# How I got openvpn up and running.

## will_k

Quick and dirty:

```
# emerge openvpn bridge-utils
```

add bridging and tap/tun to kernel

```
Device Drivers  --->  Networking support  --->  <M> Universal TUN/TAP device driver support
Device Drivers  --->  Networking support  --->  Networking options  --->  <M> 802.1d Ethernet Bridging
```

install & reboot with new kernel

```
# mkdir /dev/net
# mknod /dev/net/tun c 10 200
```

add "alias char-major-10-200 tun" to /etc/modules.conf if not there

```
# echo 1 > /proc/sys/net/ipv4/ip_forward
```

add "bridge" and "tun" to /etc/modules.autoload.d/kernel-2.x

reboot

nano -w /etc/init.d/net.tap0

```
#!/sbin/runscript

start() {
        ebegin "Bringing tap0 up"
        # create the persistent tap0 interface, then bring it up
        /usr/sbin/openvpn --mktun --dev tap0
        /sbin/ifconfig tap0 up
        eend $?
}

stop() {
        ebegin "Bringing tap0 down"
        /sbin/ifconfig tap0 down
        eend $?
}
```

```
# /etc/init.d/net.tap0 start
# rc-update add net.tap0 default
```

nano -w /etc/conf.d/bridge

```
bridge="br0"
bridge_br0_devices="tap0 eth0"
```

add "iface_eth0="0.0.0.0" iface_br0="dhcp" gateway="br0/x.x.x.x"" to /etc/conf.d/net

```
# /etc/init.d/net.eth0 restart
# /etc/init.d/bridge start
# rc-update add bridge default
# mkdir -p /etc/openvpn/tunnel1
# nano -w /etc/openvpn/tunnel1/local.conf
```

add

```
remote x.x.x.x
dev tap0
secret key.txt
comp-lzo
ping 15
verb 4
```

created a static key.txt file and sftp it to the remote site's /etc/openvpn/tunnel1

set up your firewall accordingly (use examples from openvpn's website)

```
/etc/init.d/openvpn start
rc-update add openvpn default
```
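
A check worth running on key.txt before it is sftp'd to the remote site, added here as an example; it is not part of will_k's howto nor of OpenVPN itself. It verifies that the file has the V1 static-key layout (header, 2048 bits as 512 hex digits, footer) and that only its owner can read it, since the static key is the whole secret of this tunnel. `make_sample_key` is a constructed stand-in that writes a file in the same layout from /dev/urandom so the check can run offline; on a real host the key comes from `openvpn --genkey --secret key.txt`.

```shell
#!/bin/sh
# Added example: sanity-check an OpenVPN static key file before it leaves the box.
# Not part of the howto above or of OpenVPN. make_sample_key is a constructed
# stand-in for `openvpn --genkey --secret FILE` so the check can run offline.

# Writes a file in the layout genkey produces: comment lines, a V1 header, 2048
# random bits as 16 lines of 32 hex digits, a V1 footer. Owner-only mode, like genkey.
make_sample_key() {  # make_sample_key FILE
    {
        echo "#"
        echo "# 2048 bit OpenVPN static key (constructed sample, not from openvpn --genkey)"
        echo "#"
        echo "-----BEGIN OpenVPN Static key V1-----"
        head -c 256 /dev/urandom | od -An -v -tx1 | tr -d ' \n' | fold -w 32
        echo
        echo "-----END OpenVPN Static key V1-----"
    } > "$1"
    chmod 600 "$1"
}

# Prints the hex body between header and footer as one string without newlines.
key_hex() {  # key_hex FILE
    sed -n '/^-----BEGIN OpenVPN Static key V1-----$/,/^-----END OpenVPN Static key V1-----$/p' "$1" \
        | grep -v '^-----' | tr -d '\n'
}

# Returns 0 if FILE is a well-formed V1 static key readable only by its owner;
# otherwise prints each finding and returns 1.
check_static_key() {  # check_static_key FILE
    key="$1"; rc=0
    [ -f "$key" ] || { echo "$key: no such file"; return 1; }

    # The key is a shared secret: anything wider than owner-only is a finding.
    mode=$(stat -c %a "$key")
    case "$mode" in
        600|400) ;;
        *) echo "$key: mode $mode, expected 600 (run: chmod 600 $key)"; rc=1 ;;
    esac

    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$key" || { echo "$key: V1 header missing"; rc=1; }
    grep -q '^-----END OpenVPN Static key V1-----$' "$key"   || { echo "$key: V1 footer missing"; rc=1; }

    # 2048 bits = 256 bytes = 512 hex digits between header and footer.
    hex=$(key_hex "$key")
    len=$(printf '%s' "$hex" | wc -c)
    if [ "$len" -ne 512 ] || ! printf '%s' "$hex" | grep -Eq '^[0-9a-fA-F]{512}$'; then
        echo "$key: key body is $len chars, expected 512 hex digits"; rc=1
    fi
    return $rc
}

# Stand-alone demo: a fresh key passes, the same key made world-readable fails.
tmp=$(mktemp -d)
make_sample_key "$tmp/key.txt"
check_static_key "$tmp/key.txt" && echo "key.txt OK, ready to sftp to the remote side"
chmod 644 "$tmp/key.txt"
check_static_key "$tmp/key.txt" || echo "key.txt rejected (expected after chmod 644)"
rm -rf "$tmp"
```

Run it as root or as the user that owns /etc/openvpn/tunnel1 and point `check_static_key` at the real key.txt; the same check on the remote side after the sftp catches a key that landed with the wrong mode.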

----------

## ElForesto

Thanks for making the howto. I'm running into an error when trying to start up net.tap0:

```
root@tblconstruction net # /etc/init.d/net.tap0 start
 * Bringing tap0 up...
Mon Jun 21 22:23:09 2004 0: Note: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
Mon Jun 21 22:23:09 2004 1: Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Mon Jun 21 22:23:09 2004 2: Cannot open TUN/TAP dev /dev/tap0: No such file or directory (errno=2)
Mon Jun 21 22:23:09 2004 3: Exiting
tap0: unknown interface: No such device                                   [ !! ]
root@tblconstruction net #
```

I had followed all the steps to that point, and /dev/net/tun exists. Any thoughts?

----------

## will_k

Did you add tun to your /etc/modules.autoload.d/kernel-2.x ?

I did leave that out of the howto.

You need TUN/TAP device driver support built into the kernel AND loaded if it's built as a module.

`lsmod` should reveal if it's loaded as a module, then do

```
# mkdir /dev/net
# mknod /dev/net/tun c 10 200
```
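
The two failure modes will_k describes (node missing vs. driver not loaded) can be told apart from the shell, since errno 19 "No such device" means the /dev/net/tun node is present but no driver has registered misc minor 200. The script below is an added example, not part of the howto: it checks the device node's major/minor numbers and reads /proc/misc, where the kernel lists every registered misc device whether it is a loaded module or built in. Paths are parameters so the same functions run against a constructed test tree; the `misc_ok`/`misc_missing` files it writes are constructed, not captured from a real box.

```shell
#!/bin/sh
# Added example, not from will_k's howto. "No such device" (errno=19, ENODEV) on
# /dev/net/tun means the node exists but no driver owns misc minor 200, i.e. tun is
# neither loaded as a module nor built into the kernel. Paths are parameters so the
# checks can be run on the live /dev and /proc or on a constructed test tree.

# Is NODE a character device with major 10, minor 200 (what `mknod /dev/net/tun c 10 200`
# creates)? GNU stat prints the numbers in hex: 0xa = 10, 0xc8 = 200.
check_tun_node() {  # check_tun_node NODE
    node="$1"
    [ -c "$node" ] || { echo "$node: missing or not a character device (mkdir /dev/net; mknod /dev/net/tun c 10 200)"; return 1; }
    maj=$(stat -c %t "$node"); min=$(stat -c %T "$node")
    [ "$maj" = "a" ] && [ "$min" = "c8" ] && { echo "$node: char 10,200 ok"; return 0; }
    echo "$node: wrong device numbers 0x$maj/0x$min, expected 10,200"
    return 1
}

# Has the tun driver registered misc minor 200? /proc/misc lists registered misc
# devices as "<minor> <name>", one per line, for modules and built-in drivers alike.
check_tun_driver() {  # check_tun_driver MISC  (normally /proc/misc)
    misc="$1"
    [ -r "$misc" ] || { echo "$misc: not readable"; return 1; }
    if grep -q '^ *200 tun$' "$misc"; then
        echo "tun driver registered (minor 200): loaded module or built in"
        return 0
    fi
    echo "tun driver not registered: modprobe tun, or build TUN/TAP into the kernel"
    return 1
}

# Runs both checks; returns 0 only when openvpn --mktun has what it needs.
diagnose_tun() {  # diagnose_tun NODE MISC
    rc=0
    check_tun_node "$1"   || rc=1
    check_tun_driver "$2" || rc=1
    [ "$rc" -eq 0 ] || echo "openvpn --mktun would fail here: fix the finding(s) above before starting net.tap0"
    return $rc
}

# Constructed /proc/misc contents for a stand-alone run (not captured from a real box).
write_sample_misc() {  # write_sample_misc DIR  -> DIR/misc_ok, DIR/misc_missing
    printf '200 tun\n 59 memory_bandwidth\n135 rtc\n' > "$1/misc_ok"
    printf ' 59 memory_bandwidth\n135 rtc\n'          > "$1/misc_missing"
}

# Stand-alone demo: the live system first, then the two constructed cases.
diagnose_tun /dev/net/tun /proc/misc || true
tmp=$(mktemp -d); write_sample_misc "$tmp"
check_tun_driver "$tmp/misc_ok"      || true
check_tun_driver "$tmp/misc_missing" || true
rm -rf "$tmp"
```

With tun built into the kernel, as ElForesto later did, `check_tun_driver /proc/misc` passes even though `lsmod` shows nothing, which is why /proc/misc rather than lsmod is the thing to read.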

----------

## pjp

 *will_k wrote:*   

> add "iface_eth0="0.0.0.0" iface_br0="dhcp" gateway="br0/x.x.x.x"" to /etc/conf.d/net

 Is that all on one line in the file, as in:

```
iface_eth0="0.0.0.0" iface_br0="dhcp" gateway="br0/x.x.x.x"
```

I'm just verifying, as I already have an iface_eth0 definition.

----------

## will_k

No, separate lines.  Sorry for the confusion.

```
iface_eth0="0.0.0.0"
iface_br0="dhcp"
gateway="br0/x.x.x.x"
```

of course the dhcp could be set to a static configuration and the x.x.x.x needs to be substituted with your gateway.

----------

## ElForesto

It would appear that the TUN module won't load. I added it to the list of modules to load, and I tried loading it manually, but it is not listed when I use lsmod. *is not sure what to do next*

----------

## White Star

 *ElForesto wrote:*   

> It would appear that the TUN module won't load. I added it to the list of modules to load, and I tried loading it manually, but it is not listed when I use lsmod. *is not sure what to do next*

 

Just out of curiosity, have you given it a run having TUN loaded as part of the kernel rather than a module? (I don't necessarily know the answer. I'm just reaching for straws m'self.)

----------

## ElForesto

Actually, yes. A friend recommended compiling TUN into the kernel instead of as a module, and it worked quite nicely to solve that particular problem. Now on to the rest of the how-to...

----------

## drkstorm

I am having a lot of trouble figuring out what device needs what IP address. I had no trouble compiling the kernel with tun and bridge, and tap0 starts just fine on both; my questions are about the br0 and ethX configs. See below for my questions.

My current setup:

```
               Server 1
                ETH0 - PPP0 (dhcp assigned ip from ISP)-----------
           ---- ETH1 - 192.168.1.2                                |
          |                                                       |
192.168.1.0/24                                                Internet
                                                                  |
                                                                  |
               Server 2                                           |
                ETH0 - (209.xxx.xxx.xx static from ISP)-----------
           ---- ETH1 - 192.168.1.1
          |
192.168.1.0/24
```

Server #1 /etc/conf.d/net (uncommented lines only) (This server uses rp-pppoe to get its IP, DNS, and gateway info):

```
iface_eth1="192.168.1.2 broadcast 192.168.1.255 netmask 255.255.255.0"
iface_eth0="up"
```

Server #2 /etc/conf.d/net (uncommented lines only):

```
iface_eth0="209.xxx.xxx.xxx broadcast 209.xxx.xxx.255 netmask 255.255.255.0"
iface_eth1="192.168.1.1 broadcast 192.168.1.255 netmask 255.255.255.0"
gateway="eth0/209.xxx.xxx.1"
```

My questions are:

Server #1 & 2:

/etc/conf.d/bridge

```
bridge_br0_devices="tap0 ???"
```

/etc/conf.d/net

```
iface_eth0="?????"
iface_br0="????"
gateway="br0/?????"
```

/etc/openvpn/tunnel1/local.conf

```
add  "remote ??????"
```

Finally, how do you generate a key.txt, and also, I run gShield as my firewall on both servers, what device would I tell it to use for local traffic and which device would I tell it to use for internet traffic?

----------

## will_k

drkstorm,

you need to bridge your external interface (eth0 in your case) and tap0

Also try this:

```
iface_eth0="0.0.0.0"
iface_br0="dhcp"
#gateway=""
```

and

add: you will only know the ip address or domain name of the remote computer you're trying to vpn with... just put the ip address or dns in there

openvpn comes with a tool to generate a key. You can name it whatever you want so long as it is specified with that name in the configuration file /etc/openvpn/tunnel1/local.conf
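
will_k's answer comes down to one rule: the port enslaved to br0 (eth0 here) keeps no address of its own, br0 takes the address and the default route, and tap0 is just the other port. The script below is an added example, not part of the thread nor of Gentoo's baselayout: it reads /etc/conf.d/bridge and /etc/conf.d/net in the syntax used in this thread and reports a bridged port that still has an address, a bridge with no address, or a gateway that points at a port instead of the bridge. The sample files it writes are constructed from will_k's settings and from drkstorm's Server 2 settings as posted.

```shell
#!/bin/sh
# Added example: lint /etc/conf.d/bridge against /etc/conf.d/net (the baselayout-1
# syntax used in this thread). Not part of the howto or of Gentoo. Rules checked:
#   1. bridge="brX" and bridge_brX_devices="..." are set;
#   2. brX itself has an iface_brX (dhcp or a static address);
#   3. every non-tap port keeps no address (iface_ethN="0.0.0.0", as will_k says);
#   4. gateway=, if set, points at brX and not at an enslaved port.

# Prints the value of NAME="value" from a conf.d-style FILE (last definition wins).
# Parsed with sed on purpose: sourcing the file would execute whatever is in it.
conf_get() {  # conf_get FILE NAME
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Returns 0 when the bridge configuration is consistent; else prints findings, returns 1.
lint_bridge_config() {  # lint_bridge_config BRIDGEFILE NETFILE
    bridgefile="$1"; netfile="$2"; rc=0
    br=$(conf_get "$bridgefile" bridge)
    [ -n "$br" ] || { echo "$bridgefile: no bridge= line"; return 1; }
    members=$(conf_get "$bridgefile" "bridge_${br}_devices")
    [ -n "$members" ] || { echo "$bridgefile: no bridge_${br}_devices= line"; return 1; }

    # Rule 2: the bridge owns the address.
    if [ -z "$(conf_get "$netfile" "iface_$br")" ]; then
        echo "$netfile: iface_$br is unset, so $br gets no address (howto uses iface_$br=\"dhcp\")"; rc=1
    fi

    # Rule 3: enslaved ports keep no address; tap0 is brought up by net.tap0 and is skipped.
    for dev in $members; do
        case "$dev" in tap*|tun*) continue ;; esac
        val=$(conf_get "$netfile" "iface_$dev")
        case "$val" in
            0.0.0.0*) ;;
            *) echo "$netfile: iface_$dev=\"$val\" but $dev is a port of $br; howto uses iface_$dev=\"0.0.0.0\""; rc=1 ;;
        esac
    done

    # Rule 4: the default route goes via the bridge, not via a port.
    gw=$(conf_get "$netfile" gateway)
    case "$gw" in
        "") ;;
        "$br"/*) ;;
        *) echo "$netfile: gateway=\"$gw\" uses a port; expected gateway=\"$br/<router-ip>\""; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files: will_k's settings (good) and drkstorm's Server 2 as posted
# (eth0 keeps its address, br0 has none, gateway is on eth0).
write_samples() {  # write_samples DIR
    printf 'bridge="br0"\nbridge_br0_devices="tap0 eth0"\n' > "$1/bridge"
    printf 'iface_eth0="0.0.0.0"\niface_br0="dhcp"\ngateway="br0/x.x.x.x"\n' > "$1/net_good"
    printf 'iface_eth0="209.xxx.xxx.xxx broadcast 209.xxx.xxx.255 netmask 255.255.255.0"\niface_eth1="192.168.1.1 broadcast 192.168.1.255 netmask 255.255.255.0"\ngateway="eth0/209.xxx.xxx.1"\n' > "$1/net_bad"
}

# Stand-alone demo on the two constructed cases.
tmp=$(mktemp -d); write_samples "$tmp"
echo "== will_k's settings"
lint_bridge_config "$tmp/bridge" "$tmp/net_good" && echo "consistent"
echo "== drkstorm's Server 2 as posted"
lint_bridge_config "$tmp/bridge" "$tmp/net_bad" || echo "needs the changes will_k describes"
rm -rf "$tmp"
```

On a live box run `lint_bridge_config /etc/conf.d/bridge /etc/conf.d/net` before `/etc/init.d/bridge start`; the three findings it prints for the Server 2 sample are exactly the three lines will_k tells drkstorm to change.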

----------

## rambo No. 5

I was having trouble inserting the tun module too. 

It turns out that it was because /dev/net/tun already existed. The tun module was trying to create /dev/net/tun using the alias we set up. I deleted /dev/net/tun and the module inserted correctly.

----------

## rcxAsh

 *will_k wrote:*   

> No, separate lines.  Sorry for the confusion. 
> 
> iface_eth0="0.0.0.0"
> 
> iface_br0="dhcp"
> ...

 

Hm.  I'm kind of confused here.  My eth0 currently gets its IP address from my router via dhcp.  When I change/add iface_eth0 to "0.0.0.0", my network connection dies.

Also, bringing up the bridge service kills my network connection as well.

```
ashley@lostech ashley $ ping 192.168.2.1
connect: Network is unreachable
```

I'm getting lost here.

Also, this howto is for a client setup, right?  But I assume that this initial setup is also needed for a server setup (which is what I'm trying to do)?

Also tried to follow some of the things here:

http://openvpn.sourceforge.net/bridge.html but I'm getting really, really confused now.  Hehe.

Can you explain a bit how this setup works?  Like, does br0 give me my connection to my network now instead of eth0? (since eth0 is now set to 0.0.0.0).  Please forgive me for my ignorance.

Seems like every time I do something, it kills my network connection.

----------

## dreas

This article written by Florin Andrei finally helped me to set up OpenVPN correctly even though the article is based on Fedora Core.

----------

## taskara

I have followed this guide, however I want to set up my second nic with the vpn (I simply edited bridge.conf to eth1 instead of eth0).

I have eth0, eth1, tap0, and br0

however I notice that br0 is not getting the ip address specified to it.

do I need to create /etc/init.d/br0 and start it?

if i do this then br0 gets its ip address.

before starting /etc/init.d/br0 :

```
enoch root # ifconfig
eth0      Link encap:Ethernet  HWaddr 00:B0:D0:D3:A7:32
          inet addr:192.168.7.10  Bcast:192.168.7.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:952 errors:0 dropped:0 overruns:0 frame:0
          TX packets:713 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:164849 (160.9 Kb)  TX bytes:274354 (267.9 Kb)
          Interrupt:10 Base address:0xe880

eth1      Link encap:Ethernet  HWaddr 00:10:60:CB:10:16
          UP BROADCAST PROMISC MULTICAST  MTU:1540  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:43 errors:0 dropped:0 overruns:0 frame:0
          TX packets:43 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10768 (10.5 Kb)  TX bytes:10768 (10.5 Kb)

tap0      Link encap:Ethernet  HWaddr 00:FF:D9:8E:4E:D1
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
```

after starting br0 :

```
enoch root # ifconfig
br0       Link encap:Ethernet  HWaddr 00:10:60:CB:10:16
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

eth0      Link encap:Ethernet  HWaddr 00:B0:D0:D3:A7:32
          inet addr:192.168.7.10  Bcast:192.168.7.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:986 errors:0 dropped:0 overruns:0 frame:0
          TX packets:733 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:167765 (163.8 Kb)  TX bytes:278362 (271.8 Kb)
          Interrupt:10 Base address:0xe880

eth1      Link encap:Ethernet  HWaddr 00:10:60:CB:10:16
          UP BROADCAST PROMISC MULTICAST  MTU:1540  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:43 errors:0 dropped:0 overruns:0 frame:0
          TX packets:43 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10768 (10.5 Kb)  TX bytes:10768 (10.5 Kb)

tap0      Link encap:Ethernet  HWaddr 00:FF:D9:8E:4E:D1
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
```

basically I want to have my WAP plugged into eth1, and have people join the wireless network, but in order to get onto the "real" network / internet they have to vpn to the server.

I want clients to be able to connect to the wap, vpn to the server through eth1, then get assigned an address on the network range (192.168.7.0/24) and be able to browse the internet etc.

am I on the right track?

cheers!

----------

## yaneurabeya

 *rcxAsh wrote:*   

> iface_eth0="0.0.0.0"

 

0.0.0.0 is referred to as "nothing" in ipv4, correct? 255.255.255.255 is everything.

----------

## -Craig-

Well when using ifconfig 0.0.0.0 is an empty address, normally 0.0.0.0 is everything (e.g. in iptables) !

----------

