9th February 2011
J65nko (Administrator)
OpenBSD port of OpenVPN revisited

In "Does pf conflict with OpenVPN?" Emile posted a problem with OpenVPN on 4.7 stable.

With a newly installed OBSD snapshot and a newer version of the OpenVPN package I had the same problem. A tcpdump on tun0 showed ARP requests, which were never answered.
After having a hard time installing FreeBSD (Xorg on FreeBSD is no fun) I could use FreeBSD to connect to a demo VPN account of 'swissvpn.net'.

I noticed that on FreeBSD no ARP requests were being done.

It turned out that the OpenBSD port uses a 'link0' flag in the configuration of the 'tun0' device, actually turning it into a level 2 device, hence the ARP requests. And there is no way to coach OpenVPN to leave out that 'link0' flag.

In the OpenVPN man page I found some clues about running scripts, but that was sparsely documented and deeply buried inside the long, long man page.
The post of Tasmanian Devil on the OpenBSD misc list made me try harder and after some hacking on a script I could create a layer 3 tun0 device and connect to that SwissVPN demo account.

The startup script (to be run with root privileges):
Code:
#!/bin/sh

CONFIG=swissvpn.ovpn

cat <<END
Script to start up OpenVPN with custom 'ifconfig' script.

For some unknown reason the OpenBSD port configures a 'tun' device
as layer 2 by using the 'link0' flag, making the 'tun' device the
equivalent of a Linux 'tap' device (bridge mode).

# /sbin/ifconfig tun0 93.94.245.45 netmask 255.255.255.128 \
      mtu 1500 broadcast 93.94.245.127 link0
                                       ^^^^^
# ifconfig tun0
tun0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr fe:e1:ba:d5:a6:69
        priority: 0
        groups: tun
        status: active
        inet 80.254.76.186 netmask 0xffffff80 broadcast 80.254.76.255
        inet6 fe80::fce1:baff:fed5:a669%tun0 prefixlen 64 scopeid 0x6

Notice the Link Level Address or MAC : fe:e1:ba:d5:a6:69

Because many VPN service providers use layer 3, we circumvent this
by running a custom 'ifconfig' without the 'link0' flag.

# /sbin/ifconfig \${dev} \${ifconfig_local} netmask \${ifconfig_netmask} mtu \${tun_mtu}

# ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        priority: 0
        groups: tun
        status: active
        inet 80.254.76.252 --> 0.0.0.0 netmask 0xffffff80
        inet6 fe80::210:4bff:fe65:6b4%tun0 ->  prefixlen 64 scopeid 0x
END

/usr/local/sbin/openvpn \
        --config ${CONFIG} \
        --verb 4 \
        --script-security 2 execve \
        --ifconfig-noexec \
        --up /etc/openvpn/up

# EXPLANATION OF OPTIONS (see 'man openvpn' for the details)
# -----------------------------------------------------------------------------------------------
# --config                      : specifies the configuration file supplied by the VPN service
# --verb                        : the verbosity level
# --script-security 2 execve    : allow scripts to be executed
# --ifconfig-noexec             : do not execute/run/do an 'ifconfig' on the device we are using
# --up                          : specify the name of the script where we do our own 'ifconfig'
The 'up' script where we do the custom ifconfig without the 'link0' flag.

Code:
#!/bin/sh
# OpenVPN 'up' script: do the ifconfig ourselves, without the 'link0' flag.
# OpenVPN passes dev, ifconfig_local, ifconfig_netmask, tun_mtu and
# script_context in the environment (see 'man openvpn').

LOG="/var/log/OpenVPN-up-$(date '+%m%d_%H%M').log"

# Dump the environment OpenVPN hands us; handy for checking the variable names.
cat <<END >> "${LOG}"
DATE: $(date '+%Y%m%d_%H%M')
-------- Available environment variables --------
$(env | sort)
----------------------------------------
END

# Only run our ifconfig on the initial 'up' (script_context is 'init' or 'restart').
# Variables are quoted so an unset one does not break the test or the command.
if [ "${script_context}" = "init" ] ; then
    /sbin/ifconfig "${dev}" "${ifconfig_local}" netmask "${ifconfig_netmask}" mtu "${tun_mtu}"
fi

cat <<END
Configuration of ${dev} :
# ifconfig ${dev}
$(/sbin/ifconfig "${dev}")
---------------------------------------------
END
Attached files: startup.txt, up.txt
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

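As an added check (not from the post or the OpenVPN project), a small sh script that reads 'ifconfig <dev>' output and reports whether the device came up as the LINK0 layer 2 device the OpenBSD port creates or as the layer 3 point-to-point device the 'up' script intends, and whether it carries the address OpenVPN handed over in ifconfig_local. Function and variable names are my own; the samples are the two ifconfig listings quoted in the post.

```shell
#!/bin/sh
# Added example: sanity check for the tun device after the 'up' script ran.
# Feed it the output of '/sbin/ifconfig ${dev}' plus the expected address.

# Constructed samples, copied from the two ifconfig listings in the post.
TUN_LINK0='tun0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr fe:e1:ba:d5:a6:69
        inet 80.254.76.186 netmask 0xffffff80 broadcast 80.254.76.255'
TUN_P2P='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 80.254.76.252 --> 0.0.0.0 netmask 0xffffff80'

# tun_mode: ifconfig output on stdin -> prints layer2 / layer3 / unknown.
# The flag list sits between <...> on the first line; LINK0 means the
# device will ARP like a Linux 'tap', POINTOPOINT means a plain tun.
tun_mode() {
    flags=$(sed -n '1s/.*flags=[0-9a-fx]*<\([^>]*\)>.*/\1/p')
    case ",${flags}," in
        *,LINK0,*)       echo layer2 ;;
        *,POINTOPOINT,*) echo layer3 ;;
        *)               echo unknown ;;
    esac
}

# tun_inet: ifconfig output on stdin -> prints the first IPv4 address.
tun_inet() {
    sed -n 's/^[[:space:]]*inet \([0-9.]*\).*/\1/p' | sed 1q
}

# check_tun: $1 = ifconfig output, $2 = address from ifconfig_local.
# Returns 0 when the device is layer 3 and carries that address, 1 otherwise.
# The message is meant for the log file the 'up' script already writes.
check_tun() {
    out=$1; want=$2
    mode=$(printf '%s\n' "$out" | tun_mode)
    addr=$(printf '%s\n' "$out" | tun_inet)
    if [ "$mode" != layer3 ]; then
        echo "WARNING: device is ${mode} (link0 set?), expected layer3"; return 1
    fi
    if [ "$addr" != "$want" ]; then
        echo "WARNING: device has ${addr}, expected ${want}"; return 1
    fi
    echo "OK: layer3 device with ${addr}"
}
```

On a live system call it as check_tun "$(/sbin/ifconfig "${dev}")" "${ifconfig_local}" at the end of the 'up' script.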