How can I properly boot with OpenVPN in a bridged setup?

I have been running an OpenVPN server for some time now, on Linux. I want to move this to a new FreeBSD server. I have always used a bridged setup for OpenVPN, where the OpenVPN tap interface and the physical network interface are joined together in a bridge. The bridge is given all the proper network configuration, like an IP address.

I have OpenVPN up and running and I have worked out how to put it in a bridged setup. However, when I reboot the server, everything is a mess! I patched together a small script that I have to run after the reboot to make it all work. This is obviously not how I want to implement this.

Does someone know how I can configure FreeBSD to make this all work properly?

/etc/rc.conf
Code:
hostname="openvpn.somedomain.com"

openvpn_enable="YES"
openvpn_if="tap"

cloned_interfaces="bridge0"
ifconfig_bridge0="addm msk0 addm tap0 up"
ifconfig_msk0="up"
ifconfig_tap0="up"
ifconfig_bridge0=" inet xxx.xxx.xxx.xxx netmask 255.255.255.0"
defaultrouter="xxx.xxx.xxx.xxx"

sshd_enable="YES"
ntpd_enable="YES"
powerd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"

Small script, to make it work again
Code:
ifconfig bridge0 addm msk0 addm tap0 up
ifconfig msk0 up
ifconfig tap0 up
ifconfig bridge0 inet 192.168.1.70 netmask 255.255.255.0
route add default 192.168.1.1
 
Add tap0 to cloned_interfaces, that should create it automatically on boot. I recommend that you move your bridge creation to an OpenVPN up-script so it's only created when the openvpn service is started. There should also be a down-script that tears down the bridge when the openvpn service is shut down.
 
I think that if you just add your tap0 interface on your cloned_interfaces directive, you'll have no problem.

@kpa: sorry man, your answer arrived when I was already editing mine.
 
Unfortunately, adding tap0 to cloned_interfaces doesn't make any difference.

How exactly should I implement the creation of the bridge in the OpenVPN start script? I looked at /usr/local/etc/rc.d/openvpn and it doesn't make much sense to me. Those scripts are not really my cup of tea... :\
 
In your openvpn.conf:

Code:
...
up up.sh
down down.sh
...


These scripts go to /usr/local/etc/openvpn

up.sh would be something like:

Code:
#!/bin/sh
# OpenVPN "up" hook: build the bridge from the LAN interface (msk0)
# and the tap device OpenVPN just opened. OpenVPN exports the tap
# device name in ${dev} (tap0 here).
ifconfig bridge0 create
ifconfig bridge0 addm msk0
ifconfig bridge0 addm ${dev}
ifconfig bridge0 up

# Possible firewall rules for pf/ipfw here

Not sure about the exact order and if you first have to bring up the bridge before adding members, but you should get the idea. Note the ${dev} variable: OpenVPN fills in tap0 there for you.

I personally gave up on this type of bridging. I don't have anything that relies on broadcasts, and having a different subnet on the VPN isn't that cumbersome after all. Also, IPv6 neighbour discovery breaks on this type of bridge.
 
That fixed the problem of booting properly. Unfortunately it doesn't work that well when stopping OpenVPN. But that is not really a problem, I don't intend to shut down OpenVPN manually. Well... maybe in case of an update. And if that happens, I can restart this server without causing too much trouble. So, for now I'm happy.

Thanks! :beergrin
 
I left out the matching down.sh that should tear down the bridge in reverse order and also undo any other configuration the up.sh did.
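As an added example (not code from the thread or from the OpenVPN project), here is one script that serves as both the up and the down hook, so the teardown really is the reverse of the setup and a bridge that already exists at boot is not re-created. The names bridge0 and msk0 come from the thread; the script path, the KEEP_BRIDGE switch (for the case where rc.conf puts the host's own address on the bridge, so destroying it would drop the host off the network) and the DRY_RUN switch are my own assumptions. OpenVPN sets $dev and $script_type for hook scripts and needs script-security 2 to run them at all.

```shell
#!/bin/sh
# Added example: one OpenVPN hook script for both "up" and "down".
# Assumed names (adjust): bridge0, LAN interface msk0, installed as
# /usr/local/etc/openvpn/bridge.sh and referenced in openvpn.conf as
#   script-security 2
#   up   /usr/local/etc/openvpn/bridge.sh
#   down /usr/local/etc/openvpn/bridge.sh
BRIDGE=${BRIDGE:-bridge0}
LAN_IF=${LAN_IF:-msk0}
# KEEP_BRIDGE=1 when rc.conf puts the host's IP address on the bridge:
# destroying it on "down" would then take the whole host off the network.
KEEP_BRIDGE=${KEEP_BRIDGE:-}

# run: execute a command, or only echo it when DRY_RUN is set (for testing)
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# bridge_exists: true if the bridge is already present (e.g. from rc.conf);
# in DRY_RUN mode the caller decides via BRIDGE_PRESENT
bridge_exists() {
    if [ -n "$DRY_RUN" ]; then [ -n "$BRIDGE_PRESENT" ]
    else ifconfig "$BRIDGE" >/dev/null 2>&1; fi
}

# bridge_up: create the bridge and attach the LAN side only when it is not
# there yet (a bridge from rc.conf already has its members), then add the
# tap device OpenVPN just opened and bring the bridge up
bridge_up() {
    if ! bridge_exists; then
        run ifconfig "$BRIDGE" create
        run ifconfig "$BRIDGE" addm "$LAN_IF"
    fi
    run ifconfig "$BRIDGE" addm "$1"
    run ifconfig "$BRIDGE" up
}

# bridge_down: reverse of bridge_up; always detach the tap device, and
# destroy the bridge only when it does not carry the host's address
bridge_down() {
    run ifconfig "$BRIDGE" deletem "$1"
    if [ -z "$KEEP_BRIDGE" ]; then
        run ifconfig "$BRIDGE" deletem "$LAN_IF"
        run ifconfig "$BRIDGE" destroy
    fi
}

# Entry point when OpenVPN calls the script ($script_type is "up" or
# "down", $dev is the tap name); does nothing when sourced for testing
case "${script_type:-}" in
    up)   bridge_up "${dev:-$1}" ;;
    down) bridge_down "${dev:-$1}" ;;
esac
```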
 