Debian OpenVPN server with bridging and DHCP
- From: Markus Knapp <nospam@xxxxxxxxxxxxxxx>
- Date: Sun, 16 Apr 2006 10:30:06 +0200
Hello!
Here is what I would like to have:
A Debian server that gets its IP via DHCP from a router.
On it, openvpn with bridging. The bridge device should also get its IP via DHCP from the router. And all VPN clients that log in should also get their IP via DHCP from the router.
I then roughly followed the guide at http://wiki.voyage.hk/dokuwiki/doku.php?id=transparent_bridge from section 3.3 onward. Then I tried to convert that to "DHCP for everything". It looks like this:
tsg-server:/etc/openvpn# cat bridge-start
#!/bin/bash
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
#eth_ip="192.168.1.200"
#eth_netmask="255.255.255.0"
#eth_broadcast="192.168.1.255"

# Create the persistent TAP device(s) before openvpn is started
for t in $tap; do
  openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
  brctl addif $br $t
done

for t in $tap; do
  ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

#ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
# The bridge gets its address from the router's DHCP instead of the static ifconfig above
dhclient -e $br
route add default gw 192.168.1.1 br0
tsg-server:/etc/openvpn# cat bridge-stop
#!/bin/bash
####################################
# Tear Down Ethernet bridge on Linux
####################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged together
tap="tap0"
eth="eth0"
#eth_ip="192.168.1.200"

ifconfig $br down
brctl delbr $br

for t in $tap; do
  openvpn --rmtun --dev $t
done

#ifconfig $eth $eth_ip up # fallback to ethernet port
dhclient -e eth0
tsg-server:/etc/openvpn# cat server.conf
port 1194
proto udp
dev tap0
persist-key
persist-tun
keepalive 30 120
mode server
tls-server
ca ca.crt
cert tsg-server.crt
key tsg-server.key
dh dh1024.pem
user nobody
group nobody
status openvpn-status.log
verb 3
tsg-server:/etc/openvpn# cat /etc/init.d/openvpn
#!/bin/sh -e
#
# Original version by Robert Leslie
# <rob@xxxxxxxx>, edited by iwj and cs
# Modified for openvpn by Alberto Gonzalez Iniesta <agi@xxxxxxxxxxx>
# Modified for restarting / starting / stopping single tunnels by Richard Mueller <mueller@xxxxxxxxxx>

test $DEBIAN_SCRIPT_DEBUG && set -v -x

DAEMON=/usr/sbin/openvpn
DESC="virtual private network daemon"
CONFIG_DIR=/etc/openvpn
test -x $DAEMON || exit 0
test -d $CONFIG_DIR || exit 0

# Source defaults file; edit that file to configure this script.
AUTOSTART="all"
STATUSREFRESH=10
if test -e /etc/default/openvpn ; then
  . /etc/default/openvpn
fi

start_vpn () {
  if grep -q '^[ ]*daemon' $CONFIG_DIR/$NAME.conf ; then
    # daemon already given in config file
    DAEMONARG=
  else
    # need to daemonize
    DAEMONARG="--daemon ovpn-$NAME"
  fi
  if grep -q '^[ ]*status ' $CONFIG_DIR/$NAME.conf ; then
    # status file already given in config file
    STATUSARG=""
  elif test $STATUSREFRESH -eq 0 ; then
    # default status file disabled in /etc/default/openvpn
    STATUSARG=""
  else
    # prepare default status file
    STATUSARG="--status /var/run/openvpn.$NAME.status $STATUSREFRESH"
  fi
  /etc/openvpn/bridge-start
  $DAEMON --writepid /var/run/openvpn.$NAME.pid \
    $DAEMONARG $STATUSARG --cd $CONFIG_DIR \
    --config $CONFIG_DIR/$NAME.conf || echo -n " FAILED->"
  echo -n " $NAME"
}
stop_vpn () {
  kill `cat $PIDFILE` || true
  rm $PIDFILE
  [ -e /var/run/openvpn.$NAME.status ] \
    && rm /var/run/openvpn.$NAME.status
  echo -n "vor bridgestop"
  /etc/openvpn/bridge-stop
  echo -n "nach bridgestop"
}

case "$1" in
start)
  echo -n "Starting $DESC:"
  # autostart VPNs
  if test -z "$2" ; then
    # check if automatic startup is disabled by AUTOSTART=none
    if test "x$AUTOSTART" = "xnone" -o -z "$AUTOSTART" ; then
      echo " Autostart disabled."
      exit 0
    fi
    if test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then
      # all VPNs shall be started automatically
      for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do
        NAME=${CONFIG%%.conf}
        start_vpn
      done
    else
      # start only specified VPNs
      for NAME in $AUTOSTART ; do
        if test -e $CONFIG_DIR/$NAME.conf ; then
          start_vpn
        else
          echo -n " (failure: No such VPN: $NAME)"
        fi
      done
    fi
  #start VPNs from command line
  else
    while shift ; do
      [ -z "$1" ] && break
      if test -e $CONFIG_DIR/$1.conf ; then
        NAME=$1
        start_vpn
      else
        echo -n " (failure: No such VPN: $1)"
      fi
    done
  fi
  echo "."
  ;;
stop)
  echo -n "Stopping $DESC:"
  if test -z "$2" ; then
    for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
      NAME=`echo $PIDFILE | cut -c18-`
      NAME=${NAME%%.pid}
      stop_vpn
      echo -n " $NAME"
    done
  else
    while shift ; do
      [ -z "$1" ] && break
      if test -e /var/run/openvpn.$1.pid ; then
        PIDFILE=`ls /var/run/openvpn.$1.pid 2> /dev/null`
        NAME=`echo $PIDFILE | cut -c18-`
        NAME=${NAME%%.pid}
        stop_vpn
        echo -n " $NAME"
      else
        echo -n " (failure: No such VPN is running: $1)"
      fi
    done
  fi
  echo "."
  ;;
# We only 'reload' for running VPNs. New ones will only start with 'start' or 'restart'.
reload|force-reload)
  echo -n "Reloading $DESC:"
  for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
    NAME=`echo $PIDFILE | cut -c18-`
    NAME=${NAME%%.pid}
    # If openvpn is running under a different user than root we'll need to restart
    if egrep '^( |\t)*user' $CONFIG_DIR/$NAME.conf > /dev/null 2>&1 ; then
      stop_vpn
      sleep 1
      start_vpn
      echo -n "(restarted)"
    else
      kill -HUP `cat $PIDFILE` || true
      echo -n " $NAME"
    fi
  done
  echo "."
  ;;
restart)
  shift
  $0 stop ${@}
  sleep 1
  $0 start ${@}
  ;;
cond-restart)
  echo -n "Restarting $DESC:"
  for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
    NAME=`echo $PIDFILE | cut -c18-`
    NAME=${NAME%%.pid}
    stop_vpn
    sleep 1
    start_vpn
  done
  echo "."
  ;;
*)
  echo "Usage: $0 {start|stop|reload|restart|force-reload|cond-restart}" >&2
  exit 1
  ;;
esac

exit 0

# vim:set ai sts=2 sw=2 tw=0:
When I now start the server, i.e. run /etc/init.d/openvpn start, I do get the correct bridge devices including their IP, but openvpn does not start. Reverted to static IPs (ifconfig instead of dhclient), everything works as desired.
Can anyone help me figure out what the cause might be?
Regards,
Markus
--
* Markus Knapp * http://www.markus-knapp.de * Video Production *
"We should all be concerned about the future because we will have to spend
the rest of our lives there." [Charles F. Kettering]
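An added example (editor's addition, not code from Markus's post): a small POSIX shell checker that reads an OpenVPN server.conf with the same line-anchored grep idea the Debian init script uses to detect `daemon`, `status` and `user`, and reports whether the privilege drop (`user`/`group`) is paired with `persist-key`/`persist-tun`, which OpenVPN needs so that a SIGUSR1 or ping-restart can re-read keys and reopen the tap device after privileges are gone. It also mirrors the init script's decision to restart rather than SIGHUP a daemon whose config sets `user`. The two sample configs are constructed here (one copies the posted server.conf, the other drops `user` and `persist-tun`); the function names are the example's own. One operational note the init script itself supports: it runs under `sh -e` and calls /etc/openvpn/bridge-start before `$DAEMON`, so a non-zero exit from bridge-start (a bash script's status is that of its last command, here `route add default gw ...`, which fails if a default route already exists) ends start_vpn before openvpn is launched; checking that exit status is a cheap first step when the bridge comes up but the daemon does not.

```shell
#!/bin/sh
# Editor's added example, not code from the original post.
# Reads an OpenVPN server.conf in the plain "option value" form used in the
# post and checks the privilege-drop settings. Function names and the sample
# configs are constructed for this demonstration.

# Print the value of the first active OPTION line in CONF (empty if unset).
# Anchoring at the line start skips commented-out lines such as "#user root",
# the same idea as the init script's grep '^[ ]*daemon'. Requiring whitespace
# after the name keeps "key" from matching "keepalive".
ovpn_option() {
  sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" |
    head -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 if OPTION is present as a directive (with or without value), else 1.
ovpn_has() {
  grep -qE "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Mirror the init script's reload logic: once 'user' is set, a SIGHUP hard
# reset would have to re-read keys and reopen the device without root, so the
# init script restarts the daemon instead of signalling it.
reload_action() {
  if ovpn_has "$1" user; then echo restart; else echo hup; fi
}

# Report privilege-drop findings on stdout; return 0 when the config drops
# privileges and carries the persist options that let it survive a restart.
check_privdrop() {
  conf=$1; rc=0
  for o in user group; do
    if ! ovpn_has "$conf" "$o"; then
      echo "$conf: '$o' not set, daemon keeps its privileges"; rc=1
    fi
  done
  for o in persist-key persist-tun; do
    if ! ovpn_has "$conf" "$o"; then
      echo "$conf: '$o' missing; a SIGUSR1/ping-restart re-reads keys and reopens the tap device, which fails after dropping privileges"; rc=1
    fi
  done
  return $rc
}

# Constructed sample: a copy of the posted server.conf plus a commented-out line.
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat >"$GOOD" <<'EOF'
port 1194
proto udp
dev tap0
persist-key
persist-tun
keepalive 30 120
mode server
tls-server
ca ca.crt
cert tsg-server.crt
key tsg-server.key
dh dh1024.pem
#user root
user nobody
group nobody
status openvpn-status.log
verb 3
EOF
# Second constructed sample: the same config without 'user' and 'persist-tun'.
grep -v -e '^user ' -e '^persist-tun' "$GOOD" >"$BAD"

for f in "$GOOD" "$BAD"; do
  if check_privdrop "$f"; then
    echo "$f: ok, reload via $(reload_action "$f")"
  else
    echo "$f: needs attention, reload via $(reload_action "$f")"
  fi
done
```

Run it with `sh check-ovpn.sh`; it prints the findings for both constructed files. To check a real config, point `check_privdrop` and `reload_action` at /etc/openvpn/server.conf instead of the temporary samples. The output of `reload_action` is exactly the choice /etc/init.d/openvpn makes with its `egrep '^( |\t)*user'` in the reload branch.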