[Openvpn-devel] New feature: --ifconfig for tap devices

2003-09-03 Thread James Yonan
One of the nice things about the --ifconfig option is that it lets you set TUN
adapter endpoint addresses (i.e. the virtual IP addresses for each end of the
tunnel) in a platform independent manner -- OpenVPN then translates the
--ifconfig option to the appropriate ifconfig command for your platform.

Up until now, the --ifconfig option has only worked for TUN adapters, but with
the increasing use of TAP adapters for ethernet bridging, and the fact that
the new Windows port only supports a TAP adapter, I've decided to extend
--ifconfig so that it works for TAP devices as well (this feature will be
included in 1.5-beta8).

--ifconfig is really a convenience function -- you can call ifconfig yourself
in an --up script, but letting OpenVPN run the ifconfig command for you makes
the configuration simpler and more portable.

The new --ifconfig will still work as always with --dev tun.  However if --dev
tap is specified, then the --ifconfig option will be interpreted as --ifconfig
ip-addr netmask.

What I need right now in order to make the TAP version of --ifconfig work
correctly, is the correct ifconfig command syntax for setting the IP address
and netmask of a TAP device, on all the OSes which OpenVPN supports.  I've
already coded templates for Linux and Windows, but I still need to know the
appropriate ifconfig syntax for FreeBSD, OpenBSD, NetBSD, Solaris, and Mac OS
X, with respect to setting the IP/netmask on a TAP device.

So if you are using one of these OSes with OpenVPN + TAP adapter, please let
us know what kind of ifconfig syntax you use in your --up script to set the
adapter parameters.

James






Re: [Openvpn-devel] New feature: --ifconfig for tap devices

2003-09-04 Thread Matthias Andree
On Wed, 03 Sep 2003, James Yonan wrote:

> One of the nice things about the --ifconfig option is that it lets you set TUN
> adapter endpoint addresses (i.e. the virtual IP addresses for each end of the
> tunnel) in a platform independent manner -- OpenVPN then translates the
> --ifconfig option to the appropriate ifconfig command for your platform.

> What I need right now in order to make the TAP version of --ifconfig work
> correctly, is the correct ifconfig command syntax for setting the IP address
> and netmask of a TAP device, on all the OSes which OpenVPN supports.  I've
> already coded templates for Linux and Windows, but I still need to know the
> appropriate ifconfig syntax for FreeBSD, OpenBSD, NetBSD, Solaris, and Mac OS
> X, with respect to setting the IP/netmask on a TAP device.

## FreeBSD 4.9-PRERELEASE:

ifconfig tap0 inet 10.11.12.42 netmask 255.0.0.0 up

(inet appears to be optional, so the Linux syntax, "ifconfig tap0
10.11.12.42 netmask 255.0.0.0 up", should also work. Untested on FreeBSD
5.x.)

## Solaris:

Does Solaris support "tap"-style ethernet frame tunneling devices at
all? How? Anyone got that to work?

The tun-1.1 driver only installs a "tun" driver and doesn't claim
ethernet bridging on Solaris.

./openvpn --secret /home/ma/openvpn-tap-discardme.key --dev tap0 \
[remote info]

4: Can't open /dev/tap: No such file or directory (errno=2)

Trying --dev-node /dev/tun and --dev-type tap results in:

4: Can't set multiplexor id: No such device or address (errno=6)

Did I miss anything?

-- 
Matthias Andree

Encrypt your mail: my GnuPG key ID is 0x052E7D95



Re: [Openvpn-devel] New feature: --ifconfig for tap devices

2003-09-04 Thread Jan Johansson
> > What I need right now in order to make the TAP version of --ifconfig work
> > correctly, is the correct ifconfig command syntax for setting the IP address
> > and netmask of a TAP device, on all the OSes which OpenVPN supports.  I've
> > already coded templates for Linux and Windows, but I still need to know the
> > appropriate ifconfig syntax for FreeBSD, OpenBSD, NetBSD, Solaris, and Mac OS
> > X, with respect to setting the IP/netmask on a TAP device.
> 
> ## FreeBSD 4.9-PRERELEASE:
> 
> ifconfig tap0 inet 10.11.12.42 netmask 255.0.0.0 up
> 
> (inet appears to be optional, so the Linux syntax, "ifconfig tap0
> 10.11.12.42 netmask 255.0.0.0 up", should also work.

The above works for OpenBSD too, but do mind that OpenBSD usually doesn't come
with tap drivers. I'm re-porting an older port from FreeBSD to current Open,
and on my box the above works the same way as in Free.
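
Added example, not part of the thread or of OpenVPN: a sketch of the per-OS translation discussed above, using only the Linux, FreeBSD and OpenBSD syntax reported in the replies. The function names are hypothetical; the command is printed rather than run, and the device name, address and netmask are validated first because an --up script normally runs as root.

```sh
#!/bin/sh
# Added example, not from the thread. Arguments (OS name, device, IP,
# netmask) are passed explicitly; how your --up script obtains them is
# an assumption left to the caller.

# Only tap0..tap999: nothing else may reach a command that runs as root.
valid_dev() {
    case "$1" in
        tap[0-9]|tap[0-9][0-9]|tap[0-9][0-9][0-9]) return 0 ;;
    esac
    return 1
}

# Dotted quad, four octets 0..255, no leading zeros (avoids octal parsing).
valid_quad() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Netmask must be a non-zero run of 1-bits followed only by 0-bits.
valid_mask() {
    valid_quad "$1" || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    m=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    inv=$(( m ^ 0xFFFFFFFF ))
    [ "$m" -ne 0 ] && [ $(( inv & (inv + 1) )) -eq 0 ]
}

# Print (do not run) the ifconfig command for the given OS.
# Returns 2 on rejected input, 3 when the thread reports no syntax.
tap_ifconfig_cmd() {
    os=$1; dev=$2; ip=$3; mask=$4
    valid_dev "$dev" && valid_quad "$ip" && valid_mask "$mask" || return 2
    case "$os" in
        Linux)           echo "ifconfig $dev $ip netmask $mask up" ;;
        FreeBSD|OpenBSD) echo "ifconfig $dev inet $ip netmask $mask up" ;;
        *)               return 3 ;;
    esac
}

# Demo with the address used in the thread.
tap_ifconfig_cmd "$(uname -s)" tap0 10.11.12.42 255.0.0.0 ||
    echo "no TAP template for $(uname -s)" >&2
```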





Re: [Openvpn-devel] New feature: --ifconfig for tap devices

2003-09-07 Thread julien Touche


James Yonan wrote:


> What I need right now in order to make the TAP version of --ifconfig work
> correctly, is the correct ifconfig command syntax for setting the IP address
> and netmask of a TAP device, on all the OSes which OpenVPN supports.  I've
> already coded templates for Linux and Windows, but I still need to know the
> appropriate ifconfig syntax for FreeBSD, OpenBSD, NetBSD, Solaris, and Mac OS
> X, with respect to setting the IP/netmask on a TAP device.
>
> So if you are using one of these OSes with OpenVPN + TAP adapter, please let
> us know what kind of ifconfig syntax you use in your --up script to set the
> adapter parameters.


Not sure if tap is available on OpenBSD (I have posted it previously to James).

Some googling led me to this thread
http://www.monkey.org/openbsd/archive/tech/0111/msg00098.html
and
find /sys -iname '*tap*' returns nothing

so I'm not sure the OpenBSD stock kernel has tap ...
If someone has more information (I will ask about it on misc@)


Regards

Julien





Re: [Openvpn-devel] New feature: --ifconfig for tap devices

2003-09-07 Thread Matthias Andree
On Sun, 07 Sep 2003, julien Touche wrote:

> not sure if tap is available on openbsd (have post it previously to james)

Makes me wonder if we can tunnel between Solaris/OpenBSD on one end and
Winbloze on the other end. Windows apparently only supports "tap" ethertap,
and Solaris and OpenBSD apparently only support "tun" IP tunnels.

> some googling drives me to this thread
> http://www.monkey.org/openbsd/archive/tech/0111/msg00098.html
> and
> find /sys -iname '*tap*' returns nothing
> 
> so i'm not sure openbsd stock-kernel has tap ...

I'd think it can be done. Tried loading a "tap" or "if_tap" module or
something? FreeBSD compiles tap as a module that isn't loaded by
default, you need to manually kldload it on FreeBSD.

-- 
Matthias Andree

Encrypt your mail: my GnuPG key ID is 0x052E7D95



Re: [Openvpn-devel] New feature: --ifconfig for tap devices

2003-09-07 Thread Steffen Schütz
Hola Julien,

On Sun, 07 Sep 2003 14:11:27 +0200
julien Touche wrote:

> 
> some googling drives me to this thread
> http://www.monkey.org/openbsd/archive/tech/0111/msg00098.html
> and
> find /sys -iname '*tap*' returns nothing
> 
> so i'm not sure openbsd stock-kernel has tap ...

Yep, OpenBSD has no tap-device support in the kernel.
Some days ago I was at the same point.

> if someone has more information (i will ask about it on misc@)

Someone has been porting the tap-device driver from FreeBSD
to OpenBSD. You can find more at http://diehard.n-r-g.com
Well, the port and patch you can find on this site are not complete
for an out-of-the-box start on OpenBSD 3.3-RELEASE.
The patch is dated November 2001, so you can expect that this won't
work on 3.3-RELEASE. So, you have to modify the files by hand.
What the patch doesn't show is that you have to modify /sys/conf/GENERIC
(and/or GENERIC_PART) - it needs the following line:

pseudo-device   tap 2 # number of tap device

Further, the file if_tap.c needs the function
tapkqfilter; it looks like the following:

int
tapkqfilter(dev_t dev, struct knote *kn)
{
	/* stub: always returns non-zero */
	return (1);
}


Without this function you'll get an error while compiling the new
kernel.
I had success building a kernel with tap-device on OpenBSD/i386 and
on OpenBSD/Sparc64 (both 3.3).
So far so good. On an Intel box using it with openvpn I crashed the
kernel. As yet no idea why and no time to get closer to the problem.
Well, on the Sparc64 it's working. Means no kernel crash ;-)
OK, I tried to get a tunnel working between a linux-intel-box and the
openbsd-sparc-box using openvpn 1.3.1. With a simple setup I only get
a "Peer Connection Initiated with ..." from openvpn on both after
pinging each side. That's all so far. As yet I wasn't able to see
the icmp-packets via tcpdump on both tap devices.
Maybe I don't see the trees in the wood.


Steffen
-- 
It's not the matter to break the wall with your head,
but to find the door with your eyes !