Archive for the ‘FreeBSD’ Category

FreeBSD – Setup Link Aggregation ( LAGG ) in failover mode

May 30th, 2008

Load drivers on boot

echo "if_lagg_load=\"YES\"" >> /boot/loader.conf

Add to rc.conf

ifconfig_em0="UP"
ifconfig_em1="UP"
cloned_interfaces="lagg0"
ifconfig_lagg0="laggproto failover laggport em0 laggport em1 ip.ad.dr.ess netmask net.ma.sk"

It is probably a good idea to turn on spanning tree on your port.

FreeBSD uptime – time to reboot :(

April 14th, 2008

Well, all systems must go down at some point …

[moti@srv:~]->uptime
4:53AM up 465 days, 23:56, 1 user, load averages: 0.22, 0.10, 0.09

A year and 100 days, not bad.

OpenVPN install on FreeBSD ( Bridged Mode )

January 5th, 2008

1. Add bridge support (rebuild the kernel with the following options)


device          if_bridge
options         BRIDGE

2. Add sysctl values

#enable ip forwarding
net.inet.ip.forwarding=1
#enable bridging
net.link.ether.bridge.enable=1
#configure bridged interfaces (change lnc to your NIC; tap0 is the virtual NIC used by OpenVPN)
net.link.ether.bridge.config=lnc0,tap0

3. Install from ports

cd /usr/ports/security/openvpn && make all install

4. Copy the SSL cert scripts

mkdir /usr/local/etc/openvpn
cp -r /usr/local/share/doc/openvpn/easy-rsa /usr/local/etc/openvpn

5. Create SSL certs

cd /usr/local/etc/openvpn/easy-rsa
vi vars                          # add configs
. ./vars
./build-ca
./build-key-server server_name   # this will create certs with the prefix server_name
./build-dh

6. Create the server config file

cd /usr/local/etc/openvpn/
vi openvpn.conf

— snip ——

#what port to listen on
port 443
#what protocol to use
proto tcp
#allow vpn clients to see each other
client-to-client
#certificates location
ca   /usr/local/etc/openvpn/easy-rsa/keys/ca.crt
cert /usr/local/etc/openvpn/easy-rsa/keys/server_name.crt
key  /usr/local/etc/openvpn/easy-rsa/keys/server_name.key  # This file should be kept secret
dh   /usr/local/etc/openvpn/easy-rsa/keys/dh1024.pem

#bridge mode
dev tap
#allow clients to use range of 192.168.1.50 to .100 with .3 as default gateway
server-bridge 192.168.1.3 255.255.255.0 192.168.1.50 192.168.1.100

# Push routes to the clients ( what ever subnets they should reach )
push "route 192.168.1.0 255.255.255.0"
push "route 172.16.0.0 255.255.254.0"

#other options
push "dhcp-option DOMAIN vpn.domain.com"
push "dhcp-option DNS 192.168.1.254"

keepalive 10 120
comp-lzo
;max-clients 100

user nobody
group nobody

persist-key
persist-tun

status      /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log

verb 6
mute 5

7. Enable OpenVPN on startup

echo "openvpn_enable=\"YES\"" >> /etc/rc.conf
/usr/local/etc/rc.d/openvpn start

8. Tail the log for errors …
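
A pre-flight check for the config file from step 6, as an added example that is not part of the original post. It confirms that the ca, cert, key and dh files exist, that the key file has no group or other permissions, and that the directories named by status and log exist. The function name check_openvpn_conf is hypothetical.

```sh
#!/bin/sh
# Added example: pre-flight check for the openvpn.conf from step 6.
# check_openvpn_conf is a hypothetical helper name, not an OpenVPN tool.
# Prints one line per problem; returns 0 if clean, 1 otherwise.
check_openvpn_conf() {
    conf=$1
    problems=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    # Strip "#" and ";" comments, then read "directive value" pairs.
    while read -r directive value _rest; do
        case $directive in
        ca|cert|key|dh)
            if [ ! -f "$value" ]; then
                echo "$directive: missing file $value"
                problems=$((problems + 1))
            elif [ "$directive" = key ]; then
                # Columns 5-10 of the ls mode string are the group and
                # other permission bits; a private key should have none.
                perms=$(ls -ld "$value" | cut -c5-10)
                if [ "$perms" != "------" ]; then
                    echo "key: $value is accessible to group/other ($perms)"
                    problems=$((problems + 1))
                fi
            fi ;;
        status|log|log-append)
            # The steps above do not create the log directory.
            dir=$(dirname "$value")
            if [ ! -d "$dir" ]; then
                echo "$directive: directory $dir does not exist"
                problems=$((problems + 1))
            fi ;;
        esac
    done <<EOF
$(sed 's/[#;].*$//' "$conf")
EOF
    [ "$problems" -eq 0 ]
}

# Run against a config when a path is given on the command line.
[ $# -eq 0 ] || check_openvpn_conf "$1"
```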

FreeBSD hardware list

July 31st, 2007

cat /var/run/dmesg.boot
pciconf -lv
sudo usbdevs -v
sudo atacontrol list
dmidecode    # from ports
megarc       # on Dell servers with PERC4/i, from ports

FreeBSD – Configure sendmail masquerading

June 5th, 2007

Notes on masquerading your domain name. I needed that since one SMS gateway will not accept my nagios@server.domain.com emails; this setting allowed nagios to send the email as nagios@domain.com