
fiftyfour123 (original poster, macrumors member, joined Feb 26, 2008, New York, NY):
I have an openvpn2 server set up on a Leopard Server machine. The server is on my home local network. I want to connect to the openvpn2 server from my remote location, which I can do. However, since my OpenVPN server is not bridged, I can only access the server with OpenVPN and not the other machines on my home network. What I want to do is create a bridged OpenVPN server on my home network. The directions on the OpenVPN site only show how to do it on Windows and Linux. The Linux tutorial asks me to download bridge-utils, which I can't find for Mac. So, is there any way to do this on a Mac? I've tried IPNetRouterX, but couldn't get that to work; maybe I configured it wrong.

Thanks.

fiftyfour123 (original poster, macrumors member, joined Feb 26, 2008, New York, NY):
Of course you can. The whole concept of "routing" is to forward packets.

Well then I must be doing something wrong. When it is in routing mode, I can only interact with the server machine and nothing else on the network. My main goal is to be able to share my iTunes library with my family at home, and in routing mode, only the server can see my iTunes library.

fiftyfour123 (original poster, macrumors member, joined Feb 26, 2008, New York, NY):
OK, I have learned that I can do what I want in routing mode. However, I am not sure how to configure it in tap mode. I must use tap and not tun because Bonjour only works over tap. Thanks.

dampfdruck (macrumors member, joined Oct 20, 2008):
The driver is available for download here: http://tuntaposx.sourceforge.net/download.xhtml

You can make Bonjour work in a routed environment by enabling multicast routing. Bonjour is for auto-discovery of local devices. It is not ideal if you are at a remote site and see your home printers and the local printers all mixed up.

fiftyfour123 (original poster, macrumors member, joined Feb 26, 2008, New York, NY):
dampfdruck said:
The driver is available for download here: http://tuntaposx.sourceforge.net/download.xhtml

You can make Bonjour work in a routed environment by enabling multicast routing. Bonjour is for auto-discovery of local devices. It is not ideal if you are at a remote site and see your home printers and the local printers all mixed up.

I've installed those drivers. Is multicast routing something I add to my server config file? Also, I can see the Bonjour services from the server, but not from the machines on my server's LAN. It would be preferable to not have to install OpenVPN on each machine on the LAN behind the server.

theloon (macrumors regular, joined Dec 19, 2007):
Do you have IP forwarding enabled on your router? If not, then it will not route traffic from one subnet to the other, i.e. your LAN to the OpenVPN tunnel.

You can check by using the command

cat /proc/sys/net/ipv4/ip_forward

If result is 0 then it is not enabled.

you can enable it using the command

sysctl -w net.ipv4.ip_forward=1

If you want it enabled after a reboot, for most Unix systems you need to add the following line to /etc/sysctl.conf:

net.ipv4.ip_forward = 1

I run Linux for servers, but it should be the same principle for OS X Server.

Hope this helps.
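The sysctl key theloon gives is the Linux one; on Mac OS X the equivalent is net.inet.ip.forwarding, and both systems read /etc/sysctl.conf at boot. The script below is an added example, not from the thread and not part of OpenVPN or Tunnelblick: it picks the right key for the running OS, parses either sysctl output style, and enables forwarding persistently. The `check`/`enable` arguments are this script's own convention.

```shell
#!/bin/sh
# Added example, not from the thread: IP forwarding check/enable that works
# on both Linux and Mac OS X. The sysctl key differs per OS, which is why the
# Linux commands above cannot be pasted unchanged onto a Leopard server.

# forwarding_key OS -> print the sysctl key that controls IPv4 forwarding.
forwarding_key() {
    case "$1" in
        Linux)  printf '%s\n' net.ipv4.ip_forward ;;
        Darwin) printf '%s\n' net.inet.ip.forwarding ;;
        *)      printf 'unsupported OS: %s\n' "$1" >&2; return 1 ;;
    esac
}

# parse_sysctl_value LINE -> the value from either output style:
#   Linux:  "net.ipv4.ip_forward = 1"
#   Darwin: "net.inet.ip.forwarding: 1"
parse_sysctl_value() {
    printf '%s\n' "$1" | sed -e 's/^[^=:]*[=:][[:space:]]*//'
}

# forwarding_enabled [OS] -> exit 0 if forwarding is on, 1 otherwise.
forwarding_enabled() {
    key=$(forwarding_key "${1:-$(uname -s)}") || return 1
    [ "$(parse_sysctl_value "$(sysctl "$key" 2>/dev/null)")" = 1 ]
}

# enable_forwarding [OS] -> turn forwarding on now and persist it in
# /etc/sysctl.conf, which Linux and Mac OS X both read at boot.
enable_forwarding() {
    key=$(forwarding_key "${1:-$(uname -s)}") || return 1
    sysctl -w "$key=1"
    grep -q "^$key" /etc/sysctl.conf 2>/dev/null || printf '%s=1\n' "$key" >> /etc/sysctl.conf
}

# Usage (as root on the OpenVPN server): sh ipfwd.sh check | enable
case "${1:-}" in
    check)  forwarding_enabled && echo "IP forwarding is on" || echo "IP forwarding is off" ;;
    enable) forwarding_enabled || enable_forwarding ;;
esac
```

Forwarding only matters on the box that owns the tunnel interface (the OpenVPN server itself); the AirPort never sees the tunnel's inner packets, so there is nothing to enable on it.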

theloon (macrumors regular, joined Dec 19, 2007):
If your setup is LAN - Server (running OpenVPN) - Router (AirPort) - Internet - VPN client,

then you will not need forwarding on the router, as the tunnel passes through it to your server.

A common issue is DNS: if your client still has the DNS server of the network you originally connected to, it might not be reachable once you connect to the VPN.

Also, the server needs to have named enabled and allowed for the subnet of your VPN.

Not sure what diags you have done, so kinda guessing here.

Try pinging something like 158.43.128.1 (UUNET) once you are on your VPN. If this works, you can see the Internet from your VPN. If you can't ping http://www.sgi.com, for example, then DNS is most likely going to be your issue.

Hope this helps.

fiftyfour123 (original poster, macrumors member, joined Feb 26, 2008, New York, NY):
I don't really understand what you're saying, haha.

I read that a lot of people running OpenVPN servers on Macs just use Linux in a virtual machine and then configure it in bridged mode. I think I'm going to try this, as it sounds a lot easier.

theloon (macrumors regular, joined Dec 19, 2007):
I don't have Mac Server (Linux for me), but I assume that it uses named.conf in /etc/ to control the allowed subnets:

Code:
acl red-hats {
    10.100.0.0/24;    # being your VPN subnet
};

You also need to turn on/restart the named daemon.

If there is a Mac Server guru on here, they will tell us how to enable named or the equivalent. It's bound to be on Google also.

Your VPN client (I use Viscosity for Mac) has a tick box for enabling DNS in each connection config, and also the default route for all traffic.

fiftyfour123 (original poster, macrumors member, joined Feb 26, 2008, New York, NY):
Yeah, I'm using Viscosity for the client. I'm also using Tunnelblick for the server; in Tunnelblick there's a checkbox for "set nameserver". Would that be the same as what you're saying? If it is, then it didn't work. I tried checking that and the DNS box in Viscosity.

fiftyfour123 (original poster, macrumors member, joined Feb 26, 2008, New York, NY):
Maybe an illustration of my setup will help.

Code:
<Client>
    |
<Internet>
    |
<AirPort Extreme Router (192.168.1.1)>
    |
<My Home LAN>
    |                 |
<Server>   <Other Machines (Mostly Macs)>

The server is 192.168.1.93 and the other machines on my LAN are 192.168.1.x.

dampfdruck (macrumors member, joined Oct 20, 2008):
What is your current status? What is working? Which error messages do you have in the log files?

fiftyfour123 (original poster, macrumors member, joined Feb 26, 2008, New York, NY):
dampfdruck said:
What is your current status? What is working? Which error messages do you have in the log files?

I have no error messages. What is working is that I can communicate with the server. I cannot communicate with other computers that are on the same LAN as the server.

I believe that what I need to do is add a route to my router that points my OpenVPN subnet to the server. Unfortunately this is not possible with an AirPort Extreme router as far as I know.

dampfdruck (macrumors member, joined Oct 20, 2008):
Hello,

I'm not sure if I do understand you correctly. What I think you have is:

- you are forwarding the OpenVPN port from the external network to an OS X server on your LAN (on your NAT gateway, I assume)
- you can connect from outside using OpenVPN and access the server

If that is correct, then you don't need to have any routing. Bridging is layer 2. The remote machine, though, must have an IP address that belongs to your LAN on its TAP interface. That's what the "server-bridge" command in the config is for. Check this command. It must be correct.

If you have problems, then you should study the openvpn log files carefully.

Greetings.

fiftyfour123 (original poster, macrumors member, joined Feb 26, 2008, New York, NY):
Yeah, you got it. I have tried the server-bridge command and the server command in my config file. With both I can connect to the server and interact with the server, but I cannot interact with any other machines on the server's LAN. Here are my config files:

server.conf
Code:
# You can use a different port and/or tcp instead of udp if you like
port 1194
proto udp
max-clients 10

dev tap

# The VPN pool must not conflict with the subnet the server is on.
# The home LAN is 192.168.1.0/24, so the pool is 192.168.2.0/24.
server 192.168.2.0 255.255.255.0
#server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254
#ifconfig 192.168.2.1 192.168.2.2

#ifconfig-pool-persist ipp.txt
#push "route 192.168.1.0 255.255.255.0"
#route 192.168.1.0 255.255.255.0


ca /Users/evan/Library/openvpn/keys/ca.crt
cert /Users/evan/Library/openvpn/keys/server.crt
key /Users/evan/Library/openvpn/keys/server.key
dh /Users/evan/Library/openvpn/keys/dh1024.pem

keepalive 10 120
client-to-client
comp-lzo

user nobody
group nobody

persist-key
persist-tun

#client-config-dir ccd "route 128.205.223.124 255.255.0.0"


client.conf
Code:
remote evancoleman.net 1194
persist-key
tls-client
proto udp
ca /Users/evan/Library/openvpn/keys/ca.crt
dev tap
persist-tun
cert /Users/evan/Library/openvpn/keys/evan.crt
comp-lzo
key /Users/evan/Library/openvpn/keys/evan.key
pull
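Putting theloon's DNS point and the routing discussion together for the routed (tun) case: the AirPort Extreme cannot hold a static route back to 192.168.2.0/24, so LAN hosts have no way to answer VPN clients unless the server masquerades them behind its own LAN address. The script below is an added example, not the original poster's files and not code from Tunnelblick or Viscosity. It takes the thread's own subnets (server 192.168.1.93 on 192.168.1.0/24, VPN pool 192.168.2.0/24) and assumes the server's LAN interface is en0, that keys live under /etc/openvpn/keys, and that the server runs the resolver theloon describes, so DNS is pushed as 192.168.1.93. It refuses to emit a config whose VPN pool overlaps the LAN (the collision the server.conf comment warns about), writes a tun server.conf that pushes the LAN route and DNS, and prints the natd/ipfw commands Leopard shipped for NAT. Routed mode gives unicast reachability only; Bonjour discovery still needs multicast relaying or a layer-2 bridge, as dampfdruck says.

```shell
#!/bin/sh
# Added example, not the original poster's configuration: routed-mode
# server.conf generator plus the Leopard natd/ipfw commands that let LAN hosts
# reply to VPN clients when the router cannot carry a static route.
# Assumptions: LAN interface en0, keys in /etc/openvpn/keys, resolver on the
# server at 192.168.1.93. Subnets are the ones given in the thread.

# ip_to_int A.B.C.D -> the address as an unsigned 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    printf '%d\n' $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# subnets_overlap NET1 MASK1 NET2 MASK2 -> exit 0 if the ranges share any
# address. Each network is compared under the other's mask, so the shorter
# prefix decides.
subnets_overlap() {
    n1=$(ip_to_int "$1"); m1=$(ip_to_int "$2")
    n2=$(ip_to_int "$3"); m2=$(ip_to_int "$4")
    [ $(( n1 & m2 )) -eq $(( n2 & m2 )) ] || [ $(( n2 & m1 )) -eq $(( n1 & m1 )) ]
}

# render_server_conf VPN_NET VPN_MASK LAN_NET LAN_MASK DNS -> print a routed
# server.conf. A pool that collides with the LAN would make the pushed route
# useless on the client, so that case is rejected up front.
render_server_conf() {
    if subnets_overlap "$1" "$2" "$3" "$4"; then
        echo "error: VPN pool $1/$2 overlaps LAN $3/$4" >&2
        return 1
    fi
    cat <<EOF
port 1194
proto udp
max-clients 10
dev tun
server $1 $2
# Send clients a route to the home LAN through the tunnel.
push "route $3 $4"
# Resolve home names via the server's resolver (Viscosity applies this when
# its DNS option is ticked).
push "dhcp-option DNS $5"
# Key paths are an assumption; point them at the real key directory.
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
keepalive 10 120
client-to-client
comp-lzo
user nobody
group nobody
persist-key
persist-tun
EOF
}

# nat_commands LAN_IF -> print the commands (run as root on the server) that
# turn on forwarding and masquerade tunnel traffic behind the server's LAN
# address using natd with an ipfw divert rule. The divert rule must see both
# directions on the LAN interface so replies are translated back.
nat_commands() {
    cat <<EOF
sysctl -w net.inet.ip.forwarding=1
natd -interface $1
ipfw add 100 divert natd ip from any to any via $1
EOF
}

# Usage: sh routed_vpn.sh > server.conf ; sh routed_vpn.sh nat
if [ "${1:-}" = nat ]; then
    nat_commands en0
else
    render_server_conf 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 192.168.1.93
fi
```

The client side needs nothing beyond `pull` (already in client.conf) to accept the pushed route and DNS option; the AirPort only has to keep forwarding UDP 1194 to 192.168.1.93. Because natd rewrites VPN sources to 192.168.1.93, LAN hosts see connections coming from the server, which is also why the server can reach the VPN clients but LAN hosts cannot initiate toward them.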