Topic: [ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm

[wr19026]

Thanks for teh suggestion. I tried it and this is the error message that I'm getting:

Starting openvpn: Tue Aug  7 15:12:31 2007 TUN/TAP device tap0 opened
Tue Aug  7 15:12:31 2007 Persist state set to: ON
device br0 already exists; can't create bridge with the same name
device br0 is a bridge device itself; can't enslave a bridge device to a bridge device.
device tap0 is already a member of a bridge; can't enslave it to bridge br0.

Shutting down IP masquerade and firewall rules:         Done!

Enabling IP masquerading: done
                                                           [FAILED]

On this machine I initally had installed the PPTP VPN capability, so I tried it on my other server as well. Here the result was:

Starting openvpn: Tue Aug  7 16:10:39 2007 TUN/TAP device tap0 opened
Tue Aug  7 16:10:39 2007 Persist state set to: ON

Shutting down IP masquerade and firewall rules:         Done!

Enabling IP masquerading: done
                                                           [FAILED]

Similar (?) problem it seems.

These are SME Server 7.2 machines (upgraded from 7.1.3) with the most recent version of the contrib installed. Both machines are in server only mode.

[gerd]

Hi,
in a previous e-mail you said:

DHCP server (which is not the SME server) assigns in teh range of 192.168.2.1 through 192.168.2.255, so I have set the start and end range for OpenVPN connections to 192.168.2.1.150 through 192.168.1.200

Even so I don't know your configuration, I would like to recommend to separate the DHCP address range fm the OVPN addresss range; say
DHCP: 192.168.2.2 to 192.168.2.200 and the OVPN range fm 192.168.2.201 to 192.168.2.254, with a DHCP server address at 192.168.2.1. The workstation to be connected to the SME server via OVPN must have a different address range fm 192.168.2.xxx, e.g. 192.168.7.25. If your workstation is conencted also to a DHCP server, then theDHCP address range must be different (192.168.5.2 - 192.168.5.168.

Do you want to bridge two SME servers or is your idea to connect a workstation (e.g. home office) to the SME server via OVPN?? I must confess I haven't quite understood your installation......

regards

gerd

[wr19026]

I have 2 different servers I need to be able to access from anywhere. SO it's a pure roadwarrior setup that I'm trying to achieve.

However, your response has helped me. What I did was set the IP ranges on both machines to be different from the range assigned by the DHCP server.

My modem (=DHCP server) assigns in the 192.168.2.x range. In order not to overlap I set the contrib to assign in the 192.168.2.1.x range. I'll change that range and will see what happens.

EDIT: made the change and now the daemon is running as expected. Silly me....

[gerd]

Don't worry...
Aside the daemon, is your OVPN now running as expected??

gerd

[wr19026]

Don't worry...
Aside the daemon, is your OVPN now running as expected??

gerd

Works like a charm, thanks for your help! In the future I may actually consider linking multiple sites this way

[gerd]

I remember well the problems I have faced when I started with OVPN about half a year ago, and I remember well the support granted by VIP-ire. So it is not more than normal to "redistribute" what has been "received".

gerd

[wr19026]

Now that I have it working there are 3 things that I have not yet figured out - and have not been able to Google either:

1. When the subnet I'm on is the same as for the machine I establish the VPN connection with (e.g. 10.0.0.x), this seems to create problems in Windows. While wanting to access the modem on the VPN network, it points me to the (same) modem on the local network as they have identical IP addresses (e.g. 10.0.0.1). Is this normal behaviour?

2. After establishing a VPN connection I can map a network drive to my Windows PC. I can also browse the contents on the network drive and delete files etc. When trying to upload files, even small ones (0.5MB) I get the error message "Cannot copy .... Network drive no longer available" although I can still see the drive. Is there anything I can do to prevent this?

3. I searched this forum but have not been able to locate a howto that explains how to set up the server to server OpenVPN. Does anyone have a link that can be used for this?

Thanks in advance!

[Daniel B.]

Now that I have it working there are 3 things that I have not yet figured out - and have not been able to Google either:

1. When the subnet I'm on is the same as for the machine I establish the VPN connection with (e.g. 10.0.0.x), this seems to create problems in Windows. While wanting to access the modem on the VPN network, it points me to the (same) modem on the local network as they have identical IP addresses (e.g. 10.0.0.1). Is this normal behaviour?

That's not a windows issue but a general network issue, there's no real solution, a routing table is a routing table.

2. After establishing a VPN connection I can map a network drive to my Windows PC. I can also browse the contents on the network drive and delete files etc. When trying to upload files, even small ones (0.5MB) I get the error message "Cannot copy .... Network drive no longer available" although I can still see the drive. Is there anything I can do to prevent this?

