View Single Post
  #1   (View Single Post)  
Old 9th February 2011
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,994
Default OpenBSD port of OpenVPN revisited

In Does pf conflict with OpenVPN? Emile posted a problem with OpenVPN on 4.7 stable

With a newly installed OBSD snapshot and a newer version of the OpenVPN package I had the same problem. A tcpdump on tun0 showed arp requests, which were never answered.
After a having a hard time installing FreeBSD (Xorg on FreeBSD is no fun) I could use FreeBSD to connect to a demo VPN account of 'swissvpn.net'.

I noticed that on FreeBSD no arp requests were being done.

It turned out that the OpenBSD port use a 'link0' flag to the configuration of the 'tun0' device, actually turning it into a level 2 device, hence the arp requests. And there is no way to coach OpenVPN to leave out that 'link0' flag.

In the OpenVPN man page I found some clues about running scripts, but that was sparsely documented and deeply buried inside the long, long man page.
The post of Tasmanian Devil on the OpenBSD misc list made me try harder and after some hacking on a script I could create a layer 3 tun0 device and connect to that SwissVPN demo account.

The startup script (to be run with root privileges):
Code:
#!/bin/sh

CONFIG=swissvpn.ovpn

cat <<END
Script to start up OpenVPN with custom 'ifconfig' script.

For some unknown reason the OpenBSD port configures a 'tun' device
as a layer 2 by using the 'link0' flag, making the 'tun' device to
the equivalent of a Linux 'tap' device (bridge mode).

# /sbin/ifconfig tun0 93.94.245.45 netmask 255.255.255.128 \
      mtu 1500 broadcast 93.94.245.127 link0
                                       ^^^^^
# ifconfig tun0
tun0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr fe:e1:ba:d5:a6:69
        priority: 0
        groups: tun
        status: active
        inet 80.254.76.186 netmask 0xffffff80 broadcast 80.254.76.255
        inet6 fe80::fce1:baff:fed5:a669%tun0 prefixlen 64 scopeid 0x6

Notice the Link Level Address or MAC : fe:e1:ba:d5:a6:69

Because many VPN service providers, use layer 3, we circumvent this
by running a custom 'ifconfig' without the 'link0' flag.

# /sbin/ifconfig \${dev} \${ifconfig_local} netmask \${ifconfig_netmask} mtu \${tun_mtu}

# ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        priority: 0
        groups: tun
        status: active
        inet 80.254.76.252 --> 0.0.0.0 netmask 0xffffff80
        inet6 fe80::210:4bff:fe65:6b4%tun0 ->  prefixlen 64 scopeid 0x
END

/usr/local/sbin/openvpn \
        --config ${CONFIG} \
        --verb 4 \
        --script-security 2 execve \
        --ifconfig-noexec \
        --up /etc/openvpn/up

# EXPLANTION OF OPTIONS (see 'man openvpn' for the details)
# -----------------------------------------------------------------------------------------------
# --config                      : specifies the configuration file supplied by the VPN service
# --verb                        : the verbosity level
# --script-security 2 execve    : allow scripts to be executed
# --ifconfig-noexec             : do not execute/run/do an 'ifconfig' on the device we are using
# --up                          : specify the name of the script where we do our own 'ifconfig'
The 'up' script where we do the custon ifconfig without the 'link0' flag.

Code:
#!/bin/sh

LOG="/var/log/OpenVPN-up-$(date '+%m%d_%H%M').log"

cat <<END >> ${LOG}
DATE: $(date '+%Y%m%d_%H%M')
-------- Available environment variables -------- 
$(env | sort)
----------------------------------------
END

if [ ${script_context} = "init" ] ; then
    /sbin/ifconfig ${dev} ${ifconfig_local} netmask ${ifconfig_netmask} mtu ${tun_mtu}
fi

cat <<END 
Configuration of ${dev} :
# ifconfig ${dev} 
$(ifconfig $dev)
---------------------------------------------
END
Attached Files
File Type: txt startup.txt (1.9 KB, 118 views)
File Type: txt up.txt (480 Bytes, 98 views)
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 9th February 2011 at 04:03 AM. Reason: Download
Reply With Quote