Can't bridge vr0 with tap0 for OpenVPN

[raffo]

Hi,

I try too many times to bridge tap0 (virtual NIC) to vr0 (physical NIC card) to share internet connection to the OpenVPN clients. I try to enable all redirects and to disable the pf firewall but isn't help much. The bridge should be working witht this:

ifconfig bridge0 addm vr0 addm tap0 up

And when I run this it's ok, no output. If I re-run the ourput is

ifconfig: BRDGADD vr0: File exists

so it's ok because there is already a bridge with this dev.

My rc.conf:

rox# cat /etc/rc.conf
# This file now contains just the overrides from /etc/defaults/rc.conf.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
sshd_enable="YES"
ntpdate_enable="YES"
ntpdate_hosts="xx.x86.x.9x"
fsck_y_enable="YES"
named_enable="YES"
ifconfig_vr0="inet x1.xx.76.x netmask 255.255.255.0 broadcast 91.121.76.255"
ifconfig_vr0_alias0="inet x88.1xx.x1.x netmask 255.255.255.255"
ifconfig_vr0_alias1="inet x88.1xx.x1.x netmask 255.255.255.255"
ifconfig_vr0_alias2="inet x88.1xx.9x.5x netmask 255.255.255.255"
ifconfig_vr0_alias3="inet x88.1xx.0.x0  netmask 255.255.255.255"
ifconfig_vr0_alias4="inet x88.1xx.xx.1x1  netmask 255.255.255.255"
ifconfig_vr0_alias5="inet x88.1xx.1x.x  netmask 255.255.255.255"

ifconfig_vr0_alias6="inet x78.32.x.x27  netmask 255.255.255.255"
ifconfig_vr0_alias7="inet x78.32.1x.x  netmask 255.255.255.255"

defaultrouter="xx.xx.76.254"
hostname="rox.xxxx.net"

ipv6_enable="YES"
ipv6_network_interface="vr0"
ipv6_ifconfig_vr0="200x:xxx:1:8110::1 prefixlen 64"


lighttpd_enable="YES"
nginx_enable="YES"

sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
postfix_enable="YES"

munin_node="YES"
munin_node_enable="YES"
mrtg_daemon_enable="YES"

openvpn_if="tap bridge"
cloned_interfaces="bridge0 tap0"
ifconfig_bridge0="addm vr0 addm tap0 up"

gateway_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
openvpn_if="tap"

cloned_interfaces="bridge0 tap0"
ifconfig_tap0="up"
ifconfig_bridge0="addm vr0 addm tap0 up"
openvpn_enable="YES"

#natd_enable="YES"
#natd_interface="vr0" 
#natd_flags=""

#firewall_enable="YES"
#firewall_type="open"

pf_enable="YES"                 # Enable PF (load module if required)
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_flags=""                     # additional flags for pfctl startup
pflog_enable="YES"              # start pflogd(8)
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
pflog_flags=""                  # additional flags for pflogd startup

syslogd_flags="-ss"
dummynet_enable="YES"
tcp_drop_synfin="YES"
tcp_drop_synfin="YES"

tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	ether 00:bd:05:bd:00:00
	inet6 fe80::2bd:5ff:febd:0%tap0 prefixlen 64 scopeid 0x4 
	inet 10.8.0.1 netmask 0xffffff00 broadcast 10.8.0.255
	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
	Opened by PID 8955
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33200
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 2a:bd:fd:37:82:69
	inet 10.8.0.1 netmask 0xffffff00 broadcast 10.8.0.255
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
	member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 4 priority 128 path cost 2000000
	member: vr0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 1 priority 128 path cost 200000

OpenVPN configuration file of server is the default with some change like tap, udp, port, certificate.

On the server config I can't set

server-bridge 10.8.0.1 255.255.255.0 10.8.0.50 10.8.0.100

If I set this the server OpenVPN doesn't start.

I can connect to the OpenVPN server and connect to all service of the server/ip of the OpenVPN server but when I try external connections can't connect. I just need to share internet connection.

Anyone can help me?
Thanks

 

[SirDice]

You can't bridge a private and a public network, it doesn't work that way. Bridging works on layer 2, you need layer 3 connectivity. Use NAT.

 

[raffo]

Thanks for the reply. I want to learn more about routing and VPN on FreeBSD, do you know any ebook for me? Why I can't bridge private with public nic? How can I use NAT? After done the internet shared I also want to provide a dedicated IP for certain users.

Thanks.

 

[SirDice]

Learn how TCP/IP works and it'll all become clear. There are numerous books covering this subject.

This will get you started: http://www.tcpipguide.com

 

[raffo]

How can I share internet connection so? Can you tell me step by step or give me a guide?