Opened 6 years ago

Last modified 6 years ago

#11222 new defect

OpenVPN creates 2 TAP interfaces instead of 1 and creates itself one more config

Reported by: sergey_chizhov@… Owned by: developers
Priority: normal Milestone:
Component: packages Version: 10.03.1
Keywords: openvpn tap Cc:

Description

By editing the 'sample_client' configuration, I made this config:

config 'openvpn' 'sample_client'
    option 'nobind' '1'
    option 'persist_key' '1'
    option 'persist_tun' '1'
    option 'comp_lzo' '1'
    option 'verb' '3'
    option 'float' '1'
    option 'dev' 'tap'
    option 'port' '5000'
    option 'route' '192.168.0.0 255.255.255.0'
    option 'route_gateway' '192.168.6.1'
    option 'tls_client' '1'
    option 'ca' '/lib/uci/upload/cbid.openvpn.sample_client.ca'
    option 'dh' '/lib/uci/upload/cbid.openvpn.sample_client.dh'
    option 'cert' '/lib/uci/upload/cbid.openvpn.sample_client.cert'
    option 'ifconfig' '192.168.6.14 255.255.255.0'
    option 'keepalive' '10 30'
    option 'key' '/lib/uci/upload/cbid.openvpn.sample_client.key'
    option 'enable' '1'
    option 'remote' 'my.openvpn.server'

After finishing it, one more dummy config, "client_tap_bridge", appears in the OpenVPN configurations.

Only my config is enabled.

After rebooting the device I have this in the ifconfig output:

tap0      Link encap:Ethernet  HWaddr 2A:62:bla:bla  
          inet addr:192.168.6.14  Bcast:192.168.6.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:57 errors:0 dropped:0 overruns:0 frame:0
          TX packets:68 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:5795 (5.6 KiB)  TX bytes:5020 (4.9 KiB)

tap1      Link encap:Ethernet  HWaddr FE:0B:bla:bla  
          inet addr:192.168.6.14  Bcast:192.168.6.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:1124 (1.0 KiB)  TX bytes:0 (0.0 B)

In logread I have an infinite race between tap0 and tap1.

Everything else (routing, firewall, etc.) works fine; all settings were made only via the LuCI web interface, and openvpn and luci-app-openvpn are the only additional packages.

I tried:
- Reinstalling the openvpn and luci-app-openvpn packages;
- Deleting the /etc/config/openvpn config file;
- Deleting all other sections from /etc/config/openvpn;
- firstboot and tuning everything again.

Nothing solves the problem.

During editing I had to switch between 'basic' and 'advanced' configuration mode; now the 'route_delay' option has disappeared in advanced mode.

The same config on another device works fine, but I have already had this problem on two devices; on the first one the problem disappeared after reinstalling the packages.
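As an added example (not part of the ticket, of LuCI or of OpenWrt): a POSIX shell check that counts the enabled 'openvpn' UCI sections, counts the tap interfaces in ifconfig output and flags interfaces sharing one inet addr, which is the symptom described above. The UCI and ifconfig samples are constructed from the ticket text; the MAC addresses are placeholders.

```shell
# Added example, not from the ticket or from OpenWrt: cross-check enabled
# 'openvpn' UCI sections against the tap interfaces actually present and flag
# interfaces sharing one inet addr. Samples are constructed; MACs are placeholders.

UCI_SAMPLE="config 'openvpn' 'sample_client'
    option 'enable' '1'
    option 'dev' 'tap'
config 'openvpn' 'client_tap_bridge'
    option 'dev' 'tap'"

IFCONFIG_SAMPLE="tap0      Link encap:Ethernet  HWaddr 2A:62:00:00:00:01
          inet addr:192.168.6.14  Bcast:192.168.6.255  Mask:255.255.255.0

tap1      Link encap:Ethernet  HWaddr FE:0B:00:00:00:02
          inet addr:192.168.6.14  Bcast:192.168.6.255  Mask:255.255.255.0"

# Count 'config openvpn' sections whose enable (or enabled) option is 1.
count_enabled_sections() {
    printf '%s\n' "$1" | tr -d "'" | awk '
        $1 == "config" { insec = ($2 == "openvpn"); next }
        insec && $1 == "option" && ($2 == "enable" || $2 == "enabled") && $3 == "1" { n++ }
        END { print n + 0 }'
}

# Count tapN interfaces in ifconfig output.
count_tap_ifaces() {
    printf '%s\n' "$1" | awk '/^tap[0-9]+[ \t]/ { n++ } END { print n + 0 }'
}

# List addresses assigned to more than one interface as "addr: ifA ifB".
duplicate_inet_addrs() {
    printf '%s\n' "$1" | awk '
        /^[^ \t]/ { iface = $1 }
        /inet addr:/ { split($2, a, ":"); cnt[a[2]]++; who[a[2]] = who[a[2]] " " iface }
        END { for (ip in cnt) if (cnt[ip] > 1) print ip ":" who[ip] }'
}

# Verdict line: OK when counts agree and no address is shared, else MISMATCH.
check_openvpn_tap() {
    enabled=$(count_enabled_sections "$1"); taps=$(count_tap_ifaces "$2")
    dups=$(duplicate_inet_addrs "$2")
    if [ "$enabled" -eq "$taps" ] && [ -z "$dups" ]; then
        echo "OK: $taps tap interface(s) for $enabled enabled section(s)"
    else
        echo "MISMATCH: $enabled enabled section(s), $taps tap interface(s), shared addr: ${dups:-none}"
    fi
}

check_openvpn_tap "$UCI_SAMPLE" "$IFCONFIG_SAMPLE"
```

On a live router the two samples would be replaced by `cat /etc/config/openvpn` and `ifconfig` output; the same MISMATCH line then reproduces the reporter's observation of two tap interfaces for one enabled section.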

Attachments (0)

Change History (6)

comment:1 follow-up: Changed 6 years ago by Vasiliy P. Melnik <basil@…>

1) you don't have a route

These are strange options if you are using a bridge:

option 'route' '192.168.0.0 255.255.255.0'
option 'route_gateway' '192.168.6.1'

2) don't use the pre-configured config - create a new one with a different name.

3) LuCI always creates the config client_tap_bridge. The simple way - don't use it.

Or remove the patterns: rm -rf /etc/config/openvpn_recipes

comment:2 in reply to: ↑ 1 ; follow-up: Changed 6 years ago by anonymous

Replying to Vasiliy P. Melnik <basil@…>:

> 1) you don't have a route

No, I have. I have a point-to-multipoint VPN network:
192.168.0.0/24 - common office net
192.168.6.0/24 - VPN points subnet, where:
192.168.6.1 - office server (vpn iface)
192.168.6.10+x - shop vpn ifaces (6.11 on the first shop and so on)
192.168.100+x.0/24 - shop subnets (x - shop code)
At the office server:
route add 192.168.1xx.0 netmask 255.255.255.0 192.168.6.1x (now 10 static routes for ten shops. I know about RIP, but for just 10 shops static routes, it seems to me, are the simplest way)
On each OpenWrt: the 'route' and 'route_gateway' options.

> These are strange options if you are using a bridge

It's not a bridge, it is a whole fully routable WAN.

> option 'route' '192.168.0.0 255.255.255.0'
> option 'route_gateway' '192.168.6.1'

> 2) don't use the pre-configured config - create a new one with a different name.

Doesn't help. LuCI doesn't store my config name, it renames it itself. :)

> 3) LuCI always creates the config client_tap_bridge. The simple way - don't use it.
> Or remove the patterns: rm -rf /etc/config/openvpn_recipes

Thank you, I'll try this, but:

  1. Why the hell does OpenWrt create two TAP ifaces when I have only one enabled?!
  2. Why do some options such as 'route_delay' disappear?

I think these are bugs.

comment:3 in reply to: ↑ 2 ; follow-up: Changed 6 years ago by Vasiliy P. Melnik <basil@…>

> No, I have. I have a point-to-multipoint VPN network:
> 192.168.0.0/24 - common office net
> 192.168.6.0/24 - VPN points subnet, where:
> 192.168.6.1 - office server (vpn iface)
> 192.168.6.10+x - shop vpn ifaces (6.11 on the first shop and so on)
> 192.168.100+x.0/24 - shop subnets (x - shop code)
> At the office server:
> route add 192.168.1xx.0 netmask 255.255.255.0 192.168.6.1x (now 10 static routes for ten shops. I know about RIP, but for just 10 shops static routes, it seems to me, are the simplest way)
> On each OpenWrt: the 'route' and 'route_gateway' options.
>
> > These are strange options if you are using a bridge
>
> It's not a bridge, it is a whole fully routable WAN.

use tun for routing

option dev tun

> Doesn't help. LuCI doesn't store my config name, it renames it itself. :)

The openvpn module for LuCI has errors.
Use an scp client for editing configs.

> > 3) LuCI always creates the config client_tap_bridge. The simple way - don't use it.
> > Or remove the patterns: rm -rf /etc/config/openvpn_recipes
>
> Thank you, I'll try this, but:
>
>   1. Why the hell does OpenWrt create two TAP ifaces when I have only one enabled?!

Why? On the server you need 1 iface.

>   2. Why do some options such as 'route_delay' disappear?
>
> I think these are bugs.

/etc/config/openvpn
config 'openvpn' 'magazin'
    option 'enable' '1'
    option 'comp_lzo' '1'
    option 'keepalive' '10 60'
    option 'verb' '3'
    option 'mssfix' '1420'
    option 'server' '10.10.10.0 255.255.255.0'
    option 'ca' '/etc/openvpn/ca.crt'
    option 'dh' '/etc/openvpn/dh1024.pem'
    option 'key' '/etc/openvpn/server.key'
    option 'cert' '/etc/openvpn/server.crt'
    option 'tls_auth' '/etc/openvpn/ta.key 0'
    option 'port' '1194'
    option 'proto' 'udp'
    option 'push' 'route 192.168.21.0 255.255.255.0'
    list 'route' '192.168.22.0 255.255.255.0'
    list 'route' '192.168.23.0 255.255.255.0'
    option 'user' 'nobody'
    option 'group' 'nogroup'
    option 'persist_tun' '1'
    option 'persist_key' '1'
    option 'dev' 'tun'
    option 'client_config_dir' '/etc/openvpn/ccd'

/etc/openvpn/ccd/192-168-22-0
# 192-168-22-0
# remote network
iroute 192.168.22.0 255.255.255.0
# ip for tun iface on remote client
ifconfig-push 10.10.10.22 10.10.10.1

/etc/firewall.user
# openvpn_routing
iptables -A input_rule -p udp --dport 1194 -i eth0.2 -j ACCEPT
iptables -A forwarding_rule -i tun0 -o br-lan -j ACCEPT
iptables -A forwarding_rule -i br-lan -o tun0 -j ACCEPT

comment:4 in reply to: ↑ 3 Changed 6 years ago by sergey_chizhov@…

Excuse me for my previous post's formatting (I will use preview before posting...)

> use tun for routing

  1. Windows. OpenWrt is not the end device; it routes traffic between shop hosts (Windows cash machines, 10 shops in different cities) and the office Windows file server (the damned Shtrih-M/1C file exchange). Windows doesn't like TUN.
  2. "Depending on the device type we select, ifconfig must set the IP/netmask combination differently. TUN devices are virtual point-to-point devices, and therefore ifconfig must be provided with the virtual IP of the other point-to-point partner. TAP devices, however, are virtual network devices and thus ifconfig needs a netmask for this virtual network segment. In our example above, openvpn is called in tun mode and the parameter ifconfig is used with the options 10.3.0.2 10.3.0.1. This means that a virtual point-to-point network is created between the two OpenVPN servers, with 10.3.0.1 and 10.3.0.2 as virtual endpoints. The example below shows the correct ifconfig syntax for a tap device: --ifconfig 10.3.0.2 255.255.255.0. Since TAP devices provide virtual Ethernet segments, a netmask is needed." (c) Markus Feilner, in Packt.OpenVPN.Building.and.Integrating.Virtual.Private.Networks.Feb.2006.

I have 10 different shop networks and the office network; as far as I understand, I just have to use TAP to have access to all hosts in all shops (from any office host), and so that all shop hosts have access to the office server.

> Doesn't help. LuCI doesn't store my config name, it renames it itself. :)
>
> The openvpn module for LuCI has errors.

Yes, my ticket is about that.

> Use an scp client for editing configs.

It's not a problem, I'm using vi on OpenWrt through ssh.

> > 1. Why the hell does OpenWrt create two TAP ifaces when I have only one enabled?!
>
> Why? On the server you need 1 iface.

I don't know; I don't use OpenWrt on the server, on clients I have this problem. I think it's a bug.

On my server everything is OK (PC, one TAP interface, practically the same config).

Thank you for the sample configs, I'll study them, and my network is working fine now, but I started this ticket because I think it is a BUG:

with ONE enabled config, the openwrt_release of openvpn creates TWO buggy TAP interfaces (with the same IP and different MACs) instead of one. The same config on the PC_release of openvpn creates ONE fully functional interface.

Now I have found only one workaround - disable openvpn in services and add to /etc/rc.local "sleep 15 && /etc/init.d/openvpn restart"; in this way I have one fully functional tap0 interface.

comment:5 Changed 6 years ago by Vasiliy P. Melnik <basil@…>

  1. Windows ... Windows is an application server - not a server for the network :) On Windows the interface is universal - for routing or bridging. Try using 'dev tun'.
  2. Your config is for routing and bridging at the same time. I don't understand your network configuration.

comment:6 Changed 6 years ago by Vasiliy P. Melnik <basil@…>

Russian?

Email me at basil(at)vpm.net.ua - we'll sort it out.
