Tap interface - 10.6.x

I need to create a few tap interfaces; previously I used an open source product called TunTap (http://tuntaposx.sourceforge.net/). This doesn't appear to work on 10.6. I've removed Cisco VPN and VMware as part of the troubleshooting process, without luck.
Is there a built-in method to create tap interfaces on OS X 10.6 now? Are you aware of any product which will?
thanks,
greg

More appropriate for the server forums under Server Products.

Similar Messages

  • TUN/TAP interfaces, QEMU and Internet

    Hi.
    (The host is running Arch Linux)
    I installed Debian on a QEMU virtual machine (samba4 - active directory domain controller) and Windows 7 on a second QEMU virtual machine. I want the guests (Win7 && Debian) to be able to connect to each other, to connect from the host to the guests, and to have Internet access on the guests. Internet on the host comes through wlan0:
    inet 192.168.1.3 netmask 255.255.255.0 broadcast 192.168.1.255
    I created tap interfaces for the guests:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ip tuntap add dev tap0 mode tap user kelloco2 group kvm
    ip tuntap add dev tap1 mode tap user kelloco2 group kvm
    brctl addbr br0
    brctl addif br0 tap0
    brctl addif br0 tap1
    ifconfig br0 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255
    iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i br0 -o wlan0 -j ACCEPT
    iptables -t nat -A PREROUTING -i wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
    ifconfig tap0 up
    ifconfig tap1 up
    And everything works except the Internet (guests can't connect to the Internet). I entered the OpenDNS addresses.
    What could be wrong?
    Of course I run the machine by adding
    -net nic,macaddr=52:52:52:ac:3f:65 -net tap,ifname="tap1",script=no,downscript=no
    Regards K. Sorry for language errors.
    Last edited by kelloco2 (2013-10-19 15:25:24)
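As an added example (not from the post or from any tool it mentions), the following Python audit parses a ruleset in iptables-save syntax and checks the pieces a TAP/bridge NAT gateway needs: a default-deny FORWARD policy, the LAN-to-WAN accept rule, the RELATED,ESTABLISHED return rule, and source NAT on the uplink. It also flags nat-table rules that can never match, because the nat table is consulted only for the first packet of a connection. Both sample rulesets are constructed: the first renders the commands from the post above in iptables-save form, the second is a tightened version of the same gateway; the interface names br0 and wlan0 come from the post.

```python
"""Audit an iptables-save style ruleset for a TAP/bridge NAT gateway.

Added example (not from the post). Sample rulesets below are constructed.
"""

# Constructed: the post's commands rendered in iptables-save syntax
POSTED_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o wlan0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
"""

# Constructed: same gateway with default-deny FORWARD and the no-op nat rule removed
HARDENED_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o wlan0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.2.0/24 -o wlan0 -j MASQUERADE
COMMIT
"""


def parse_ruleset(text):
    """Return {table: {"policies": {chain: policy}, "rules": [[tokens], ...]}}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # table header, e.g. *filter
            current = line[1:]
            tables[current] = {"policies": {}, "rules": []}
        elif line.startswith(":"):                    # chain policy, e.g. :FORWARD DROP [0:0]
            chain, policy = line[1:].split()[:2]
            tables[current]["policies"][chain] = policy
        elif line.startswith("-A "):                  # appended rule
            tables[current]["rules"].append(line.split())
        # COMMIT lines carry nothing we need
    return tables


def _has_rule(rules, chain, *fragments):
    """True if some rule in `chain` contains every fragment as a substring."""
    for tokens in rules:
        if tokens[1] != chain:
            continue
        text = " ".join(tokens)
        if all(f in text for f in fragments):
            return True
    return False


def audit_nat_gateway(text, lan_if, wan_if):
    """Return a list of findings; an empty list means the ruleset looks sound."""
    tables = parse_ruleset(text)
    empty = {"policies": {}, "rules": []}
    flt, nat = tables.get("filter", empty), tables.get("nat", empty)
    findings = []

    if flt["policies"].get("FORWARD") != "DROP":
        findings.append("FORWARD policy is not DROP: any interface the host "
                        "bridges or routes can reach any other")
    if not _has_rule(flt["rules"], "FORWARD", "-i " + lan_if, "-o " + wan_if, "-j ACCEPT"):
        findings.append("no FORWARD rule allowing %s -> %s" % (lan_if, wan_if))
    if not _has_rule(flt["rules"], "FORWARD", "ESTABLISHED", "-j ACCEPT"):
        findings.append("no FORWARD rule admitting RELATED,ESTABLISHED replies")
    if not (_has_rule(nat["rules"], "POSTROUTING", "-o " + wan_if, "MASQUERADE")
            or _has_rule(nat["rules"], "POSTROUTING", "-o " + wan_if, "SNAT")):
        findings.append("no source NAT on %s" % wan_if)
    # The nat table is consulted only for the first packet of a connection,
    # so a nat rule that matches RELATED or ESTABLISHED can never fire.
    for tokens in nat["rules"]:
        text = " ".join(tokens)
        if "ESTABLISHED" in text or "RELATED" in text:
            findings.append("nat rule can never match (nat sees only the first "
                            "packet of a connection): " + text)
    return findings


if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULESET), ("hardened", HARDENED_RULESET)):
        print(label + ":")
        for finding in audit_nat_gateway(rules, "br0", "wlan0") or ["no findings"]:
            print("  - " + finding)
```

Feed it the output of `iptables-save` from the host. On the posted rules it reports only the ACCEPT FORWARD policy and the nat PREROUTING rule; neither stops guest traffic, so the ruleset itself is not what blocks Internet access, and the audit cannot see guest-side settings such as the guests' default route.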

    well, let's see,
    I use libvirt but it's just a wrapper so it cannot be that different
    <interface type='bridge'>
    <mac address='52:54:00:64:2f:b1'/>
    <source bridge='br0'/>
    <model type='virtio'/>
    <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    br0 is my bridge connection on the host
    I do not see anywhere to point a vnetlan that is in that bridge, but
    brctl show
    bridge name bridge id STP enabled interfaces
    br0 0080.fe5400642fb1 yes vnet0
    vnet0 is the actual vnetlan that is used by my guest OS
    To clarify: there is no tap0/tap1 equivalent

  • Openvpn can't connect to network

    Hi all, I'm glad to come here; it may be more active, so I post here. I use Archbang X86_64, up to date.
    I want to use openvpn to connect to some sites blocked by the government, but when I use openvpn, it can't connect to any web site. This is my client.conf:
    client
    remote 63.223.126.189 1194
    redirect-gateway def1
    dev tun
    proto udp
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    verb 3
    ca ~/.openvpn/ca.crt
    cert ~/.openvpn/client.crt
    key ~/.openvpn/client.key
    comp-lzo
    The server is CentOS 6.2 32-bit; server.conf:
    # Sample OpenVPN 2.0 config file for #
    # multi-client server. #
    # This file is for the server side #
    # of a many-clients <-> one-server #
    # OpenVPN configuration. #
    # OpenVPN also supports #
    # single-machine <-> single-machine #
    # configurations (See the Examples page #
    # on the web site for more info). #
    # This config should work on Windows #
    # or Linux/BSD systems. Remember on #
    # Windows to quote pathnames and use #
    # double backslashes, e.g.: #
    # "C:\\Program Files\\OpenVPN\\config\\foo.key" #
    # Comments are preceded with '#' or ';' #
    # Which local IP address should OpenVPN
    # listen on? (optional)
    local x.x.x.x(my server ip)
    # Which TCP/UDP port should OpenVPN listen on?
    # If you want to run multiple OpenVPN instances
    # on the same machine, use a different port
    # number for each one. You will need to
    # open up this port on your firewall.
    port 1194
    # TCP or UDP server?
    ;proto tcp
    proto udp
    # "dev tun" will create a routed IP tunnel,
    # "dev tap" will create an ethernet tunnel.
    # Use "dev tap0" if you are ethernet bridging
    # and have precreated a tap0 virtual interface
    # and bridged it with your ethernet interface.
    # If you want to control access policies
    # over the VPN, you must create firewall
    # rules for the the TUN/TAP interface.
    # On non-Windows systems, you can give
    # an explicit unit number, such as tun0.
    # On Windows, use "dev-node" for this.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    ;dev tap
    dev tun
    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel if you
    # have more than one. On XP SP2 or higher,
    # you may need to selectively disable the
    # Windows firewall for the TAP adapter.
    # Non-Windows systems usually don't need this.
    ;dev-node MyTap
    # SSL/TLS root certificate (ca), certificate
    # (cert), and private key (key). Each client
    # and the server must have their own cert and
    # key file. The server and all clients will
    # use the same ca file.
    # See the "easy-rsa" directory for a series
    # of scripts for generating RSA certificates
    # and private keys. Remember to use
    # a unique Common Name for the server
    # and each of the client certificates.
    # Any X509 key management system can be used.
    # OpenVPN can also use a PKCS #12 formatted key file
    # (see "pkcs12" directive in man page).
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
    # Diffie hellman parameters.
    # Generate your own with:
    # openssl dhparam -out dh1024.pem 1024
    # Substitute 2048 for 1024 if you are using
    # 2048 bit keys.
    dh /etc/openvpn/easy-rsa/keys/dh1024.pem
    # Configure server mode and supply a VPN subnet
    # for OpenVPN to draw client addresses from.
    # The server will take 10.8.0.1 for itself,
    # the rest will be made available to clients.
    # Each client will be able to reach the server
    # on 10.8.0.1. Comment this line out if you are
    # ethernet bridging. See the man page for more info.
    server 10.8.0.0 255.255.255.0
    #server 192.168.1.0 255.255.255.0
    # Maintain a record of client <-> virtual IP address
    # associations in this file. If OpenVPN goes down or
    # is restarted, reconnecting clients can be assigned
    # the same virtual IP address from the pool that was
    # previously assigned.
    ifconfig-pool-persist ipp.txt
    # Configure server mode for ethernet bridging.
    # You must first use your OS's bridging capability
    # to bridge the TAP interface with the ethernet
    # NIC interface. Then you must manually set the
    # IP/netmask on the bridge interface, here we
    # assume 10.8.0.4/255.255.255.0. Finally we
    # must set aside an IP range in this subnet
    # (start=10.8.0.50 end=10.8.0.100) to allocate
    # to connecting clients. Leave this line commented
    # out unless you are ethernet bridging.
    ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
    # Configure server mode for ethernet bridging
    # using a DHCP-proxy, where clients talk
    # to the OpenVPN server-side DHCP server
    # to receive their IP address allocation
    # and DNS server addresses. You must first use
    # your OS's bridging capability to bridge the TAP
    # interface with the ethernet NIC interface.
    # Note: this mode only works on clients (such as
    # Windows), where the client-side TAP adapter is
    # bound to a DHCP client.
    ;server-bridge
    # Push routes to the client to allow it
    # to reach other private subnets behind
    # the server. Remember that these
    # private subnets will also need
    # to know to route the OpenVPN client
    # address pool (10.8.0.0/255.255.255.0)
    # back to the OpenVPN server.
    ;push "route 10.8.0.1 255.255.255.0"
    ;push "route 192.168.20.0 255.255.255.0"
    #push "route add dev ppp0 alayii.com"
    #push "route del default dev ppp0"
    #push "route add default dev tun0"
    # To assign specific IP addresses to specific
    # clients or if a connecting client has a private
    # subnet behind it that should also have VPN access,
    # use the subdirectory "ccd" for client-specific
    # configuration files (see man page for more info).
    # EXAMPLE: Suppose the client
    # having the certificate common name "Thelonious"
    # also has a small subnet behind his connecting
    # machine, such as 192.168.40.128/255.255.255.248.
    # First, uncomment out these lines:
    ;client-config-dir ccd
    ;route 192.168.40.128 255.255.255.248
    # Then create a file ccd/Thelonious with this line:
    # iroute 192.168.40.128 255.255.255.248
    # This will allow Thelonious' private subnet to
    # access the VPN. This example will only work
    # if you are routing, not bridging, i.e. you are
    # using "dev tun" and "server" directives.
    # EXAMPLE: Suppose you want to give
    # Thelonious a fixed VPN IP address of 10.9.0.1.
    # First uncomment out these lines:
    ;client-config-dir ccd
    ;route 10.9.0.0 255.255.255.252
    # Then add this line to ccd/Thelonious:
    # ifconfig-push 10.9.0.1 10.9.0.2
    # Suppose that you want to enable different
    # firewall access policies for different groups
    # of clients. There are two methods:
    # (1) Run multiple OpenVPN daemons, one for each
    # group, and firewall the TUN/TAP interface
    # for each group/daemon appropriately.
    # (2) (Advanced) Create a script to dynamically
    # modify the firewall in response to access
    # from different clients. See man
    # page for more info on learn-address script.
    ;learn-address ./script
    # If enabled, this directive will configure
    # all clients to redirect their default
    # network gateway through the VPN, causing
    # all IP traffic such as web browsing and
    # and DNS lookups to go through the VPN
    # (The OpenVPN server machine may need to NAT
    # or bridge the TUN/TAP interface to the internet
    # in order for this to work properly).
    ;push "redirect-gateway def1 bypass-dhcp"
    push "redirect-gateway def1"
    # Certain Windows-specific network settings
    # can be pushed to clients, such as DNS
    # or WINS server addresses. CAVEAT:
    # http://openvpn.net/faq.html#dhcpcaveats
    # The addresses below refer to the public
    # DNS servers provided by opendns.com.
    ;push "dhcp-option DNS 208.67.222.222"
    ;push "dhcp-option DNS 208.67.220.220"
    #push "dhcp-option DNS 8.8.8.8"
    #push "dhcp-option DNS 8.8.4.4"
    # Uncomment this directive to allow different
    # clients to be able to "see" each other.
    # By default, clients will only see the server.
    # To force clients to only see the server, you
    # will also need to appropriately firewall the
    # server's TUN/TAP interface.
    client-to-client
    # Uncomment this directive if multiple clients
    # might connect with the same certificate/key
    # files or common names. This is recommended
    # only for testing purposes. For production use,
    # each client should have its own certificate/key
    # pair.
    # IF YOU HAVE NOT GENERATED INDIVIDUAL
    # CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
    # EACH HAVING ITS OWN UNIQUE "COMMON NAME",
    # UNCOMMENT THIS LINE OUT.
    ;duplicate-cn
    # The keepalive directive causes ping-like
    # messages to be sent back and forth over
    # the link so that each side knows when
    # the other side has gone down.
    # Ping every 10 seconds, assume that remote
    # peer is down if no ping received during
    # a 120 second time period.
    keepalive 10 120
    # For extra security beyond that provided
    # by SSL/TLS, create an "HMAC firewall"
    # to help block DoS attacks and UDP port flooding.
    # Generate with:
    # openvpn --genkey --secret ta.key
    # The server and each client must have
    # a copy of this key.
    # The second parameter should be '0'
    # on the server and '1' on the clients.
    ;tls-auth ta.key 0 # This file is secret
    # Select a cryptographic cipher.
    # This config item must be copied to
    # the client config file as well.
    ;cipher BF-CBC # Blowfish (default)
    ;cipher AES-128-CBC # AES
    ;cipher DES-EDE3-CBC # Triple-DES
    # Enable compression on the VPN link.
    # If you enable it here, you must also
    # enable it in the client config file.
    comp-lzo
    # The maximum number of concurrently connected
    # clients we want to allow.
    ;max-clients 100
    # It's a good idea to reduce the OpenVPN
    # daemon's privileges after initialization.
    # You can uncomment this out on
    # non-Windows systems.
    user nobody
    group nobody
    # The persist options will try to avoid
    # accessing certain resources on restart
    # that may no longer be accessible because
    # of the privilege downgrade.
    persist-key
    persist-tun
    # Output a short status file showing
    # current connections, truncated
    # and rewritten every minute.
    status /var/log/openvpn-status.log
    # By default, log messages will go to the syslog (or
    # on Windows, if running as a service, they will go to
    # the "\Program Files\OpenVPN\log" directory).
    # Use log or log-append to override this default.
    # "log" will truncate the log file on OpenVPN startup,
    # while "log-append" will append to it. Use one
    # or the other (but not both).
    log /var/log/openvpn.log
    log-append /var/log/openvpn.log
    # Set the appropriate level of log
    # file verbosity.
    # 0 is silent, except for fatal errors
    # 4 is reasonable for general usage
    # 5 and 6 can help to debug connection problems
    # 9 is extremely verbose
    #verb 3
    # Silence repeating messages. At most 20
    # sequential messages of the same message
    # category will be output to the log.
    ;mute 20
    My openvpn.log, cut down to today's entries:
    Fri Aug 24 03:17:27 2012 222.243.122.171:35730 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Fri Aug 24 03:17:27 2012 222.243.122.171:35730 Local Options hash (VER=V4): '530fdded'
    Fri Aug 24 03:17:27 2012 222.243.122.171:35730 Expected Remote Options hash (VER=V4): '41690919'
    Fri Aug 24 03:17:27 2012 222.243.122.171:35730 TLS: Initial packet from 222.243.122.171:35730, sid=7651acff 1979bea2
    Fri Aug 24 03:17:30 2012 222.243.122.171:35730 VERIFY OK: depth=1, /C=CN/ST=HN/L=HN/O=Fuckgfw/OU=changeme/CN=direct.alayii.com/name=server-ca/[email protected]
    Fri Aug 24 03:17:30 2012 222.243.122.171:35730 VERIFY OK: depth=0, /C=CN/ST=HN/L=HN/O=Fuckgfw/OU=changeme/CN=direct.alayii.com/name=client/[email protected]
    Fri Aug 24 03:17:31 2012 222.243.122.171:35730 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Fri Aug 24 03:17:31 2012 222.243.122.171:35730 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Fri Aug 24 03:17:31 2012 222.243.122.171:35730 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Fri Aug 24 03:17:31 2012 222.243.122.171:35730 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Fri Aug 24 03:17:32 2012 222.243.122.171:35730 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Fri Aug 24 03:17:32 2012 222.243.122.171:35730 [direct.alayii.com] Peer Connection Initiated with 222.243.122.171:35730
    Fri Aug 24 03:17:32 2012 direct.alayii.com/222.243.122.171:35730 MULTI: Learn: 10.8.0.6 -> direct.alayii.com/222.243.122.171:35730
    Fri Aug 24 03:17:32 2012 direct.alayii.com/222.243.122.171:35730 MULTI: primary virtual IP for direct.alayii.com/222.243.122.171:35730: 10.8.0.6
    Fri Aug 24 03:17:34 2012 direct.alayii.com/222.243.122.171:35730 PUSH: Received control message: 'PUSH_REQUEST'
    Fri Aug 24 03:17:34 2012 direct.alayii.com/222.243.122.171:35730 SENT CONTROL [direct.alayii.com]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
    Fri Aug 24 03:44:44 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:44:53 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:45:03 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:45:13 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:45:22 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:45:23 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:45:25 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:45:30 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:45:39 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:45:49 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:45:59 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:46:09 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:46:19 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:46:29 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:46:40 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:46:49 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:46:59 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:47:09 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:47:19 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:47:30 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:47:40 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:47:47 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:47:48 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:47:48 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:47:49 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:47:49 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:47:49 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:47:49 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:47:50 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:47:51 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:47:51 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:47:53 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:47:55 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:47:56 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:47:57 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:48:03 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:48:05 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:48:07 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:48:13 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:48:15 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:48:17 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:48:23 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:48:25 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:48:27 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:48:28 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:48:29 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:48:30 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:48:33 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:48:34 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:48:34 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:48:35 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:48:37 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Fri Aug 24 03:48:40 2012 direct.alayii.com/222.243.122.171:35730 [direct.alayii.com] Inactivity timeout (--ping-restart), restarting
    Fri Aug 24 03:48:40 2012 direct.alayii.com/222.243.122.171:35730 SIGUSR1[soft,ping-restart] received, client-instance restarting
    openvpn-status.log
    OpenVPN CLIENT LIST
    Updated,Fri Aug 24 03:48:00 2012
    Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
    direct.alayii.com,222.243.122.171:35730,1610365,1800148,Fri Aug 24 03:17:27 2012
    ROUTING TABLE
    Virtual Address,Common Name,Real Address,Last Ref
    10.8.0.6,direct.alayii.com,222.243.122.171:35730,Fri Aug 24 03:47:57 2012
    GLOBAL STATS
    Max bcast/mcast queue length,0
    END
    I changed udp to tcp; it makes no sense.
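Added example, not part of the post or of OpenVPN itself: a small Python linter that reads the active directives of an OpenVPN config (lines beginning with # or ; are comments or disabled directives, as in the file above) and reports settings that weaken the link. The first sample is a constructed excerpt of the active directives from the posted server.conf; the second is a constructed hardened counterpart that assumes OpenVPN 2.4 or later for tls-crypt and AES-256-GCM. The 1024-bit DH check looks only at the file name, which is a heuristic.

```python
"""Lint the active directives of an OpenVPN 2.x config for weak settings.

Added example, not from the post or the OpenVPN project. Lines starting with
'#' or ';' are comments/disabled directives, as in the posted server.conf.
"""

# Constructed excerpt: the active directives of the posted server.conf
POSTED_SERVER_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
client-to-client
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
comp-lzo
user nobody
group nobody
log /var/log/openvpn.log
log-append /var/log/openvpn.log
#verb 3
"""

# Constructed hardened counterpart (assumes OpenVPN 2.4+ for tls-crypt/AES-GCM)
HARDENED_SERVER_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
tls-crypt ta.key
cipher AES-256-GCM
keepalive 10 120
user nobody
group nobody
log-append /var/log/openvpn.log
verb 3
"""

# Ciphers with a 64-bit block: the birthday bound is reachable within one long session
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}


def parse_config(text):
    """Return [(directive, [args]), ...] for the active lines, comments stripped."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split("#", 1)[0].split()   # drop a trailing comment
        directives.append((parts[0], parts[1:]))
    return directives


def lint_openvpn(text):
    """Return a list of (severity, finding) tuples; an empty list means clean."""
    present = {}
    for name, args in parse_config(text):
        present.setdefault(name, []).append(args)
    findings = []

    cipher_args = present.get("cipher", [[]])[-1]
    if not cipher_args:
        findings.append(("high", "no cipher directive: older releases fall back to "
                                 "BF-CBC (64-bit block); set cipher AES-256-GCM"))
    elif cipher_args[0].upper() in WEAK_CIPHERS:
        findings.append(("high", "cipher %s has a 64-bit block; use AES-256-GCM" % cipher_args[0]))
    if "tls-auth" not in present and "tls-crypt" not in present:
        findings.append(("high", "no tls-auth/tls-crypt: the control channel accepts "
                                 "unauthenticated packets from anyone"))
    lzo = present.get("comp-lzo")
    if lzo is not None and (not lzo[-1] or lzo[-1][0] != "no"):
        findings.append(("high", "comp-lzo compresses data before encryption, exposing "
                                 "plaintext to compression-oracle attacks"))
    if "1024" in present.get("dh", [[""]])[-1][0]:      # file-name heuristic only
        findings.append(("medium", "dh file name suggests 1024-bit parameters; use >= 2048"))
    if "duplicate-cn" in present:
        findings.append(("medium", "duplicate-cn lets clients share one certificate"))
    if "user" not in present or "group" not in present:
        findings.append(("medium", "no user/group: daemon keeps root after initialisation"))
    if "log" in present and "log-append" in present:
        findings.append(("low", "both log and log-append set; the file's own comment says one or the other"))
    if "client-to-client" in present:
        findings.append(("info", "client-to-client forwards between clients inside OpenVPN, "
                                 "bypassing the host firewall on the tun interface"))
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_SERVER_CONF), ("hardened", HARDENED_SERVER_CONF)):
        print(label, lint_openvpn(conf) or "clean")
```

On the posted excerpt it reports the absent cipher directive (the log above shows the BF-CBC fallback being negotiated), the missing tls-auth, comp-lzo, the dh1024 file, the contradictory log/log-append pair and, as information, client-to-client. None of these explains the connection failure in the log, but they are what a reviewer would fix before exposing the server.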

    I have the same issue here: no service on AT&T and no Touch ID. Help, Apple.

  • [Solved] 1:1 nat with iptables

    I've got a host with 2 qemu virtual machines in it. They're set up bridged with a tap interface so they both have their own IP address and are accessible from the outside.
    Their IPs are:
    VM1: 10.1.0.10
    VM2: 10.1.0.11
    Netmask for both: 255.255.255.0
    Now I am trying to add iptables rules to the host machine to NAT both virtual machines to the subnet 172.16.0.0/24. I use the following rules for this.
    iptables -P FORWARD DROP
    iptables -A FORWARD -s 10.1.0.0/24 -j ACCEPT
    iptables -A FORWARD -d 10.1.0.0/24 -j ACCEPT
    iptables -A INPUT -s 10.1.0.0/24 -j ACCEPT
    iptables -A INPUT -s 172.16.0.0/24 -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.1.0.10 -j SNAT --to 172.16.0.10
    iptables -t nat -A POSTROUTING -s 10.1.0.11 -j SNAT --to 172.16.0.11
    The host machine has 3 interfaces.
    eth0, which is the external interface connected to the internet
    tap0, which is the tap interface for the first VM
    tap1, which is the tap interface for the second VM
    These are all added to a bridge called br0 that has the external connection set up.
    When I try to ping Google from inside VM1, I see this going through tap0.
    10113.790379 10.1.0.10 -> 8.8.8.8 DNS Standard query A www.google.com
    10113.834219 Cisco_42:4f:60 -> Broadcast ARP Who has 172.16.0.10? Tell 172.16.0.1
    And this through eth0.
    10348.090665 172.16.0.10 -> 8.8.8.8 DNS Standard query A www.google.com
    10348.134424 Cisco_42:4f:60 -> Broadcast ARP Who has 172.16.0.10? Tell 172.16.0.1
    So apparently the source nat is properly happening when the dns request for google goes out but then the response doesn't know where to find 172.16.0.10.
    Does anyone know how to solve this? Perhaps through virtual interfaces? If possible, I would like to handle this on the host OS without tinkering with the VM's internal network settings.
    Last edited by Metallion (2011-03-30 06:58:41)

    iptables -nvL
    Chain INPUT (policy ACCEPT 367 packets, 38976 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * * 10.1.0.0/24 0.0.0.0/0
    0 0 ACCEPT all -- * * 172.16.0.0/24 0.0.0.0/0
    Chain FORWARD (policy DROP 209 packets, 60314 bytes)
    pkts bytes target prot opt in out source destination
    445 125K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
    0 0 ACCEPT all -- * * 10.1.0.0/24 0.0.0.0/0
    0 0 ACCEPT all -- * * 0.0.0.0/0 10.1.0.0/24
    196 53522 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    Chain OUTPUT (policy ACCEPT 163 packets, 24684 bytes)
    pkts bytes target prot opt in out source destination
    iptables -t nat -nvL
    Chain PREROUTING (policy ACCEPT 4221 packets, 822K bytes)
    pkts bytes target prot opt in out source destination
    4 336 DNAT all -- * * 0.0.0.0/0 172.16.0.10 to:10.1.0.10
    Chain OUTPUT (policy ACCEPT 114 packets, 8403 bytes)
    pkts bytes target prot opt in out source destination
    Chain POSTROUTING (policy ACCEPT 193 packets, 33094 bytes)
    pkts bytes target prot opt in out source destination
    0 0 SNAT all -- * * 10.1.0.10 0.0.0.0/0 to:172.16.0.10
    As you can see, I've set up logging for all the forwarded packets. The outgoing ones are showing up in the log but incoming ones are not. I tried setting up logging for the prerouting chain too but they still don't show up. It seems like they just aren't DNATted at all. Very strange since their destination clearly is 172.16.0.10.
    Here are the relevant parts of the logs in case it helps. This is what shows when making a dns request for www.google.com
    Mar 25 17:15:18 hanra kernel: [1886767.666360] IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth0 SRC=10.1.0.10 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14428 DF PROTO=UDP SPT=38635 DPT=53 LEN=40
    Mar 25 17:15:18 hanra kernel: [1886767.666395] IN= OUT=br0 PHYSIN=tap0 PHYSOUT=eth0 SRC=10.1.0.10 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14428 DF PROTO=UDP SPT=38635 DPT=53 LEN=40
    In tshark it looks like this:
    For eth0:
    19649.108081 172.16.0.10 -> 8.8.8.8 DNS Standard query A www.google.com
    19649.153407 8.8.8.8 -> 172.16.0.10 DNS Standard query response CNAME www.l.google.com A 74.125.235.82 A 74.125.235.80 A 74.125.235.84 A 74.125.235.83 A 74.125.235.81
    For tap0
    19414.807637 10.1.0.10 -> 8.8.8.8 DNS Standard query A www.google.com
    The response arrives on eth0 but isn't DNATted to tap0.
    Last edited by Metallion (2011-03-25 08:25:36)
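The kernel log lines above say which path the packets take: PHYSIN and PHYSOUT are set only when a packet is switched between two ports of a bridge and reaches iptables through br_netfilter, whereas a routed packet shows different IN and OUT interfaces and no PHYS fields. As an added example (not from the post), this Python parser extracts the KEY=VALUE fields of netfilter LOG lines and classifies each packet; the first two sample lines are copied from the post, the third is a constructed routed reply for contrast.

```python
"""Classify netfilter LOG lines as bridged, routed or local traffic.

Added example (not from the post). The first two sample lines are quoted from
the post above; the third is constructed to show a routed packet.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Mar 25 17:15:18 hanra kernel: [1886767.666360] IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth0 SRC=10.1.0.10 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14428 DF PROTO=UDP SPT=38635 DPT=53 LEN=40
Mar 25 17:15:18 hanra kernel: [1886767.666395] IN= OUT=br0 PHYSIN=tap0 PHYSOUT=eth0 SRC=10.1.0.10 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14428 DF PROTO=UDP SPT=38635 DPT=53 LEN=40
Mar 25 17:15:19 hanra kernel: [1886768.120001] IN=eth0 OUT=tap0 SRC=8.8.8.8 DST=10.1.0.10 LEN=180 TOS=0x00 PREC=0x00 TTL=56 ID=0 PROTO=UDP SPT=53 DPT=38635 LEN=160
"""

FIELD = re.compile(r"(\w+)=(\S*)")   # KEY=VALUE; VALUE may be empty (e.g. "IN=")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line as a dict, or None for other lines.

    Bare flags such as DF are ignored. LEN appears twice (IP total length, then
    UDP length); the first occurrence is kept.
    """
    if "kernel:" not in line:
        return None
    fields = {}
    for key, value in FIELD.findall(line.split("kernel:", 1)[1]):
        fields.setdefault(key, value)
    return fields


def classify(fields):
    """'bridged': switched between bridge ports and seen via br_netfilter;
    'routed': entered one interface and left another; 'local' otherwise."""
    if fields.get("PHYSIN") or fields.get("PHYSOUT"):
        return "bridged"
    if fields.get("IN") and fields.get("OUT") and fields["IN"] != fields["OUT"]:
        return "routed"
    return "local"


def summarize(text):
    """Count packets per (path, SRC, DST, PROTO, DPT) flow."""
    counts = Counter()
    for line in text.splitlines():
        fields = parse_log_line(line)
        if fields is None or "SRC" not in fields:
            continue
        key = (classify(fields), fields["SRC"], fields["DST"],
               fields.get("PROTO", "?"), fields.get("DPT", "?"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for flow, n in sorted(summarize(SAMPLE_LOG).items()):
        print("%-8s %s -> %s %s/%s  packets=%d" % (flow + (n,)))
```

Pipe `journalctl -k` or `/var/log/kern.log` into `summarize`. A flow reported as bridged never passes the host's IP routing step on its way between tap0 and eth0; knowing that is the first thing to establish before expecting NAT rules written for routed traffic to apply to it.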

  • No network when instantiating a template created with OVAB in Oracle VM 2.2

    Hi,
    I've created an OVM template with OVAB (Oracle Virtual Assembly Builder) and the default OVAB image. When creating a new VM (vm2) with it, the VM starts but cannot access the world outside the bridge (xenbr0). I can however ping another VM (vm1) in the same bridge, I can also ping the main OVM server interface (dom0 xenbr0), but I can't ping a machine on my real network.
    What is strange is that vm1 was installed with PXE and accesses the outside world fine. In fact the DHCP server on my real network is working well and is correctly configured for vm1 and vm2, but only vm1 obtains its IP address. For vm2 there is no answer from the DHCP server, so I have to manually set the IP address of eth0 on vm2 before performing ping tests. This is another fact that points in the same direction as the "outside network unreachable from vm2" diagnostic.
    Now I understand (correct me if I am wrong) that the bridge is configured automatically by OVM, so why is it OK for vm1 and not for vm2 when they are in the same bridge xenbr0? Also a strange thing (maybe?) is that the bridge configuration shows a tap interface configured for vm1 but not for vm2:
    'brctl show' output:
    bridge name     bridge id          STP enabled     interfaces
    xenbr0          8000.001e6837f20e     no          vif36.0
                                  vif35.0
                                       tap35.0
                                       eth0
    xenbr1          8000.001e6837f20f     no          eth1
    xenbr2          8000.001e6837f210     no          eth2
    xenbr3          8000.001e6837f211     no          eth3
    vm1 is 35 and has vif35.0 and tap35.0, but vm2 is 36 and has only vif36.0: could that be the problem?
    Also vm1 is using ioemu networking driver whereas vm2 is using netfront (which I can't change as I suppose OVAB was using a PV image).
    Thanks for any help/idea.
    Edited by: user13344422 on 14 Apr. 2011 01:32

    Hi,
    I think rather that this is a networking issue inside the VM.
    It may well be the default Gateway is not set correctly.
    Compare the output (of the working VM and the not working VM) of:
    route
    cat /etc/resolv.conf
    cat /etc/sysconfig/network
    And the network adapters:
    cat /etc/sysconfig/network-scripts/ifcfg-eth1
    Regards
    Sebastian

  • Can't connect to the internet right after boot up

    Hey guys, I have an interesting problem in which if I try to use the internet right after boot-up (via scripts) I can't resolve host names. However, if I try to use the internet right after boot-up manually I can resolve host names. I had this problem with a script but I've since rewritten it to work around the problem; however, I now seem to have this problem with openVPN and I need this to work. I'll use openVPN as my primary example but the situation was the same for my script.
    Basically, openVPN starts up via systemd and it can't resolve my server's host name. Even 18 hours later. I have 'resolv-retry infinite' in my conf file which as I understand says 'if you can't resolve the host name keep trying to resolve it indefinitely'. I left my computer on overnight and openVPN still could not connect to my server, despite me being able to ping it, have MySQL get data dumps and replicate from it, and other software being able to resolve the server's host name. If I restart openVPN, then it works! I rebooted the computer and let it try for a few minutes to connect and it couldn't. I restarted openVPN manually and it resolved the server's host name, 5 minutes after the computer booted up, even though it couldn't connect on its own the previous night.
    Here's openVPN's status as of this post:
    openvpn@client.service - OpenVPN connection to client
    Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled)
    Active: active (running) since Thu 2013-05-02 14:10:02 MDT; 58min ago
    Process: 248 ExecStart=/usr/sbin/openvpn --cd /etc/openvpn --config /etc/openvpn/%i.conf --daemon openvpn@%i (code=exited, status=0/SUCCESS)
    Main PID: 254 (openvpn)
    CGroup: name=systemd:/system/openvpn@.service/client
    └─254 /usr/sbin/openvpn --cd /etc/openvpn --config /etc/openvpn/client.conf --daemon openvpn@client
    May 02 15:07:52 CCH001 openvpn@client[254]: RESOLVE: Cannot resolve host address: my.server.com: Name or service not known
    May 02 15:07:57 CCH001 openvpn@client[254]: RESOLVE: Cannot resolve host address: my.server.com: Name or service not known
    May 02 15:08:02 CCH001 openvpn@client[254]: RESOLVE: Cannot resolve host address: my.server.com: Name or service not known
    May 02 15:08:07 CCH001 openvpn@client[254]: RESOLVE: Cannot resolve host address: my.server.com: Name or service not known
    May 02 15:08:12 CCH001 openvpn@client[254]: RESOLVE: Cannot resolve host address: my.server.com: Name or service not known
    May 02 15:08:17 CCH001 openvpn@client[254]: RESOLVE: Cannot resolve host address: my.server.com: Name or service not known
    May 02 15:08:22 CCH001 openvpn@client[254]: RESOLVE: Cannot resolve host address: my.server.com: Name or service not known
    May 02 15:08:27 CCH001 openvpn@client[254]: RESOLVE: Cannot resolve host address: my.server.com: Name or service not known
    May 02 15:08:32 CCH001 openvpn@client[254]: RESOLVE: Cannot resolve host address: my.server.com: Name or service not known
    May 02 15:08:37 CCH001 openvpn@client[254]: RESOLVE: Cannot resolve host address: my.server.com: Name or service not known
    Here is my conf file:
    # Sample client-side OpenVPN 2.0 config file #
    # for connecting to multi-client server. #
    # This configuration can be used by multiple #
    # clients, however each client should have #
    # its own cert and key files. #
    # On Windows, you might want to rename this #
    # file so it has a .ovpn extension #
    # Specify that we are a client and that we
    # will be pulling certain config file directives
    # from the server.
    client
    # Use the same setting as you are using on
    # the server.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    ;dev tap
    dev tun
    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel
    # if you have more than one. On XP SP2,
    # you may need to disable the firewall
    # for the TAP adapter.
    ;dev-node MyTap
    # Are we connecting to a TCP or
    # UDP server? Use the same setting as
    # on the server.
    ;proto tcp
    proto udp
    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    remote my.server.com 1194
    ;remote my-server-2 1194
    # Choose a random host from the remote
    # list for load-balancing. Otherwise
    # try hosts in the order specified.
    ;remote-random
    # Keep trying indefinitely to resolve the
    # host name of the OpenVPN server. Very useful
    # on machines which are not permanently connected
    # to the internet such as laptops.
    resolv-retry infinite
    # Most clients don't need to bind to
    # a specific local port number.
    nobind
    # Downgrade privileges after initialization (non-Windows only)
    user nobody
    group nobody
    # Try to preserve some state across restarts.
    persist-key
    persist-tun
    # If you are connecting through an
    # HTTP proxy to reach the actual OpenVPN
    # server, put the proxy server/IP and
    # port number here. See the man page
    # if your proxy server requires
    # authentication.
    ;http-proxy-retry # retry on connection failures
    ;http-proxy [proxy server] [proxy port #]
    # Wireless networks often produce a lot
    # of duplicate packets. Set this flag
    # to silence duplicate packet warnings.
    ;mute-replay-warnings
    # SSL/TLS parms.
    # See the server config file for more
    # description. It's best to use
    # a separate .crt/.key file pair
    # for each client. A single ca
    # file can be used for all clients.
    ca ca.crt
    cert host.crt
    key host.key
    # Verify server certificate by checking
    # that the certificate has the nsCertType
    # field set to "server". This is an
    # important precaution to protect against
    # a potential attack discussed here:
    # http://openvpn.net/howto.html#mitm
    # To use this feature, you will need to generate
    # your server certificates with the nsCertType
    # field set to "server". The build-key-server
    # script in the easy-rsa folder will do this.
    ns-cert-type server
    # If a tls-auth key is used on the server
    # then every client must also have the key.
    tls-auth ta.key 1
    # Select a cryptographic cipher.
    # If the cipher option is used on the server
    # then you must also specify it here.
    ;cipher x
    # Enable compression on the VPN link.
    # Don't enable this unless it is also
    # enabled in the server config file.
    comp-lzo
    # Set log file verbosity.
    verb 3
    # Silence repeating messages
    ;mute 20
    Anyone have any idea what could be going on? It seems to me that when a program starts up it takes a snapshot of the current network status and it then uses it, even if it's 10 minutes later and the network has been fully loaded/configured, the program uses that snapshot and can't connect to the DNS.
    Last edited by anEveryDayGuy (2013-05-02 21:20:47)
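An added example, not part of the post above: a short Python script that parses the quoted systemctl/journal lines to show how often OpenVPN is retrying the lookup and for how long after the unit became active it has still been failing. The journal lines are a constructed copy of three of the ones quoted above; taking the year from the 'Active: ... since' line is an assumption.

```python
"""Added example (not from the post): quantify the RESOLVE failures in the
journal lines quoted above."""
from datetime import datetime
import re

# Constructed copy of the 'Active:' status line and three of the journal
# lines from the post (journalctl prints no year; the year is taken from the
# status line, an assumption).
STATUS = """\
Active: active (running) since Thu 2013-05-02 14:10:02 MDT; 58min ago
May 02 15:07:52 CCH001 openvpn@client[254]: RESOLVE: Cannot resolve host address: my.server.com: Name or service not known
May 02 15:07:57 CCH001 openvpn@client[254]: RESOLVE: Cannot resolve host address: my.server.com: Name or service not known
May 02 15:08:02 CCH001 openvpn@client[254]: RESOLVE: Cannot resolve host address: my.server.com: Name or service not known
"""

ACTIVE_RE = re.compile(r"since \w{3} (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
RESOLVE_RE = re.compile(
    r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (\S+)\[(\d+)\]: "
    r"RESOLVE: Cannot resolve host address: (\S+): (.*)$"
)


def analyse_resolve_failures(text):
    """Return statistics for 'RESOLVE: Cannot resolve host address' lines:
    how many there are, the shortest gap between two of them (the
    resolv-retry cadence) and how long after the unit became active the
    last one was logged."""
    started = None
    failures = []  # (timestamp, host, pid)
    for line in text.splitlines():
        m = ACTIVE_RE.search(line)
        if m:
            started = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            continue
        m = RESOLVE_RE.match(line)
        if m and started is not None:
            ts = datetime.strptime(f"{started.year} {m.group(1)}",
                                   "%Y %b %d %H:%M:%S")
            failures.append((ts, m.group(4), int(m.group(3))))
    if not failures:
        return None
    failures.sort()
    gaps = [(b[0] - a[0]).total_seconds()
            for a, b in zip(failures, failures[1:])]
    return {
        "host": failures[-1][1],
        "pid": failures[-1][2],
        "count": len(failures),
        "retry_interval_s": min(gaps) if gaps else None,
        "failing_for_s": (failures[-1][0] - started).total_seconds(),
    }


def is_stuck(stats, grace_s=300):
    """True when the daemon is still retrying (so resolv-retry is doing its
    job) but has been failing for longer than the grace period after the
    unit started, i.e. the lookup never succeeds inside this process."""
    return (stats is not None and stats["retry_interval_s"] is not None
            and stats["failing_for_s"] > grace_s)


if __name__ == "__main__":
    stats = analyse_resolve_failures(STATUS)
    print(stats)
    print("stuck resolver:", is_stuck(stats))
```

On the quoted lines this reports a 5 s retry interval and 3480 s (58 min) of continuous failure in the same PID, which is the pattern the post describes: retries happen, but the process never resolves the name until it is restarted.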

    'Requires=network.target' wasn't in it so I added it but nothing's changed. I've left it in because openVPN does require network.
    As I said, I had this problem with a script so I don't think it's anything specific to openVPN. I had a weird occurrence this morning however. When I started the computer up this morning  openVPN worked just fine. However when the computer rebooted openVPN couldn't resolve the host address again.

  • [SOLVED] Openvpn configuration issues

    Hello,
    To better illustrate the following here's an overview of my network:
    LAN: 10.0.0.0/24; VPN (shall be): 10.0.2.0/24
    Alyx: 10.0.0.1 / 10.0.2.1 (I presume) - Is the router and openvpn server (running Debian 5.0)
    Praseodym: 10.0.0.4 / 10.0.2.4 (according to ipp.txt) - Is the client (currently local; may connect from internet eventually) (running Archlinux)
    When trying to connect praseodym the tun interface gets created properly (according to ifconfig) but it not only gets sent the wrong address (10.0.2.6) but also the wrong routes (10.0.2.5 as default gateway)
    This of course makes it impossible to ping either alyx or any other host in 10.0.0.0/24
    I'm sure I misconfigured somewhere but I just don't manage to actually find the error; any help would be greatly appreciated :-D
    This is the server.conf on Alyx (with comments removed for length):
    port 1194
    proto udp
    dev tun
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/alyx.crt
    key /etc/openvpn/keys/alyx.key # This file should be kept secret
    dh /etc/openvpn/keys/dh1024.pem
    server 10.0.2.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "route 10.0.0.0 255.255.255.0"
    push "redirect-gateway"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    client-to-client
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    verb 4
    This is the server.conf on Praseodym:
    dev tun
    remote alyx.lan.k-progs.org
    tls-client
    pull
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/praseodym.crt
    key /etc/openvpn/praseodym.key
    port 1194
    comp-lzo
    ping 15
    ping-restart 45
    ping-timer-rem
    verb 3
    Also, here are the log files of a connection attempt:
    Log of openvpn --config /etc/openvpn/server.conf --verb 6 (On Alyx)
    Tue May 3 13:51:49 2011
    Tue May 3 13:51:49 2011 us=343679 Current Parameter Settings:
    -- the entire config --
    Tue May 3 13:51:49 2011 us=399621 OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
    Tue May 3 13:51:49 2011 us=488787 Diffie-Hellman initialized with 1024 bit key
    Tue May 3 13:51:49 2011 us=494972 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
    Tue May 3 13:51:50 2011 us=491474 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Tue May 3 13:51:50 2011 us=532928 TUN/TAP device tun0 opened
    Tue May 3 13:51:50 2011 us=533460 TUN/TAP TX queue length set to 100
    Tue May 3 13:51:50 2011 us=533981 /sbin/ifconfig tun0 10.0.2.1 pointopoint 10.0.2.2 mtu 1500
    Tue May 3 13:51:50 2011 us=539295 /sbin/route add -net 10.0.2.0 netmask 255.255.255.0 gw 10.0.2.2
    Tue May 3 13:51:50 2011 us=543053 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Tue May 3 13:51:50 2011 us=543631 Socket Buffers: R=[111616->131072] S=[111616->131072]
    Tue May 3 13:51:50 2011 us=544091 UDPv4 link local (bound): [undef]:1194
    Tue May 3 13:51:50 2011 us=544469 UDPv4 link remote: [undef]
    Tue May 3 13:51:50 2011 us=544868 MULTI: multi_init called, r=256 v=256
    Tue May 3 13:51:50 2011 us=545386 IFCONFIG POOL: base=10.0.2.4 size=62
    Tue May 3 13:51:50 2011 us=545812 IFCONFIG POOL LIST
    Tue May 3 13:51:50 2011 us=546241 Initialization Sequence Completed
    Tue May 3 13:52:25 2011 us=915080 MULTI: multi_create_instance called
    Tue May 3 13:52:25 2011 us=915641 10.0.0.4:1194 Re-using SSL/TLS context
    Tue May 3 13:52:25 2011 us=916094 10.0.0.4:1194 LZO compression initialized
    Tue May 3 13:52:25 2011 us=917062 10.0.0.4:1194 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Tue May 3 13:52:25 2011 us=917483 10.0.0.4:1194 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Tue May 3 13:52:25 2011 us=918064 10.0.0.4:1194 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
    Tue May 3 13:52:25 2011 us=918525 10.0.0.4:1194 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
    Tue May 3 13:52:25 2011 us=919070 10.0.0.4:1194 Local Options hash (VER=V4): '530fdded'
    Tue May 3 13:52:25 2011 us=919514 10.0.0.4:1194 Expected Remote Options hash (VER=V4): '41690919'
    Tue May 3 13:52:25 2011 us=920072 10.0.0.4:1194 UDPv4 READ [14] from 10.0.0.4:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
    Tue May 3 13:52:25 2011 us=920566 10.0.0.4:1194 TLS: Initial packet from 10.0.0.4:1194, sid=665595c2 97acdb17
    Tue May 3 13:52:25 2011 us=921066 10.0.0.4:1194 UDPv4 WRITE [26] to 10.0.0.4:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
    Tue May 3 13:52:25 2011 us=922376 10.0.0.4:1194 UDPv4 READ [22] from 10.0.0.4:1194: P_ACK_V1 kid=0 [ 0 ]
    Tue May 3 13:52:25 2011 us=923078 10.0.0.4:1194 UDPv4 READ [114] from 10.0.0.4:1194: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=100
    -- repeats for a while --
    Tue May 3 13:52:26 2011 us=144189 10.0.0.4:1194 VERIFY OK: depth=1, /C=DE/ST=<censored>/L=<censored>/O=K-Progs/CN=K-Progs_CA/emailAddress=<censored>
    Tue May 3 13:52:26 2011 us=147233 10.0.0.4:1194 VERIFY OK: depth=0, /C=DE/ST=<censored>/L=<censored>/O=K-Progs/CN=praseodym/emailAddress=<censored>
    -- continues repeating --
    Tue May 3 13:52:26 2011 us=266154 10.0.0.4:1194 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue May 3 13:52:26 2011 us=266590 10.0.0.4:1194 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue May 3 13:52:26 2011 us=267443 10.0.0.4:1194 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue May 3 13:52:26 2011 us=267804 10.0.0.4:1194 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue May 3 13:52:26 2011 us=268951 10.0.0.4:1194 UDPv4 WRITE [126] to 10.0.0.4:1194: P_CONTROL_V1 kid=0 [ 28 ] pid=37 DATA len=100
    Tue May 3 13:52:26 2011 us=269516 10.0.0.4:1194 UDPv4 WRITE [114] to 10.0.0.4:1194: P_CONTROL_V1 kid=0 [ ] pid=38 DATA len=100
    Tue May 3 13:52:26 2011 us=270109 10.0.0.4:1194 UDPv4 WRITE [80] to 10.0.0.4:1194: P_CONTROL_V1 kid=0 [ ] pid=39 DATA len=66
    Tue May 3 13:52:26 2011 us=270733 10.0.0.4:1194 UDPv4 READ [22] from 10.0.0.4:1194: P_ACK_V1 kid=0 [ 37 ]
    Tue May 3 13:52:26 2011 us=271968 10.0.0.4:1194 UDPv4 READ [22] from 10.0.0.4:1194: P_ACK_V1 kid=0 [ 38 ]
    Tue May 3 13:52:26 2011 us=274646 10.0.0.4:1194 UDPv4 READ [22] from 10.0.0.4:1194: P_ACK_V1 kid=0 [ 39 ]
    Tue May 3 13:52:26 2011 us=275075 10.0.0.4:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Tue May 3 13:52:26 2011 us=275567 10.0.0.4:1194 [praseodym] Peer Connection Initiated with 10.0.0.4:1194
    Tue May 3 13:52:26 2011 us=276425 praseodym/10.0.0.4:1194 MULTI: Learn: 10.0.2.6 -> praseodym/10.0.0.4:1194
    Tue May 3 13:52:26 2011 us=276825 praseodym/10.0.0.4:1194 MULTI: primary virtual IP for praseodym/10.0.0.4:1194: 10.0.2.6
    Tue May 3 13:52:30 2011 us=780827 praseodym/10.0.0.4:1194 UDPv4 READ [104] from 10.0.0.4:1194: P_CONTROL_V1 kid=0 [ ] pid=29 DATA len=90
    Tue May 3 13:52:30 2011 us=781588 praseodym/10.0.0.4:1194 PUSH: Received control message: 'PUSH_REQUEST'
    Tue May 3 13:52:30 2011 us=782566 praseodym/10.0.0.4:1194 SENT CONTROL [praseodym]: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,redirect-gateway,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.0.2.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.0.2.6 10.0.2.5' (status=1)
    Tue May 3 13:52:30 2011 us=783091 praseodym/10.0.0.4:1194 UDPv4 WRITE [22] to 10.0.0.4:1194: P_ACK_V1 kid=0 [ 29 ]
    Tue May 3 13:52:30 2011 us=783693 praseodym/10.0.0.4:1194 UDPv4 WRITE [114] to 10.0.0.4:1194: P_CONTROL_V1 kid=0 [ ] pid=40 DATA len=100
    -- repeats itself --
    Tue May 3 13:53:15 2011 us=3722 praseodym/10.0.0.4:1194 UDPv4 WRITE [16] to 10.0.0.4:1194: P_CONTROL_V1 kid=0 [ ] pid=42 DATA len=2
    Tue May 3 13:53:17 2011 us=72864 praseodym/10.0.0.4:1194 UDPv4 WRITE [16] to 10.0.0.4:1194: P_CONTROL_V1 kid=0 [ ] pid=42 DATA len=2
    Tue May 3 13:53:17 2011 us=73807 read UDPv4 [ECONNREFUSED]: Connection refused (code=111) -- This should be about where i killed it on praseodym
    Tue May 3 13:53:19 2011 us=194021 praseodym/10.0.0.4:1194 UDPv4 WRITE [16] to 10.0.0.4:1194: P_CONTROL_V1 kid=0 [ ] pid=42 DATA len=2
    Tue May 3 13:53:19 2011 us=194842 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    -- repeats --
    Tue May 3 13:53:29 2011 us=659866 event_wait : Interrupted system call (code=4)
    Tue May 3 13:53:29 2011 us=662316 TCP/UDP: Closing socket
    Tue May 3 13:53:29 2011 us=662509 /sbin/route del -net 10.0.2.0 netmask 255.255.255.0
    Tue May 3 13:53:29 2011 us=666153 Closing TUN/TAP interface
    Tue May 3 13:53:29 2011 us=666297 /sbin/ifconfig tun0 0.0.0.0
    Tue May 3 13:53:29 2011 us=687981 SIGINT[hard,] received, process exiting
    Log of openvpn --config /etc/openvpn/server.conf --verb 6 (On Praseodym)
    Tue May 3 14:06:03 2011
    Tue May 3 14:06:03 2011 us=797132 Current Parameter Settings:
    -- entire config --
    Tue May 3 14:06:03 2011 us=799467 OpenVPN 2.1.4 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Nov 13 2010
    Tue May 3 14:06:03 2011 us=799532 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Tue May 3 14:06:03 2011 us=799543 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Tue May 3 14:06:03 2011 us=831145 LZO compression initialized
    Tue May 3 14:06:03 2011 us=831289 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Tue May 3 14:06:03 2011 us=831353 Socket Buffers: R=[114688->131072] S=[114688->131072]
    Tue May 3 14:06:03 2011 us=833330 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Tue May 3 14:06:03 2011 us=833386 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
    Tue May 3 14:06:03 2011 us=833398 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
    Tue May 3 14:06:03 2011 us=833426 Local Options hash (VER=V4): '41690919'
    Tue May 3 14:06:03 2011 us=833443 Expected Remote Options hash (VER=V4): '530fdded'
    Tue May 3 14:06:03 2011 us=833466 UDPv4 link local (bound): [undef]:1194
    Tue May 3 14:06:03 2011 us=833480 UDPv4 link remote: 10.0.0.1:1194
    Tue May 3 14:06:03 2011 us=833551 UDPv4 WRITE [14] to 10.0.0.1:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
    Tue May 3 14:06:03 2011 us=840770 UDPv4 READ [26] from 10.0.0.1:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
    Tue May 3 14:06:03 2011 us=840831 TLS: Initial packet from 10.0.0.1:1194, sid=a0c0d596 fa3b4a5c
    Tue May 3 14:06:03 2011 us=840898 UDPv4 WRITE [22] to 10.0.0.1:1194: P_ACK_V1 kid=0 [ 0 ]
    Tue May 3 14:06:03 2011 us=840991 UDPv4 WRITE [114] to 10.0.0.1:1194: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=100
    Tue May 3 14:06:03 2011 us=841034 UDPv4 WRITE [114] to 10.0.0.1:1194: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=100
    Tue May 3 14:06:03 2011 us=841079 UDPv4 WRITE [25] to 10.0.0.1:1194: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=11
    Tue May 3 14:06:03 2011 us=843441 UDPv4 READ [22] from 10.0.0.1:1194: P_ACK_V1 kid=0 [ 1 ]
    -- repeats --
    Tue May 3 14:06:03 2011 us=996540 VERIFY OK: depth=1, /C=DE/ST=<censored>/L=<censored>/O=K-Progs/CN=K-Progs_CA/emailAddress=<censored>
    Tue May 3 14:06:03 2011 us=996859 VERIFY OK: depth=0, /C=DE/ST=<censored>/L=<censored>/O=K-Progs/CN=alyx/emailAddress=<censored>
    Tue May 3 14:06:03 2011 us=996908 UDPv4 WRITE [22] to 10.0.0.1:1194: P_ACK_V1 kid=0 [ 19 ]
    Tue May 3 14:06:03 2011 us=996973 UDPv4 READ [114] from 10.0.0.1:1194: P_CONTROL_V1 kid=0 [ ] pid=20 DATA len=100
    -- repeats --
    Tue May 3 14:06:04 2011 us=193026 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue May 3 14:06:04 2011 us=193041 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue May 3 14:06:04 2011 us=193066 UDPv4 WRITE [22] to 10.0.0.1:1194: P_ACK_V1 kid=0 [ 39 ]
    Tue May 3 14:06:04 2011 us=193113 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Tue May 3 14:06:04 2011 us=193140 [alyx] Peer Connection Initiated with 10.0.0.1:1194
    Tue May 3 14:06:06 2011 us=525590 SENT CONTROL [alyx]: 'PUSH_REQUEST' (status=1)
    Tue May 3 14:06:06 2011 us=525689 UDPv4 WRITE [104] to 10.0.0.1:1194: P_CONTROL_V1 kid=0 [ ] pid=29 DATA len=90
    Tue May 3 14:06:08 2011 us=697435 UDPv4 WRITE [104] to 10.0.0.1:1194: P_CONTROL_V1 kid=0 [ ] pid=29 DATA len=90
    Tue May 3 14:06:08 2011 us=700865 UDPv4 READ [22] from 10.0.0.1:1194: P_ACK_V1 kid=0 [ 29 ]
    Tue May 3 14:06:08 2011 us=702337 UDPv4 READ [114] from 10.0.0.1:1194: P_CONTROL_V1 kid=0 [ ] pid=40 DATA len=100
    Tue May 3 14:06:08 2011 us=702401 UDPv4 WRITE [22] to 10.0.0.1:1194: P_ACK_V1 kid=0 [ 40 ]
    Tue May 3 14:06:08 2011 us=704448 UDPv4 READ [114] from 10.0.0.1:1194: P_CONTROL_V1 kid=0 [ ] pid=41 DATA len=100
    Tue May 3 14:06:08 2011 us=704484 UDPv4 WRITE [22] to 10.0.0.1:1194: P_ACK_V1 kid=0 [ 41 ]
    Tue May 3 14:06:08 2011 us=704814 UDPv4 READ [16] from 10.0.0.1:1194: P_CONTROL_V1 kid=0 [ ] pid=42 DATA len=2
    Tue May 3 14:06:08 2011 us=704881 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,redirect-gateway,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.0.2.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.0.2.6 10.0.2.5'
    Tue May 3 14:06:08 2011 us=704976 OPTIONS IMPORT: timers and/or timeouts modified
    Tue May 3 14:06:08 2011 us=704989 OPTIONS IMPORT: --ifconfig/up options modified
    Tue May 3 14:06:08 2011 us=704999 OPTIONS IMPORT: route options modified
    Tue May 3 14:06:08 2011 us=705008 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Tue May 3 14:06:08 2011 us=705169 ROUTE default_gateway=10.0.0.1
    Tue May 3 14:06:08 2011 us=757964 TUN/TAP device tun0 opened
    Tue May 3 14:06:08 2011 us=758006 TUN/TAP TX queue length set to 100
    Tue May 3 14:06:08 2011 us=758056 /sbin/ifconfig tun0 10.0.2.6 pointopoint 10.0.2.5 mtu 1500
    Tue May 3 14:06:08 2011 us=759929 OpenVPN ROUTE: omitted no-op route: 10.0.0.1/255.255.255.255 -> 10.0.0.1
    Tue May 3 14:06:08 2011 us=759970 /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
    Tue May 3 14:06:08 2011 us=772882 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.0.2.5
    Tue May 3 14:06:08 2011 us=773671 /sbin/route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.2.5
    Tue May 3 14:06:08 2011 us=774548 WARNING: potential route subnet conflict between local LAN [10.0.2.0/255.255.255.0] and remote VPN [10.0.2.0/255.255.255.0]
    Tue May 3 14:06:08 2011 us=774590 /sbin/route add -net 10.0.2.0 netmask 255.255.255.0 gw 10.0.2.5
    Tue May 3 14:06:08 2011 us=775248 Initialization Sequence Completed
    Tue May 3 14:06:15 2011 us=480014 TUN READ [1500]
    Tue May 3 14:06:15 2011 us=480068 UDPv4 WRITE [1541] to 10.0.0.1:1194: P_DATA_V1 kid=0 DATA len=1540
    -- repeats until the logfile is about 80 MB O.o --
    Tue May 3 14:06:53 2011 us=371147 TCP/UDP: Closing socket
    Tue May 3 14:06:53 2011 us=371194 /sbin/route del -net 10.0.2.0 netmask 255.255.255.0
    Tue May 3 14:06:53 2011 us=372114 /sbin/route del -net 10.0.0.0 netmask 255.255.255.0
    Tue May 3 14:06:53 2011 us=372807 /sbin/route del -net 10.0.0.1 netmask 255.255.255.255
    SIOCDELRT: No such process
    Tue May 3 14:06:53 2011 us=373472 ERROR: Linux route delete command failed: external program exited with error status: 7
    Tue May 3 14:06:53 2011 us=373511 /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
    Tue May 3 14:06:53 2011 us=374202 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.0.0.1
    Tue May 3 14:06:53 2011 us=374869 Closing TUN/TAP interface
    Tue May 3 14:06:53 2011 us=374896 /sbin/ifconfig tun0 0.0.0.0
    Tue May 3 14:06:53 2011 us=407592 SIGINT[hard,] received, process exiting
    Last edited by Greg10 (2011-05-07 06:38:43)

    Shouldn't the push "redirect-gateway" directive take care of that?
    Also I unfortunately can only test whether I'm able to connect from the outside on Saturday.
    I'll see if I can get Praseodym to work in my DMZ (that'd be 10.0.1.0/24) later this day though.
    Thanks for the tip :-)
    Edit: Thanks a lot indeed;
    Having Praseodym be 10.0.1.2 (alyx being 10.0.1.1 in the dmz) actually solved the problems I've been having (for local connectivity that is; I can't really know if it's working unless I test it from the web)
    Last edited by Greg10 (2011-05-04 15:27:04)
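An added example, not code from the thread or from OpenVPN itself: it reproduces the net30 pool and per-client /30 assignment seen in the logs above (why praseodym is handed 10.0.2.6 with peer 10.0.2.5 while ipp.txt lists 10.0.2.4), and checks the routes in the quoted PUSH_REPLY against the client's own LAN, the overlap that moving praseodym into the DMZ removed. The pool formula is inferred from the logged base/size values, not taken from OpenVPN's source, and the client interface addresses are constructed from the thread.

```python
"""Added example (not OpenVPN's code): net30 address allocation and a
pushed-route overlap check for the configs and logs quoted above."""
import ipaddress

# Copied from the PUSH_REPLY line in the server log above.
PUSH_REPLY = ("PUSH_REPLY,route 10.0.0.0 255.255.255.0,redirect-gateway,"
              "dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,"
              "route 10.0.2.0 255.255.255.0,topology net30,ping 10,"
              "ping-restart 120,ifconfig 10.0.2.6 10.0.2.5")


def net30_pool(server_net, netmask):
    """Pool base and size as OpenVPN logs them ('IFCONFIG POOL: base=10.0.2.4
    size=62' above) for 'server NET MASK' with the default net30 topology.
    The first /30 (.0-.3) is the server's own endpoint (.1 <-> .2); the last
    /30 would include the broadcast address and is skipped; every other /30
    goes to one client.  Assumption: formula inferred from the thread's
    values, not from OpenVPN's source."""
    net = ipaddress.ip_network(f"{server_net}/{netmask}", strict=True)
    base = net.network_address + 4
    size = (net.num_addresses - 8) // 4
    return str(base), size


def net30_client(server_net, netmask, index):
    """Virtual IP and server-side peer for the index-th client: the client is
    the third address of its /30 and the peer the second, which is exactly
    the 'ifconfig 10.0.2.6 10.0.2.5' pushed to praseodym (index 0) even
    though ipp.txt records the /30's network address 10.0.2.4."""
    base, size = net30_pool(server_net, netmask)
    if not 0 <= index < size:
        raise ValueError("ifconfig pool exhausted")
    block = ipaddress.ip_address(base) + 4 * index
    return str(block + 2), str(block + 1)


def parse_push_reply(msg):
    """Pull the pushed routes and the ifconfig pair out of a PUSH_REPLY
    control message; other options (dhcp-option, ping, ...) are ignored."""
    opts = msg.split(",")
    if opts[0] != "PUSH_REPLY":
        raise ValueError("not a PUSH_REPLY")
    routes, ifconfig = [], None
    for opt in opts[1:]:
        parts = opt.split()
        if parts[0] == "route":
            routes.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}"))
        elif parts[0] == "ifconfig":
            ifconfig = (parts[1], parts[2])
    return routes, ifconfig


def route_conflicts(routes, client_ifaces):
    """Return (pushed route, local subnet) pairs that overlap.  A pushed
    route for a subnet the client is directly attached to is installed
    through the tunnel ('route add -net 10.0.0.0 netmask 255.255.255.0 gw
    10.0.2.5' in the client log) and competes with the on-link LAN route."""
    conflicts = []
    for route in routes:
        for iface in client_ifaces:
            lan = ipaddress.ip_network(iface, strict=False)
            if route.overlaps(lan):
                conflicts.append((str(route), str(lan)))
    return conflicts


if __name__ == "__main__":
    base, size = net30_pool("10.0.2.0", "255.255.255.0")
    print(f"IFCONFIG POOL: base={base} size={size}")
    print("first client:", net30_client("10.0.2.0", "255.255.255.0", 0))
    routes, ifconfig = parse_push_reply(PUSH_REPLY)
    print("pushed ifconfig:", ifconfig)
    # Constructed client addresses: praseodym on the LAN, then in the DMZ.
    print("on the LAN:", route_conflicts(routes, ["10.0.0.4/24"]))
    print("in the DMZ:", route_conflicts(routes, ["10.0.1.2/24"]))
```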

  • Installing a VPN Server in Mac OS X

    Has anyone tried to install a VPN server successfully in mac os x?
    I was able to get webmin installed successfully, and I know on my linux distros webmin automatically detects if a VPN server is installed (such as poptop) or at least if the option is there, but in mac os x (not the server version) there is nothing listed.
    Anyone know of any other VPN servers that could be installed in mac os x, or even anything for BSD that could be compiled from source?

    I run the server on PowerPC and use clients on both PowerPC and Intel. Admittedly, my wife has run off with the MBP so my use on the Intel is limited these days.
    If you want to route onto the network, you'll have to create routes after the TUN/TAP interface is up. The OS X FAQs on OpenVPN detail various ways to do this.
    # Sample OpenVPN 2.0 config file for #
    # multi-client server. #
    # This file is for the server side #
    # of a many-clients <-> one-server #
    # OpenVPN configuration. #
    # OpenVPN also supports #
    # single-machine <-> single-machine #
    # configurations (See the Examples page #
    # on the web site for more info). #
    # This config should work on Windows #
    # or Linux/BSD systems. Remember on #
    # Windows to quote pathnames and use #
    # double backslashes, e.g.: #
    # "C:\\Program Files\\OpenVPN\\config\\foo.key" #
    # Comments are preceded with '#' or ';' #
    # Which local IP address should OpenVPN
    # listen on? (optional)
    ;local 192.168.2.253
    # Which TCP/UDP port should OpenVPN listen on?
    # If you want to run multiple OpenVPN instances
    # on the same machine, use a different port
    # number for each one. You will need to
    # open up this port on your firewall.
    port 443
    # TCP or UDP server?
    ;proto tcp
    proto tcp
    # "dev tun" will create a routed IP tunnel,
    # "dev tap" will create an ethernet tunnel.
    # Use "dev tap0" if you are ethernet bridging
    # and have precreated a tap0 virtual interface
    # and bridged it with your ethernet interface.
    # If you want to control access policies
    # over the VPN, you must create firewall
    # rules for the TUN/TAP interface.
    # On non-Windows systems, you can give
    # an explicit unit number, such as tun0.
    # On Windows, use "dev-node" for this.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    ;dev tap
    dev tun
    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel if you
    # have more than one. On XP SP2 or higher,
    # you may need to selectively disable the
    # Windows firewall for the TAP adapter.
    # Non-Windows systems usually don't need this.
    ;dev-node MyTap
    # SSL/TLS root certificate (ca), certificate
    # (cert), and private key (key). Each client
    # and the server must have their own cert and
    # key file. The server and all clients will
    # use the same ca file.
    # See the "easy-rsa" directory for a series
    # of scripts for generating RSA certificates
    # and private keys. Remember to use
    # a unique Common Name for the server
    # and each of the client certificates.
    # Any X509 key management system can be used.
    # OpenVPN can also use a PKCS #12 formatted key file
    # (see "pkcs12" directive in man page).
    ca /etc/openvpn/key/ca.crt
    cert /etc/openvpn/key/server.crt
    key /etc/openvpn/key/server.key
    # Diffie hellman parameters.
    # Generate your own with:
    # openssl dhparam -out dh1024.pem 1024
    # Substitute 2048 for 1024 if you are using
    # 2048 bit keys.
    dh /etc/openvpn/key/dh1024.pem
    # Configure server mode and supply a VPN subnet
    # for OpenVPN to draw client addresses from.
    # The server will take 10.8.0.1 for itself,
    # the rest will be made available to clients.
    # Each client will be able to reach the server
    # on 10.8.0.1. Comment this line out if you are
    # ethernet bridging. See the man page for more info.
    server 169.254.1.0 255.255.255.0
    # Maintain a record of client <-> virtual IP address
    # associations in this file. If OpenVPN goes down or
    # is restarted, reconnecting clients can be assigned
    # the same virtual IP address from the pool that was
    # previously assigned.
    ifconfig-pool-persist ipp.txt
    # Configure server mode for ethernet bridging.
    # You must first use your OS's bridging capability
    # to bridge the TAP interface with the ethernet
    # NIC interface. Then you must manually set the
    # IP/netmask on the bridge interface, here we
    # assume 10.8.0.4/255.255.255.0. Finally we
    # must set aside an IP range in this subnet
    # (start=10.8.0.50 end=10.8.0.100) to allocate
    # to connecting clients. Leave this line commented
    # out unless you are ethernet bridging.
    ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
    ;server-bridge 192.168.2.1 255.255.255.0 192.168.2.240 192.168.2.245
    # Push routes to the client to allow it
    # to reach other private subnets behind
    # the server. Remember that these
    # private subnets will also need
    # to know to route the OpenVPN client
    # address pool (10.8.0.0/255.255.255.0)
    # back to the OpenVPN server.
    push "route 10.0.0.0 255.255.255.0"
    ;push "route 192.168.20.0 255.255.255.0"
    # To assign specific IP addresses to specific
    # clients or if a connecting client has a private
    # subnet behind it that should also have VPN access,
    # use the subdirectory "ccd" for client-specific
    # configuration files (see man page for more info).
    # EXAMPLE: Suppose the client
    # having the certificate common name "Thelonious"
    # also has a small subnet behind his connecting
    # machine, such as 192.168.40.128/255.255.255.248.
    # First, uncomment out these lines:
    ;client-config-dir ccd
    ;route 192.168.40.128 255.255.255.248
    # Then create a file ccd/Thelonious with this line:
    # iroute 192.168.40.128 255.255.255.248
    # This will allow Thelonious' private subnet to
    # access the VPN. This example will only work
    # if you are routing, not bridging, i.e. you are
    # using "dev tun" and "server" directives.
    # EXAMPLE: Suppose you want to give
    # Thelonious a fixed VPN IP address of 10.9.0.1.
    # First uncomment out these lines:
    ;client-config-dir ccd
    ;route 10.9.0.0 255.255.255.252
    # Then add this line to ccd/Thelonious:
    # ifconfig-push 10.9.0.1 10.9.0.2
    # Suppose that you want to enable different
    # firewall access policies for different groups
    # of clients. There are two methods:
    # (1) Run multiple OpenVPN daemons, one for each
    # group, and firewall the TUN/TAP interface
    # for each group/daemon appropriately.
    # (2) (Advanced) Create a script to dynamically
    # modify the firewall in response to access
    # from different clients. See man
    # page for more info on learn-address script.
    ;learn-address ./script
    # If enabled, this directive will configure
    # all clients to redirect their default
    # network gateway through the VPN, causing
    # all IP traffic such as web browsing and
    # DNS lookups to go through the VPN
    # (The OpenVPN server machine may need to NAT
    # the TUN/TAP interface to the internet in
    # order for this to work properly).
    # CAVEAT: May break client's network config if
    # client's local DHCP server packets get routed
    # through the tunnel. Solution: make sure
    # client's local DHCP server is reachable via
    # a more specific route than the default route
    # of 0.0.0.0/0.0.0.0.
    ;push "redirect-gateway"
    # Certain Windows-specific network settings
    # can be pushed to clients, such as DNS
    # or WINS server addresses. CAVEAT:
    # http://openvpn.net/faq.html#dhcpcaveats
    ;push "dhcp-option DNS 10.8.0.1"
    ;push "dhcp-option WINS 10.8.0.1"
    # Uncomment this directive to allow different
    # clients to be able to "see" each other.
    # By default, clients will only see the server.
    # To force clients to only see the server, you
    # will also need to appropriately firewall the
    # server's TUN/TAP interface.
    ;client-to-client
    # Uncomment this directive if multiple clients
    # might connect with the same certificate/key
    # files or common names. This is recommended
    # only for testing purposes. For production use,
    # each client should have its own certificate/key
    # pair.
    # IF YOU HAVE NOT GENERATED INDIVIDUAL
    # CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
    # EACH HAVING ITS OWN UNIQUE "COMMON NAME",
    # UNCOMMENT THIS LINE OUT.
    ;duplicate-cn
    # The keepalive directive causes ping-like
    # messages to be sent back and forth over
    # the link so that each side knows when
    # the other side has gone down.
    # Ping every 10 seconds, assume that remote
    # peer is down if no ping received during
    # a 120 second time period.
    keepalive 10 120
    # For extra security beyond that provided
    # by SSL/TLS, create an "HMAC firewall"
    # to help block DoS attacks and UDP port flooding.
    # Generate with:
    # openvpn --genkey --secret ta.key
    # The server and each client must have
    # a copy of this key.
    # The second parameter should be '0'
    # on the server and '1' on the clients.
    ;tls-auth ta.key 0 # This file is secret
    # Select a cryptographic cipher.
    # This config item must be copied to
    # the client config file as well.
    ;cipher BF-CBC # Blowfish (default)
    ;cipher AES-128-CBC # AES
    ;cipher DES-EDE3-CBC # Triple-DES
    # Enable compression on the VPN link.
    # If you enable it here, you must also
    # enable it in the client config file.
    comp-lzo
    # The maximum number of concurrently connected
    # clients we want to allow.
    ;max-clients 100
    # It's a good idea to reduce the OpenVPN
    # daemon's privileges after initialization.
    # You can uncomment this out on
    # non-Windows systems.
    ;user nobody
    ;group nobody
    # The persist options will try to avoid
    # accessing certain resources on restart
    # that may no longer be accessible because
    # of the privilege downgrade.
    persist-key
    persist-tun
    # Output a short status file showing
    # current connections, truncated
    # and rewritten every minute.
    status /var/log/openvpn-status.log
    # By default, log messages will go to the syslog (or
    # on Windows, if running as a service, they will go to
    # the "\Program Files\OpenVPN\log" directory).
    # Use log or log-append to override this default.
    # "log" will truncate the log file on OpenVPN startup,
    # while "log-append" will append to it. Use one
    # or the other (but not both).
    ;log openvpn.log
    ;log-append openvpn.log
    # Set the appropriate level of log
    # file verbosity.
    # 0 is silent, except for fatal errors
    # 4 is reasonable for general usage
    # 5 and 6 can help to debug connection problems
    # 9 is extremely verbose
    verb 3
    # Silence repeating messages. At most 20
    # sequential messages of the same message
    # category will be output to the log.
    ;mute 20

  • Qemu-kvm guest virtio networking halts

    Hi,
    I recently switched from Debian to Archlinux, but I seem to have stumbled on a bug that has made the transition a bit painful since I rely on virtualization.
    Overview:
    qemu-kvm guest's network interface dies after "some" traffic over nfs via the virtio interface.
    Using e1000 instead of virtio network seems to solve the problem so far... but at a cost of performance.
    Any suggestions on how to resolve the issue or how to work around the problem without sacrificing performance?
    How to reproduce:
    Configure the guest to use virtio as network driver and attach the interface to a bridge that the host has a configured interface on.
    Export a share with a large amount of data over nfs from the host and read that data over nfs from the guest.
    ( what is funny/strange is that I could not get nuttcp to force the problem... )
    Detail:
    My guests are connected via tap interfaces to a bridge on my host and they are using virtio.
    After retrieving "some" network traffic from the host over nfs the guest's interface stops receiving traffic and logs "page allocation failure. order:0, mode:0x20" ( Log included below )
    - tshark on guest verifies guest sending arp requests but not receiving arp reply
    - tshark on host shows that the host is both receiving arp request and sending arp reply
    Guests are running with the following parameters:
    %sudo /usr/bin/qemu-system-x86_64 -M pc-0.11 -enable-kvm -m 512 -smp 1 -name myguest -boot c -drive file=/mnt/myguest.img,if=virtio,index=0,boot=on -net nic,vlan=0,model=virtio,name=virtio.0 -net tap,vlan=0,name=tap.0,ifname=tap0 -serial pty -parallel none -usb -vnc 0.0.0.0:10 -k sv -vga std
    host is currently running:
    qemu-kvm 0.11.0-1
    testing/kernel26 2.6.32-1
    testing/kernel26-firmware 2.6.32-1
    guest is currently running
    testing/kernel26 2.6.32-1
    testing/kernel26-firmware 2.6.32-1
    kernel from testing on both host/guest was an attempt to work around a potential issue in 2.6.30 but the fault is present with both kernels.
    I don't believe that the problem lies on the archlinux guest since a Debian(Lenny) guest experiences the same problem.
    The same guest on the same hardware running on Debian(Lenny) as a host works fine.
    from /var/log/messages
    2009-12-14T00:10:58.160723+01:00 myguest kernel: tar: page allocation failure. order:0, mode:0x20
    2009-12-14T00:10:58.160809+01:00 myguest kernel: Pid: 31303, comm: tar Not tainted 2.6.32-ARCH #7
    2009-12-14T00:10:58.160821+01:00 myguest kernel: Call Trace:
    2009-12-14T00:10:58.160859+01:00 myguest kernel: <IRQ> [<ffffffff810d5778>] ? __alloc_pages_nodemask+0x6b8/0x700
    2009-12-14T00:10:58.160864+01:00 myguest kernel: [<ffffffffa019cb4b>] ? try_fill_recv+0x8b/0x1c0 [virtio_net]
    2009-12-14T00:10:58.160869+01:00 myguest kernel: [<ffffffffa019d57d>] ? virtnet_poll+0x3ad/0x6e0 [virtio_net]
    2009-12-14T00:10:58.160872+01:00 myguest kernel: [<ffffffff8129146a>] ? net_rx_action+0x15a/0x2a0
    2009-12-14T00:10:58.160876+01:00 myguest kernel: [<ffffffffa019c2b5>] ? skb_recv_done+0x25/0x40 [virtio_net]
    2009-12-14T00:10:58.160884+01:00 myguest kernel: [<ffffffff8105d177>] ? __do_softirq+0xd7/0x240
    2009-12-14T00:10:58.160887+01:00 myguest kernel: [<ffffffff810131dc>] ? call_softirq+0x1c/0x30
    2009-12-14T00:10:58.160891+01:00 myguest kernel: <EOI> [<ffffffff81015315>] ? do_softirq+0x65/0xa0
    2009-12-14T00:10:58.160894+01:00 myguest kernel: [<ffffffff8105d07e>] ? local_bh_enable+0xae/0xb0
    2009-12-14T00:10:58.160901+01:00 myguest kernel: [<ffffffff81291f44>] ? dev_queue_xmit+0x144/0x4e0
    2009-12-14T00:10:58.160905+01:00 myguest kernel: [<ffffffff812c1b36>] ? ip_queue_xmit+0x196/0x440
    2009-12-14T00:10:58.160908+01:00 myguest kernel: [<ffffffff812a82de>] ? sch_direct_xmit+0x6e/0x1e0
    2009-12-14T00:10:58.160912+01:00 myguest kernel: [<ffffffff812d61c8>] ? tcp_transmit_skb+0x3a8/0x750
    2009-12-14T00:10:58.160915+01:00 myguest kernel: [<ffffffff812d875c>] ? tcp_write_xmit+0x1ec/0xa10
    2009-12-14T00:10:58.160923+01:00 myguest kernel: [<ffffffff812890bf>] ? __alloc_skb+0x6f/0x180
    2009-12-14T00:10:58.160926+01:00 myguest kernel: [<ffffffff812d8fe3>] ? __tcp_push_pending_frames+0x23/0x90
    2009-12-14T00:10:58.160930+01:00 myguest kernel: [<ffffffff812cb9e9>] ? tcp_sendmsg+0x8b9/0xbb0
    2009-12-14T00:10:58.160933+01:00 myguest kernel: [<ffffffff8127f95e>] ? sock_sendmsg+0x12e/0x150
    2009-12-14T00:10:58.160940+01:00 myguest kernel: [<ffffffff81074040>] ? autoremove_wake_function+0x0/0x30
    2009-12-14T00:10:58.160944+01:00 myguest kernel: [<ffffffff8127fd79>] ? kernel_sendmsg+0x39/0x50
    2009-12-14T00:10:58.160947+01:00 myguest kernel: [<ffffffffa0291292>] ? xs_send_kvec+0x82/0x90 [sunrpc]
    2009-12-14T00:10:58.160951+01:00 myguest kernel: [<ffffffffa02912f4>] ? xs_sendpages+0x54/0x200 [sunrpc]
    2009-12-14T00:10:58.160955+01:00 myguest kernel: [<ffffffffa02915d8>] ? xs_tcp_send_request+0x58/0x190 [sunrpc]
    2009-12-14T00:10:58.160962+01:00 myguest kernel: [<ffffffffa028ee3c>] ? xprt_transmit+0x7c/0x300 [sunrpc]
    2009-12-14T00:10:58.160966+01:00 myguest kernel: [<ffffffffa028bf3f>] ? call_transmit+0x18f/0x2b0 [sunrpc]
    2009-12-14T00:10:58.160969+01:00 myguest kernel: [<ffffffffa029437a>] ? __rpc_execute+0xaa/0x2b0 [sunrpc]
    2009-12-14T00:10:58.160973+01:00 myguest kernel: [<ffffffffa028cae1>] ? rpc_run_task+0x31/0x80 [sunrpc]
    2009-12-14T00:10:58.160980+01:00 myguest kernel: [<ffffffffa0323d1e>] ? nfs_read_rpcsetup+0x17e/0x1e0 [nfs]
    2009-12-14T00:10:58.160984+01:00 myguest kernel: [<ffffffffa03238b0>] ? readpage_async_filler+0x0/0x190 [nfs]
    2009-12-14T00:10:58.160988+01:00 myguest kernel: [<ffffffffa03238b0>] ? readpage_async_filler+0x0/0x190 [nfs]
    2009-12-14T00:10:58.160991+01:00 myguest kernel: [<ffffffffa032158a>] ? nfs_pageio_doio+0x2a/0x70 [nfs]
    2009-12-14T00:10:58.160995+01:00 myguest kernel: [<ffffffffa032161b>] ? nfs_pageio_add_request+0x4b/0xf0 [nfs]
    2009-12-14T00:10:58.161003+01:00 myguest kernel: [<ffffffffa03239aa>] ? readpage_async_filler+0xfa/0x190 [nfs]
    2009-12-14T00:10:58.161007+01:00 myguest kernel: [<ffffffffa03238b0>] ? readpage_async_filler+0x0/0x190 [nfs]
    2009-12-14T00:10:58.161010+01:00 myguest kernel: [<ffffffff810d7dc1>] ? read_cache_pages+0xa1/0x100
    2009-12-14T00:10:58.161014+01:00 myguest kernel: [<ffffffffa03234bd>] ? nfs_readpages+0x19d/0x2b0 [nfs]
    2009-12-14T00:10:58.161021+01:00 myguest kernel: [<ffffffffa0324230>] ? nfs_pagein_one+0x0/0xe0 [nfs]
    2009-12-14T00:10:58.161024+01:00 myguest kernel: [<ffffffff810d7709>] ? __do_page_cache_readahead+0x1c9/0x280
    2009-12-14T00:10:58.161028+01:00 myguest kernel: [<ffffffff810d77dc>] ? ra_submit+0x1c/0x30
    2009-12-14T00:10:58.161031+01:00 myguest kernel: [<ffffffff810d0629>] ? generic_file_aio_read+0x339/0x600
    2009-12-14T00:10:58.161035+01:00 myguest kernel: [<ffffffff8110edb2>] ? do_sync_read+0xe2/0x120
    2009-12-14T00:10:58.161042+01:00 myguest kernel: [<ffffffff81074040>] ? autoremove_wake_function+0x0/0x30
    2009-12-14T00:10:58.161045+01:00 myguest kernel: [<ffffffff81331212>] ? preempt_schedule_irq+0x42/0x70
    2009-12-14T00:10:58.161049+01:00 myguest kernel: [<ffffffff8104ad02>] ? finish_task_switch+0x42/0xc0
    2009-12-14T00:10:58.161052+01:00 myguest kernel: [<ffffffff8110fb65>] ? vfs_read+0xb5/0x1a0
    2009-12-14T00:10:58.161059+01:00 myguest kernel: [<ffffffff8110fd3e>] ? sys_read+0x4e/0x90
    2009-12-14T00:10:58.161063+01:00 myguest kernel: [<ffffffff81012e8b>] ? device_not_available+0x1b/0x20
    2009-12-14T00:10:58.161066+01:00 myguest kernel: [<ffffffff81012042>] ? system_call_fastpath+0x16/0x1b
    2009-12-14T00:10:58.161068+01:00 myguest kernel: Mem-Info:
    2009-12-14T00:10:58.161071+01:00 myguest kernel: DMA per-cpu:
    2009-12-14T00:10:58.161077+01:00 myguest kernel: CPU 0: hi: 0, btch: 1 usd: 0
    2009-12-14T00:10:58.161080+01:00 myguest kernel: DMA32 per-cpu:
    2009-12-14T00:10:58.161083+01:00 myguest kernel: CPU 0: hi: 186, btch: 31 usd: 137
    2009-12-14T00:10:58.161086+01:00 myguest kernel: active_anon:887 inactive_anon:896 isolated_anon:0
    2009-12-14T00:10:58.161089+01:00 myguest kernel: active_file:4740 inactive_file:112288 isolated_file:0
    2009-12-14T00:10:58.161092+01:00 myguest kernel: unevictable:0 dirty:8 writeback:0 unstable:0
    2009-12-14T00:10:58.161099+01:00 myguest kernel: free:728 slab_reclaimable:1589 slab_unreclaimable:1798
    2009-12-14T00:10:58.161102+01:00 myguest kernel: mapped:1605 shmem:17 pagetables:332 bounce:0
    2009-12-14T00:10:58.161111+01:00 myguest kernel: DMA free:1988kB min:84kB low:104kB high:124kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:13860kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:15352kB mlocked:0kB dirty:0kB writeback:0kB mapped:0kB shmem:0kB slab_reclaimable:16kB slab_unreclaimable:56kB kernel_stack:0kB pagetables:0kB unstable:0kB bounce:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
    2009-12-14T00:10:58.161119+01:00 myguest kernel: lowmem_reserve[]: 0 489 489 489
    2009-12-14T00:10:58.161162+01:00 myguest kernel: DMA32 free:924kB min:2784kB low:3480kB high:4176kB active_anon:3548kB inactive_anon:3584kB active_file:18960kB inactive_file:435292kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:500896kB mlocked:0kB dirty:32kB writeback:0kB mapped:6420kB shmem:68kB slab_reclaimable:6340kB slab_unreclaimable:7136kB kernel_stack:1104kB pagetables:1328kB unstable:0kB bounce:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
    2009-12-14T00:10:58.161167+01:00 myguest kernel: lowmem_reserve[]: 0 0 0 0
    2009-12-14T00:10:58.161171+01:00 myguest kernel: DMA: 1*4kB 0*8kB 0*16kB 2*32kB 2*64kB 2*128kB 2*256kB 0*512kB 1*1024kB 0*2048kB 0*4096kB = 1988kB
    2009-12-14T00:10:58.161179+01:00 myguest kernel: DMA32: 93*4kB 1*8kB 2*16kB 0*32kB 2*64kB 3*128kB 0*256kB 0*512kB 0*1024kB 0*2048kB 0*4096kB = 924kB
    2009-12-14T00:10:58.161182+01:00 myguest kernel: 117053 total pagecache pages
    2009-12-14T00:10:58.161184+01:00 myguest kernel: 0 pages in swap cache
    2009-12-14T00:10:58.161187+01:00 myguest kernel: Swap cache stats: add 0, delete 0, find 0/0
    2009-12-14T00:10:58.161194+01:00 myguest kernel: Free swap = 0kB
    2009-12-14T00:10:58.161196+01:00 myguest kernel: Total swap = 0kB
    2009-12-14T00:10:58.161199+01:00 myguest kernel: 131056 pages RAM
    2009-12-14T00:10:58.161201+01:00 myguest kernel: 4443 pages reserved
    2009-12-14T00:10:58.161204+01:00 myguest kernel: 8899 pages shared
    2009-12-14T00:10:58.161210+01:00 myguest kernel: 120326 pages non-shared
    Last edited by nlights (2009-12-17 22:10:20)

    Mr.Elendig wrote:Bridging is the best way to do it, so you should give us some more info on your attempt at it, so that we can help you fix it.
    Ok, I've followed the instructions from the wiki.
    One problem is that I'm on a laptop. eth0 is wireless and eth1 is wired. I chose to use eth1 since I thought it'd be easier to get working on one device before trying to make it work on both.
    1. bridge and tun modules are loaded from rc.conf
    2. In /etc/conf.d/bridges I have this:
    bridge_br0="eth1"
    BRIDGE_INTERFACES=(br0)
    3. In /etc/rc.conf I changed my networking portion to this:
    eth1="eth1 up"
    br0="dhcp"
    INTERFACES=(eth1 br0)
    4. In /etc/udev/rules.d/65-kvm.rules I have this:
    KERNEL=="tun", NAME="net/%k", GROUP="kvm", MODE="0660"
    5. My user is part of the kvm group, although I have also tried running qemu-kvm as root.
    6. In /etc/qemu-ifup I put:
    #!/bin/sh
    echo "Executing /etc/qemu-ifup"
    echo "Bringing up $1 for bridged mode..."
    sudo /sbin/ifconfig $1 0.0.0.0 promisc up
    echo "Adding $1 to br0..."
    sudo /usr/sbin/brctl addif br0 $1
    sleep 2
    7. Using visudo I added this to the bottom:
    Cmnd_Alias QEMU=/sbin/ifconfig,/sbin/modprobe,/usr/sbin/brctl,/usr/bin/tunctl
    %kvm ALL=NOPASSWD: QEMU
    8. I launch qemu-kvm with the following script:
    USERID=`whoami`
    IFACE=`sudo tunctl -b -u $USERID`
    qemu-kvm -net nic -net tap,ifname="$IFACE" -vga std -m 1024 -k en-us -usbdevice tablet -localtime /dev/sda
    sudo tunctl -d $IFACE &> /dev/null
    My system starts with br0 getting the dhcp IP on boot, so that part is working.
    When I run the qemu-kvm start script I get this error (running as user or root):
    /etc/qemu-ifup: could not launch network script
    Could not initialize device 'tap'
    /etc/qemu-ifup is executable
    Last edited by shakin (2009-06-05 19:13:14)

  • OpenVPN - up/down scripts not run correctly

    Hi,
    I have an OpenVPN client on my computer which connects to a remote server at startup (launched by systemd). The connection is primarily used to set up a network drive. To make this process as smooth as possible I'm trying to mount with an up script and unmount with a down script. This is my config:
    client
    dev tun
    proto udp
    remote site.xxx 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca site.crt
    cert site.crt
    key site.key
    comp-lzo
    verb 3
    reneg-sec 0
    script-security 3
    route-up /etc/openvpn/up.sh
    route-pre-down /etc/openvpn/down.sh
    (last two lines)
    In theory, up.sh should execute when the connection is initialized and the routes are in place. And down.sh should run when the connection is still active just before the routes are removed. This seems to be the case in the log:
    Sat Mar 22 08:37:50 2014 OpenVPN 2.3.2 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Nov 13 2013
    Sat Mar 22 08:37:50 2014 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Sat Mar 22 08:37:50 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sat Mar 22 08:37:50 2014 WARNING: file 'site.key' is group or others accessible
    Sat Mar 22 08:37:50 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
    Sat Mar 22 08:37:50 2014 UDPv4 link local: [undef]
    Sat Mar 22 08:37:50 2014 UDPv4 link remote: [AF_INET]xxx:1194
    Sat Mar 22 08:37:50 2014 TLS: Initial packet from [AF_INET]xxx:1194, sid=cc55bb26 51a6f522
    Sat Mar 22 08:37:50 2014 VERIFY OK: depth=1, C=SE, ST=Stockholm, L=Stockholm, O=xxx, CN=xxx CA, emailAddress=xxx
    Sat Mar 22 08:37:50 2014 VERIFY OK: depth=0, C=SE, ST=Stockholm, L=Stockholm, O=xxx, CN=xxx, emailAddress=xxx
    Sat Mar 22 08:37:50 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sat Mar 22 08:37:50 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Mar 22 08:37:50 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sat Mar 22 08:37:50 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Mar 22 08:37:50 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Sat Mar 22 08:37:50 2014 [xxx] Peer Connection Initiated with [AF_INET]xxx:1194
    Sat Mar 22 08:37:52 2014 SENT CONTROL [xxx]: 'PUSH_REQUEST' (status=1)
    Sat Mar 22 08:37:52 2014 PUSH: Received control message: 'PUSH_REPLY,route xxx 255.255.255.0,route xxx 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig xxx xxx'
    Sat Mar 22 08:37:52 2014 OPTIONS IMPORT: timers and/or timeouts modified
    Sat Mar 22 08:37:52 2014 OPTIONS IMPORT: --ifconfig/up options modified
    Sat Mar 22 08:37:52 2014 OPTIONS IMPORT: route options modified
    Sat Mar 22 08:37:52 2014 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=eth0 HWADDR=ec:a8:6b:ff:de:31
    Sat Mar 22 08:37:52 2014 TUN/TAP device tun0 opened
    Sat Mar 22 08:37:52 2014 TUN/TAP TX queue length set to 100
    Sat Mar 22 08:37:52 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sat Mar 22 08:37:52 2014 /usr/bin/ip link set dev tun0 up mtu 1500
    Sat Mar 22 08:37:52 2014 /usr/bin/ip addr add dev tun0 local xxxpeer xxx
    Sat Mar 22 08:37:52 2014 /usr/bin/ip route add xxx via xxx
    Sat Mar 22 08:37:52 2014 /usr/bin/ip route add xxx via xxx
    Mounting network drives...
    mount error(115): Operation now in progress
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
    mount error(115): Operation now in progress
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
    Sat Mar 22 08:38:12 2014 Initialization Sequence Completed
    ^CSat Mar 22 08:38:18 2014 event_wait : Interrupted system call (code=4)
    Sat Mar 22 08:38:18 2014 /etc/openvpn/down.sh tun0 1500 1542 xxx xxx init
    Unmounting network drives...
    Sat Mar 22 08:40:22 2014 /usr/bin/ip route del xxx
    Sat Mar 22 08:40:22 2014 /usr/bin/ip route del xxx
    Sat Mar 22 08:40:22 2014 Closing TUN/TAP interface
    Sat Mar 22 08:40:22 2014 /usr/bin/ip addr del dev tun0 local xxx peer xxx
    Sat Mar 22 08:40:22 2014 SIGINT[hard,] received, process exiting
    But here's the problem. The up script will not mount because it doesn't seem to be able to reach the network. The routes ARE there (checked via netstat -rn in the up script) but it will not work. It works perfectly if I run the script manually directly after OpenVPN is done. And the down script (which unmounts the drives) just hangs because the connection seems to be interrupted.
    So, how can I make it work so that mount and umount are handled by OpenVPN? Am I missing something?

    Managed to get around the problem using systemd:
    [Unit]
    Description=OpenVPN connection to %i
    [Service]
    Type=forking
    ExecStart=/usr/bin/openvpn --cd /etc/openvpn --config /etc/openvpn/%i.conf --daemon openvpn@%i
    ExecStartPost=/root/scripts/mount.sh
    ExecStop=/root/scripts/umount.sh
    [Install]
    WantedBy=multi-user.target
    ...but I think it's cleaner to do it in the OpenVPN config, so I'd still like some help there :-)
    Last edited by twarkie (2014-03-22 15:37:49)

  • Qemu networking

    I've spent all day trying to sort out qemu. I want to use qemu and not vmware because my server is headless (no X) and I want to run a virtual machine on it with an apache server.
    I'm sure if I can get my head around it, it'll be fine, but I can't seem to network it so as to be able to ssh into it.
    What I've done is:
    1) install arch on a virtual machine in qemu using X on my desktop.
    2) install and configure openssh in the VM
    3) set up tun/tap networking with qemu on my desktop pc.
    3) used firestarter to share the network connection of my host pc (eth0) so that it's routed to tap0 (nat? I told it to "share the internet connection" so I'm not quite sure what it does) - the network interface on my host pc that qemu is connected to.
    4) qemu connects to internet and I can ssh into it from the host pc.
    Now the problem comes when I want to run the VM (using the -nographic option) on the server, which has no X and therefore can't run firestarter. I've tried installing shorewall on the server, which works, and I can change the rules to allow / disallow pings from my PC over the lan etc, but I can't get it to do what firestarter was doing for the VM, ie route ssh traffic to the virtual subnet, or pings either.
    I already have a hardware firewall, so shorewall / firestarter are overkill for what I want. All I want is to be able to route ssh, http and ftp traffic to the VM from the server's "external" IP (the one on my lan).
    I've tried but I can't work out what to use. firestarter did something that worked when I ran the VM on my desktop, but I can't use it on the server and I don't know what it did to enable this so as to replicate its settings on the server via command line.
    I'm presuming I need to use 'route' or 'iptables' somehow? I tried to understand it all, but my brain's about given up for today!

    This is really weird! If I run the VM on my PC, with the -nographic option, and no firestarter running, I can still ping and ssh into it! It only started doing that when I ran firestarter and told it to "share the internet connection". I've flushed iptables, checked the routing tables, and everything looks the same as the server, yet the same thing on the server results in no ping.
    for reference, my lan uses 192.168.1.6 for the pc and 192.168.1.2 for the server. when qemu is running (on either machine) the tap interface is given address 172.20.0.1, and the vm is set up on 172.20.0.2.
    so to clarify,
    ping 172.20.0.2
    works on my desktop pc when the VM is running, but not on my server when the VM is running on that. Both are running up to date arch installs. The server has some different software (and a lot less of it) but I can't see what's causing it not to work on the server! arrrrgh help me!

  • Tap0.device issues while attempting to start bridged network

    I'm trying to get the bridged network working so I can run xen, and every time I try sudo netctl enable xenbridge-dhcp I get this error in journalctl.
    -- Logs begin at Wed 2013-05-15 14:16:16 PDT, end at Tue 2013-05-28 18:26:42 PDT. --
    May 28 18:25:07 kimbra sudo[23762]: pam_unix(sudo:session): session closed for user root
    May 28 18:25:12 kimbra sudo[23764]: jd : TTY=pts/1 ; PWD=/home/jd ; USER=root ; COMMAND=/usr/bin/netctl start xenbridge-dhcp
    May 28 18:25:12 kimbra sudo[23764]: pam_unix(sudo:session): session opened for user root by (uid=0)
    May 28 18:25:12 kimbra systemd[1]: Expecting device sys-subsystem-net-devices-tap0.device...
    -- Subject: Unit sys-subsystem-net-devices-tap0.device has begun with start-up
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/li … temd-devel
    -- Unit sys-subsystem-net-devices-tap0.device has begun starting up.
    May 28 18:26:42 kimbra systemd[1]: Job sys-subsystem-net-devices-tap0.device/start timed out.
    May 28 18:26:42 kimbra systemd[1]: Timed out waiting for device sys-subsystem-net-devices-tap0.device.
    -- Subject: Unit sys-subsystem-net-devices-tap0.device has failed
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/li … temd-devel
    -- Documentation: http://www.freedesktop.org/wiki/Softwar … e9d022f03d
    -- Unit sys-subsystem-net-devices-tap0.device has failed.
    -- The result is timeout.
    May 28 18:26:42 kimbra systemd[1]: Dependency failed for xen bridge.
    -- Subject: Unit netctl@xenbridge\x2ddhcp.service has failed
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/li … temd-devel
    -- Documentation: http://www.freedesktop.org/wiki/Softwar … e9d022f03d
    -- Unit netctl@xenbridge\x2ddhcp.service has failed.
    -- The result is dependency.
    May 28 18:26:42 kimbra sudo[23764]: pam_unix(sudo:session): session closed for user root
    tap0.device is not working and I can't find the uml_utilities package anywhere.
    help?

    Sorry for the rather late response, but I've just been through this issue myself. The tunctl & brctl utilities are now part of 'uml_utilities', which is itself deprecated.
    I downloaded uml_utilities and installed it.
    I've encountered a bug which appears to be common to all bridged networking (the inbuilt VirtualBox bridging demonstrates the same problem). The nature of the bug is that if I bridge with the physical ethernet adapter, only a linux guest VM can see the outside world. This is true whether the guest is running under VirtualBox or KVM so the issue appears to be generic.
    Non-linux guests can see each other and the *host*, but not the rest of the world. Speculations as to the reason include the deprecation of Uml_Utilities, but regardless, I tried something different.
    I created the bridge and assigned it a separate subnet. I added some tap interfaces. I ran a DHCP server instance listening on the bridge alone. I set forwarding on, and created a static route enabling my router to find the virtual subnet.
    I used dnsmasq for the DHCP as it isn't used by my regular network setup, meaning that I can screw around with it trivially without breaking things. Additionally, I set up the config automatically from my vnet script. I can potentially add multiple virtual subnets this way although I haven't included support in the script as yet. The minimal config hands out addresses from the pool specified on the vnet command line, and I can set up static addresses on the same subnet by referencing the contents of /etc/host and /etc/ethers (it identifies vms by mac address).
    This works perfectly, and has the advantage that the virtual network traffic will route via wireless as well as cabled ethernet. It also makes it simple to firewall the virtual subnet and reduces the risk of experiencing minor hassle when my broken vnet code stuffs the ethernet interface.
    Ping me if you want a copy of the vnet script, although it's still very much a work in progress.
    Last edited by salafrance (2013-09-21 20:02:12)

  • Another KVM Bridged Networking Thread

    Hello everyone,
    I'm having some trouble getting KVM bridged networking to work following the instructions here:
    http://wiki.archlinux.org/index.php/Qem … _with_QEMU
    The VM I set up to test is running CentOS 5.5 and is unable to get an IP address. Here's what I run before attempting to start it:
    Turn off wireless:
    % sudo netcfg -a
    Running 'ip link sh' shows that wlan0 is down after this.
    Allow forwarding and adjust iptables:
    % su -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    % sudo iptables -P FORWARD ACCEPT
    % cd /proc/sys/net/bridge
    % su -c 'for f in bridge-nf-*; do echo 0 > $f; done'
    Start the bridge:
    % sudo brctl addbr br0
    % sudo brctl addif br0 eth0
    % sudo ip link set up dev eth0
    % sudo dhcpcd br0
    Occasionally br0 times out and I have to run dhcpcd twice, but it comes up eventually. I can ping out to the Internet at this point.
    I believe that when I start my VM at this point tap networking is supposed to work, but obviously I am doing something wrong. I have tried starting it both as root and as my regular user. For reference, here is my run-qemu script:
    #!/bin/sh
    USERID=`whoami`
    IFACE=`sudo tunctl -b -u $USERID`
    MAC=`echo -n "FF:FF"; for n in 1 2 3 4; do echo -n ":" && cat /dev/urandom | tr -dc '0-9A-F' | head -c 2; done`
    qemu-kvm -daemonize -net nic,macaddr="${MAC}" -net tap,ifname="${IFACE}" \
    -k en-us -m 512 -smp 2 $*
    sudo tunctl -d $IFACE &> /dev/null
    ...and my /etc/qemu-ifup script:
    #!/bin/sh
    echo "Executing /etc/qemu-ifup"
    echo "Bringing up $1 for bridged mode..."
    sudo ip link set dev $1 up
    echo "Adding $1 to br0..."
    sudo /usr/sbin/brctl addif br0 $1
    sleep 2
    I originally used 'sudo /sbin/ifconfig $1 0.0.0.0 promisc up' in place of 'ip link set ...' but without any different results. I have also tried a completely empty iptables ruleset, with all chains set to ALLOW, just in case; no dice.
    Does anyone have any ideas? Thanks for any help you can provide, I appreciate your time.
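One thing worth checking in the run-qemu script above, independent of the bridge setup: the MAC it builds starts with FF:FF, and the low bit of a MAC's first octet is the I/G bit (1 marks a group/multicast address), so a NIC cannot carry such an address as its own. Added example, not from the thread: a validator for guest MACs plus a generator using the locally administered unicast prefix 52:54:00 that QEMU itself defaults to; posted_script_mac() only reproduces the shape of the posted script's output.

```python
"""Sanity check for the guest MAC that the run-qemu script above builds.

Added example, not from the post. First-octet bit 0 is the I/G bit
(1 = group/multicast, unusable as a station address); bit 1 is the
U/L bit (1 = locally administered). A prefix of FF:FF always sets I/G,
so the resulting MAC is never valid for a guest NIC. QEMU's default
prefix 52:54:00 has I/G clear and U/L set.
"""
import os
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def mac_problems(mac):
    """Return the reasons a MAC is unusable as a guest NIC address ([] if fine)."""
    if not MAC_RE.match(mac):
        return ["not six colon-separated hex octets"]
    octets = [int(o, 16) for o in mac.split(":")]
    problems = []
    if octets[0] & 0x01:
        problems.append("I/G bit set: group (multicast/broadcast) address")
    if not any(octets):
        problems.append("all-zero address")
    elif (octets[0] & 0x02) == 0:
        # Universally administered bit pattern with a random tail: may collide
        # with a real vendor OUI, so flag it as a warning.
        problems.append("U/L bit clear: random tail under a vendor-assigned OUI")
    return problems


def posted_script_mac():
    """Same shape as the posted script's output: 'FF:FF' plus four random octets."""
    return "FF:FF" + "".join(f":{b:02X}" for b in os.urandom(4))


def random_guest_mac(prefix=(0x52, 0x54, 0x00)):
    """Locally administered unicast MAC: QEMU's 52:54:00 prefix plus a random tail."""
    return ":".join(f"{b:02x}" for b in prefix + tuple(os.urandom(3)))
```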

    Try setting a static ip first for both br0 and the qemu tap interface, and see if the host and VM are able to communicate properly. If they can't, don't add the tap interface to br0, assign the tap interface an ip, and see if you are able to communicate with the VM.

  • Probs with openvpn

    Has anybody got OpenVPN2 working well under Arch? I had no trouble setting it up under Slackware, but for some reason I'm failing with Arch.
    I get this error message every time I try to log on:
    Note: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
    Note: Attempting fallback to kernel 2.2 TUN/TAP interface
    Cannot open TUN/TAP dev /dev/tun0: No such file or directory (errno=2)
    This is after I've manually created the device /dev/net/tun using the following procedure:
    # mkdir /dev/net
    # mknod /dev/net/tun c 10 200
    # modprobe tun
    # echo 1 > /proc/sys/net/ipv4/ip_forward
    I verified the existence of /dev/net/tun and the permissions seem fine on /dev/net and /dev/net/tun.
    Any ideas? As I say, this same procedure works fine on Slackware 10.1, also running kernel 2.6.11.
    Thanks.

    IceRAM wrote:2. the permissions might be ok, but the application might run with different permissions under each distribution (you might want to check this too)
    =drop privileges of the current user and switch to another more restricted one (for security reasons), like apache does. The new user rights should match the node permissions.
    Also, check the Udev rules. I don't know if there are rules for those nodes in the default ruleset.

  • Cleanly close VPN.

    I got an account with Mullvad, and set up the account directly with the OpenVPN files rather than with the client they provide.
    To start the connection I run
    sudo openvpn /etc/openvpn/mullvad_linux.conf
    I get a connection and to terminate it I press CTRL+C with the following result
    ]^CSat Jul 7 22:11:58 2012 event_wait : Interrupted system call (code=4)
    Sat Jul 7 22:11:58 2012 TCP/UDP: Closing socket
    Sat Jul 7 22:11:58 2012 /usr/sbin/ip route del 10.9.0.1/32
    Sat Jul 7 22:11:58 2012 /usr/sbin/ip route del 95.211.10.3/32
    Sat Jul 7 22:11:58 2012 /usr/sbin/ip route del 0.0.0.0/1
    Sat Jul 7 22:11:58 2012 /usr/sbin/ip route del 128.0.0.0/1
    Sat Jul 7 22:11:58 2012 Closing TUN/TAP interface
    Sat Jul 7 22:11:58 2012 /usr/sbin/ip addr del dev tun0 local 10.9.0.46 peer 10.9.0.45
    Sat Jul 7 22:11:58 2012 /usr/share/openvpn/update-resolv-conf tun0 1500 1542 10.9.0.46 10.9.0.45 init
    Sat Jul 7 22:11:58 2012 SIGINT[hard,] received, process exitin
    I open up wireshark (after the terminated VPN connection) and the output provided shows that mullvad are being denied on every connection attempt as they are sending a UDP segment and my machine is responding with an ICMP Port Unreachable (even if I reboot I get the same results).
    I sent an email to mullvad and got the following response "The VPN servers have a long timeout when trying to keep a tunnel alive when it is not cleanly closed for some reason. If you have made many connections then the servers send ping packets for many tunnels, each tunnel having a port of its own. "
    This is my config /etc/openvpn/mullvad_linux.conf
    # Notice to Mullvad customers:
    # Apart from openvpn, you also need to install the
    # package "resolvconf", available via apt, e.g.
    # For those of you behind very restrictive firewalls,
    # you can use our tunnels on tcp port 80, as well as
    # on udp port 53.
    client
    dev tun
    proto udp
    #proto tcp
    remote openvpn.mullvad.net 1194
    #remote openvpn.mullvad.net 80
    #remote openvpn.mullvad.net 53
    # Keep trying indefinitely to resolve the
    # host name of the OpenVPN server. Very useful
    # on machines which are not permanently connected
    # to the internet such as laptops.
    resolv-retry infinite
    # Most clients don't need to bind to
    # a specific local port number.
    nobind
    # Try to preserve some state across restarts.
    persist-key
    persist-tun
    # Enable compression on the VPN link.
    comp-lzo
    # Set log file verbosity.
    verb 3
    remote-cert-tls server
    ping-exit 60
    # Allow calling of built-in executables and user-defined scripts.
    script-security 2
    # Parses DHCP options from openvpn to update resolv.conf
    up /usr/share/openvpn/update-resolv-conf
    down /usr/share/openvpn/update-resolv-conf
    ping 10
    ca /etc/openvpn/master.mullvad.net.crt
    cert /etc/openvpn/mullvad.crt
    key /etc/openvpn/mullvad.key
    As for update-resolv-conf, I am using the one provided on the Arch Linux OpenVPN wiki (DNS section).
    What could be causing the VPN connection to not cleanly close?
    Last edited by coexistence (2012-07-08 04:21:58)

    I will contact Mullvad and will update back.
    Yes, I am using iptables; here is my /etc/iptables/iptables.rules:
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [700:98250]
    :TCP - [0:0]
    :UDP - [0:0]
    -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m conntrack --ctstate INVALID -j DROP
    -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
    -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
    -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    -A INPUT -j REJECT --reject-with icmp-proto-unreachable
    COMMIT
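The Wireshark observation in the post (the host answering the VPN server's UDP keepalives with ICMP Port Unreachable) follows directly from the posted INPUT chain once the tunnel's UDP conntrack entry has expired: a keepalive that no longer matches RELATED,ESTABLISHED is treated as NEW, the UDP user chain is empty so it falls through, and the packet reaches the `-p udp -j REJECT --reject-with icmp-port-unreachable` rule. The following is an added example, not code from the original post or from Mullvad; it parses the rule set exactly as posted and walks sample packets through it. The packet values are assumptions for illustration: the source address is the /32 host route that the posted OpenVPN log deletes (assumed to be the VPN server), the interface name wlan0 and the conntrack states are constructed.

```python
"""Evaluate the posted iptables INPUT chain against sample inbound packets.

Added example: a minimal rule-set simulator covering only the match options
that appear in the posted rules (-s, -i, -p, --ctstate, --icmp-type,
--tcp-flags) and the ACCEPT / DROP / REJECT / user-chain targets.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# Copy of the rule set as posted in the thread (constructed input for the example).
RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [700:98250]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
"""


@dataclass
class Packet:
    """The few packet attributes the posted rules look at (constructed values)."""
    proto: str            # "udp", "tcp", "icmp", ...
    src: str              # source IPv4 address
    iface: str            # inbound interface name
    ctstate: str          # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    icmp_type: Optional[int] = None
    tcp_flags: FrozenSet[str] = field(default_factory=frozenset)


@dataclass
class Rule:
    chain: str
    matches: List[Tuple[str, object, bool]]   # (option, value, negated)
    target: str
    reject_with: Optional[str] = None


def parse_rule(line: str) -> Rule:
    """Parse one '-A CHAIN ...' line into its match options and target."""
    tokens = line.split()
    chain, matches, target, reject_with, negate = tokens[1], [], None, None, False
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":                       # negates the next match option
            negate, i = True, i + 1
        elif tok == "-m":                    # match extension name: no effect here
            i += 2
        elif tok == "-j":
            target, i = tokens[i + 1], i + 2
        elif tok == "--reject-with":
            reject_with, i = tokens[i + 1], i + 2
        elif tok == "--tcp-flags":           # takes two arguments: mask and set
            matches.append((tok, (tokens[i + 1], tokens[i + 2]), negate))
            negate, i = False, i + 3
        elif tok in ("-s", "-i", "-p", "--ctstate", "--icmp-type"):
            matches.append((tok, tokens[i + 1], negate))
            negate, i = False, i + 2
        else:
            raise ValueError(f"unsupported token {tok!r} in {line!r}")
    return Rule(chain, matches, target, reject_with)


def parse_ruleset(text: str):
    """Return (chains, policies) from iptables-save style text."""
    chains, policies = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):             # ":NAME POLICY [pkts:bytes]"
            name, policy, _ = line[1:].split()
            chains[name], policies[name] = [], policy
        elif line.startswith("-A"):
            rule = parse_rule(line)
            chains[rule.chain].append(rule)
    return chains, policies


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    for opt, value, negated in rule.matches:
        if opt == "-s":
            hit = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(value)
        elif opt == "-i":
            hit = pkt.iface == value
        elif opt == "-p":
            hit = pkt.proto == value
        elif opt == "--ctstate":
            hit = pkt.ctstate in value.split(",")
        elif opt == "--icmp-type":
            hit = pkt.proto == "icmp" and pkt.icmp_type == int(value)
        else:  # --tcp-flags MASK SET: flags inside MASK must equal SET exactly
            mask, want = (set(v.split(",")) for v in value)
            hit = pkt.proto == "tcp" and (pkt.tcp_flags & mask) == want
        if hit == negated:                   # a negated option must NOT hit
            return False
    return True


def evaluate(chains, policies, chain: str, pkt: Packet) -> Optional[str]:
    """Walk a chain; user chains return None (implicit RETURN) when nothing matched."""
    for rule in chains.get(chain, []):
        if not rule_matches(rule, pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "REJECT":
            return f"REJECT {rule.reject_with}"
        verdict = evaluate(chains, policies, rule.target, pkt)  # jump to user chain
        if verdict is not None:
            return verdict
    policy = policies.get(chain, "-")
    return None if policy == "-" else policy


def verdict_for(pkt: Packet, ruleset: str = RULES) -> Optional[str]:
    chains, policies = parse_ruleset(ruleset)
    return evaluate(chains, policies, "INPUT", pkt)


if __name__ == "__main__":
    # Keepalive while the tunnel's conntrack entry is alive vs. after it expired.
    alive = Packet("udp", "95.211.10.3", "wlan0", "ESTABLISHED")
    stale = Packet("udp", "95.211.10.3", "wlan0", "NEW")
    print("keepalive, conntrack alive  :", verdict_for(alive))   # ACCEPT
    print("keepalive, conntrack expired:", verdict_for(stale))   # REJECT icmp-port-unreachable
```

The second verdict is exactly the traffic seen in the capture: the firewall is behaving as configured, and the ICMP replies stop only when the server side gives up on the stale tunnel or the tunnel is torn down cleanly so the server stops sending keepalives.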
