Bridged OpenVPN on Mac

Discussion in 'Mac OS X Server, Xserve, and Networking' started by fiftyfour123, Dec 6, 2009.

  1. fiftyfour123 macrumors member

    Joined:
    Feb 26, 2008
    Location:
    New York, NY
    #1
    I have an OpenVPN 2 server set up on a Leopard Server machine. The server is on my home local network. I want to connect to the OpenVPN 2 server from my remote location, which I can do. However, since my OpenVPN server is not bridged, I can only access the server with OpenVPN and not the other machines on my home network. What I want to do is create a bridged OpenVPN server on my home network. The directions on the OpenVPN site only show how to do it on Windows and Linux. The Linux tutorial asks me to download bridge-utils, which I can't find for Mac. So, is there any way to do this on a Mac? I've tried IPNetRouterX, but couldn't get that to work; maybe I configured it wrong.

    Thanks.
     
  2. fiftyfour123 thread starter macrumors member

    Joined:
    Feb 26, 2008
    Location:
    New York, NY
  3. dampfdruck macrumors member

    Joined:
    Oct 20, 2008
  4. fiftyfour123 thread starter macrumors member

    Joined:
    Feb 26, 2008
    Location:
    New York, NY
    #4
    Because then I can't interact with other machines on the home network without installing OpenVPN on them, which I don't want to do.
     
  5. dampfdruck macrumors member

    Joined:
    Oct 20, 2008
    #5
    Of course you can. The whole concept of "routing" is to forward packets.
     
  6. fiftyfour123 thread starter macrumors member

    Joined:
    Feb 26, 2008
    Location:
    New York, NY
    #6
    Well, then I must be doing something wrong. When it is in routing mode, I can only interact with the server machine and nothing else on the network. My main goal is to be able to share my iTunes library with my family at home, and in routing mode, only the server can see my iTunes library.
     
  7. fiftyfour123 thread starter macrumors member

    Joined:
    Feb 26, 2008
    Location:
    New York, NY
    #7
    OK, I have learned that I can do what I want in routing mode. However, I am not sure how to configure it in tap mode. I must use tap and not tun because Bonjour only works over tap. Thanks.
     
  8. fiftyfour123 thread starter macrumors member

    Joined:
    Feb 26, 2008
    Location:
    New York, NY
  9. dampfdruck macrumors member

    Joined:
    Oct 20, 2008
    #9
    The driver is available for download here: http://tuntaposx.sourceforge.net/download.xhtml

    You can make Bonjour work in a routed environment by enabling multicast routing. Bonjour is for auto-discovery of local devices. It is not ideal if you are at a remote site and see your home printers and the local printers all mixed up.
     
  10. fiftyfour123 thread starter macrumors member

    Joined:
    Feb 26, 2008
    Location:
    New York, NY
    #10
    I've installed those drivers. Is multicast routing something I add to my server config file? Also, I can see the Bonjour services from the server, but not from the machines on my server's LAN. It would be preferable to not have to install OpenVPN on each machine on the LAN behind the server.
     
  11. fiftyfour123 thread starter macrumors member

    Joined:
    Feb 26, 2008
    Location:
    New York, NY
  12. theloon macrumors member

    theloon

    Joined:
    Dec 19, 2007
    #12
    Do you have IP forwarding enabled on your router? If not, then it will not route traffic from one subnet to the other, i.e. your LAN to the OpenVPN tunnel.

    You can check by using the command

    cat /proc/sys/net/ipv4/ip_forward

    If the result is 0 then it is not enabled.

    You can enable it using the command

    sysctl -w net.ipv4.ip_forward=1

    If you want it enabled after a reboot, for most Unix systems you need to add the following line to /etc/sysctl.conf

    net.ipv4.ip_forward = 1

    I run Linux for servers, but it should be the same principle for OS X Server.

    Hope this helps.
     
  13. fiftyfour123 thread starter macrumors member

    Joined:
    Feb 26, 2008
    Location:
    New York, NY
    #13
    I enabled it on the server, but I don't know how to enable it on my router. My router is an AirPort Extreme.
     
  14. theloon macrumors member

    theloon

    Joined:
    Dec 19, 2007
    #14
    If your setup is LAN - Server (running OpenVPN) - Router (Airport) - Internet - client VPN.

    then you will not need forwarding on the router, as the tunnel passes through it to your server.

    A common issue is DNS, if your client still has the DNS server of the network you originally connected to it might not be reachable once you connect to the VPN.

    Also the Server needs to have named enabled and allowed for the subnet of your VPN.

    Not sure what diagnostics you have done, so I'm kind of guessing here.

    Try pinging something like 158.43.128.1 (uunet) once you are on your VPN. If this works, you can see the Internet from your VPN. If you can't ping www.sgi.com, for example, then DNS is most likely going to be your issue.

    Hope this helps.
     
  15. fiftyfour123 thread starter macrumors member

    Joined:
    Feb 26, 2008
    Location:
    New York, NY
    #15
    I don't really understand what you're saying, haha.

    I read that a lot of people running OpenVPN servers on Macs just use Linux in a virtual machine, then configure it in bridged mode. I think I'm going to try this as it sounds a lot easier.
     
  16. theloon macrumors member

    theloon

    Joined:
    Dec 19, 2007
    #16
    Even in bridged mode you will still need to get DNS working :)

    Good luck
     
  17. fiftyfour123 thread starter macrumors member

    Joined:
    Feb 26, 2008
    Location:
    New York, NY
    #17
    Hmm, so maybe I'll try it without the virtual machine first. What exactly do I need to do to get DNS fixed?
     
  18. theloon macrumors member

    theloon

    Joined:
    Dec 19, 2007
    #18
    I don't have Mac Server (Linux for me), but I assume that it uses named.conf in /etc/ to control the allowed subnets:

    acl red-hats {
        10.100.0.0/24;    # this being your VPN subnet
    };

    You also need to turn on/restart the named daemon.

    If there is a Mac Server guru on here, they will tell us how to enable named or the equivalent. It's bound to be on Google also.

    Your VPN client (I use Viscosity for Mac) has a tick box for enabling DNS in each connection config, and also for the default route for all traffic.
     
  19. fiftyfour123 thread starter macrumors member

    Joined:
    Feb 26, 2008
    Location:
    New York, NY
    #19
    Yeah, I'm using Viscosity for the client. I'm also using Tunnelblick for the server; in Tunnelblick there's a checkbox for "set nameserver". Would that be the same as what you're saying? If it is, then it didn't work. I tried checking that and the DNS box in Viscosity.
     
  20. fiftyfour123 thread starter macrumors member

    Joined:
    Feb 26, 2008
    Location:
    New York, NY
    #20
    Maybe an illustration of my setup will help.

    <Client>
    ......|
    ......|
    <Internet>
    ......|
    ......|
    <AirPort Extreme Router (192.168.1.1)>
    ......|
    ......|
    <My Home LAN>
    ....|................|
    <Server> <Other Machines (Mostly Macs)>

    The server is 192.168.1.93 and the other machines on my LAN are 192.168.1.x.
     
  21. fiftyfour123 thread starter macrumors member

    Joined:
    Feb 26, 2008
    Location:
    New York, NY
  22. dampfdruck macrumors member

    Joined:
    Oct 20, 2008
    #22
    What is your current status? What is working? Which error messages do you have in the log files?
     
  23. fiftyfour123 thread starter macrumors member

    Joined:
    Feb 26, 2008
    Location:
    New York, NY
    #23
    I have no error messages. What is working is that I can communicate with the server. I cannot communicate with other computers that are on the same LAN as the server.

    I believe that what I need to do is add a route to my router that points my OpenVPN subnet to the server. Unfortunately, this is not possible with an AirPort Extreme router as far as I know.
     
  24. dampfdruck macrumors member

    Joined:
    Oct 20, 2008
    #24
    Hello,

    I'm not sure if I do understand you correctly. What I think you have is:

    - you are forwarding the OpenVPN port from the external network to an OS X server on your LAN (on your NAT gateway, I assume)
    - you can connect from outside using OpenVPN and access the server

    If that is correct, then you don't need to have any routing. Bridging is layer 2. The remote machine, though, must have an IP address that belongs to your LAN on its TAP interface. That's what the "server-bridge" command in the config is for. Check this command. It must be correct.

    If you have problems, then you should study the openvpn log files carefully.

    Greetings.
     
  25. fiftyfour123 thread starter macrumors member

    Joined:
    Feb 26, 2008
    Location:
    New York, NY
    #25
    Yeah, you got it. I have tried the server-bridge command and the server command in my config file. With both I can connect to the server and interact with the server, but I cannot interact with any other machines on the server's LAN. Here are my config files:

    server.conf
    Code:
    # You can use a different port and/or tcp instead of udp if you like
    port 1194
    proto udp
    max-clients 10
    
    dev tap
    
    # Set 10.0.2.0 to something that does not conflict with the subnet your server is on.
    # My home mac is on subnet 10.0.1.xxx so I chose 10.0.2.0
    server 192.168.2.0 255.255.255.0
    #server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254
    #ifconfig 192.168.2.1 192.168.2.2
    
    #ifconfig-pool-persist ipp.txt
    #push "route 192.168.1.0 255.255.255.0"
    #route 192.168.1.0 255.255.255.0
    
    
    ca /Users/evan/Library/openvpn/keys/ca.crt
    cert /Users/evan/Library/openvpn/keys/server.crt
    key /Users/evan/Library/openvpn/keys/server.key
    dh /Users/evan/Library/openvpn/keys/dh1024.pem
    
    keepalive 10 120
    client-to-client
    comp-lzo
    
    user nobody
    group nobody
    
    persist-key
    persist-tun
    
    #client-config-dir ccd "route 128.205.223.124 255.255.0.0"

    client.conf
    Code:
    remote evancoleman.net 1194
    persist-key
    tls-client
    proto udp
    ca /Users/evan/Library/openvpn/keys/ca.crt
    dev tap
    persist-tun
    cert /Users/evan/Library/openvpn/keys/evan.crt
    comp-lzo
    key /Users/evan/Library/openvpn/keys/evan.key
    pull
     
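The following is an added example, not code from the thread or from the OpenVPN project. It is a small linter for the server.conf posted in #25 and for the point made in #24 (with server-bridge, the client's TAP address must belong to the home LAN). It parses the directives that decide whether a VPN client can reach other LAN hosts, shows why the posted config cannot (it is routed mode over tap with the LAN route still commented out), and checks two corrected variants: a bridged one whose pool sits inside 192.168.1.0/24, and a routed one that pushes the LAN route. The LAN values (192.168.1.0/24, server 192.168.1.93, AirPort at 192.168.1.1) come from post #20; the bridge pool 192.168.1.200-192.168.1.220 and the trimmed directive lists are assumptions. Note that on OS X the sysctl for forwarding is net.inet.ip.forwarding (the Linux name given in #12 does not exist there), and that server-bridge only assigns addresses: joining the tap interface to the LAN NIC at layer 2 is a separate OS step that this linter can only remind you of.

```python
"""Added example: lint OpenVPN server configs for LAN reachability."""
import ipaddress
import shlex

# Home LAN from post #20: AirPort 192.168.1.1, server 192.168.1.93
LAN = ipaddress.IPv4Network("192.168.1.0/24")


def parse_config(text):
    """Return (directive, args) pairs; '#' comments and blank lines dropped."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)   # keeps push "route ..." as one arg
            out.append((parts[0], parts[1:]))
    return out


def _route_covers(push_arg, lan):
    """True if a pushed 'route NET MASK' argument covers the whole LAN."""
    parts = push_arg.split()
    if len(parts) < 3 or parts[0] != "route":
        return False
    try:
        net = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=False)
    except ValueError:
        return False
    return lan.subnet_of(net)


def lint(text, lan=LAN):
    """Classify the server mode and report what stops VPN clients from
    reaching LAN hosts. 'problems' are config errors; 'requires' are
    conditions outside the config that the chosen mode depends on."""
    cfg = {}
    for name, args in parse_config(text):
        cfg.setdefault(name, []).append(args)
    dev = cfg.get("dev", [["tun"]])[0][0]
    result = {"mode": "none", "problems": [], "requires": []}

    if "server-bridge" in cfg:
        result["mode"] = "bridged"
        args = cfg["server-bridge"][0]
        if dev != "tap":
            result["problems"].append("BRIDGE_NEEDS_DEV_TAP")
        if len(args) == 4:          # gateway netmask pool-start pool-end
            gw, mask, first, last = args
            if ipaddress.IPv4Network(f"{gw}/{mask}", strict=False) != lan:
                result["problems"].append("BRIDGE_SUBNET_NOT_LAN")
            if not all(ipaddress.IPv4Address(ip) in lan for ip in (first, last)):
                result["problems"].append("BRIDGE_POOL_OUTSIDE_LAN")
        # OpenVPN hands out LAN addresses; the OS must do the actual bridging.
        result["requires"] += [
            "tap interface joined to the LAN NIC at layer 2 (OS-level bridge)",
            "pool kept outside the gateway's DHCP range",
        ]
    elif "server" in cfg:
        result["mode"] = "routed"
        net, mask = cfg["server"][0]
        if ipaddress.IPv4Network(f"{net}/{mask}", strict=False).overlaps(lan):
            result["problems"].append("VPN_SUBNET_OVERLAPS_LAN")
        pushed = [a[0] for a in cfg.get("push", []) if a]
        if not any(_route_covers(p, lan) for p in pushed):
            result["problems"].append("NO_PUSHED_LAN_ROUTE")
        result["requires"] += [
            "IP forwarding on the server (OS X: net.inet.ip.forwarding=1)",
            "return path: static route for the VPN subnet on the gateway, or NAT on the server",
            "mDNS/Bonjour does not cross a routed hop without multicast forwarding",
        ]
    else:
        result["problems"].append("NO_SERVER_OR_SERVER_BRIDGE")
    return result


# The server.conf from post #25, trimmed to the directives that matter.
POSTED = """
port 1194
proto udp
dev tap
server 192.168.2.0 255.255.255.0
#server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254
#push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
client-to-client
"""

# Bridged fix (assumed): clients get real LAN addresses from an assumed pool.
BRIDGED = """
port 1194
proto udp
dev tap
server-bridge 192.168.1.93 255.255.255.0 192.168.1.200 192.168.1.220
keepalive 10 120
client-to-client
"""

# Routed fix (assumed): separate VPN subnet plus a pushed route for the LAN.
ROUTED = """
port 1194
proto udp
dev tun
server 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
"""

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("bridged", BRIDGED), ("routed", ROUTED)):
        r = lint(text)
        print(f"{name:8} mode={r['mode']} problems={r['problems']}")
        for req in r["requires"]:
            print(f"         needs: {req}")
```

Run it as-is and the posted config comes back as routed mode with NO_PUSHED_LAN_ROUTE, which matches the symptom in the thread: the client can talk to the server but has no route to 192.168.1.0/24. Uncommenting the old server-bridge line would not help either, because 192.168.8.x is not the home LAN. Even the corrected routed config still needs a return path, and since the AirPort Extreme cannot take a static route, that means NAT on the server, which is also why the routed variant does not help with Bonjour; the bridged variant is the one that keeps mDNS on a single layer-2 segment.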
