Comments on: Setting up OpenVPN using radius on FreeBSD

By: krzee

krzee — Fri, 21 May 2010 04:43:17 +0000

a) you only need a bridge when you have a layer2 protocol going over the vpn. If using IP traffic use tun so you have less overhead and layer2 attacks will not work over the vpn.

b) 2.1.1 has the windows gui built in, http://www.openvpn.net/download
the .se link is no longer up to date

sorry for the doublepost, i had a typo to fix

By: krzee

krzee — Fri, 21 May 2010 04:42:16 +0000

a) you only need a bridge when you have a layer2 protocol going over the vpn. If using IP traffic use tun so you have less overhead and layer2 attacks will not work over the vpn.

b) 2.1.1 has the windows gui built in, http://www.openvpn.net/download
the .se link is no longer up to date

By: vipera

vipera — Mon, 31 Aug 2009 14:56:23 +0000

I have got a question, i want to use a script (client-connect & client-disconnet) on DebianEtch but i couldn’t find a good script on the Net. Could anyone help me? and show a good script…

thx, vipera

By: T. Bailey

T. Bailey — Tue, 04 Aug 2009 22:20:02 +0000

Absolutely brilliant. Thanks for taking the time to share this!

By: Tom

Tom — Thu, 10 Apr 2008 21:35:44 +0000

I found this document very useful, and combine the information in it with the information in the document http://www.mired.org/home/mwm/papers/FreeBSD-OpenVPN-Bridging.html to eventually achieve a working solution. I’m actually not doing radius (yet), but this document was the best I found for the basic setup on wanted in my general situation.

I am working with FreeBSD 7.0R, and thought I’d mention one thing which tripped me up. In my case ‘tun’ did not come ‘up’ without manual intervention, and I didn’t notice it in ‘ifconfig -a’ for some time. In my case, I made my ‘server-up.sh’ script read:
#!/bin/sh ifconfig bridge0 addm $dev ifconfig $dev up
which addressed the problem. I had no need to specify any addresses for anything besides the standard for fxp0 (in my case.)

Another thing which caused me confusion was the ‘server-bridge’ setting. In my case, for the first parameter, I used the internal IP of my router (a different FreeBSD host in my case) which is the standard gateway for all machines in my internal network. I did not need any ‘push “route …”‘ items in my situation. I found myself wishing for a diagram of Angelo’s topology (but also, very happy for what he provided of course!)

I also found better luck pushing DNS entries to the TAP-Win32 interface on my XP client test host by adding the directive:
push "ip-win32 dynamic"
but the jury is still out on how well it really works in practice. I’m just adding these comments early on while things are still fresh in my mind in case others find them helpful.

By: angelo

angelo — Wed, 06 Feb 2008 15:35:09 +0000

Sebastiaan, Regis, you are right, I did not post the client config. Now I added it to the bottom of the post.

It’s quite default, but the most important line it the ‘auth-user-pass’, which tells the client it should use username and password authentication instead of certificate based authentication.

By: Sebastiaan

Sebastiaan — Tue, 29 Jan 2008 02:17:24 +0000

Any special options in the client.conf file on the client-side? or just the example .conf file?

By: Regis A. Despres

Regis A. Despres — Sun, 23 Dec 2007 11:26:09 +0000

It would be lovely if you explain your openvpn client conf & package =)

By: angelo

angelo — Fri, 30 Nov 2007 14:22:27 +0000

I have assigned my physical nic (in this case nic0) an ip address.

On boot I create a bridge called bridge0, and I add the nic0 interface to it. That works. Then when OpenVPN starts, it adds the tap0 interface to the bridge. I guess this is just one of many ways it can work.

By: Emiel Kollof

Emiel Kollof — Tue, 27 Nov 2007 12:39:59 +0000

Hey,

Nice info! But you don’t assign an adress to the tap-device? I assumed I didn’t need one, but it didn’t work (no routing) when I didn’t assign an address to the tap-device. I now handle that in the client-connect script.