Author Topic: OpenVPN - cannot create tap interface  (Read 2970 times)

vyprana_veverka

  • Visitor
  • Posts: 10
OpenVPN - cannot create tap interface
« on: 09 May 2013, 07:35:34 »
Hello,
I am trying to get an OpenVPN server running on Ubuntu 12 in Ethernet bridge mode, but after starting it the tap interface is not created; it has something to do with script-security. I am not that experienced in this, so I would appreciate some advice. For the configuration I used these sources: http://openvpn.net/index.php/open-source/documentation/howto.html , https://help.ubuntu.com/community/OpenVpn
Here are the config files and scripts:

server.conf
mode server
tls-server
local 192.168.55.12
management 127.0.0.1 7505
port 1194
proto udp
dev tap
;up "/etc/openvpn/up.sh br0 tap0 1500"
;down "/etc/openvpn/down.sh br0 tap0"
ca ca.crt
cert server.crt
key server.key 
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.55.12 255.255.255.0  192.168.55.100 192.168.55.110
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

--- for now I have the most basic configuration possible there

up.sh

#!/bin/bash

BR=$1
DEV=$2
MTU=$3
/sbin/ip link set "$DEV" up promisc on mtu "$MTU"
/sbin/brct1 addif $BR $DEV

down.sh
#!/bin/bash

BR=$1
DEV=$2
/sbin/brct1 delif $BR $DEV
/sbin/ip link set "$DEV" down

ifconfig:
br0       Link encap:Ethernet  HWaddr 00:24:81:4f:67:ad 
          inet addr:192.168.55.12  Bcast:192.168.55.255  Mask:255.255.255.0
          inet6 addr: fe80::224:81ff:fe4f:67ad/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1242 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:63618 (63.6 KB)  TX bytes:5236 (5.2 KB)

eth0      Link encap:Ethernet  HWaddr 00:24:81:4f:67:ad 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1242 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:85974 (85.9 KB)  TX bytes:5336 (5.3 KB)
          Interrupt:22 Memory:e4600000-e4620000

interfaces:
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo br0
iface lo inet loopback

iface br0 inet static
   address 192.168.55.12
   netmask 255.255.255.0
   gateway 192.168.55.12
   bridge_ports eth0
iface eth0 inet manual
   up ip link set $IFACE up promisc on
   down ip link set $IFACE down promisc off

syslog: with the up.sh and down.sh scripts in use
May  9 07:00:47 david-nbubun ovpn-server[4288]: OpenVPN 2.2.1 i686-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Oct  8 2012
May  9 07:00:47 david-nbubun ovpn-server[4288]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:7505
May  9 07:00:47 david-nbubun ovpn-server[4288]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
May  9 07:00:47 david-nbubun ovpn-server[4288]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
May  9 07:00:47 david-nbubun ovpn-server[4288]: Diffie-Hellman initialized with 1024 bit key
May  9 07:00:47 david-nbubun ovpn-server[4288]: TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
May  9 07:00:47 david-nbubun ovpn-server[4288]: Socket Buffers: R=[163840->131072] S=[163840->131072]
May  9 07:00:47 david-nbubun ovpn-server[4288]: TUN/TAP device tap0 opened
May  9 07:00:47 david-nbubun ovpn-server[4288]: TUN/TAP TX queue length set to 100
May  9 07:00:47 david-nbubun ovpn-server[4288]: /etc/openvpn/up.sh br0 tap0 1500 tap0 1500 1574   init
May  9 07:00:47 david-nbubun ovpn-server[4288]: WARNING: External program may not be called unless '--script-security 2' or higher is enabled.  Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier.  See --help text or man page for detailed info. <<<<<<<
May  9 07:00:47 david-nbubun ovpn-server[4288]: WARNING: Failed running command (--up/--down): external program fork failed
May  9 07:00:47 david-nbubun ovpn-server[4288]: Exiting

syslog: without the up.sh and down.sh scripts

May  9 07:27:17 david-nbubun ovpn-server[4866]: OpenVPN 2.2.1 i686-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Oct  8 2012
May  9 07:27:17 david-nbubun ovpn-server[4866]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:7505
May  9 07:27:17 david-nbubun ovpn-server[4866]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
May  9 07:27:17 david-nbubun ovpn-server[4866]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
May  9 07:27:17 david-nbubun ovpn-server[4866]: Diffie-Hellman initialized with 1024 bit key
May  9 07:27:17 david-nbubun ovpn-server[4866]: TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
May  9 07:27:17 david-nbubun ovpn-server[4866]: Socket Buffers: R=[163840->131072] S=[163840->131072]
May  9 07:27:17 david-nbubun ovpn-server[4866]: TUN/TAP device tap0 opened
May  9 07:27:17 david-nbubun ovpn-server[4866]: TUN/TAP TX queue length set to 100
May  9 07:27:17 david-nbubun ovpn-server[4866]: Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
May  9 07:27:17 david-nbubun ovpn-server[4868]: UDPv4 link local (bound): [AF_INET]192.168.55.12:1194
May  9 07:27:17 david-nbubun ovpn-server[4868]: UDPv4 link remote: [undef]
May  9 07:27:17 david-nbubun ovpn-server[4868]: MULTI: multi_init called, r=256 v=256
May  9 07:27:17 david-nbubun ovpn-server[4868]: IFCONFIG POOL: base=192.168.55.100 size=11, ipv6=0
May  9 07:27:17 david-nbubun ovpn-server[4868]: IFCONFIG POOL LIST
May  9 07:27:17 david-nbubun ovpn-server[4868]: Initialization Sequence Completed

---- but the tap interface is not created

If I do not use the up.sh and down.sh scripts in the server.conf configuration, the OpenVPN server starts normally and I can get into it through the management console, but the tap interface is not created. I tried both tap and tap0 in the configuration.

If I use the up.sh and down.sh scripts, I see a problem with script-security, which is probably where the real issue lies.
Thanks for any advice

vyprana_veverka

  • Visitor
  • Posts: 10
Re: OpenVPN - cannot create tap interface
« Reply #1 on: 09 May 2013, 10:37:45 »
So I modified the up.sh and down.sh scripts a bit; the OpenVPN server does start, but the tap0 interface is still not created

May  9 10:30:46 david-nbubun ovpn-server[5870]: OpenVPN 2.2.1 i686-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Oct  8 2012
May  9 10:30:46 david-nbubun ovpn-server[5870]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:7505
May  9 10:30:46 david-nbubun ovpn-server[5870]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
May  9 10:30:46 david-nbubun ovpn-server[5870]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
May  9 10:30:46 david-nbubun ovpn-server[5870]: Diffie-Hellman initialized with 1024 bit key
May  9 10:30:46 david-nbubun ovpn-server[5870]: TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
May  9 10:30:46 david-nbubun ovpn-server[5870]: Socket Buffers: R=[163840->131072] S=[163840->131072]
May  9 10:30:46 david-nbubun ovpn-server[5870]: TUN/TAP device tap0 opened
May  9 10:30:46 david-nbubun ovpn-server[5870]: TUN/TAP TX queue length set to 100
May  9 10:30:46 david-nbubun ovpn-server[5870]: Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
May  9 10:30:46 david-nbubun ovpn-server[5872]: UDPv4 link local (bound): [AF_INET]192.168.55.12:1194
May  9 10:30:46 david-nbubun ovpn-server[5872]: UDPv4 link remote: [undef]
May  9 10:30:46 david-nbubun ovpn-server[5872]: MULTI: multi_init called, r=256 v=256
May  9 10:30:46 david-nbubun ovpn-server[5872]: IFCONFIG POOL: base=192.168.55.100 size=11, ipv6=0
May  9 10:30:46 david-nbubun ovpn-server[5872]: IFCONFIG POOL LIST
May  9 10:30:46 david-nbubun ovpn-server[5872]: Initialization Sequence Completed

down.sh
#!/bin/bash

BR=\$1
DEV=\$2
/sbin/brctl delif \$BR \$DEV
/sbin/ip link set "\$DEV" down

EOF

up.sh
#!/bin/bash

BR=\$1
DEV=\$2
MTU=\$3
/sbin/ip link set "\$DEV" up promisc on mtu "\$MTU"
/sbin/brctl addif \$BR \$DEV

EOF


vyprana_veverka

  • Visitor
  • Posts: 10
Re: OpenVPN - cannot create tap interface
« Reply #2 on: 09 May 2013, 11:58:26 »
So far I have solved the problem with script-security. Since version 2.1, script-security 2 has to be set in server.conf if we want to run external commands. I set the value to 3 instead, to be on the safe side. I found this in the NEWS.Debian document, which is in /usr/share/doc/openvpn, but now I have a different problem with the up.sh script:

 root@david-nbubun:/etc/openvpn# service openvpn start
 * Starting virtual private network daemon(s)...
 *   Autostarting VPN 'server'
Error: argument "$MTU" is wrong: Invalid "mtu" value

interface $DEV does not exist!
root@david-nbubun:/etc/openvpn#

root@david-nbubun:/etc/openvpn# cat up.sh
#!/bin/bash

BR=\$1
DEV=\$2
MTU=\$3
/sbin/ip link set "\$DEV" up promisc on mtu "\$MTU"
/sbin/brctl addif \$BR \$DEV

I don't understand this script very well; I admit I copied it. But as I see it, BR, DEV and MTU are input parameters that I have to supply when I run the UP.sh script. In server.conf I have: up "/etc/openvpn/up.sh br0 tap0 1500". Unless the MTU is supposed to be given in units other than bytes. And "interface $DEV does not exist!" apparently means that it still refuses to create the tap0 interface

vyprana_veverka

  • Visitor
  • Posts: 10
Re: OpenVPN - cannot create tap interface
« Reply #3 on: 09 May 2013, 12:05:47 »
So the problem with the tap interface is solved. It was partly a matter of syntax. It was necessary to add the script-security 3 parameter to server.conf and correct the up.sh script into this form:

#!/bin/bash

BR=$1
DEV=$2
MTU=$3
/sbin/ip link set "$DEV" up promisc on mtu "$MTU"
/sbin/brctl addif $BR $DEV


root@david-nbubun:/etc/openvpn# ifconfig
br0       Link encap:Ethernet  HWaddr 00:24:81:4f:67:ad 
          inet addr:192.168.55.12  Bcast:192.168.55.255  Mask:255.255.255.0
          inet6 addr: fe80::224:81ff:fe4f:67ad/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5971 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:305512 (305.5 KB)  TX bytes:5349 (5.3 KB)

eth0      Link encap:Ethernet  HWaddr 00:24:81:4f:67:ad 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5971 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:412996 (412.9 KB)  TX bytes:5475 (5.4 KB)
          Interrupt:22 Memory:e4600000-e4620000


tap0      Link encap:Ethernet  HWaddr 36:c1:df:64:88:d3 
          inet6 addr: fe80::34c1:dfff:fe64:88d3/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:5177 (5.1 KB)


ntz_reloaded

  • Lackey
  • Addict
  • ***
  • Posts: 3735
  • skill :: ur home erly
Re: OpenVPN - cannot create tap interface
« Reply #4 on: 09 May 2013, 12:16:20 »
I only saw this now, but it says so right there:

Code:
May  9 07:00:47 david-nbubun ovpn-server[4288]: WARNING: External program may not be called unless '--script-security 2' or higher is enabled.  Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier.  See --help text or man page for detailed info. <<<<<<<
^^ ;)

Code:
# ps -ef | grep openvpn
root      8248     1  0 May06 ?        00:00:14 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --config server.conf --cd /etc/openvpn --script-security 2
address me informally, I address you informally too ...
song of the day - openSUSE, openindiana, DuckDuckGo
The noise ain't noise anymore, who's to blame, WHO'S TO BLAME ??
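
The script-security mismatch worked through in the posts above, as an added example that is not part of any post in this thread: a shell function that reads a server.conf and reports whether its script hooks would be blocked (default level 1 with up/down set) or whether the level is higher than the hooks require (level 3 is only needed when auth-user-pass-verify uses via-env). It checks only the config file, so a --script-security given on the command line is not seen; the function name, the hook list and the sample files are constructed for illustration, and it assumes the last script-security line is the effective one.

```shell
#!/bin/sh
# Added example: audit an OpenVPN config for the script-security mismatch
# discussed in this thread. Names and sample files are constructed.

# Directives that make OpenVPN run a user-defined program.
HOOKS='^(up|down|route-up|ipchange|tls-verify|client-connect|client-disconnect|learn-address|auth-user-pass-verify)$'

# audit_script_security FILE -> prints one finding and returns
#   0 = level matches the hooks, 1 = hooks would be blocked, 2 = level too high
audit_script_security() {
    conf=$1
    # Default level is 1 since OpenVPN 2.1. Lines commented out with ';' or
    # '#' never match, because their first field is not the bare keyword.
    level=$(awk '$1 == "script-security" { l = $2 } END { print (l == "" ? 1 : l) }' "$conf")
    hooks=$(awk -v re="$HOOKS" '$1 ~ re { print $1 }' "$conf" | sort -u | tr '\n' ' ')

    need=1                                   # built-in helpers (ip, route) only
    if [ -n "$hooks" ]; then need=2; fi      # user-defined scripts
    # Level 3 additionally hands passwords to scripts through the environment.
    if grep -Eq '^[[:space:]]*auth-user-pass-verify[[:space:]].*via-env' "$conf"; then
        need=3
    fi

    if [ "$level" -lt "$need" ]; then
        echo "BLOCKED: level $level, but [ $hooks] needs script-security $need"
        return 1
    elif [ "$level" -gt "$need" ]; then
        echo "EXCESSIVE: level $level is set, $need is enough for [ $hooks]"
        return 2
    fi
    echo "OK: level $level matches the hooks in use [ $hooks]"
}

# Constructed samples modelled on the server.conf from the first post.
SAMPLES=$(mktemp -d)
printf '%s\n' 'dev tap' 'up "/etc/openvpn/up.sh br0 tap0 1500"' \
    'down "/etc/openvpn/down.sh br0 tap0"' > "$SAMPLES/first.conf"
{ cat "$SAMPLES/first.conf"; echo 'script-security 3'; } > "$SAMPLES/fixed3.conf"
{ cat "$SAMPLES/first.conf"; echo 'script-security 2'; } > "$SAMPLES/fixed2.conf"
printf '%s\n' 'dev tap' ';up "/etc/openvpn/up.sh br0 tap0 1500"' > "$SAMPLES/nohooks.conf"

for f in first fixed3 fixed2 nohooks; do
    printf '%s: ' "$f"
    audit_script_security "$SAMPLES/$f.conf" || true
done
```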

IPv6compatible

Re: OpenVPN - cannot create tap interface
« Reply #5 on: 30 August 2013, 14:20:08 »
Hi,
I wanted to ask what you think of OpenVPN 2.3.2 I003.
Are all the bugs ironed out? I would like to use it cross-platform.

Source code and executables are here: https://sourceforge.net/projects/openvpn232i003nvp/.

Thanks for the answers

 

The site is operated under the auspices of the OpenAlt association.