[Openvpn-devel] New feature: --ifconfig for tap devices
One of the nice things about the --ifconfig option is that it lets you set TUN adapter endpoint addresses (i.e. the virtual IP addresses for each end of the tunnel) in a platform independent manner -- OpenVPN then translates the --ifconfig option to the appropriate ifconfig command for your platform.

Up until now, the --ifconfig option has only worked for TUN adapters, but with the increasing use of TAP adapters for ethernet bridging, and the fact that the new Windows port only supports a TAP adapter, I've decided to extend --ifconfig so that it works for TAP devices as well (this feature will be included in 1.5-beta8).

--ifconfig is really a convenience function -- you can call ifconfig yourself in an --up script, but letting OpenVPN run the ifconfig command for you makes the configuration simpler and more portable.

The new --ifconfig will still work as always with --dev tun. However if --dev tap is specified, then the --ifconfig option will be interpreted as

    --ifconfig ip-addr netmask

What I need right now in order to make the TAP version of --ifconfig work correctly, is the correct ifconfig command syntax for setting the IP address and netmask of a TAP device, on all the OSes which OpenVPN supports. I've already coded templates for Linux and Windows, but I still need to know the appropriate ifconfig syntax for FreeBSD, OpenBSD, NetBSD, Solaris, and Mac OS X, with respect to setting the IP/netmask on a TAP device.

So if you are using one of these OSes with OpenVPN + TAP adapter, please let us know what kind of ifconfig syntax you use in your --up script to set the adapter parameters.

James

Re: [Openvpn-devel] New feature: --ifconfig for tap devices
On Wed, 03 Sep 2003, James Yonan wrote:

> One of the nice things about the --ifconfig option is that it lets you set TUN
> adapter endpoint addresses (i.e. the virtual IP addresses for each end of the
> tunnel) in a platform independent manner -- OpenVPN then translates the
> --ifconfig option to the appropriate ifconfig command for your platform.
>
> What I need right now in order to make the TAP version of --ifconfig work
> correctly, is the correct ifconfig command syntax for setting the IP address
> and netmask of a TAP device, on all the OSes which OpenVPN supports. I've
> already coded templates for Linux and Windows, but I still need to know the
> appropriate ifconfig syntax for FreeBSD, OpenBSD, NetBSD, Solaris, and Mac OS
> X, with respect to setting the IP/netmask on a TAP device.

## FreeBSD 4.9-PRERELEASE:

    ifconfig tap0 inet 10.11.12.42 netmask 255.0.0.0 up

(inet appears to be optional, so the Linux syntax, "ifconfig tap0 10.11.12.42 netmask 255.0.0.0 up", should also work. Untested on FreeBSD 5.x.)

## Solaris:

Does Solaris support "tap"-style ethernet frame tunneling devices at all? How? Anyone got that to work? The tun-1.1 driver only installs a "tun" driver and doesn't claim ethernet bridging on Solaris.

    ./openvpn --secret /home/ma/openvpn-tap-discardme.key --dev tap0 \
        [remote info]
    4: Can't open /dev/tap: No such file or directory (errno=2)

Trying --dev-node /dev/tun and --dev-type tap results in:

    4: Can't set multiplexor id: No such device or address (errno=6)

Did I miss anything?

-- 
Matthias Andree

Encrypt your mail: my GnuPG key ID is 0x052E7D95

Re: [Openvpn-devel] New feature: --ifconfig for tap devices
> > What I need right now in order to make the TAP version of --ifconfig work
> > correctly, is the correct ifconfig command syntax for setting the IP address
> > and netmask of a TAP device, on all the OSes which OpenVPN supports. I've
> > already coded templates for Linux and Windows, but I still need to know the
> > appropriate ifconfig syntax for FreeBSD, OpenBSD, NetBSD, Solaris, and Mac
> > OS X, with respect to setting the IP/netmask on a TAP device.
>
> ## FreeBSD 4.9-PRERELEASE:
>
>     ifconfig tap0 inet 10.11.12.42 netmask 255.0.0.0 up
>
> (inet appears to be optional, so the Linux syntax, "ifconfig tap0
> 10.11.12.42 netmask 255.0.0.0 up", should also work.

The above works for OpenBSD too, but do mind that OpenBSD usually doesn't come with tap drivers. I'm re-porting an older port from FreeBSD to current Open, and on my box the above works the same way as in Free.

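The translation this thread is collecting syntax for can be sketched as a shell helper for an --up script. This is an added example, not part of any post in the thread and not OpenVPN's own code: the function names are hypothetical, and it emits only the Linux and FreeBSD/OpenBSD forms reported above, refusing every other OS. It also validates the device name, address and netmask before they are placed on an ifconfig command line.

```sh
#!/bin/sh
# Added example; function names are hypothetical. Only syntaxes reported in
# this thread (Linux, FreeBSD, OpenBSD with a ported tap driver) are emitted.

# Succeed only for a dotted quad: four decimal octets 0..255, no leading zeros.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Succeed only for a netmask whose one-bits are contiguous from the top.
valid_netmask() {
    valid_ipv4 "$1" || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    inv=$(( ~(($1 << 24) | ($2 << 16) | ($3 << 8) | $4) & 4294967295 ))
    [ $(( inv & (inv + 1) )) -eq 0 ]
}

# tap_ifconfig_cmd OS DEV IP NETMASK
# Print the ifconfig command line for a TAP device; OS is `uname -s` output.
# Returns 1 on a rejected argument, 2 when the thread reports no syntax.
tap_ifconfig_cmd() {
    os=$1 dev=$2 ip=$3 mask=$4
    # The device name ends up on a command line: allow tapN only.
    case "$dev" in
        tap[0-9]*) case "${dev#tap}" in *[!0-9]*) return 1 ;; esac ;;
        *) return 1 ;;
    esac
    valid_ipv4 "$ip" || return 1
    valid_netmask "$mask" || return 1
    case "$os" in
        Linux)           echo "ifconfig $dev $ip netmask $mask up" ;;
        FreeBSD|OpenBSD) echo "ifconfig $dev inet $ip netmask $mask up" ;;
        *) echo "no TAP ifconfig syntax reported for $os" >&2; return 2 ;;
    esac
}
```
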
Re: [Openvpn-devel] New feature: --ifconfig for tap devices
James Yonan wrote:

> What I need right now in order to make the TAP version of --ifconfig work
> correctly, is the correct ifconfig command syntax for setting the IP address
> and netmask of a TAP device, on all the OSes which OpenVPN supports. I've
> already coded templates for Linux and Windows, but I still need to know the
> appropriate ifconfig syntax for FreeBSD, OpenBSD, NetBSD, Solaris, and Mac OS
> X, with respect to setting the IP/netmask on a TAP device.
>
> So if you are using one of these OSes with OpenVPN + TAP adapter, please let
> us know what kind of ifconfig syntax you use in your --up script to set the
> adapter parameters.

not sure if tap is available on openbsd (have post it previously to james)

some googling drives me to this thread
http://www.monkey.org/openbsd/archive/tech/0111/msg00098.html
and

    find /sys -iname '*tap*'

returns nothing

so i'm not sure openbsd stock-kernel has tap ...

if someone has more information (i will ask about it on misc@)

Regards

Julien

Re: [Openvpn-devel] New feature: --ifconfig for tap devices
On Sun, 07 Sep 2003, julien Touche wrote:

> not sure if tap is available on openbsd (have post it previously to james)

Makes me wonder if we can tunnel between Solaris/OpenBSD on one end and Winbloze on the other end. Windows apparently only supports "tap" ethertap, and Solaris and OpenBSD apparently only support "tun" IP tunnels.

> some googling drives me to this thread
> http://www.monkey.org/openbsd/archive/tech/0111/msg00098.html
> and
> find /sys -iname '*tap*' returns nothing
>
> so i'm not sure openbsd stock-kernel has tap ...

I'd think it can be done. Tried loading a "tap" or "if_tap" module or something? FreeBSD compiles tap as a module that isn't loaded by default, you need to manually kldload it on FreeBSD.

-- 
Matthias Andree

Encrypt your mail: my GnuPG key ID is 0x052E7D95

Re: [Openvpn-devel] New feature: --ifconfig for tap devices
Hola Julien,

On Sun, 07 Sep 2003 14:11:27 +0200 julien Touche wrote:

>
> some googling drives me to this thread
> http://www.monkey.org/openbsd/archive/tech/0111/msg00098.html
> and
> find /sys -iname '*tap*' returns nothing
>
> so i'm not sure openbsd stock-kernel has tap ...

Yep, OpenBSD has no tap-device support in the kernel. Some days ago I was at the same point.

> if someone has more information (i will ask about it on misc@)

Someone has been porting the tap-device driver from FreeBSD to OpenBSD. You can find more at http://diehard.n-r-g.com

Well, the port and patch you can find on this site are not complete for an out of the box start on OpenBSD 3.3-RELEASE. The patch is dated at November 2001, so you can expect that this won't work on 3.3-RELEASE. So, you've to modify the files by hand.

What the patch doesn't show, is that you've to modify /sys/conf/GENERIC ( and/or GENERIC_PART ) - it needs the following line:

    pseudo-device   tap     2       # number of tap device

Further the file if_tap.c needs the function tapkqfilter; it looks like the following:

    int
    tapkqfilter(dev_t dev, struct knote *kn)
    {
            return (1);
    }

Without this function you'll get an error while compiling the new kernel.

I had success on building a kernel with tap-device on OpenBSD/i386 and on OpenBSD/Sparc64 ( both 3.3 ). So far so good.

On an intel-box using it with openvpn I crashed the kernel. Until yet no idea why and no time to get closer to the problem. Well on the Sparc64 it's working. Means no kernel crash ;-)

Ok, I tried to get a tunnel working between a linux-intel-box and the openbsd-sparc-box using openvpn 1.3.1. With a simple setup I only get a "Peer Connection Initiated with ..." from openvpn on both after pinging each side. That's all so far. Until yet I wasn't able to see the icmp-packets via tcpdump on both tap devices. Maybe I don't see the trees in the wood.

Steffen

-- 
It's not the matter to break the wall with your head, but to find the door with your eyes !