Hi to all

I have a VPN server configured in bridge mode working perfectly for over a year.

I need to add a new bridge to it now, and I am really not sure what I am doing wrong!

My /etc/openvpn contains 2 files:

/etc/openvpn/bridge.conf

    remote 0.0.0.0
    dev tap0
    secret /etc/openvpn/bridge.key

/etc/openvpn/cajamar.conf

    port 1195
    remote 0.0.0.0
    dev tap1
    secret /etc/openvpn/cajamar.key

and my /etc/network/interfaces contains this:

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # The internet network interface
    auto eth1
    iface eth1 inet static
        address 186.231.3.203
        netmask 255.255.255.248
        broadcast 186.231.3.207
        gateway 186.231.3.201

    # The bridged vpn interface for Cenno
    auto br0
    iface br0 inet static
        pre-up /usr/sbin/openvpn --mktun --dev tap0
        pre-up /usr/sbin/brctl addbr br0
        address 172.16.0.4
        network 172.16.0.0
        broadcast 172.16.255.255
        netmask 255.255.0.0
        post-up /sbin/ip link set tap0 up
        post-up /usr/sbin/brctl addif br0 tap0
        post-up /sbin/ip link set eth0 up
        post-up /usr/sbin/brctl addif br0 eth0
        post-down /usr/sbin/brctl delbr br0
        post-down /usr/sbin/openvpn --rmtun tap0
        post-down /sbin/ip link set eth0 down

    # The bridged vpn interface for Cajamar
    auto br1
    iface br1 inet manual
        pre-up /usr/sbin/openvpn --mktun --dev tap1
        pre-up /usr/sbin/brctl addbr br1
        post-up /sbin/ip link set tap1 up
        post-up /usr/sbin/brctl addif br1 tap1
        post-up /sbin/ip link set eth3 up
        post-up /usr/sbin/brctl addif br1 eth3
        post-down /usr/sbin/brctl delbr br1
        post-down /usr/sbin/openvpn --rmtun tap1
        post-down /sbin/ip link set eth3 down

There is no error msg in the log on any of the 3 servers...

The old one (referred to just as "bridge") is still working fine; the new one (referred to as "cajamar") is not working...

Any help will be welcome... thanks in advance...

Fábio Rabelo
On 12/10/2013 5:41 AM, Fábio Rabelo wrote:
> I have a VPN server configured in bridge mode working perfectly for
> over a year.
>
> I need to add a new bridge to it now, and I am really not sure what I
> am doing wrong!
>
> [...]
>
> Any help will be welcome... thanks in advance...

Fábio,

This is a Shorewall list. If you want our help, you are going to have to give us the details of your Shorewall configuration. The output of 'shorewall dump' collected as described at http://www.shorewall.org/support.htm#guidelines would be best.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Thanks

The shorewall dump is attached to the first email as a .rar file.

Fábio Rabelo

On 10/12/2013 13:49, "Tom Eastep" <teastep@shorewall.net> wrote:
> This is a Shorewall list. If you want our help, you are going to have to
> give us the details of your Shorewall configuration. The output of
> 'shorewall dump' collected as described at
> http://www.shorewall.org/support.htm#guidelines would be best.
On 12/10/2013 10:34 AM, Fábio Rabelo wrote:
> Thanks
>
> The shorewall dump is attached to the first email as a .rar file.

teastep@gateway:~/shorewall/support/Fabeo$ unrar vpn.rar

unrar 0.0.1 Copyright (C) 2004 Ben Asselstine, Jeroen Dekkers

Extracting from /home/teastep/shorewall/support/Fabeo/vpn.rar

Extracting vpn.txt Failed
1 Failed
teastep@gateway:~/shorewall/support/Fabeo$ file vpn.rar
vpn.rar: RAR archive data, v1d, os: Win32
teastep@gateway:~/shorewall/support/Fabeo$

It also fails when I try to open it using WinZip.

Please supply a different archive format.

Thanks,
-Tom
I can unrar the file without a glitch...

Zipped now.

Fábio Rabelo

2013/12/10 Tom Eastep <teastep@shorewall.net>:
> It also fails when I try to open it using WinZip.
>
> Please supply a different archive format.
On 12/10/2013 12:31 PM, Fábio Rabelo wrote:
> I can unrar the file without a glitch...
>
> Zipped now.

There is an existing connection from 187.75.209.97 to UDP port 1195, so the remote host is able to communicate with your firewall:

udp      17 177 src=187.75.209.97 dst=186.231.3.203 sport=1195 dport=1195 packets=3121 bytes=431352 src=186.231.3.203 dst=187.75.209.97 sport=1195 dport=1195 packets=8 bytes=1088 [ASSURED] mark=0 secmark=0 use=2

I don't see anything wrong with your configuration either.

So what does 'not working' mean? Can't establish a VPN? Can't communicate through the VPN???

-Tom
Thanks a lot... I just do not know where to go from here...

Packets do not pass through the connection...

On the first bridge (called just "bridge") I can do anything on any host in any place, like ping from a workstation at one end with IP 172.16.0.27 to the file server located at the other end of the VPN with IP 172.16.3.232, or open a file on this file server...

But on this new bridge (called cajamar) anything I try to do between both ends just gets a "no route to host" or a "time out" msg.

All network masks on all machines involved are 255.255.0.0.

All machines involved have an IP in the range between 172.16.0.0 and 172.16.20.0.

In the future, I will need more bridged VPNs like this... so the masks are so wide...

Fábio Rabelo

2013/12/10 Tom Eastep <teastep@shorewall.net>:
> I don't see anything wrong with your configuration either.
>
> So what does 'not working' mean? Can't establish a VPN? Can't
> communicate through the VPN???
On 12/10/2013 1:17 PM, Fábio Rabelo wrote:
> But on this new bridge (called cajamar) anything I try to do between
> both ends just gets a "no route to host" or a "time out" msg.
>
> All network masks on all machines involved are 255.255.0.0.

I just noticed that you have not assigned an IP address to br1!

-Tom
On 12/11/2013 10:28 AM, Tom Eastep wrote:
> I just noticed that you have not assigned an IP address to br1!

I also notice that neither vpn0 nor vpn1 have addresses. So listing them in your Shorewall configuration does nothing.

And what is eth3? Other than being bridged to vpn1, it seems to have no other purpose. Any hosts connected to it cannot communicate with or through the Shorewall box.

-Tom
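For anyone hitting the same br1 mistake: the following Python check is an added example, not from the thread, Shorewall or OpenVPN. It parses an ifupdown-style interfaces file (a constructed, abridged copy of the one posted above) and reports bridges that enslave ports but never receive an IPv4 address, so the host, and any firewall rules on it, has no presence on that segment.

```python
import re

# Constructed, abridged copy of the /etc/network/interfaces posted in the thread.
INTERFACES = """\
auto lo
iface lo inet loopback

auto br0
iface br0 inet static
    pre-up /usr/sbin/brctl addbr br0
    address 172.16.0.4
    netmask 255.255.0.0
    post-up /usr/sbin/brctl addif br0 tap0
    post-up /usr/sbin/brctl addif br0 eth0

auto br1
iface br1 inet manual
    pre-up /usr/sbin/brctl addbr br1
    post-up /usr/sbin/brctl addif br1 tap1
    post-up /usr/sbin/brctl addif br1 eth3
"""

ADDIF = re.compile(r"brctl\s+addif\s+(\S+)\s+(\S+)")
STANZA_KEYWORDS = ("iface", "auto", "allow-hotplug", "mapping", "source", "source-directory")


def parse_interfaces(text):
    """Map each iface name to its method, IPv4 address and bridge ports."""
    stanzas, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] == "iface" and len(words) >= 4:
            cur = stanzas.setdefault(
                words[1], {"method": words[3], "address": None, "ports": []})
        elif words[0] in STANZA_KEYWORDS:
            cur = None                        # a new top-level stanza begins
        elif cur is not None:
            if words[0] == "address" and len(words) > 1:
                cur["address"] = words[1].split("/")[0]
            m = ADDIF.search(line)            # brctl addif <bridge> <port>
            if m and m.group(1) in stanzas:
                stanzas[m.group(1)]["ports"].append(m.group(2))
    return stanzas


def unaddressed_bridges(text):
    """Bridges that enslave ports but carry no IPv4 address: frames are still
    forwarded between the ports, but the host itself is unreachable there."""
    st = parse_interfaces(text)
    return sorted(n for n, s in st.items() if s["ports"] and s["address"] is None)


if __name__ == "__main__":
    for br in unaddressed_bridges(INTERFACES):
        print(f"{br}: ports enslaved but no address configured")
```

Run against the constructed file it reports only br1; br0 passes because its stanza carries an address line.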