Posted to issues@trafficcontrol.apache.org by GitBox <gi...@apache.org> on 2019/02/04 20:14:18 UTC

[GitHub] JBevillC commented on issue #3257: CIAB: Add OpenVPN

JBevillC commented on issue #3257: CIAB: Add OpenVPN
URL: https://github.com/apache/trafficcontrol/pull/3257#issuecomment-460395782
 
 
   @Shihta 
   
   Other than the issues I outlined in my review of `optional/vpn/vpnca/run.sh`, the openvpn optional works for me on both Linux and OSX.  Note: it only works with the brew-installed openvpn client on OSX and not the OpenVPN GUI client (you may want to update the documentation or README with this caveat).  
   
   Log from the brew-installed OSX client:
   
   ```
   $ brew install openvpn
   $ sudo openvpn client.ovpn
   ```
   
   Output of OpenVPN client/connection:
   
   ```
   Mon Feb  4 12:45:33 2019 OpenVPN 2.4.6 x86_64-apple-darwin17.5.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on May  1 2018
   Mon Feb  4 12:45:33 2019 library versions: OpenSSL 1.0.2q  20 Nov 2018, LZO 2.10
   Mon Feb  4 12:45:33 2019 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
   Mon Feb  4 12:45:33 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
   Mon Feb  4 12:45:33 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
   Mon Feb  4 12:45:33 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.168.168:44443
   Mon Feb  4 12:45:33 2019 Socket Buffers: R=[131072->131072] S=[131072->131072]
   Mon Feb  4 12:45:33 2019 Attempting to establish TCP connection with [AF_INET]192.168.168.168:44443 [nonblock]
   Mon Feb  4 12:45:34 2019 TCP connection established with [AF_INET]192.168.168.168:44443
   Mon Feb  4 12:45:34 2019 TCP_CLIENT link local: (not bound)
   Mon Feb  4 12:45:34 2019 TCP_CLIENT link remote: [AF_INET]192.168.168.168:44443
   Mon Feb  4 12:45:34 2019 TLS: Initial packet from [AF_INET]192.168.168.168:44443, sid=33b34eab 74d87485
   Mon Feb  4 12:45:34 2019 VERIFY OK: depth=1, CN=CDN-in-a-Box
   Mon Feb  4 12:45:34 2019 VERIFY OK: nsCertType=SERVER
   Mon Feb  4 12:45:34 2019 VERIFY OK: depth=0, CN=CDN-in-a-Box
   Mon Feb  4 12:45:34 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
   Mon Feb  4 12:45:34 2019 [CDN-in-a-Box] Peer Connection Initiated with [AF_INET]192.168.168.168:44443
   Mon Feb  4 12:45:35 2019 SENT CONTROL [CDN-in-a-Box]: 'PUSH_REQUEST' (status=1)
   Mon Feb  4 12:45:35 2019 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DOMAIN infra.ciab.test,dhcp-option DNS 172.25.0.2,route 172.25.0.0 255.255.0.0,route 10.16.127.0 255.255.255.240,topology net30,ping 10,ping-restart 120,ifconfig 10.16.127.6 10.16.127.5,peer-id 0,cipher AES-256-GCM'
   Mon Feb  4 12:45:35 2019 OPTIONS IMPORT: timers and/or timeouts modified
   Mon Feb  4 12:45:35 2019 OPTIONS IMPORT: --ifconfig/up options modified
   Mon Feb  4 12:45:35 2019 OPTIONS IMPORT: route options modified
   Mon Feb  4 12:45:35 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
   Mon Feb  4 12:45:35 2019 OPTIONS IMPORT: peer-id set
   Mon Feb  4 12:45:35 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
   Mon Feb  4 12:45:35 2019 OPTIONS IMPORT: data channel crypto options modified
   Mon Feb  4 12:45:35 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
   Mon Feb  4 12:45:35 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
   Mon Feb  4 12:45:35 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
   Mon Feb  4 12:45:35 2019 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
   Mon Feb  4 12:45:35 2019 Opened utun device utun1
   Mon Feb  4 12:45:35 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
   Mon Feb  4 12:45:35 2019 /sbin/ifconfig utun1 delete
   ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
   Mon Feb  4 12:45:35 2019 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
   Mon Feb  4 12:45:35 2019 /sbin/ifconfig utun1 10.16.127.6 10.16.127.5 mtu 1500 netmask 255.255.255.255 up
   Mon Feb  4 12:45:35 2019 /sbin/route add -net 172.25.0.0 10.16.127.5 255.255.0.0
   add net 172.25.0.0: gateway 10.16.127.5
   Mon Feb  4 12:45:35 2019 /sbin/route add -net 10.16.127.0 10.16.127.5 255.255.255.240
   add net 10.16.127.0: gateway 10.16.127.5
   Mon Feb  4 12:45:35 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
   Mon Feb  4 12:45:35 2019 Initialization Sequence Completed
   ```
   
   The routing table is updated by OpenVPN to route local packets to the CiaB containers, in this case the 172.25.0.0/16 subnet only. All other traffic goes out the standard interface bound to the default gateway:
   
   ```
   $ netstat -nr | grep utun
   10.16.127/28       10.16.127.5        UGSc            0        0   utun1
   10.16.127.5        10.16.127.6        UH              2        0   utun1
   172.25             10.16.127.5        UGSc            0        0   utun1
   ```
   
   Resolve and ping the Traffic Router:
   
   ```
   $ host trafficrouter.infra.ciab.test 172.25.0.2
   Using domain server:
   Name: 172.25.0.2
   Address: 172.25.0.2#53
   Aliases: 
   
   trafficrouter.infra.ciab.test has address 172.25.0.10
   
   $ ping 172.25.0.10
   PING 172.25.0.10 (172.25.0.10): 56 data bytes
   64 bytes from 172.25.0.10: icmp_seq=0 ttl=63 time=3.980 ms
   64 bytes from 172.25.0.10: icmp_seq=1 ttl=63 time=4.175 ms
   ^C
   --- 172.25.0.10 ping statistics ---
   2 packets transmitted, 2 packets received, 0.0% packet loss
   round-trip min/avg/max/stddev = 3.980/4.077/4.175/0.098 ms
   ```

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
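As an added worked example (not part of the pull request, the project, or JBevillC's comment): a small Python audit that reads an OpenVPN client log like the one posted above, extracts the routes and DNS server the server pushed in `PUSH_REPLY`, checks that only the expected CIAB networks are routed into the tunnel and that no `redirect-gateway` is pushed, and flags the hardening items the log itself calls out (deprecated `ns-cert-type`, a 1024-bit RSA peer key, SHA1 control-channel HMAC, the missing `auth-nocache`). The sample log is a constructed excerpt of the lines in the comment; the expected-route set, the 2048-bit threshold and the `audit` function are assumptions of this example, not CIAB configuration.

```python
import ipaddress
import re

# Constructed excerpt of the OpenVPN client log posted in the comment above.
SAMPLE_LOG = """\
Mon Feb  4 12:45:33 2019 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Mon Feb  4 12:45:33 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb  4 12:45:34 2019 VERIFY OK: depth=0, CN=CDN-in-a-Box
Mon Feb  4 12:45:34 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Mon Feb  4 12:45:35 2019 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DOMAIN infra.ciab.test,dhcp-option DNS 172.25.0.2,route 172.25.0.0 255.255.0.0,route 10.16.127.0 255.255.255.240,topology net30,ping 10,ping-restart 120,ifconfig 10.16.127.6 10.16.127.5,peer-id 0,cipher AES-256-GCM'
Mon Feb  4 12:45:35 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Feb  4 12:45:35 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Feb  4 12:45:35 2019 Initialization Sequence Completed
"""

# Assumption: the only networks a CIAB client should route into the tunnel
# (taken from the PUSH_REPLY above, not from project configuration).
EXPECTED_ROUTES = {
    ipaddress.ip_network("172.25.0.0/16"),
    ipaddress.ip_network("10.16.127.0/28"),
}
MIN_RSA_BITS = 2048  # assumption: audit threshold chosen here, not an OpenVPN setting

PUSH_RE = re.compile(r"'PUSH_REPLY,(.*)'")
RSA_RE = re.compile(r"Control Channel: .*?, (\d+) bit RSA")


def parse_push_reply(log):
    """Split the PUSH_REPLY option list into (name, [args]) pairs; [] if absent."""
    for line in log.splitlines():
        m = PUSH_RE.search(line)
        if m:
            items = (item.split() for item in m.group(1).split(","))
            return [(p[0], p[1:]) for p in items if p]
    return []


def pushed_routes(options):
    """Networks the server asked the client to send through the tunnel."""
    routes = set()
    for name, args in options:
        if name == "route" and len(args) >= 2:
            # OpenVPN pushes 'route <network> <netmask>'; ipaddress accepts dotted masks.
            routes.add(ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False))
    return routes


def pushed_dns(options):
    """Resolvers pushed via 'dhcp-option DNS <addr>'."""
    return [args[1] for name, args in options
            if name == "dhcp-option" and args[:1] == ["DNS"] and len(args) > 1]


def audit(log, expected_routes=EXPECTED_ROUTES):
    """Return (routes, dns_servers, findings) for one client log."""
    options = parse_push_reply(log)
    routes = pushed_routes(options)
    findings = []
    if not options:
        findings.append("no PUSH_REPLY seen: handshake did not complete")
    unexpected = routes - expected_routes
    if unexpected:
        findings.append("unexpected routes pushed into tunnel: "
                        + ", ".join(str(n) for n in sorted(unexpected, key=str)))
    if any(name == "redirect-gateway" for name, _ in options):
        findings.append("redirect-gateway pushed: all client traffic would enter the tunnel")
    if "--ns-cert-type is DEPRECATED" in log:
        findings.append("client uses ns-cert-type; replace with 'remote-cert-tls server'")
    m = RSA_RE.search(log)
    if m and int(m.group(1)) < MIN_RSA_BITS:
        findings.append(f"peer certificate key is {m.group(1)}-bit RSA; "
                        f"reissue with >= {MIN_RSA_BITS} bits")
    if "Using 160 bit message hash 'SHA1' for HMAC" in log:
        findings.append("control-channel HMAC is SHA1 (OpenVPN default); "
                        "set 'auth SHA256' on server and client")
    if "use the auth-nocache option" in log:
        findings.append("add 'auth-nocache' to the client config so credentials "
                        "are not kept in memory")
    return routes, pushed_dns(options), findings


if __name__ == "__main__":
    routes, dns, findings = audit(SAMPLE_LOG)
    print("tunnelled networks:", ", ".join(str(n) for n in sorted(routes, key=str)))
    print("pushed DNS:", dns)
    for f in findings:
        print("FINDING:", f)
```

Run against the excerpt, the audit confirms that only 172.25.0.0/16 and the 10.16.127.0/28 tunnel subnet are routed and that no `redirect-gateway` is pushed, which matches the `netstat -nr` output above, and it reports four hardening findings, all taken from warnings the client itself printed. Note that the pushed `dhcp-option DNS 172.25.0.2` is only reported here: on macOS the command-line client does not install pushed resolvers without an up/down script, which is why the `host` lookup above names 172.25.0.2 explicitly.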