peer-to-peer solution.

I agree that this is not the optimal solution, especially for large/high
bandwidth setups. I was just looking for something that I could get going
with what I have today. My ideal setup would be a central arbiter that
hands out routing and encryption info for each p2p connection that is
desired, but I don't know of anything that does this currently.

> If your hypervisor uses a tap interface, you can just have openvpn use
> that tap interface "right away".

I guess I need to read up a bit more on how tap interfaces work. I guess I
assumed that the hypervisor was controlling that, so there wouldn't be room
for openvpn to jump on it. But assuming it is as you say, that seems very
promising, and much easier to get going than I thought.

I think I'm going to try this out here in the next few days, and see how
easily I can get something set up. If I have luck I'll put up a blog post
about it.

Thanks for the input,
Tom


[Openvpn-devel] OpenVPN in the Hypervisor

2012-05-08 Thread Tom Kent
I had an idea I wanted to run by people and see if it's feasible... here
goes.

I've been hearing a lot about "virtualized" networking for VMs and that got
me thinking. It seems like OpenVPN would be a good tool that could join a
group of VMs into their own private LAN, basically segregating them from
the internet even though they're just machines hosted by amazon, rackspace,
or in my own server room. This could all be done now by setting all the VMs
up with the openvpn client and getting them to connect, etc. The down side
is that this is a lot of configuration, and the machines would still be
exposed to the larger network.

The idea I had, and wanted to run by, was if it would be possible to
integrate an openvpn client into the hypervisor's virtual network card.
This would make it so that from the moment the VM boots up, it is only
connected to the private LAN served by the OpenVPN server. The VM would see
just another NIC, but instead of routing the data directly to the
Hypervisor's NIC (tap) or NATing it or whatever, it would go to an OpenVPN
client library (that wouldn't need a tun/tap device on the hypervisor)
which sends the data to the server over the udp connection.

Is this something that would be technically feasible? Practically feasible?
I've only used the binaries before, is the client in a state (is there a
libopenvpn) where it could be plugged into another program like QEMU/KVM?

Thanks for any input,
Tom