Feb 5 20:16:24 [openvpn] TUN/TAP device vpn opened
Feb 5 20:16:24 [openvpn] TUN/TAP link layer address set to f0:01:aa:00:00:02
Feb 5 20:16:24 [openvpn] /sbin/ip link set dev vpn up mtu 1500
Feb 5 20:16:24 [openvpn] /sbin/ip addr add dev vpn 10.73.1.30/24 broadcast 10.73.1.255
Feb 5 20:16:24 [openvpn] /etc/openvpn/up.sh vpn 1500 1574 10.73.1.30 255.255.255.0 init
Feb 5 20:16:24 [openvpn] Initialization Sequence Completed
Feb 5 22:53:34 [openvpn] [marples.name] Inactivity timeout (--ping-restart), restarting
Feb 5 22:53:34 [openvpn] /etc/openvpn/down.sh vpn 1500 1574 10.73.1.30 255.255.255.0 init
Feb 5 22:53:34 [openvpn] /sbin/ip addr del dev vpn local 10.73.1.30 peer 255.255.255.0
Feb 5 22:53:34 [openvpn] Linux ip addr del failed: shell command exited with error status: 2
Feb 5 22:53:34 [openvpn] Exiting

Basically, the ip command is wrong. The correct command is of course

/sbin/ip addr del dev vpn local 10.73.1.30/24

as iproute2 does not understand 255.255.255.0 style netmasks. I also fail to see the point of the command, as the next command in the code removes the interface which does the same thing anyway!
Created attachment 142755
Don't bother removing ip addr from the interface
Created attachment 142756
Same as above, but doesn't require existing iproute2 patch
Created attachment 142774
tap-cleanup.patch

Hi Roy,

This is required in order to delete address from persistent interface and work completely unprivileged. Look for "Unprivileged mode" at the howto: http://openvpn.net/howto.html

You are right! The tap interface is not handled correctly. Can you please test this out?

Thanks!
(In reply to comment #3)
> This is required in order to delete address from persistent interface and work
> completely unprivileged.

And you've made that work only on Linux using iproute2? Last I checked, iproute2 was optional and ifconfig was the default. What about other OSes like FreeBSD?
> And you've made that work only on Linux using iproute2?

Yes. It was the simplest to do this for iproute2. Does the patch work?

> Last I checked, iproute2 was optional and ifconfig was the default.

Still... No change.

> What about other OSes like FreeBSD?

I don't know FreeBSD at all... But I got the impression that openvpn supports only ifconfig configuration, am I wrong?

BTW: Do you know how to set the privilege of the tun interface in FreeBSD?
Fails

Feb 6 11:33:39 [openvpn] /etc/openvpn/down.sh vpn 1500 1574 10.73.1.30 255.255.255.0 init
Feb 6 11:33:39 [openvpn] /sbin/ip addr add dev vpn 10.73.1.30/24 broadcast 10.73.1.255
Feb 6 11:33:39 [openvpn] Linux ip addr del failed: shell command exited with error status: 2

Why did you specify the broadcast? I told you the command to use above and broadcast isn't there.

As to your other question - are you implying that you only need to remove the address with iproute2 and not ifconfig? If so, I'd love to know why you think so :)
Created attachment 142812
tap-cleanup.patch

Roy,

I am not an expert like you in the ifconfig/iproute stuff... Have I got this right this time?

The ifconfig commands seem to be working... But I am not sure it is correct.

Also... Why does this have an ip6 address?

config_tap1="null"

# /etc/init.d/net.tap1 start
 * Bringing up interface tap1
 *   Running preup ...
 *   Creating Tun/Tap interface tap1 ... [ok]
 *   null ... [ok]
 *   Waiting for IPv6 addresses ... [ok]

# ifconfig tap1
tap1      Link encap:Ethernet  HWaddr 00:FF:75:74:F6:A3
          inet6 addr: fe80::2ff:75ff:fe74:f6a3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:6 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
I don't even need to run the patch to see it's wrong:

addr add

Shouldn't that be del?

And yes, ifconfig seems to do the right thing. Well, as best it can on Linux anyway. For the BSDs you can do this:

ifconfig tap1 inet 10.2.3.4/24 -alias

The IPv6 address is a local link address and is automagically calculated by the kernel based on the hardware address. It's supposed to be there.
Created attachment 142862
tap-cleanup.patch

True, sorry. I could not test this at that time.

Can you please create a patch for BSD?
Is it possible to change permission of tap in BSD?
(In reply to comment #9)
> Created an attachment (id=142862)
> tap-cleanup.patch

Better, but you also break non iproute2 systems by assuming the linux ifconfig style. I'm now testing it anyway with iproute2.

> Can you please create a patch for BSD?
> Is it possible to change permission of tap in BSD?

Will take some time as I'm busy with my new daughter, but will try to.

It *is* possible to change the permissions (ie, owner mode) of the tap interface in FreeBSD, but that's using a special config entry for devfs which OpenVPN shouldn't be touching. Plus it's FreeBSD specific. I'll see if I can find something for the other BSDs as I have a NetBSD box as well now.
(In reply to comment #10)
> Better, but you also break non iproute2 systems by assuming the linux ifconfig
> style. I'm now testing it anyway with iproute2.

This code is #ifdef for Linux... So it is OK...

> Will take some time as I'm busy with my new daughter, but will try to.
> It *is* possible to change the permissions (ie, owner mode) of the tap
> interface in FreeBSD, but that's using a special config entry for devfs which
> OpenVPN shouldn't be touching. Plus it's FreeBSD specific. I'll see if I can
> find something for the other BSDs as I have a NetBSD box as well now.

Great!
Fixed, thanks!