Bug 309185 - sys-apps/openrc-0.6.0-r1 sys-apps/baselayout-2.0.1 doesn't add net-misc/openvpn-2.1_rc15 tap0 network device to bridge
Status: VERIFIED TEST-REQUEST
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] baselayout
Hardware: All Linux
Importance: High normal
Assignee: OpenRC Team
Whiteboard: openrc:oldnet:bridge
Reported: 2010-03-12 21:12 UTC by niv
Modified: 2010-12-18 02:48 UTC
Description niv 2010-03-12 21:12:27 UTC
When using openvpn to create a layer 2 connection, the new tap0 is created, but is not added to the bridge.
I seek to bridge this tap0 to my bridge br0 along with my lan ethernet card (eth1).

After I start openvpn in the client, I must issue:
 # brctl addif br0 tap0

Here is my /etc/conf.d/net file:
config_eth0=( "dhcp" )
config_eth1=( "null" )
config_ra0=( "null" )

channel_ra0="5"
essid_ra0=( "test" )
mode_ra0="master"

modules=( "openvpn" )
config_tap0=( "null" )
config_br0="192.168.14.2/24"
brctl_br0="stp on"
bridge_add_eth1="br0"
bridge_add_tap0="br0"
depend_br0() {
        use net.eth1 hostapd
}
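predown() {
	# Find the bridge this interface is a port of (empty if it is in none)
	local brif="$(ls -l /sys/class/*net*/${IFACE}/brport/bridge 2>/dev/null | sed 's|.*/||')"
	# -n with quotes: an empty result must not break the test
	if [ -n "${brif}" ]; then
		einfo "removing ${IFACE} from bridge"
		/sbin/brctl delif "${brif}" "${IFACE}" || return 1
	fi
	return 0
}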

NOTE: predown() : hack to fix openrc nic bridge removal.

# uname -a
Linux zahi 2.6.32-wl #3 SMP Sat Mar 6 19:18:38 IST 2010 i686 Intel(R) Pentium(R) 4 CPU 1.80GHz GenuineIntel GNU/Linux
# emerge --info
Portage 2.1.7.17 (default/linux/x86/10.0, gcc-4.3.4, glibc-2.10.1-r1, 2.6.32-wl i686)
=================================================================
System uname: Linux-2.6.32-wl-i686-Intel-R-_Pentium-R-_4_CPU_1.80GHz-with-gentoo-2.0.1
Timestamp of tree: Fri, 12 Mar 2010 00:45:01 +0000
distcc 3.1 i686-pc-linux-gnu [disabled]
app-shells/bash:     4.0_p35
dev-java/java-config: 1.3.7-r1, 2.1.10
dev-lang/python:     2.4.6, 2.5.4-r3, 2.6.4-r1
dev-python/pycrypto: 2.0.1-r8
dev-util/cmake:      2.6.4-r3
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     0.6.0-r1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63-r1
sys-devel/automake:  1.5, 1.7.9-r1, 1.9.6-r2, 1.10.3, 1.11.1
sys-devel/binutils:  2.18-r3
sys-devel/gcc:       4.1.2, 4.3.4
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo"
CXXFLAGS="-O2 -march=i686 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.mirror.pw.edu.pl/ http://mirrors.ludost.net/gentoo/ http://gentoo.supp.name/"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage_overlay"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X aac acl acpi alsa amrnb amrwb apache2 avahi berkdb bidi bonjour bzip2 cairo cdparanoia cli cracklib crypt cups cxx dbus dri dts exif flac fortran gdbm gif gpm gtk hal iconv jack jpeg json laptop ldap mmx modules mp3 mp4 mudflap mysql ncurses nls nptl nptlonly opengl openmp oss pam pcre perl png posix pppd python readline reflection samba scanner session speex spell spl sse sse2 ssl sysfs tcpd tiff truetype unicode usb v4l v4l2 vorbis win32codecs x264 x86 xcomposite xinerama xorg xvid zeroconf zlib" ALSA_CARDS="snd-ens1371" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" DVB_CARDS="tda1004x" ELIBC="glibc" INPUT_DEVICES="mouse keyboard evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIRC_DEVICES="hauppauge hauppauge_dvb" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="radeon vesa nvidia" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

# brctl --version
bridge-utils, 1.2

I first tried to add the command to add tap0 to br0 in postup() like this, but it didn't work:
postup() {
               local brif=$(ls -l /sys/class/*net*/${IFACE}/brport/bridge |sed  's|.*/||')
       if [ "${brif}" != "" && "${IFACE}" = "tap0" ] ; then
               sleep 10
               /sbin/brctl addif ${brif} ${IFACE} && einfo " ${IFACE} added to ${brif} bridge"
       fi
       return 0
 }
 


Reproducible: Always

Steps to Reproduce:
1. start /etc/init.d/net.eth1
-> * Bringing up interface eth1
 *   Adding ports to br0
 *     eth1 ...                                                           [ ok ]
 *   null ...                                                             [ ok ]
 *   Waiting for IPv6 addresses ...                                       [ ok ]
 *   Running postup ...
2. issue # brctl show
bridge name	bridge id		STP enabled	interfaces
br0		8000.0002b3175a97	yes		eth1

3. # /etc/init.d/openvpn start
 * Starting openvpn ...                                                   [ ok ]
 * WARNING: openvpn has started, but is inactive
openvpn log snippet:
...
Fri Mar 12 22:57:29 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Fri Mar 12 22:57:29 2010 PUSH: Received control message: 'PUSH_REPLY,ping 10,ping-restart 120'
Fri Mar 12 22:57:29 2010 OPTIONS IMPORT: timers and/or timeouts modified
Fri Mar 12 22:57:29 2010 TUN/TAP device tap0 opened
Fri Mar 12 22:57:29 2010 TUN/TAP TX queue length set to 100
Fri Mar 12 22:57:29 2010 /etc/openvpn/up.sh tap0 1500 1574   init
Fri Mar 12 22:57:29 2010 Initialization Sequence Completed


Actual Results:  
4. brctl show
bridge name	bridge id		STP enabled	interfaces
br0		8000.0002b3175a97	yes		eth1


Expected Results:  
# brctl show
bridge name	bridge id		STP enabled	interfaces
br0		8000.0002b3175a97	yes		eth1
							tap0


I expected the tap0 to be added to br0 as in /etc/conf.d/net:
bridge_add_tap0="br0"

I tried to fix this using /etc/openvpn/openvpn-up.sh :
#!/bin/bash
local IFACE = tap0
local brif=$(ls -l /sys/class/*net*/${IFACE}/brport/bridge |sed  's|.*/||')
/sbin/brctl addif ${brif} ${IFACE} && einfo " ${IFACE} added to ${brif} bridge"

openvpn log reads:
Fri Mar 12 23:07:49 2010 OPTIONS IMPORT: timers and/or timeouts modified
Fri Mar 12 23:07:49 2010 TUN/TAP device tap0 opened
Fri Mar 12 23:07:49 2010 TUN/TAP TX queue length set to 100
Fri Mar 12 23:07:49 2010 /etc/openvpn/up.sh tap0 1500 1574   init
/etc/openvpn/openvpn-up.sh: line 2: local: can only be used in a function
ls: cannot access /sys/class/*net*//brport/bridge: No such file or directory
/etc/openvpn/openvpn-up.sh: line 3: local: can only be used in a function
Incorrect number of arguments for command
Usage: brctl addif <bridge> <device>	add interface to bridge

so the IFACE is not kept and I can't use local?
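
An added example (not from the bug report or from OpenRC): a POSIX sh helper for an OpenVPN up script that attaches the tap device to a bridge once OpenVPN has opened it. It reads the device name from the script's first argument, as the log line `/etc/openvpn/up.sh tap0 1500 1574   init` shows it being passed; the function names, the SYSFS_NET and BRCTL overrides and the BRIDGE default of br0 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: idempotent "attach tap device to bridge" helper.
# SYSFS_NET and BRCTL are hypothetical overrides so the logic can be
# exercised without root; the defaults are the real locations.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"
BRCTL="${BRCTL:-/sbin/brctl}"

# valid_ifname NAME: accept only plain interface names (max 15 chars),
# so a value handed over by another program cannot smuggle in a path.
valid_ifname() {
    case "$1" in
        ''|.|..|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# current_bridge IFACE: print the bridge IFACE is a port of; fail if none.
current_bridge() {
    link=$(readlink "${SYSFS_NET}/$1/brport/bridge" 2>/dev/null) || return 1
    printf '%s\n' "${link##*/}"
}

# bridge_add_port BRIDGE IFACE
# 0: IFACE is (now) a port of BRIDGE   2: bad input or missing device
# 3: IFACE already belongs to a different bridge
bridge_add_port() {
    bridge=$1 iface=$2
    valid_ifname "$bridge" && valid_ifname "$iface" || return 2
    [ -d "${SYSFS_NET}/${bridge}/bridge" ] || return 2  # not a bridge
    [ -e "${SYSFS_NET}/${iface}" ] || return 2          # device not created yet
    if cur=$(current_bridge "$iface"); then
        [ "$cur" = "$bridge" ] && return 0              # already attached
        return 3
    fi
    "$BRCTL" addif "$bridge" "$iface"
}

# Entry point when used as the up script itself: $1 is the device name.
# No `local` here: it is only valid inside a function.
if [ "$#" -ge 1 ]; then
    bridge_add_port "${BRIDGE:-br0}" "$1"
fi
```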
Comment 1 niv 2010-03-12 23:03:51 UTC
another solution, add to /etc/conf.d/net:
depend_tap0() {
        before openvpn
}
Comment 2 Doktor Notor 2010-03-13 18:51:09 UTC
(In reply to comment #1)
> another solution, add to /etc/conf.d/net:
> depend_tap0() {
>         before openvpn
> }

Yeah, that's what you should have done in the first place. :) There's no need to do anything with the scripts, you need to define the order correctly in your configuration. Sticking rc_openvpn_after="net.tap0" into /etc/rc.conf should do the same thing, read the comments in that file as well.
Comment 3 niv 2010-03-14 16:10:55 UTC
then I suggest to note this in openvpn, as this info doesn't appear in any formal wiki.
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-12-06 03:15:43 UTC
-bridge_add_eth1="br0"
-bridge_add_tap0="br0"
+bridge_br0="tap0 eth1"
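Review bot: the added line `bridge_br0="tap0 eth1"` attaches both ports when br0 itself is started, which leaves no way to attach tap0 at the moment openvpn brings it up; the removed `bridge_add_tap0="br0"` line is the per-interface form. Consider keeping that line for tap0 and stating the start order expected between openvpn and net.br0.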

For a start...

I'm not sure why you're trying to add the interface manually, what's wrong with the correct syntax per above, then starting the br0 interface.
Comment 5 niv 2010-12-06 12:47:58 UTC
hi,
I am seeking a dynamic setup that will allow me to add/remove ports to the bridge. your suggestion also didn't work with the setup above, as the bridge sensed tap0 before openvpn established a connection with a remote client, thus leaving the port disabled.

(In reply to comment #4)
> -bridge_add_eth1="br0"
> -bridge_add_tap0="br0"
> +bridge_br0="tap0 eth1"
> 
> For a start...
> 
> I'm not sure why you're trying to add the interface manually, what's wrong with
> the correct syntax per above, then starting the br0 interface.
> 

Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-12-11 01:15:53 UTC
Ok, I'm working on refactoring a bunch of the bridge code that should help you.
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-12-12 01:01:17 UTC
Please update to the latest 9999 git of openrc (at least rev 400b45d), where I have revamped the bridging code, and test.

Here is what should be a correct configuration for you, if I've followed your bug posting correctly (there was some whitespace damage and contradictory information).

modules="openvpn bridge !netplug"
config_eth1="null"
config_tap0="null"
config_br0="192.168.14.2/24"
brctl_br0='stp on'
bridge_add_eth1='br0'
bridge_add_tap0='br0'
rc_use_br0='net.eth1 hostapd'
rc_need_tap0='openvpn'

You need to start both net.eth1 and net.br0 explicitly. Starting net.tap0 should bring up openvpn, and then add tap0 to the bridge.

Comment 8 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-12-12 01:07:24 UTC
Please test the version I specified, and comment back on the bug.
Comment 9 niv 2010-12-13 11:41:34 UTC
seems to work fine after a reboot and removing all my postup() postdown()
the code you wrote looks fine.
Niv Vaizer
Comment 10 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-12-13 19:04:17 UTC
Thanks for testing :-)
Comment 11 niv 2010-12-13 21:32:42 UTC
hostapd is not started on boot
Comment 12 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-12-13 21:53:28 UTC
is it in the default runlevel?
if it's NOT in the runlevel, the use line will not cause it to be started.
if it is in the runlevel, the use line acts like 'after'.
Comment 13 niv 2010-12-15 06:24:34 UTC
more work is needed as noted in bug 309385, as even with this alone I can't ping the client after boot.
this is while I see the client has established connection in the openvpn status file.
Comment 14 niv 2010-12-18 02:48:03 UTC
what I did to make openvpn work with openrc in layer 2 - bridging mode was to add the tap0 device only after openvpn was initiated, so the bridge will learn about the port and forward to it.
In case I add the device prior to establishing connection, I can't ping the remote client.

-# in case openvpn is in bridge mode bridge it to the apropriate bridge
-if grep -q "^[         ]*dev[  ].*tap0" "${VPNCONF}"; then
-       echo "found tap0 ${VPNCONF} bridge: ${BRIDGE} device: ${IFACE}">>/tmp/openvpn.niv.log
-       [ -e /sys/class/*net*/${IFACE}/brport/port_id ] || /sbin/brctl addif ${BRIDGE} ${IFACE}
-f
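Review bot: the `echo` line appends to a fixed path, `/tmp/openvpn.niv.log`, from a script that needs enough privilege to run `brctl addif`, so any local user can pre-create that name as a symlink and redirect the write; send the message to `logger` instead. The test `[ -e /sys/class/*net*/${IFACE}/brport/port_id ]` breaks if the glob matches more than one path, and `${BRIDGE}` and `${IFACE}` should be quoted in the `brctl addif` call. The hunk also ends at `-f`, so the closing `fi` is cut off, and it has no file header to say which script these lines belong to.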