TUN versus TAP mismatches

A common mistake when setting up a VPN based on OpenVPN is the type of adapter that is used. If the server is configured to use a TUN-style network but a client is configured to use a TAP-style interface, then the VPN connection will fail. In this recipe, we will show what is typically seen when this common configuration error is made.

Getting ready

Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11. The client was running Fedora 22 Linux and OpenVPN 2.3.11. Keep the configuration file, basic-udp-server.conf, from the Server-side routing recipe from Chapter 2, Client-server IP-only Networks.

How to do it...

  1. Start the server using the configuration file, basic-udp-server.conf:
            [root@server]# openvpn --config basic-udp-server.conf
    
  2. Next, create the client configuration:
            client 
            proto udp 
            remote openvpnserver.example.com 
            port 1194 
     
            dev tap 
            nobind 
     
            remote-cert-tls server 
            tls-auth /etc/openvpn/cookbook/ta.key 1 
            ca       /etc/openvpn/cookbook/ca.crt 
            cert     /etc/openvpn/cookbook/client1.crt 
            key      /etc/openvpn/cookbook/client1.key  
    

    Save it as example6-2-client.conf.

  3. Start the client:
            [root@client]# openvpn --config example6-2-client.conf
    

    The client log will show the following:

            ... WARNING: 'dev-type' is used inconsistently, local='dev-type tap'', remote='dev-type tun''
            ... WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1573'', remote='link-mtu 1541''
            ... WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532'', remote='tun-mtu 1500''
            ... [openvpnserver] Peer Connection Initiated with server-ip:1194
            ... TUN/TAP device tap0 opened
            ... /sbin/ip link set dev tap0 up mtu 1500
            ... /sbin/ip addr add dev tap0 10.200.0.2/24 broadcast 10.200.0.255
            ... Initialization Sequence Completed
    

    At this point, you can try pinging the server, but the ping fails. Note that the Destination Host Unreachable errors come from the client's own address, 10.200.0.2: no reply ever arrives from the server, even though the log said Initialization Sequence Completed.

            [client]$ ping 10.200.0.1 
            PING 10.200.0.1 (10.200.0.1) 56(84) bytes of data. 
            From 10.200.0.2 icmp_seq=2 Destination Host Unreachable 
            From 10.200.0.2 icmp_seq=3 Destination Host Unreachable 
            From 10.200.0.2 icmp_seq=4 Destination Host Unreachable 
    

How it works...

A TUN-style interface offers a point-to-point connection over which only TCP/IP traffic can be tunneled. A TAP-style interface offers the equivalent of an Ethernet interface, so every packet carries an extra Ethernet (layer 2) header. This allows a user to tunnel other types of traffic over the interface. When the client and the server are configured with different device types, the expected packet size differs, which OpenVPN reports during the handshake:

... WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532'', remote='tun-mtu 1500'' 

This shows that each packet that is sent through a TAP-style interface is 32 bytes larger than the packets sent through a TUN-style interface. The handshake itself still succeeds, which is why the Initialization Sequence Completed message appears, but the two sides cannot exchange usable traffic.

By correcting the client configuration so that it uses the same device type as the server (dev tun instead of dev tap in example6-2-client.conf), this problem is resolved.
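The following checker is added here as an example and is not part of the book's recipe: it parses the option-consistency warnings OpenVPN prints during the handshake, as shown in the client log above, and points at the dev-type disagreement as the root cause of the MTU differences. The log text is constructed from the lines in this recipe; the timestamps are assumed.

```python
import re
from typing import Dict, Tuple

# Constructed sample of the client log from this recipe (timestamps are assumed).
SAMPLE_LOG = """\
Mon Jan  4 12:00:00 2016 WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
Mon Jan  4 12:00:00 2016 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1573', remote='link-mtu 1541'
Mon Jan  4 12:00:00 2016 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
Mon Jan  4 12:00:01 2016 [openvpnserver] Peer Connection Initiated with server-ip:1194
Mon Jan  4 12:00:02 2016 Initialization Sequence Completed
"""

# Matches OpenVPN's "is used inconsistently" warning and captures both values.
# "'+" tolerates the doubled quotes seen in some reproductions of the log.
WARN_RE = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P=opt) (?P<local>[^']*)'+, remote='(?P=opt) (?P<remote>[^']*)'+"
)


def parse_inconsistencies(log: str) -> Dict[str, Tuple[str, str]]:
    """Return {option: (local_value, remote_value)} for every mismatch warning."""
    found: Dict[str, Tuple[str, str]] = {}
    for line in log.splitlines():
        m = WARN_RE.search(line)
        if m:
            found[m.group("opt")] = (m.group("local"), m.group("remote"))
    return found


def diagnose(log: str) -> str:
    """Name the root cause: a dev-type disagreement explains the MTU warnings that follow it."""
    mism = parse_inconsistencies(log)
    if "dev-type" in mism:
        local, remote = mism["dev-type"]
        extra = ""
        if "tun-mtu" in mism:
            l_mtu, r_mtu = (int(v) for v in mism["tun-mtu"])
            extra = f" (tun-mtu differs by {l_mtu - r_mtu} bytes)"
        return (f"dev-type mismatch: client uses '{local}', server uses '{remote}'{extra}; "
                f"set 'dev {remote}' in the client config")
    if mism:
        return "option mismatch: " + ", ".join(
            f"{k} local={v[0]} remote={v[1]}" for k, v in mism.items())
    return "no option mismatches"
```

Because the handshake still completes, this kind of check is worth running on the client log whenever a tunnel comes up but no traffic passes.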
