OpenVPN: Tap device not joined to br0 after installation

flatspin · November 18, 2016, 2:17pm

After installation of openvpn on ns7 ad/dc with bridged mode the tap0 device is created but not started and not joined to br0.
No error in messages.log, openvpn.log or host-to-net-status.log.
I had to manually join the device to br0. Now enp0s17, vb-nsdc and tap0 are joined to br0.

EDIT: After reboot same again. Manual start tap0 an join again.

ssabbath · November 20, 2016, 12:45pm

I may be wrong, yesterday we had a update do OpenVPN, did you update yours?

For bridged mode you need to have a dedicated NIC, is that right?

flatspin · November 20, 2016, 5:07pm

Hi Walter,

installed package is 2.3.12, 2.3.13 is available, you’re right with the update. But it’s not an openvpn issue I think. The command openvpn --mktun --dev tap1 mode tap seems to be the last working command in the installscript, because the tap divece was created.
The installscript didn’t work correctly. I had to manually get tap1 up (ifconfig tap1 up) and join it to the existing bridge br0 (brctl addif br0 tap1). This is the bridge created for nsdc-container. OpenVPN works fine now. But it’s maybe VM related.

AFAIK you can build bridges with virtual diveces also, but for a vpn tunnel you need a nic connected to the internet on which you can bridge the virtual tap device. I choose bridged mode, because I get an privat IP in the network and so the machine is fully equivalent to any machine in the network. It’s like I were at work. (and it’s easier to set up )

flatspin · November 23, 2016, 5:42pm

I tried it again. Installed a new VM NS7RC2 from iso. Added nsdc and openvpn. nsdc created br0, but again tap0 was not joined to existing br0. Installation is not correct. So openvpn doeosn’t work out of the box.
Can anybody confirm this?

alefattorini · November 24, 2016, 2:14pm

I need to ask @quality_team @davide_marini help /cc also our vpn experts @harry @EddieA @Hunv

flatspin · November 29, 2016, 8:13am

Hi @giacomo thanks for jumping in.
I suppose a bug in the intsall script of openvpn. Please see this thread

But it’s not the only problem Gerald has.
BTW the commands are not permanent. After reboot the device is not joined to br0, but this is because of the templatingsystem I think. Is this right?

celiofk · December 3, 2016, 3:48pm

I can confirm the bug in a real server. Used @flatspin workaround.
Cheers.

giacomo · December 5, 2016, 11:26am

I can reproduce the bug:

Stay tuned for the fix!
/cc @gerald_FS

giacomo · December 5, 2016, 1:42pm

The fix is out, if you have time, please test it and let me know!

flatspin · December 5, 2016, 1:44pm

Will do right now. Please let me some minutes.

flatspin · December 5, 2016, 2:41pm

Tried the new package and tap0 was joind to br0 after enabling roadwarrior server.
After stopping host-to-net service tap0 was unbound. After starting service again tap was bound again.
After reboot service was started correctly and bridge was bound.

Every thing works correct with new package. Thanks a lot for your work.
You are great @giacomo

gerald_FS · December 5, 2016, 5:29pm

Danke!

Thanks!

celiofk · December 11, 2016, 10:17pm

Thanks!