Freetz and openVPN

JPAdie

New user
Member since
20 Sep 2006
Posts
74
Reaction score
0
Points
0
Hi

Thanks to help from this forum and the writers of Freetz, I have now successfully uploaded a new image to my FB7270 based on the new firmware (54.05.55).

My issue now is with OpenVPN.

The binary is properly installed and I have uploaded the certs and keys through the web interface.

All my VPNs are bridges and I'd like for this one to be the same. I select the relevant options in the configurator and start the service, but I do not see the bridge being created (brctl show does not reveal that tap0 has been added to the bridge).

I am also not convinced by some of the configuration settings that the configurator writes to the config file - some of them I would expect to see in a tunnelled interface rather than a bridged one. Is the configurator 'work in progress'? If so, I will just upload my own config. Similarly, does the configurator call an 'up' script so that I can manually script the addition to the bridge? If not, can I add the bridge command to debug.cfg (i.e. does debug.cfg get called AFTER the openvpn service gets started?)

Next step is to translate the interface....

Thanks, as always, for the help.
Justin
 
Hi Justin,

Though it is often used to bridge the tap to the LAN, it is not a must. I agree it might be a nice feature to do by the GUI, but at the moment you will need to do the bridging by hand, e.g. adding "tap0" to the list of interfaces in brinterfaces (e.g. as described here in German, but hopefully you will see the points).

Which of the settings do you mean in detail to be "wrong"? Sure, the configurator is not perfect, but it should be a step behind "work in progress".

You are of course free to use your own settings; you will need your own script to write the configuration to /mod/etc/openvpn.conf. I might give some more details if you can't get the "regular" way working for you.

Jörg
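The manual bridging Jörg describes, as an added example that is not code from the thread or from Freetz: an OpenVPN "up" script that adds the tap device to the LAN bridge only if it is not already a member. It assumes the bridge is named "lan" (check "brctl show" on your box) and that openvpn.conf points at it with "up /path/to/this.sh" and "script-security 2", so OpenVPN passes the device name as $1.

```shell
#!/bin/sh
# Added example, not from the thread or from Freetz: put the OpenVPN tap
# device into the LAN bridge by hand, as suggested in the post above.
# Assumptions: the bridge is called "lan", and OpenVPN runs this script
# via "up" with "script-security 2", passing the tap device name as $1.

# bridge_members BRIDGE: read "brctl show" output on stdin and print the
# interfaces of BRIDGE, one per line. brctl prints the first member on the
# bridge's own line and further members on lines holding only the name.
bridge_members() {
    awk -v want="$1" '
        NR == 1 { next }                                  # header line
        NF >= 3 { cur = $1; if (NF >= 4 && cur == want) print $4; next }
        NF == 1 && cur == want { print $1 }'
}

# ensure_bridged BRIDGE IFACE: add IFACE to BRIDGE only if it is missing,
# so the script stays safe to re-run (OpenVPN restarts, debug.cfg, ...).
ensure_bridged() {
    if brctl show | bridge_members "$1" | grep -qx "$2"; then
        echo "$2 is already a member of $1"
    else
        brctl addif "$1" "$2" || return 1
        # a bridged tap carries no address of its own
        ifconfig "$2" 0.0.0.0 promisc up
    fi
}

# When OpenVPN runs this as its up script, $1 is the tap device (e.g. tap0).
if [ -n "$1" ]; then
    ensure_bridged lan "$1"
fi
```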
 
As always, thanks for replying. I will create the bridge manually. But I do not understand how a bridged VPN can work to allow access to the internal network without the bridge being created? Hence my thinking that the configurator should do so itself.

'Wrong' may be too strong: no offence intended. For a bridged connection I typically set my OpenVPN configs as follows:

Code:
#create the interface for the internal face of the bridge
ifconfig 10.8.0.2 255.255.255.0
#tell openVPN about the bridge <internal face> <subnet> <start dhcp range> <end DHCP range>
server-bridge 10.8.0.2 255.255.255.0 10.8.0.170 10.8.0.180

By contrast, this is what the configurator produces:

Code:
ifconfig-pool 10.8.2.170 10.8.2.180
ifconfig 10.8.0.2 255.255.255.0
push "route-gateway 10.8.0.2"
push "route 10.8.0.0 255.255.255.0"

i.e. I don't see the need to create routes for a bridged interface, whereas I would expect to see routes being pushed for a routed interface.
 
Hi Justin,

The TAP device just does bridging between the server and client tap device. So it could be used just "like" a tun from the view of the server: if you don't bridge it to a LAN interface, you can use it via "routing" like any other interface.
As I said, I am quite sure that most users only use it to bridge the LAN, so it might be an idea to integrate an option to bind it to a local interface, but at the moment there are no actual plans (any help or implementation is welcomed ;-)).


Hmm, I just tried to insert your settings; I think the resulting config is just as it should be:
Code:
...
mode server
ifconfig-pool 10.8.0.170 10.8.0.180
ifconfig 10.8.0.2 255.255.255.0
push "route-gateway 10.8.0.2"
....

This is equal to "your" settings (it's the "expansion" of the "server-bridge" command) and a result of the laziness not to use too many differences in TUN and TAP configuration ;-)

I see your point, setting a route to the "local" net of the tap is not needed, but it's not in my sample config.
Might it be a result of your configuration in the GUI (maybe you added "10.8.0.0 255.255.255.0" under "Local network" with the explanation "Client will receive a network route via push")?

Jörg
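The two points above, as an added example that is not code from the thread or from Freetz: a shell function that expands a "server-bridge" line into the directives Jörg lists (the exact expansion is documented in the openvpn man page), and a check that flags a pushed route covering the tap's own subnet, the redundant line Justin noticed. The sample config is constructed from the configurator listing in this thread.

```shell
#!/bin/sh
# Added example, not from the thread or from Freetz.

# Turn a dotted-quad address into an integer so it can be masked.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# expand_server_bridge GATEWAY NETMASK POOL_START POOL_END
# Prints the directives that "server-bridge" stands for, as listed above.
expand_server_bridge() {
    printf 'mode server\n'
    printf 'ifconfig-pool %s %s\n' "$3" "$4"
    printf 'ifconfig %s %s\n' "$1" "$2"
    printf 'push "route-gateway %s"\n' "$1"
}

# redundant_local_route CONFIG_FILE
# Returns 1 (and names the line) if a pushed route covers the same subnet
# as the server's own "ifconfig" line; on a bridged tap that route adds
# nothing. Returns 0 otherwise.
redundant_local_route() {
    cfg="$1"
    set -- $(awk '$1 == "ifconfig" { print $2, $3; exit }' "$cfg")
    [ "$#" -eq 2 ] || return 0          # no ifconfig line: nothing to compare
    net=$(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
    while read -r rnet rmask; do
        [ -n "$rnet" ] || continue
        if [ $(( $(ip_to_int "$rnet") & $(ip_to_int "$rmask") )) -eq "$net" ]; then
            echo "redundant on a bridged tap: push \"route $rnet $rmask\""
            return 1
        fi
    done <<EOF
$(sed -n 's/^push "route \([0-9.]* [0-9.]*\)".*/\1/p' "$cfg")
EOF
    return 0
}

# Sample config constructed from the configurator output quoted in the thread.
sample_config() {
    cat <<'EOF'
mode server
ifconfig-pool 10.8.0.170 10.8.0.180
ifconfig 10.8.0.2 255.255.255.0
push "route-gateway 10.8.0.2"
push "route 10.8.0.0 255.255.255.0"
EOF
}
# Usage: sample_config > /tmp/ovpn.conf && redundant_local_route /tmp/ovpn.conf
```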
 
Thanks for coming back, Jörg.

One follow-up question: should the configurator open the port automatically? If so, then for some reason I am not seeing it do so.
 
Hi Justin,

Sorry, I'm not sure I understood your question correctly.
If you want to know whether you will be able to reach the server from the internet without further configuration, I have to admit "no" again; same "nice to have" but not implemented, as with the bridging :-(. You will also have to add a "Portforwarding" in the ar7.cfg (or with a virtual IP in the regular AVM GUI).

I know it's boring having to do these tasks by hand and not by the package, but because you usually only need this once, there was not too much investigation into integrating this.

You will also find a (German, again) explanation about this in the wiki mentioned above.

Feel free to ask again if I got you wrong or you can't get it working...


Jörg
 
Thanks Jörg - that was my question!
I'll set the port forwarding up manually.
 
