# [quick guide] OpenVPN and dhcpd (questions solved for me)

## pholthau

QUESTIONS IN THIS POST ARE NOT VALID ANYMORE. SEE COMMENT #5 FOR THE ANSWERS.

Hello folks,

I'd like to set up the following:

I want to have an OpenVPN connection in which the clients get their IP addresses from my local DHCP server (dhcpd). I constantly get the following error messages:

```
openvpn[24716]: thrall/<client ip>:32836 MULTI: no dynamic or static remote --ifconfig address is available for thrall/<client ip>:32836
```

And the client does not get an IP address.

The configuration files are as follows:

/etc/dhcp/dhcpd.conf:

```
option domain-name "homenetwork";
default-lease-time 14400;
max-lease-time 86400;
ddns-update-style interim;
ddns-ttl 14400;
deny-client-updates;
allow unknown-clients;
authoritative;
log-facility local7;

class "openvpn" {
        match if substring (hardware,1,2) = 00:FF;
}

subnet 192.168.1.0 netmask 255.255.255.0 {
        pool {
                deny members of "openvpn";
                option domain-name-servers 192.168.1.103;
                ddns-updates off;
                range 192.168.1.20 192.168.1.100;
                option routers 192.168.1.1;
        }
}

subnet 10.8.0.0 netmask 255.255.255.0 {
        pool {
                ddns-domainname "homenetwork.";
                ddns-rev-domainname "0.8.10.in-addr.arpa.";
                ddns-updates on;
                allow members of "openvpn";
                range 10.8.0.20 10.8.0.100;
                option domain-name-servers 10.8.0.1;
        }
        zone homenetwork {
                primary 10.8.0.1;
        }
        zone 0.8.10.in-addr.arpa {
                primary 10.8.0.1;
        }
}
```

SERVER /etc/openvpn/openvpn.conf

```
mode server
port 5000
proto udp
dev tap0
tls-server
ca privnet/ca.crt
cert privnet/kael.crt
key privnet/kael.key
dh privnet/dh1024.pem
ifconfig 10.8.0.1 255.255.255.0
# With these lines not commented out, I also don't get an IP, but there is no error message in syslog
#ifconfig-pool 10.8.0.20 10.8.0.100 255.255.255.0
#push "route-gateway 192.168.1.0"
persist-tun
persist-key
keepalive 10 120
comp-lzo
user nobody
group nobody
status openvpn-status.log
verb 3
```

CLIENT /etc/openvpn/openvpn.conf

```
remote <remote ip> <port>
proto udp
dev tap0
tls-client
ca privnet/ca.crt
cert privnet/thrall.crt
key privnet/thrall.key
persist-tun
persist-key
resolv-retry infinite
nobind
comp-lzo
verb 3
```

Please, someone help me; I searched the web/forums/wikis/howtos but I found no answer to my problem.

Thanks!

----------

## Stever

I've never used OpenVPN in bridge mode, but IIRC you have to set up the bridging on the server before starting openvpn.  Have you read http://openvpn.net/bridge.html and/or http://gentoo-wiki.com/HOWTO_setup_a_gentoo_bridge?

----------

## pholthau

I thought that this might be unnecessary because of the following (but please correct me if I am wrong, maybe I misunderstood that part):

http://openvpn.net/faq.html

> I want to set up an ethernet bridge on the 192.168.1.0/24 subnet. How do I configure OpenVPN so that it will cooperate with the existing DHCP server on the LAN?
>
> There are two ways to do this.
> ...

I tried to use the second method...

----------

## Stever

I think in either case you must first set up the bridge.

From http://openvpn.net/bridge.html:

> When using an ethernet bridging configuration, the first step is to construct the ethernet bridge -- a kind of virtual network interface which is a container for other ethernet interfaces, either real as in physical NICs or virtual as in TAP interfaces. The ethernet bridge interface must be set up before OpenVPN is actually started.

As I said though, I have never actually done bridging before, I am just going by the OpenVPN docs and what I remember from when I was deciding between bridging and routing OpenVPN configurations.  Maybe someone who actually has an OpenVPN bridge setup can chime in and give a more definitive answer.

----------

## pholthau

Thanks,

I will check out the links you posted! 

I'd like to mention: bridging (if I understood it correctly) is not really what I want.

I would like to have a virtual network with a separate IP address pool (10.8.0.*) in which clients can use Samba shares, CUPS printers, NFS, etc.

Local clients (address pool 192.168.1.*) should get their IP addresses from the same DHCP server as the virtual clients.

----------

## pholthau

Ok, I got it working.

The VPN is fully functional and uses IP addresses assigned by the server's dhcpd.

I will post my configs here, in case anyone encounters the same problem again:

packages:

```
net-misc/openvpn-2.0.6
net-misc/dhcp-3.0.3-r9
```

=======

Client

=======

/etc/openvpn/openvpn.conf

```
remote <server> <port>
proto tcp-client
dev tap0
tls-client
ca privnet/ca.crt
cert privnet/thrall.crt
key privnet/thrall.key
keepalive 10 120
persist-tun
persist-key
resolv-retry infinite
nobind
comp-lzo
verb 3
```

/etc/conf.d/net

I needed to set a value for the MAC address because it used to change every time I fired net.tap0 up.

A fixed MAC is needed for the DHCP server to work correctly.

```
config_tap0=( "dhcp" )
mac_tap0="00:FF:22:33:44:55"
RC_NEED_tap0="openvpn"
```

Additionally I modified /etc/init.d/openvpn to need a network device which is NOT net.tap0:

```
[..]
depend() {
        need net.eth1
        before netmount
}
[..]
```

Remember: link /etc/init.d/net.tap0 to /etc/init.d/net.lo.

Start the client via

/etc/init.d/net.tap0 start

=======

Server

=======

/etc/openvpn/openvpn.conf

```
server 10.8.0.0 255.255.255.0
port <port>
proto tcp
dev tap0
tls-server
push "route 10.8.0.0 255.255.255.0"
ca privnet/ca.crt
cert privnet/kael.crt
key privnet/kael.key
dh privnet/dh1024.pem
client-to-client
persist-tun
persist-key
keepalive 10 120
comp-lzo
user nobody
group nobody
status openvpn-status.log
verb 3
```

/etc/dhcp/dhcpd.conf

This way we can assign IP addresses in the VPN. Note that this configuration also updates the local nameserver. If you don't want/need that, you can safely ignore any "ddns" statements and "zone" blocks.

```
option domain-name "homenetwork";
default-lease-time 14400;
max-lease-time 86400;
ddns-update-style interim;
ddns-ttl 14400;
deny-client-updates;
allow unknown-clients;
authoritative;
log-facility local7;

key DHCP_UPDATER {
        algorithm HMAC-MD5.SIG-ALG.REG.INT;
        secret <secret>;
};

class "openvpn" {
        match if substring (hardware,1,2) = 00:FF;
}

subnet 192.168.1.0 netmask 255.255.255.0 {
        pool {
                deny members of "openvpn";
                option domain-name-servers 192.168.1.103;
                ddns-updates off;
                range 192.168.1.20 192.168.1.100;
                option routers 192.168.1.1;
        }
}

subnet 10.8.0.0 netmask 255.255.255.0 {
        pool {
                ddns-domainname "homenetwork.";
                ddns-rev-domainname "0.8.10.in-addr.arpa.";
                ddns-updates on;
                allow members of "openvpn";
                range 10.8.0.20 10.8.0.100;
                option domain-name-servers 10.8.0.1, 192.168.1.103;
        }
        zone homenetwork {
                primary 10.8.0.1;
                key DHCP_UPDATER;
        }
        zone 0.8.10.in-addr.arpa. {
                primary 10.8.0.1;
                key DHCP_UPDATER;
        }
}
```

Start the server via

/etc/init.d/openvpn start

The network device will be created automatically for you.

HTH someone. If you need more information or find serious errors in what I posted, please contact me.

Patrick
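As an added check (not code from the thread), the Python below models the class/pool split from the dhcpd.conf above: it mirrors the `substring (hardware,1,2) = 00:FF` class test and audits a dhcpd.leases excerpt for leases that ended up in the wrong pool, which is how a misconfigured or drifting tap0 MAC shows up on the server side. The lease excerpt and the non-00:FF MACs are constructed for the example.

```python
import ipaddress
import re

# Model of the two pools in the dhcpd.conf above (hand-written, not parsed from the file).
VPN_PREFIX = bytes.fromhex("00ff")  # class "openvpn": substring (hardware,1,2) = 00:FF
POOLS = {
    "lan": ("192.168.1.20", "192.168.1.100"),  # deny members of "openvpn"
    "vpn": ("10.8.0.20", "10.8.0.100"),        # allow members of "openvpn"
}

def is_openvpn_client(mac: str) -> bool:
    """Mirror dhcpd's match expression: `hardware` is the type byte (1 = ethernet)
    followed by the MAC, so offset 1, length 2 selects the first two MAC octets."""
    hardware = bytes([1]) + bytes.fromhex(mac.replace(":", ""))
    return hardware[1:3] == VPN_PREFIX

def expected_pool(mac: str) -> str:
    return "vpn" if is_openvpn_client(mac) else "lan"

def pool_of(ip: str):
    # Name of the pool whose range contains ip, or None if it is outside both.
    addr = ipaddress.ip_address(ip)
    for name, (lo, hi) in POOLS.items():
        if ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi):
            return name
    return None

LEASE_RE = re.compile(r"lease (\S+) \{[^}]*?hardware ethernet ([0-9a-fA-F:]+);")

def audit_leases(leases_text: str):
    """Return (ip, mac, expected, actual) for every lease in the wrong pool."""
    bad = []
    for ip, mac in LEASE_RE.findall(leases_text):
        actual = pool_of(ip)
        if actual != expected_pool(mac):
            bad.append((ip, mac, expected_pool(mac), actual))
    return bad

# Constructed dhcpd.leases excerpt: the thread's VPN client, a LAN host, and a
# LAN-style MAC that should never have received a VPN-pool address.
SAMPLE_LEASES = """\
lease 10.8.0.20 {
  hardware ethernet 00:ff:22:33:44:55;
}
lease 192.168.1.42 {
  hardware ethernet 08:00:27:aa:bb:cc;
}
lease 10.8.0.21 {
  hardware ethernet 08:00:27:dd:ee:ff;
}
"""

if __name__ == "__main__":
    for entry in audit_leases(SAMPLE_LEASES):
        print("lease in wrong pool (ip, mac, expected, actual):", entry)
```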

----------