It's working for all my sites. It can be a link problem (ping too slow, or not enaugh bandwidth).

3. I searched this forum but have not been able to locate a howto that explains how to set up the server to server OpenVPN. Does anyone have a link that can be used for this?

This contrib is not designed for server to server connexions, but it can be done. Here's a how-to:
http://sme.firewall-services.com/spip.php?article25


Cheers, Daniel

[wr19026]

That's not a windows issue but a general network issue, there's no real solution, a routing table is a routing table.
It's working for all my sites. It can be a link problem (ping too slow, or not enaugh bandwidth).
This contrib is not designed for server to server connexions, but it can be done. Here's a how-to:
http://sme.firewall-services.com/spip.php?article25


Cheers, Daniel

Ok, I'll test the connection when I'm using a better connection. Of course thanks for the great contrib and excellent howto.

As to the connecting server-to-server, that'll be my next project

[Daniel B.]

I everyone. I'd like to have some testers for the next release of smeserver-openvpn-bridge. I'm using it on my server, but I'd like to be sure everything is OK on different configurations. If I don't have any bug report in one week, I'll announce it officially.
There won't be many new features (but one interesting one: possibility to download a zip archive with the needed files, cert, keys config file etc...). The biggest work on this release was to make it cleaner:

- everything is performed with signal-event (sign a new cert, revoke it, generate the dh params etc...)
- the daemon is supervised
- the bridge is permanent, not just created at openvpn startup and destroyed when it stops. This should correct the bug of dhcpd and another when you shut down your server and it complains about br0.

If you want to try:

Code: [Select]

wget http://sme.firewall-services.com/downloads/smeserver-openvpn/rpms-beta/smeserver-openvpn-bridge.fws-1.1-3.noarch.rpm
yum localinstall smeserver-openvpn-bridge.fws-1.1-3.noarch.rpm
/etc/init.d/openvpn stop

Then go to the panel in the server-manager, check the config, and click on the apply link.

I'd also like some people to test the newer openvpn (2.0.9) from dag repository:

Code: [Select]

db yum_repositories set dag repository BaseURL 'http://apt.sw.be/redhat/el4/en/$basearch/dag' EnableGroups no GPGCheck yes GPGKey http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt Name 'Dag - EL4' Visible no Exclude freetype,htop,iptraf,rsync,syslinux status disabled
expand-template /etc/yum.conf
yum --enablerepo=dag update openvpn

For me it's working, so it shouldn't be too risky.

[Franco]

Many Thanks 

I'm testing on a test server before I upgrade my own (smeserver-openvpn-bridge-fws-1.1-2).
So far so good, but I'm getting this error as I tried to shutdown the server (Will install a new ethernet interface and test it on Server-Gateway mode)

Code: [Select]

unregister_netdevice: waiting for br0 to become free. Usage count = -256

[Daniel B.]

Hi, and thanks for testing and reporting. I'm just correcting some little problem with the actual 1.1-3, I'll upload it again before announcing it.
For the error "unregister_netdevice: waiting for br0 to become free. Usage count = -256", I saw it on my test server but now I cannot reproduce it. I know this is a bridge related problem, but today, I'm testing it and the error doesn't occure.

[Franco]

I can give you access to my test system if you need stuntshell [ ] gmail.com, I also have msn, AIM,etc.. if needed.

[Daniel B.]

Hi.
I won't have time to access your server, and as this bug shutdown the connexion, I'll looz access when it'll be interesting.

I've just uploaded again the rpm and srpm, with some corrections. Maybe the bug you're talking about was because the service openvpn-bridge was started before the network, so it creates tap0 and try to enslave it in br0 while br0 haven't been created yet. This is corrected now and openvpn-bridge will be started after the network.

Anyway, I'd like to have some testers for this new rpm. And try to change ssh access, add and remove virtual domains and hostnames to be sure it won't break dhcpd. Of course, repport any positive or negative experience.

Cheers, Daniel

[Franco]

Anyway, I'd like to have some testers for this new rpm. And try to change ssh access, add and remove virtual domains and hostnames to be sure it won't break dhcpd. Of course, repport any positive or negative experience.

It does not break DHCP anymore, but the problem:

Code: [Select]

br0: port2(tap0) entering disabled state
unregister_netdevice: waiting for br0 to become free. Usage count = -2remains.

I tested this new RPM in two ways: updating (removing the old, installing the new one). I installed a fresh new system and installed the contrib. Same problem.

Thanks,