Old Dec 6, 2009, 02:05 AM   #1
fiftyfour123
macrumors member
 
Join Date: Feb 2008
Location: New York, NY
Bridged OpenVPN on Mac

I have an openvpn2 server set up on a Leopard Server machine. The server is on my home local network. I want to connect to the openvpn2 server from my remote location, which I can do. However, since my openvpn server is not bridged, I can only access the server with openvpn and not the other machines on my home network. What I want to do is create a bridged openvpn server on my home network. The directions on the openvpn site only show how to do it on Windows and Linux. The Linux tutorial asks me to download bridge-utils, which I can't find for Mac. So, is there any way to do this on a Mac? I've tried IPNetRouterX, but couldn't get that to work; maybe I configured it wrong.

Thanks.
Old Dec 6, 2009, 04:27 PM   #2
fiftyfour123
Thread Starter
macrumors member
 
Join Date: Feb 2008
Location: New York, NY
anyone?
Old Dec 6, 2009, 10:09 PM   #3
dampfdruck
macrumors member
 
Join Date: Oct 2008
Why don't you use OpenVPN in routing mode?
Old Dec 6, 2009, 10:10 PM   #4
fiftyfour123
Thread Starter
macrumors member
 
Join Date: Feb 2008
Location: New York, NY
Quote:
Originally Posted by dampfdruck
Why don't you use OpenVPN in routing mode?
Because then I can't interact with other machines on the home network without installing openvpn on them, which I don't want to do.
Old Dec 6, 2009, 11:35 PM   #5
dampfdruck
macrumors member
 
Join Date: Oct 2008
Quote:
Originally Posted by fiftyfour123
Because then I can't interact with other machines on the home network without installing openvpn on them, which I don't want to do.
Of course you can. The whole concept of "routing" is to forward packets.
Old Dec 6, 2009, 11:37 PM   #6
fiftyfour123
Thread Starter
macrumors member
 
Join Date: Feb 2008
Location: New York, NY
Quote:
Originally Posted by dampfdruck
Of course you can. The whole concept of "routing" is to forward packets.
Well then I must be doing something wrong. When it is in routing mode, I can only interact with the server machine and nothing else on the network. My main goal is to be able to share my iTunes library with my family at home, and in routing mode, only the server can see my iTunes library.
Old Dec 8, 2009, 12:22 PM   #7
fiftyfour123
Thread Starter
macrumors member
 
Join Date: Feb 2008
Location: New York, NY
OK, I have learned that I can do what I want in routing mode. However, I am not sure how to configure it in tap mode. I must use tap and not tun because Bonjour only works over tap. Thanks.
Old Dec 8, 2009, 07:06 PM   #8
fiftyfour123
Thread Starter
macrumors member
 
Join Date: Feb 2008
Location: New York, NY
anyone?
Old Dec 8, 2009, 08:31 PM   #9
dampfdruck
macrumors member
 
Join Date: Oct 2008
The driver is available for download here: http://tuntaposx.sourceforge.net/download.xhtml

You can make Bonjour work in a routed environment by enabling multicast routing. Bonjour is for auto-discovery of local devices. It is not ideal if you are at a remote site and see your home printers and the local printers all mixed up.
Old Dec 8, 2009, 09:04 PM   #10
fiftyfour123
Thread Starter
macrumors member
 
Join Date: Feb 2008
Location: New York, NY
Quote:
Originally Posted by dampfdruck
The driver is available for download here: http://tuntaposx.sourceforge.net/download.xhtml

You can make Bonjour work in a routed environment by enabling multicast routing. Bonjour is for auto-discovery of local devices. It is not ideal if you are at a remote site and see your home printers and the local printers all mixed up.
I've installed those drivers. Is multicast routing something I add to my server config file? Also, I can see the Bonjour services from the server, but not from the machines on my server's LAN. It would be preferable to not have to install openvpn on each machine on the LAN behind the server.
Old Dec 10, 2009, 12:26 AM   #11
fiftyfour123
Thread Starter
macrumors member
 
Join Date: Feb 2008
Location: New York, NY
anyone?
Old Dec 10, 2009, 11:38 PM   #12
theloon
macrumors member
 
Join Date: Dec 2007
Do you have IP forwarding enabled on your router? If not then it will not route traffic from one subnet to the other, i.e. your LAN to the OpenVPN tunnel.

You can check by using the command

cat /proc/sys/net/ipv4/ip_forward

If result is 0 then it is not enabled.

You can enable it using the command

sysctl -w net.ipv4.ip_forward=1

If you want it enabled after a reboot, for most Unix systems you need to add the following line to /etc/sysctl.conf:

net.ipv4.ip_forward = 1

I run Linux for servers, but it should be the same principle for OS X Server.

Hope this helps.
Old Dec 11, 2009, 09:32 AM   #13
fiftyfour123
Thread Starter
macrumors member
 
Join Date: Feb 2008
Location: New York, NY
I enabled it on the server, but I don't know how to enable it on my router. My router is an AirPort Extreme.
Old Dec 11, 2009, 11:20 PM   #14
theloon
macrumors member
 
Join Date: Dec 2007
If your setup is LAN - Server (running OpenVPN) - Router (AirPort) - Internet - VPN client,

then you will not need forwarding on the router, as the tunnel passes through it to your server.

A common issue is DNS, if your client still has the DNS server of the network you originally connected to it might not be reachable once you connect to the VPN.

Also the Server needs to have named enabled and allowed for the subnet of your VPN.

Not sure what diags you have done, so kinda guessing here.

Try pinging something like 158.43.128.1 (uunet) once you are on your VPN. If this works you can see the Internet from your VPN. If you can't ping www.sgi.com, for example, then DNS is most likely gonna be your issue.

Hope this helps.
Old Dec 11, 2009, 11:23 PM   #15
fiftyfour123
Thread Starter
macrumors member
 
Join Date: Feb 2008
Location: New York, NY
I don't really understand what you're saying, haha.

I read that a lot of people running openvpn servers on Macs just use Linux in a virtual machine and then configure it in bridged mode. I think I'm going to try this as it sounds a lot easier.
Old Dec 11, 2009, 11:56 PM   #16
theloon
macrumors member
 
Join Date: Dec 2007
Even in bridged mode you will still need to get DNS working.

Good luck
Old Dec 11, 2009, 11:58 PM   #17
fiftyfour123
Thread Starter
macrumors member
 
Join Date: Feb 2008
Location: New York, NY
Quote:
Originally Posted by theloon
Even in bridged mode you will still need to get DNS working.

Good luck
Hmm, so maybe I'll try it without the virtual machine first. What exactly do I need to do to get DNS fixed?
Old Dec 12, 2009, 12:18 AM   #18
theloon
macrumors member
 
Join Date: Dec 2007
I don't have Mac server (Linux for me), but I assume that it uses named.conf in /etc/ to control the allowed subnets:

acl red-hats {
    10.100.0.0/24;    // this being your VPN subnet
};


You also need to turn on/restart the named daemon.

If there is a Mac Server guru on here they will tell us how to enable named or the equivalent. It's bound to be on Google also.

Your VPN client (I use Viscosity for Mac) has a tick box for enabling DNS in each connection config, and also for the default route for all traffic.
Old Dec 12, 2009, 12:06 PM   #19
fiftyfour123
Thread Starter
macrumors member
 
Join Date: Feb 2008
Location: New York, NY
Yeah, I'm using Viscosity for the client. I'm also using Tunnelblick for the server; in Tunnelblick there's a checkbox for "set nameserver". Would that be the same as what you're saying? If it is, then it didn't work. I tried checking that and the DNS box in Viscosity.
Old Dec 13, 2009, 05:08 PM   #20
fiftyfour123
Thread Starter
macrumors member
 
Join Date: Feb 2008
Location: New York, NY
Maybe an illustration of my setup will help.

<Client>
    |
    |
<Internet>
    |
    |
<AirPort Extreme Router (192.168.1.1)>
    |
    |
<My Home LAN>
    |                    |
<Server>    <Other Machines (Mostly Macs)>

The server is 192.168.1.93 and the other machines on my LAN are 192.168.1.x.
Old Dec 14, 2009, 06:09 PM   #21
fiftyfour123
Thread Starter
macrumors member
 
Join Date: Feb 2008
Location: New York, NY
anyone?
Old Dec 14, 2009, 08:18 PM   #22
dampfdruck
macrumors member
 
Join Date: Oct 2008
What is your current status? What is working? Which error messages do you have in the log files?
Old Dec 14, 2009, 08:43 PM   #23
fiftyfour123
Thread Starter
macrumors member
 
Join Date: Feb 2008
Location: New York, NY
Quote:
Originally Posted by dampfdruck
What is your current status? What is working? Which error messages do you have in the log files?
I have no error messages. What is working is that I can communicate with the server. I cannot communicate with other computers that are on the same LAN as the server.

I believe that what I need to do is add a route to my router that points my openvpn subnet to the server. Unfortunately this is not possible with an AirPort Extreme router as far as I know.
Old Dec 15, 2009, 06:39 AM   #24
dampfdruck
macrumors member
 
Join Date: Oct 2008
Hello,

I'm not sure if I do understand you correctly. What I think you have is:

- you are forwarding the OpenVPN port from the external network to an OS X server on your LAN (on your NAT gateway, I assume)
- you can connect from outside using OpenVPN and access the server

If that is correct, then you don't need to have any routing. Bridging is layer 2. The remote machine, though, must have an IP address that belongs to your LAN on its TAP interface. That's what the "server-bridge" command in the config is for. Check this command. It must be correct.

If you have problems, then you should study the openvpn log files carefully.

Greetings.
Old Dec 15, 2009, 12:42 PM   #25
fiftyfour123
Thread Starter
macrumors member
 
Join Date: Feb 2008
Location: New York, NY
Yeah, you got it. I have tried the server-bridge command and the server command in my config file. With both I can connect to the server and interact with the server, but I cannot interact with any other machines on the server's LAN. Here are my config files:

server.conf
Code:
# You can use a different port and/or tcp instead of udp if you like
port 1194
proto udp
max-clients 10

dev tap

# Set 192.168.2.0 to something that does not conflict with the subnet your server is on.
# My home LAN is 192.168.1.x so I chose 192.168.2.0 (with "server", clients get addresses
# on this separate subnet even with dev tap; it is not a bridge onto the LAN)
server 192.168.2.0 255.255.255.0
#server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254
#ifconfig 192.168.2.1 192.168.2.2

#ifconfig-pool-persist ipp.txt
#push "route 192.168.1.0 255.255.255.0"
#route 192.168.1.0 255.255.255.0


ca /Users/evan/Library/openvpn/keys/ca.crt
cert /Users/evan/Library/openvpn/keys/server.crt
key /Users/evan/Library/openvpn/keys/server.key
dh /Users/evan/Library/openvpn/keys/dh1024.pem

keepalive 10 120
client-to-client
comp-lzo

user nobody
group nobody

persist-key
persist-tun

#client-config-dir ccd "route 128.205.223.124 255.255.0.0"

client.conf
Code:
remote evancoleman.net 1194
persist-key
tls-client
proto udp
ca /Users/evan/Library/openvpn/keys/ca.crt
dev tap
persist-tun
cert /Users/evan/Library/openvpn/keys/evan.crt
comp-lzo
key /Users/evan/Library/openvpn/keys/evan.key
pull
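As an added illustration (not code from the thread or from OpenVPN), the small Python check below reads the `server` / `server-bridge` / `push "route ..."` directives out of a server.conf like the one above and reports why VPN clients would or would not be able to reach hosts on the 192.168.1.0/24 LAN. The bridged variant it compares against is hypothetical; the client pool 192.168.1.200-220 is an assumed range, and the check cannot see whether the tap interface is actually bridged onto the LAN NIC, which a real bridged setup also needs.

```python
import ipaddress
import shlex

# Constructed excerpt of the poster's server.conf: dev tap, but "server" puts clients on
# 192.168.2.0/24, a subnet the LAN hosts and the AirPort have no route for.
OP_CONF = """
dev tap
server 192.168.2.0 255.255.255.0
#server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254
#push "route 192.168.1.0 255.255.255.0"
"""
# Hypothetical bridged variant for the poster's 192.168.1.0/24 LAN (server at .93).
# The .200-.220 pool is an assumption; it must not overlap the router's DHCP range.
BRIDGED_CONF = """
dev tap
server-bridge 192.168.1.93 255.255.255.0 192.168.1.200 192.168.1.220
"""

def parse(conf):
    """Return [(directive, [args]), ...]; '#' comments and blank lines are dropped."""
    out = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)          # keeps quoted push payloads as one token
            out.append((parts[0], parts[1:]))
    return out

def check(conf, lan_cidr):
    """Return the reasons VPN clients cannot reach hosts on the LAN ([] if none found)."""
    lan = ipaddress.ip_network(lan_cidr)
    entries = parse(conf)
    get = lambda name: [a for d, a in entries if d == name]
    problems = []
    if get("server-bridge"):                   # layer-2 mode: clients must look like LAN hosts
        gw, mask, lo, hi = get("server-bridge")[-1]
        if ipaddress.ip_network(f"{gw}/{mask}", strict=False) != lan:
            problems.append("server-bridge gateway/netmask do not describe the LAN subnet")
        if not (ipaddress.ip_address(lo) in lan and ipaddress.ip_address(hi) in lan):
            problems.append("server-bridge client pool lies outside the LAN subnet")
        if get("dev")[-1:] != [["tap"]]:
            problems.append("server-bridge requires dev tap")
    elif get("server"):                        # routed mode: both sides need routes
        net, mask = get("server")[-1]
        vpn = ipaddress.ip_network(f"{net}/{mask}")
        if vpn.overlaps(lan):
            problems.append("VPN subnet overlaps the LAN")
        routes = [a[0].split()[1:] for a in get("push") if a and a[0].split()[0] == "route"]
        if not any(len(r) >= 2 and ipaddress.ip_network(f"{r[0]}/{r[1]}") == lan for r in routes):
            problems.append(f'clients need push "route {lan.network_address} {lan.netmask}"')
        problems.append(f"LAN hosts need a route to {vpn} via the server (or the server must NAT), "
                        "and the server needs IP forwarding on (net.inet.ip.forwarding=1 on OS X)")
    else:
        problems.append("no server or server-bridge directive")
    return problems
```

Running `check(OP_CONF, "192.168.1.0/24")` lists the missing client route and the missing return route, while the bridged variant returns an empty list.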