Multiple instances openvpn

Post by cazze » Fri Sep 09, 2005 12:13 pm

Hi,

How could I run multiple instances of openvpn on a Gentoo box? I would like to run the UDP and TCP server, and a client connection.

Is this possible with the default init scripts?

Thx,

kammicazze
Required: Windows 95 or better, so i installed Linux!!!

Post by bigfunkymo » Fri Sep 09, 2005 12:48 pm

the init scripts will start a new instance of OpenVPN for each conf file in /etc/openvpn
[No package... Grabbing a set.]

Post by cazze » Fri Sep 09, 2005 2:26 pm

bigfunkymo wrote: the init scripts will start a new instance of OpenVPN for each conf file in /etc/openvpn
Are you sure of this?

I'm talking about openvpn 2.0.1.

It says my configuration file should be /etc/openvpn/*/local.conf.

Do I have to put local.conf files in each directory of the different instances of openvpn I want, like this:

/etc/openvpn/server_udp/local.conf
/etc/openvpn/server_tcp/local.conf
/etc/openvpn/client_1/local.conf
...


kammicazze
Required: Windows 95 or better, so i installed Linux!!!

Post by bigfunkymo » Fri Sep 09, 2005 3:09 pm

I have mine set up like so:

configuration file
/etc/openvpn/priest-server.conf

keys, etc
/etc/openvpn/priest-server/

client-configs:
/etc/openvpn/priest-server/client-configs/

and it works just fine for me
[No package... Grabbing a set.]

Post by yottabit » Fri Nov 11, 2005 3:53 pm

The new OpenVPN (2.0.5-r2) init script seems to expect a single openvpn.conf in /etc/openvpn/ in order to start. This of course bjorked my config since I had two instances/configs running (one for UDP, one for TCP). I just made two copies of the init script in /etc/init.d/ and customized one for my UDP config file and the other for my TCP config file.

Not glamorous, but it works...
[url=telnet://JacobMcDonald.net]Play The Hitchhiker's Guide to the Galaxy![/url]

Post by nobspangle » Sat Dec 31, 2005 11:09 am

which fool decided to change this.

My VPN has a version 2 style vpn for multiple single clients and a version 1 style point-point vpn for joining to remote networks.

I've just hacked the init files so it works again.

Post by nobspangle » Sat Dec 31, 2005 11:24 am

grrr always read the info

the new init script works like this

you put all your configuration files into /etc/openvpn
call your config files vpn-name.conf e.g. I've called mine RAS.conf and leeds-manchester.conf

create symlinks to the init script and call them openvpn.vpn-name

Code:

ln -sf /etc/init.d/openvpn /etc/init.d/openvpn.RAS
ln -sf /etc/init.d/openvpn /etc/init.d/openvpn.leeds-manchester

remove the openvpn script from the default run level and add the new symlinked ones you have created

for the most part the info at the end of ebuilds is a waste of time, unless you sit there and watch your packages compile. This information should be logged to the emerge.log so you can review it easily later.
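
The layout described in this post can be checked mechanically. The following is an added example, not part of the original post or of Gentoo's init script: a shell audit that takes the config and init.d directories as arguments (assumed to be /etc/openvpn and /etc/init.d on a real system) and reports configs without a symlink, symlinks without a config, and configs writable by group or others. The function names and the scratch tree are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the thread. audit_instances CONF_DIR INITD_DIR
# prints one finding per line and returns the number of findings.
# On the system described above the arguments would be /etc/openvpn and /etc/init.d.
audit_instances() (
    conf_dir=$1 initd_dir=$2 problems=0
    for conf in "$conf_dir"/*.conf; do
        [ -e "$conf" ] || continue
        name=$(basename "$conf" .conf)
        link="$initd_dir/openvpn.$name"
        # Every vpn-name.conf needs an openvpn.vpn-name symlink to the init script.
        if [ "$name" = openvpn ]; then
            :   # openvpn.conf is served by the un-suffixed init script itself
        elif [ ! -L "$link" ]; then
            echo "MISSING-LINK $name"; problems=$((problems + 1))
        elif [ ! "$link" -ef "$initd_dir/openvpn" ]; then
            echo "WRONG-TARGET $name"; problems=$((problems + 1))
        fi
        # Added hardening check (assumes root starts the service from this file):
        # the config should not be writable by group or others.
        if [ -n "$(find -L "$conf" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "WRITABLE $name.conf"; problems=$((problems + 1))
        fi
    done
    # Symlinks whose config has been renamed or removed.
    for link in "$initd_dir"/openvpn.*; do
        [ -L "$link" ] || continue
        name=${link##*/openvpn.}
        if [ ! -e "$conf_dir/$name.conf" ]; then
            echo "ORPHAN-LINK $name"; problems=$((problems + 1))
        fi
    done
    exit "$problems"
)

# Constructed scratch tree: RAS is set up correctly, leeds-manchester has no
# symlink and a group-writable config, and openvpn.old has lost its config.
build_scratch_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/openvpn" "$root/init.d"
    : > "$root/init.d/openvpn"
    : > "$root/openvpn/RAS.conf"
    : > "$root/openvpn/leeds-manchester.conf"
    chmod 600 "$root/openvpn/RAS.conf"
    chmod 664 "$root/openvpn/leeds-manchester.conf"
    ln -s "$root/init.d/openvpn" "$root/init.d/openvpn.RAS"
    ln -s "$root/init.d/openvpn" "$root/init.d/openvpn.old"
    echo "$root"
}

scratch=$(build_scratch_tree)
audit_instances "$scratch/openvpn" "$scratch/init.d" || echo "findings: $?"
rm -rf "$scratch"
```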

Post by UberLord » Sat Dec 31, 2005 1:59 pm

nobspangle wrote: which fool decided to change this.
That would be me :twisted:

The new init script has been in ~ARCH for many months now with little complaint and it provides a much better solution.

nobspangle wrote: for the most part the info at the end of ebuilds is a waste of time, unless you sit there and watch your packages compile. This information should be logged to the emerge.log so you can review it easily later.
Check out the portage-2.1_pre series - it supports the PORTAGE_ELOG_* stuff that makes logging and reviewing easier.
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool

Post by Braempje » Mon Jan 02, 2006 2:01 pm

This information was very valuable to me and I was unable to easily locate it. Mods: could you please make this one sticky for a while? Thanks!
Dictionary of the Flemish Sign Language - Woordenboek Vlaamse Gebarentaal

Post by Raffi » Mon Jan 02, 2006 4:08 pm

UberLord wrote: That would be me :twisted:
Ahh... Now I have a direction to direct my grumbling. :wink:

So, is the openvpn config du jour a result of multiple personalities, indecision or infighting among developers? :) Sorry, just had to say something, the regular changes have been making me very wary of upgrading certain machines.

On a more serious note, is the current setup likely to stick for a while? Should I go ahead and switch to it with some expectation of it being the standard approach?

Post by Raffi » Mon Jan 02, 2006 9:39 pm

For the record, the current config setup seems to be the best one so far. Let's hope we keep it. :)

Post by UberLord » Tue Jan 03, 2006 7:16 am

Raffi wrote: Ahh... Now I have a direction to direct my grumbling. :wink:
Uh oh!
/me runs for the hills :lol:

Raffi wrote: So, is the openvpn config du jour a result of multiple personalities, indecision or infighting among developers? :) Sorry, just had to say something, the regular changes have been making me very wary of upgrading certain machines.
Simply the case that openvpn has changed maintainers a fair few times and each maintainer has a different view to solving bugs. IMO at least 2 bugs could not have been fixed without the current script.

Raffi wrote: On a more serious note, is the current setup likely to stick for a while? Should I go ahead and switch to it with some expectation of it being the standard approach?
The counterpoint is that work still needs to be done, but the current config setup and layout is now "fixed" for as long as I'm the maintainer.
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool

Post by Raffi » Tue Jan 03, 2006 1:27 pm

UberLord wrote: The counterpoint is that work still needs to be done, but the current config setup and layout is now "fixed" for as long as I'm the maintainer.
Well I like the current way of doing things a lot, so I hope you keep maintaining it for the foreseeable future.

Thanks.

Post by dcmwai » Sun Jan 08, 2006 12:27 pm

Let me try to help.

Put the following in your openvpn.conf
#openvpn.conf
cd full/path/vpn1
config local.conf
cd full/path/vpn2
config local.conf
#end


Try this way :)

Post by BlaaT0001 » Tue Feb 07, 2006 2:42 pm

I for one am quite fond of the new baselayout. I'm now able to stop any one of my particular openvpn instances.

I do have some questions though. After emerging openvpn-2.0.5-r2 the following message appears on screen:

It is recommended that you create your tun/tap interfaces using
the net.tun0/net.tap0 scripts provided by baselayout instead of
using the 'server' directive in openvpn configuration files.
This will insure that the interface really is up after openvpn
starts.
Note that you cannot use net.tun0/net.tap0 and the server option,
otherwise openvpn will not start.

How would I accomplish this exactly?

Normally if I start my OpenVPN tun instance with the "server" directive set (server 172.24.1.0 255.255.255.224), Openvpn takes care of creating my tun device. The log file shows:

Code:

/sbin/ifconfig tun0 172.24.1.1 pointopoint 172.24.1.2 mtu 1500
/sbin/route add -net 172.24.1.0 netmask 255.255.255.224 gw 172.24.1.2

I've tried to modify my /etc/conf.d/net file and created a symlink net.tun0 to net.lo

in /etc/conf.d/net the following line now resides:

Code:

config_tun0=("172.24.1.1 pointopoint 172.24.1.2")

This doesn't do the trick though :( I've tried some alternatives but no luck so far.

I have managed to get the tun0 device up and running manually, but not using the baselayout scripts, not in a pointopoint mode that is.
Also, I haven't been able to add the required routes to my kernel routing table using the baselayout scripts. Is there any room for routes in the config files for networking?

When the net.tun0 device is activated the tun0 device should be configured with the right IP, in point-to-point mode and the right routes should be added to the routing table. Otherwise I'd better take my chances with Openvpn creating the tun0 device for me and adding the routes to the kernel routing table.

I can imagine though, when using Openvpn in bridge/TAP mode it's preferable to have the interfaces up and running, the bridge (net.br0) created before starting Openvpn. This way the whole bridge creation is not depending on Openvpn to run or not.

So, what should the /etc/conf.d/net file look like when using the new baselayout with Openvpn-2.0.5-r2?

Cheers,

BlaaT
You're about as useful as a cock flavoured lolly-pop.....

Post by BlaaT0001 » Thu Feb 09, 2006 3:01 pm

Adding the routes is done with:

Code:

routes_tun0=( "172.24.1.0 netmask 255.255.255.224 gw 172.24.1.2" )

With my tun0 device having the IP address 172.24.1.1 this would route traffic for the 172.24.1.0/27 network to OpenVPN which has a P-t-p connection with the tun0 device.

I just can't seem to manage to get the tun0 device up and running in Point-to-point mode using the /etc/conf.d/net file.

Any help anyone?

Thanks,

BlaaT
You're about as useful as a cock flavoured lolly-pop.....

Post by UberLord » Thu Feb 09, 2006 3:23 pm

You have emerged usermode-utilities haven't you?
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool

Post by BlaaT0001 » Fri Feb 10, 2006 11:08 am

Yes, I've got: sys-apps/usermode-utilities-20040406-r1

This is how my tun0 virtual nic is configured when I use OpenVPN to configure it:

Code:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.24.1.1  P-t-P:172.24.1.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:426 errors:0 dropped:0 overruns:0 frame:0
          TX packets:426 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:27196 (26.5 Kb)  TX bytes:28180 (27.5 Kb)

If I use the "/etc/init.d/net.tun0" script (which is linked to /etc/init.d/net.lo) and I use the following config in my /etc/conf.d/net file:

Snip from /etc/conf.d/net

Code:

# OpenVPN TUN interface
config_tun0=( "172.24.1.1 pointopoint 172.24.1.2" )
routes_tun0=( "172.24.1.0 255.255.255.224 via 172.24.1.2" )

the tun0 interface does not start properly.

Output of "/etc/init.d/net.tun0 start":

Code:

* Starting tun0
 *   Creating Tun/Tap interface tun0 ...                                  [ ok ]
 *   Bringing up tun0
 *     172.24.1.1                                                        [ ok ]
 *   Adding routes
 *     172.24.1.0 255.255.255.224 gw 172.24.1.2 ...                     [ !! ]

ifconfig tun0 outputs:

Code:

tun0      Link encap:Ethernet  HWaddr E6:79:E7:7E:CD:B2
          inet addr:172.24.1.1  Bcast:172.24.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Notice the difference in configuration of the tun0 interface?

/etc/init.d/net.tun0 stop outputs:

Code:

* Stopping tun0
 *   Bringing down tun0
 *     Destroyed Tun/Tap interface tun0                                   [ ok ]

I hope anyone has got some suggestions.

Thanks,

BlaaT
You're about as useful as a cock flavoured lolly-pop.....
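
The difference between the two ifconfig listings in this post can be turned into a check. The following is an added example, not part of the original post: it parses the old net-tools ifconfig format shown above and compares the result with the config_tun0 value. The function names are made up for illustration, and the two samples are the first three lines of each listing quoted in the post.

```shell
#!/bin/bash
# Added example, not from the thread.
# iface_mode reads net-tools ifconfig output on stdin and prints
# "p2p LOCAL PEER" or "broadcast LOCAL MASK"; it fails if no address is set.
iface_mode() {
    awk '
        /inet addr:/ {
            for (i = 1; i <= NF; i++) {
                split($i, kv, ":")
                if (kv[1] == "addr")  addr = kv[2]
                if (kv[1] == "P-t-P") peer = kv[2]
                if (kv[1] == "Mask")  mask = kv[2]
            }
        }
        /POINTOPOINT/ { p2p = 1 }
        END {
            if (addr == "") exit 1
            if (p2p && peer != "") print "p2p", addr, peer
            else print "broadcast", addr, mask
        }'
}

# check_tun CONFIG < ifconfig-output
# CONFIG is the config_tun0 value, e.g. "172.24.1.1 pointopoint 172.24.1.2".
# Returns 0 if the interface really is point-to-point with that local/peer pair.
check_tun() {
    set -- $1                      # split CONFIG into local, keyword, peer
    want="p2p $1 $3"
    got=$(iface_mode) || { echo "no address configured"; return 2; }
    [ "$got" = "$want" ] && return 0
    echo "expected: $want / got: $got"
    return 1
}

# Listing from the post: interface as configured by OpenVPN itself.
openvpn_sample() { cat <<'EOF'
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.24.1.1  P-t-P:172.24.1.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
EOF
}

# Listing from the post: interface as left by /etc/init.d/net.tun0.
netscript_sample() { cat <<'EOF'
tun0      Link encap:Ethernet  HWaddr E6:79:E7:7E:CD:B2
          inet addr:172.24.1.1  Bcast:172.24.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
EOF
}

openvpn_sample   | check_tun "172.24.1.1 pointopoint 172.24.1.2" && echo "openvpn: ok"
netscript_sample | check_tun "172.24.1.1 pointopoint 172.24.1.2" || true
```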

Post by mnagl » Sun Apr 16, 2006 2:59 pm

Same Problem here.

Matthias

Post by UberLord » Tue Apr 18, 2006 8:54 am

This should be fixed with baselayout-1.12.0_pre17-r2
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool

Post by mnagl » Tue Apr 18, 2006 8:56 am

Thank you very much!

How long will this probably need to go stable?

yours

Matthias

Post by UberLord » Tue Apr 18, 2006 9:08 am

mnagl wrote:How long will this probably need to go stable?
Not long now. We've already started the process by marking bash-3.1 stable. Then I will be marking the required dhcp clients around the middle of next month and probably do a pre18 which should be the last unstable version of 1.12.

So probably around 2 months.

On the other hand, the more users that use 1.12.0_pre now and report any issues makes it easier for others. So the more people that test the quicker things get done :)
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool

Post by mrfree » Sun Aug 06, 2006 5:52 pm

/var/log/openvpn.log

Code:

Sun Aug  6 19:18:36 2006 TUN/TAP device tun0 opened
Sun Aug  6 19:18:36 2006 /sbin/ifconfig tun0 10.11.12.1 pointopoint 10.11.12.2 mtu 1500
Sun Aug  6 19:18:36 2006 /sbin/route add -net 10.11.12.0 netmask 255.255.255.0 gw 10.11.12.2
Sun Aug  6 19:18:36 2006 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]

So I've added to /etc/conf.d/net

Code:

config_tun0=( "10.11.12.1 pointopoint 10.11.12.2" )
routes_tun0=( "10.11.12.0 netmask 255.255.255.0 gw 10.11.12.2" )

Code:

# /etc/init.d/net.tun0 start
 * Starting tun0
 *   Bringing up tun0
 *     10.11.12.1
 *     network interface tun0 does not exist
 *     Please verify hardware or kernel module (driver)                   [ !! ]

Tun module is loaded.

Code:

# lsmod | grep tun
tun                     8608  0

Code:

[I--] [ ~] sys-apps/baselayout-1.12.4-r1 (0)
[I--] [  ] sys-apps/usermode-utilities-20040406-r1 (0)

Please EU, pimp my country!

ICE: /etc/init.d/iptables panic

Post by VPN-User » Mon Aug 14, 2006 7:36 am

Same here. Funny (is it?) thing is, it works when doing an "/etc/init.d/net.tap0 start" after login. :roll:

I wonder how a new baselayout can go stable when it has not been tested with all features?

Post by UberLord » Mon Aug 14, 2006 7:45 am

VPN-User wrote:I wonder how a new baselayout can go stable when it has not been tested with all features?
I use OpenVPN to create tap interfaces every day. I know of another Gentoo developer who uses tun instead.

Maybe we didn't have enough people testing with a wide variation of configs and hardware this time - care to help next time?

Do you have hotplug enabled in the kernel?
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool