What is protocol 4?
I just tested OpenVPN on Linux 2.4 with an ethernet bridge and it worked
with small pings.
I have three machines A, B, and C.
The goal is to implement a virtual ethernet segment shared by A, B, and C,
implemented by two tap-based point-to-point OpenVPN links on A <-> B and B
<-> C, with the bridging happening on B.
On A:
openvpn --mktun --dev tap0
ifconfig tap0 10.7.0.2 netmask 255.255.255.0 mtu 1400
openvpn --tun-mtu 1400 --dev tap0 --secret key --port 4000 \
--remote B --ping 30 &
On B:
openvpn --mktun --dev tap0
openvpn --mktun --dev tap1
brctl addbr br0
brctl addif br0 tap0
brctl addif br0 tap1
ifconfig tap0 0.0.0.0 mtu 1400
ifconfig tap1 0.0.0.0 mtu 1400
ifconfig br0 10.7.0.1 netmask 255.255.255.0 mtu 1400
openvpn --tun-mtu 1400 --dev tap0 --secret key --port 4000 --remote \
A --ping 30 &
openvpn --tun-mtu 1400 --dev tap1 --secret key --port 4001 --remote \
C --ping 30 &
On C:
openvpn --mktun --dev tap0
ifconfig tap0 10.7.0.3 netmask 255.255.255.0 mtu 1400
openvpn --tun-mtu 1400 --dev tap0 --secret key --port 4000 \
--remote B --ping 30 &
Make sure firewalls will input and forward tap/br devices.
Now 10.7.0.[123] can be pinged from A, B, or C.
One complication I've noticed is there's an MTU problem. Large packets
that fragment don't seem to be getting through: tap0 on A fragments the
packet, the fragments arrive at OpenVPN on B, are passed to tap0 then
disappear, instead of being forwarded by the bridge to tap1.
James
On Tue, 2 Jul 2002, Goldfinger wrote:
> Hi
>
> An (easy) way to create a truly transparent VPN between two LANs would be using protocol 4 VPN & bridge utils. Read page http://bridge.sourceforge.net/docs/bridge.html which states
> ...
>
> Creating a bridge port group is done by starting the brctl utility with the 'addbr' command (you need to have root privileges to be able to do this). Because every bridge port group is associated with a virtual ethernet interface, this command creates an ethernet interface with the same name as the bridge port group as a side-effect.
>
> # brctl addbr br0
> To add ('enslave') interfaces to the bridge port group, use the 'addif' command.
>
> # brctl addif br0 eth0
> # brctl addif br0 eth1
> Put the br0, eth0 and eth1 interfaces in the UP state by issuing the command
>
> # ip link set interfacename up
> for each interface. Bridging should now become active after a delay of up to 30 seconds. Congratulations!
> ...
>
> However this requires that the VPN supports protocol 4, which OpenVPN doesn't do at least in its default mode. So is there a way to get OpenVPN to support protocol 4? Cipe should do it but I couldn't find ciped-db (only ciped-cb supporting protocol 3) for RH.
>
>
> J
>
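As an added example (not code from either poster), the bridge-on-B layout above written with iproute2 instead of brctl/ifconfig, plus a check a practitioner would want before chasing the fragment loss described: confirm that br0 and every tap enslaved to it carry the same MTU, since a bridge will not forward a frame larger than the outgoing member's MTU. It assumes Linux with iproute2, sysfs at /sys and root privileges for the setup function; the sysfs root is a parameter so the check can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example, not part of the original thread.
set -eu

# Same layout as B in the thread: two taps enslaved to br0, br0 addressed.
# ip(8) replaces the brctl/ifconfig commands; $1 is the MTU (default 1400).
setup_bridge_b() {
    mtu=${1:-1400}
    ip tuntap add dev tap0 mode tap
    ip tuntap add dev tap1 mode tap
    ip link add name br0 type bridge
    ip link set dev tap0 mtu "$mtu"
    ip link set dev tap1 mtu "$mtu"
    ip link set dev tap0 master br0
    ip link set dev tap1 master br0
    ip link set dev br0 mtu "$mtu"
    ip link set dev tap0 up
    ip link set dev tap1 up
    ip link set dev br0 up
    ip addr add 10.7.0.1/24 dev br0
}

# Return 0 when every interface enslaved to bridge $1 has the same MTU as
# the bridge; print each mismatch and return 1 otherwise. $2 is the sysfs
# root (default /sys); /sys/class/net/<br>/brif/ lists the enslaved ports
# and /sys/class/net/<iface>/mtu holds each interface's MTU.
bridge_mtu_consistent() {
    br=$1
    sysfs=${2:-/sys}
    net="$sysfs/class/net"
    [ -r "$net/$br/mtu" ] || { echo "no bridge $br" >&2; return 2; }
    want=$(cat "$net/$br/mtu")
    rc=0
    for port in "$net/$br/brif"/*; do
        [ -e "$port" ] || continue
        name=$(basename "$port")
        have=$(cat "$net/$name/mtu")
        if [ "$have" != "$want" ]; then
            echo "$name mtu $have != $br mtu $want"
            rc=1
        fi
    done
    return $rc
}
```

Run `bridge_mtu_consistent br0` on B after the setup; any line it prints names a member whose MTU differs from the bridge and therefore needs the same `mtu 1400` as the OpenVPN `--tun-mtu`.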