From: Jeremy Chadwick
To: George Hartzell
Cc: Willy@Offermans.Rompen.nl, freebsd-stable@FreeBSD.ORG, Vince, openvpn-users@lists.sourceforge.net
Date: Thu, 15 Mar 2007 13:50:35 -0700
Subject: Re: tap device at boot time
Message-ID: <20070315205035.GA14074@icarus.home.lan>
In-Reply-To: <17913.29510.964120.616304@satchel.alerce.com>
List-Id: Production branch of FreeBSD source code (freebsd-stable)

On Thu, Mar 15, 2007 at 09:24:38AM -0700, George Hartzell wrote:
> Are you sure that you need to initialize the tap0 device like this?
>
> I use tun's instead of tap's, but in my openvpn server config I have a
> line that says
>
> dev tun
>
> and a bit further down I have a line that says
>
> server 10.8.0.0 255.255.255.0
>
> and openvpn takes care of setting up the device itself. Everything
> I've read suggests that it should work the same way for a tap device.

I can confirm this methodology (as we use it :) ).

There was also a caveat to doing it this way, at least in regards to
bridging. I've documented it in our openvpn.conf file, because it took
me a while to figure out a way to get this to work properly. So here
it is:

# This may appear silly, but it resolves a major problem: tap0 will
# be created and brought online (but not "ifconfig up"'d!) when openvpn
# starts. Bringing the tap0 interface up manually allows us to talk
# directly to the machine on the other end of the bridge; otherwise,
# it never gets ARP for the other end.
#
# The reason the --up command has "|| true" at the end is because
# openvpn appends a bunch of arguments to the command (as it's
# intended to be used in a script). This allows us to ignore those
# arguments.
#
# The interface isn't actually brought online until some traffic
# flows across it, thus we use --keepalive.
#
keepalive 2 10
up "ifconfig bridge0 addm tap0 && ifconfig tap0 up || true"
down "ifconfig bridge0 deletem tap0 && ifconfig tap0 down || true"

--
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
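The `|| true` in the inline --up command above works around the positional arguments OpenVPN appends to the hook (tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart]), but it also swallows a failing `ifconfig bridge0 addm`, so a misconfigured bridge goes unnoticed and OpenVPN still reports success. A standalone hook script consumes those arguments instead of ignoring them: it takes the tap device name from `$1` rather than hard-coding tap0, refuses to add anything but a tap device to the bridge, and returns non-zero on failure so OpenVPN logs the error. The script below is an added example for this thread, not configuration from the original message or from the OpenVPN project; it assumes the bridge is named bridge0 (override with the BRIDGE variable), uses OpenVPN's documented `script_type` environment variable to tell up from down, and has a DRYRUN mode so the command sequence can be inspected without root. It would be wired in with `up /path/to/tap-bridge.sh` and `down /path/to/tap-bridge.sh`; OpenVPN 2.1 and later additionally require `script-security 2` before any external script is executed.

```shell
#!/bin/sh
# Hypothetical OpenVPN --up/--down hook for a bridged tap interface on FreeBSD
# (added example, not part of the original thread or the OpenVPN project).
# OpenVPN calls the hook as:
#   script tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart]
# so the interface name is always $1; script_type is set to "up" or "down".

BRIDGE="${BRIDGE:-bridge0}"   # assumed bridge name; override via environment
DRYRUN="${DRYRUN:-0}"         # DRYRUN=1 prints the commands instead of running them

# Run a command, or echo it when dry-running so the sequence can be checked.
run() {
    if [ "$DRYRUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Only accept names of the form tapN; anything else (em0, bridge0, an empty
# string) is rejected so a bad invocation cannot pull an unrelated interface
# into the bridge.
is_tap() {
    case "$1" in
        tap[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Add the tap device OpenVPN just created to the bridge and bring it up.
# Returns non-zero on any failure so OpenVPN logs it instead of hiding it.
bridge_up() {
    dev="$1"
    is_tap "$dev" || { echo "refusing to bridge '$dev'" >&2; return 1; }
    run ifconfig "$BRIDGE" addm "$dev" || return 1
    run ifconfig "$dev" up
}

# Reverse of bridge_up: remove the device from the bridge and take it down.
bridge_down() {
    dev="$1"
    is_tap "$dev" || { echo "refusing to touch '$dev'" >&2; return 1; }
    run ifconfig "$BRIDGE" deletem "$dev" || return 1
    run ifconfig "$dev" down
}

# Entry point when invoked by OpenVPN; does nothing when sourced for testing.
case "${script_type:-}" in
    up)   bridge_up "$1" ;;
    down) bridge_down "$1" ;;
esac
```

With DRYRUN=1 the script prints `ifconfig bridge0 addm tap0` followed by `ifconfig tap0 up`, which is exactly the inline command from the message, minus the silent failure path.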