Why don't you simply set up a bridged OpenVPN tunnel between the two sites?

Tom

OK, I built a new firewall so that both sides would be the latest and greatest.
Now I have been studying how to fire up tap and br0 between a few scripts
I have installed. I can get the devices up, and I am assuming I am creating
a brouter here, and thinking otherwise you have no LAN interface if you are
not using a brouter. For example, a non-brouter two-interface firewall would be
as follows:

eth0 wan, br0 lan

whereas a brouter is:

eth0 wan, eth1 lan, br0 bridged to both

I could be way off track here with the explanation of my understanding; tell
me if so.

Here is what I have:
All I have built so far is one server, to try to get one up first, and it will be
the server.
The client will follow.
I think I am close here, with a few troubles, if someone could please take a look.

#####
openvpn.conf

server-bridge 10.194.79.191 255.255.255.0 10.194.79.200 10.194.79.202

client-to-client

port 1194
# NOTE: 'remote' is a client-side option; combined with server-bridge the daemon
# refuses to start ("--remote cannot be used with --mode server" in the log below).
remote 66.224.100.194 1194

verb 5
mute 0

ca /etc/openvpn/keys/honda/ca.crt
# NOTE: 'cert' and 'key' point at the CA's own certificate and private key. The
# server needs its own certificate and key signed by that CA; the CA private key
# should not be kept on the VPN server at all.
cert /etc/openvpn/keys/honda/ca.crt
key /etc/openvpn/keys/honda/ca.key

# Relative path: resolved against the daemon's working directory unless 'cd' is set.
dh dh1024.pem

proto udp

dev tap0

user nobody

group nogroup

keepalive 10 120

# Relative paths again: this is the "No such file or directory" error in the log below.
status servers/honda/logs/openvpn-status.log

log-append servers/honda/logs/openvpn.log

comp-lzo

persist-key
persist-tun
push "route 10.194.79.0 255.255.255.0"
#
# These options will work on the server install
# OFF for now
#push "dhcp-option DNS 10.3.85.15"
#push "dhcp-option WINS 10.3.85.15"
### end conf

############ /etc/init.d/openvpn_bridge

# My init script has troubles; I think I had to edit it quite a bit.

#  Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged
tap="tap0"

# Define a list of physical ethernet interfaces to be bridged
# with TAP interface(s) above.
#
eth="eth0"
eth_ip="10.194.79.191"
eth_netmask="255.255.255.0"
eth_broadcast="10.194.79.255"

# Path to the system networking script
# For Debian
#NETWORK="/etc/init.d/networking"
# For SuSE
NETWORK="/etc/init.d/network"

# Path to the openvpn start/stop script
OPENVPN_INIT="/etc/init.d/openvpn"

# Path to the openvpn binary
OPENVPN="/usr/sbin/openvpn"

# Path to the brctl binary
BRCTL="/sbin/brctl"

# Path to the ifconfig binary
IFCONFIG="/sbin/ifconfig"

# Path to the route binary
ROUTE="/sbin/route"

do_start(){

for i in $tap; do
$OPENVPN --mktun --dev $i
done

$BRCTL addbr $br

for i in $eth; do
$BRCTL addif $br $i
done

for i in $tap; do
$BRCTL addif $br $i
done

for i in $eth; do
$IFCONFIG $i 0.0.0.0 promisc up
done

for i in $tap; do
$IFCONFIG $i 0.0.0.0 promisc up
done

$IFCONFIG $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

# NOTE: default_gw is never assigned anywhere in this script, so this runs
# 'route add default gw' with an empty gateway; that is the inet_route usage
# message printed in the shell output below.
$ROUTE add default gw $default_gw

$OPENVPN_INIT start

}

do_stop(){

$IFCONFIG $br down
$BRCTL delbr $br

# NOTE: --rmtun removes tap0 before 'ifconfig tap0 down' tries to use it, which
# is the "tap0: unknown interface: No such device" line in the stop output below.
# The network force-reload also runs once per TAP interface rather than once.
for i in $tap; do
$OPENVPN --rmtun --dev $i
$IFCONFIG $i down
$NETWORK force-reload
done

$OPENVPN_INIT stop

}

case "$1" in

start)
        do_start
;;
stop)
        do_stop
;;
restart)
        do_stop
        sleep 1
        do_start
;;
*)
echo "usage: $0 start|stop|restart" >&2
exit 3
;;
esac
exit 0

### end init

##### /var/log/messages after /etc/init.d/openvpn_bridge start

Jun 11 13:35:29 linux-rwu0 kernel: eth1: no IPv6 routers present
Jun 11 13:35:31 linux-rwu0 kernel: br0: Dropping NETIF_F_UFO since no NETIF_F_HW_CSUM feature.
Jun 11 13:35:31 linux-rwu0 kernel: device tap0 entered promiscuous mode
Jun 11 13:35:31 linux-rwu0 kernel: r8169: eth0: link up
Jun 11 13:35:31 linux-rwu0 kernel: br0: port 2(tap0) entering learning state
Jun 11 13:35:31 linux-rwu0 kernel: br0: port 1(eth0) entering learning state
Jun 11 13:35:31 linux-rwu0 avahi-daemon[3060]: Joining mDNS multicast group on interface br0.IPv4 with address 10.194.79.191.
Jun 11 13:35:31 linux-rwu0 avahi-daemon[3060]: New relevant interface br0.IPv4 for mDNS.
Jun 11 13:35:31 linux-rwu0 avahi-daemon[3060]: Registering new address record for 10.194.79.191 on br0.IPv4.
Jun 11 13:35:31 linux-rwu0 avahi-daemon[3060]: Withdrawing address record for 10.194.79.191 on br0.
Jun 11 13:35:31 linux-rwu0 avahi-daemon[3060]: Leaving mDNS multicast group on interface br0.IPv4 with address 10.194.79.191.
Jun 11 13:35:31 linux-rwu0 avahi-daemon[3060]: Interface br0.IPv4 no longer relevant for mDNS.
Jun 11 13:35:31 linux-rwu0 avahi-daemon[3060]: Joining mDNS multicast group on interface br0.IPv4 with address 10.194.79.191.
Jun 11 13:35:31 linux-rwu0 avahi-daemon[3060]: New relevant interface br0.IPv4 for mDNS.
Jun 11 13:35:31 linux-rwu0 avahi-daemon[3060]: Registering new address record for 10.194.79.191 on br0.IPv4.
Jun 11 13:35:31 linux-rwu0 openvpn[23762]: Warning: Error redirecting stdout/stderr to --log file: servers/honda/logs/openvpn.log: No such file or directory (errno=2)
Jun 11 13:35:31 linux-rwu0 openvpn[23762]: Options error: --remote cannot be used with --mode server
Jun 11 13:35:31 linux-rwu0 openvpn[23762]: Use --help for more information.
Jun 11 13:35:32 linux-rwu0 avahi-daemon[3060]: Registering new address record for fe80::214:d1ff:fe13:4311 on br0.*.
Jun 11 13:35:33 linux-rwu0 avahi-daemon[3060]: Registering new address record for fe80::214:d1ff:fe13:4311 on eth0.*.
Jun 11 13:35:33 linux-rwu0 avahi-daemon[3060]: Registering new address record for fe80::ec29:29ff:fea9:6d16 on tap0.*.
Jun 11 13:35:35 linux-rwu0 nm-system-settings: Adding default connection 'Auto tap0' for /org/freedesktop/Hal/devices/net_ee_29_29_a9_6d_16

This is the shell output after starting the init script.
It's complaining about inet_route; not sure if I need a LAN gateway in
openvpn.conf??
##############
linux-rwu0:/ # /etc/init.d/openvpn_bridge start
Thu Jun 11 13:45:36 2009 TUN/TAP device tap0 opened
Thu Jun 11 13:45:36 2009 Persist state set to: ON
Usage: inet_route [-vF] del {-host|-net} Target[/prefix] [gw Gw] [metric M] [[dev] If]
       inet_route [-vF] add {-host|-net} Target[/prefix] [gw Gw] [metric M]
                              [netmask N] [mss Mss] [window W] [irtt I]
                              [mod] [dyn] [reinstate] [[dev] If]
       inet_route [-vF] add {-host|-net} Target[/prefix] [metric M] reject
       inet_route [-FC] flush      NOT supported
Starting OpenVPN

############################

ifconfig after init start

br0       Link encap:Ethernet  HWaddr 00:14:D1:13:43:11  
          inet addr:10.194.79.191  Bcast:10.194.79.255  Mask:255.255.255.0
          inet6 addr: fe80::214:d1ff:fe13:4311/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:83 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:6188 (6.0 Kb)  TX bytes:0 (0.0 b)

eth0      Link encap:Ethernet  HWaddr 00:14:D1:13:43:11  
          inet6 addr: fe80::214:d1ff:fe13:4311/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:3851 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1433 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:442124 (431.7 Kb)  TX bytes:172003 (167.9 Kb)
          Interrupt:20 Base address:0xe000 

eth1      Link encap:Ethernet  HWaddr 00:16:17:7E:FE:D1  
          inet addr:10.194.79.191  Bcast:10.194.79.255  Mask:255.255.255.0
          inet6 addr: fe80::216:17ff:fe7e:fed1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6806 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3956 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1004116 (980.5 Kb)  TX bytes:1171570 (1.1 Mb)
          Interrupt:23 Base address:0xc000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:580 (580.0 b)  TX bytes:580 (580.0 b)

tap0      Link encap:Ethernet  HWaddr EE:29:29:A9:6D:16  
          inet6 addr: fe80::ec29:29ff:fea9:6d16/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:18 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

linux-rwu0:/ # /etc/init.d/openvpn_bridge stop

######################################
Thu Jun 11 13:43:49 2009 TUN/TAP device tap0 opened
Thu Jun 11 13:43:49 2009 Persist state set to: OFF
tap0: unknown interface: No such device
Shutting down network interfaces:
    eth0      device: Realtek Semiconductor Co., Ltd. RTL-8169 Gigabit Ethernet (rev 10)      done
    eth1      device: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)          done
Shutting down service network . . . . . . . . .                                               done
Hint: you may set mandatory devices in /etc/sysconfig/network/config
Setting up network interfaces:
    eth0      device: Realtek Semiconductor Co., Ltd. RTL-8169 Gigabit Ethernet (rev 10)
    eth0      Startmode is 'manual'                                                           skipped
    eth1      device: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)
    eth1      IP address: 10.194.79.191/24                                                    done
Setting up service network . . . . . . . . . .                                                done
Shutting down OpenVPN

Think I am close???

Thanks 
Mike
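One way to catch the option conflicts the log above reports before the daemon is ever started: a small config lint, added here as an example and not part of the original post or of OpenVPN itself. It assumes POSIX sh with sed, awk and mktemp; the sample config it checks is constructed to repeat the mistakes in the posted openvpn.conf.

```shell
# Added example (not from the original post): lint an OpenVPN server-bridge
# config for the mistakes reported in the log above.
# Assumes POSIX sh with sed, awk and mktemp; the sample config is constructed.

# Print the first value of directive $2 in config file $1 (comments stripped).
conf_val() {
    sed -e 's/#.*//' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# Print one finding per line; the return value is the number of findings.
check_openvpn_conf() {
    f="$1"; n=0
    # 'server'/'server-bridge' puts the daemon in server mode; 'remote' is client-only.
    if [ -n "$(conf_val "$f" server-bridge)$(conf_val "$f" server)" ] \
       && [ -n "$(conf_val "$f" remote)" ]; then
        echo "remote: not allowed in server mode (--remote cannot be used with --mode server)"
        n=$((n + 1))
    fi
    # The server must present its own certificate, not the CA certificate.
    if [ -n "$(conf_val "$f" ca)" ] && [ "$(conf_val "$f" ca)" = "$(conf_val "$f" cert)" ]; then
        echo "cert: points at the CA certificate; use the server's own certificate"
        n=$((n + 1))
    fi
    # Relative file paths resolve against the daemon's cwd unless 'cd' is set.
    if [ -z "$(conf_val "$f" cd)" ]; then
        for d in dh status log log-append; do
            p=$(conf_val "$f" "$d")
            case "$p" in
                ""|/*) ;;
                *) echo "$d: relative path '$p' (give an absolute path or set 'cd')"; n=$((n + 1)) ;;
            esac
        done
    fi
    return $n
}

# Constructed config with the same mistakes as the posted one; prints its path.
sample_conf_bad() {
    t=$(mktemp)
    cat >"$t" <<'EOF'
server-bridge 10.194.79.191 255.255.255.0 10.194.79.200 10.194.79.202
remote 66.224.100.194 1194
ca /etc/openvpn/keys/honda/ca.crt
cert /etc/openvpn/keys/honda/ca.crt
key /etc/openvpn/keys/honda/ca.key
dh dh1024.pem
status servers/honda/logs/openvpn-status.log
log-append servers/honda/logs/openvpn.log
dev tap0
EOF
    echo "$t"
}
```

Run it as `f=$(sample_conf_bad); check_openvpn_conf "$f"`; on the constructed config it reports five findings, and a config that passes with zero findings still needs a defined default gateway in the bridge script before the tunnel is useful.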
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users