Jednym słowem zajebiście

Openvpn’s ethernet bridging howto comes with simple setup scripts that you can use to bridge internal interface (e.g. eth0) with virtual one (e.g. tap0). Since standard system tools in PLD do not let you create tap interfaces, you have to care about creating one on your own. Hopefully you can use openvpn’s –mktun command line switch or handy little tool called tunctl to create one.

This has one drawback — you can’t easily use it with standard PLD interface config files (/etc/sysconfig/interfaces/ifcfg-foo). Of course you could set up the interface from rc.local, but things are getting more complicated if you are using vserver on the same machine that is supposed to act as a openvpn server.

The problem is – after you start your vserver guest systems, they have their virtual networking set up and bound to ethX (or whatever device you set them up to). If you’d try to set bridge at this time, you’d run into trouble. Not only this could cause problems with services on host system, but what’s worse – your vserver guest systems would loose network connectivity.

You could try to write your own init script and run it somewhere between networking and vserver. Slightly better, but still not perfect. Luckily, there’s a better approach.

Obiously the scenario I described above only matters if one of your vservers uses ethernet card that you plan to be a part of bridge interface. In case of ethernet bridging, this means at least one of your vserver (as it was in my case) vservers provides service to LAN.

Ethernet bridging with OpenVPN on vserver-enabled host – PLD way

In my configuration, I needed to connect two networks over Internet. I need to bridge them becase of various proprietary stuff that cannot be reconfigured. For the sake of this howto, we will name the gw machines in both locations hq and branch, each of them having two NICs, eth0 (external – internet), and eth1 (internal — lan).

hq eth0: <irrelevant>
hq eth1: 10.0.0.1/8

branch office eth0: <irrelevant>
branch office eth1: 10.0.10.1/8

There are also a few other ip addresses assigned on both hq’s interfaces — these are used by vserver guest systems.

Before we begin, make sure you have all necessary tools:
# poldek -Qiv  bridge-utils openvpn easy-rsa umlinux-tools

What we need is to prepare /etc/sysconfig/interfaces/ifcfg-br0 with slightly modified content:

# ifcfg-br0
TAP=$(tunctl -b -t tap0)
DEVICE=br0
IPADDR1=10.0.0.1/8
ONBOOT=yes
BRIDGE_DEVS="eth1 $TAP"
SPANNING_TREE=no
# eof

Alternatively you could use openvpn binary to set up tap device: „openvpn –mktun –dev tap0″ – it’s up to you. Note that if you choose to use openvpn binary, you will need to

What’s next

Once it is done, you can follow the official ethernet bridging howto – just skip the bridge-start / bridge-stop scripts. Here’s a sample configuration for hq machine (openvpn server):

# hq's openvpn config
local 1.2.3.4 # hq public ip address
port 1194
proto tcp
dev tap0
ca /etc/easy-rsa/keys/ca.crt
cert /etc/easy-rsa/keys/hq.crt
key /etc/easy-rsa/keys/hq.key  # This file should be kept secret
dh /etc/easy-rsa/keys/dh1024.pem
server-bridge 10.0.0.1 255.0.0.0 10.0.10.3 10.0.10.100
push "route 10.0.0.0 255.0.0.0"
ifconfig-pool-persist /etc/openvpn/ipp-hq.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-hq-status.log
log /var/log/openvpn-hq-log
verb 5
# eof

You will also need to reconfigure vserver to bind to bridge interface (e.g. br0) — just edit /etc/vservers/$vserver/interface/$num/dev file.

Few months ago (before I saw this, honestly!) dad and I agreed that having a family file server was a good idea. What conviced us what the mess we were having with family photos – some of them were on my father’s computer, some on mine. We also wanted to get rid of duplicate data (apps, few isos, etc.) between our computers.  What was surprising to me, my mom was also enthusiastic about the idea. Before we stared, we decided that our server has to:

• be quiet (preferably fanless),
• be economic / ecologic (small power consumption),
• have a lot of space (in RAID-1 setup, if possible),
• cost no more than 1000 PLN (ca 300 €),

After doing some research, I decided to buy one of VIA’s EPIA motherboards – which are small (mini-itx), fanless (!), and consume relatively low power (ca. 15 W) comparing to their full-size competitors. From my rough calculations whole system would consume no more that 30-40W of energy, beside the already mentioned motherboard (with integrated CPU, NIC and VGA), there would be a 1TB SATA disk. With 40W of power conspution, estimated cost of running it 24/7 was:

24 (hours) * 30 (days) * 0.04 kW (power consumption) * 0.3 PLN (estimated price of 1kWh of energy) ~= 10 PLN

As low as 10 PLN (about 3 €) a month. Boy I wish I could pay that „much” on a gas station …

It took about three weeks before I bought all the required parts:

• EPIA SP-8000EG FANLESS motherboard,
• a D-153 chasis (designed for VIA’s EPIA motherboards),
• 1TB Samsung HD103UJ SATA HDD,
• 1GB DDR RAM,

Total cost: 1003 PLN (incl. VAT), which is about 300 €. Once assembled it looks like this:

Maybe it’s not beautiful, but it doesn’t have to be.
Now to the more technical part, it is powered by PLD Th:

[root@epiath ~]# cat /proc/cpuinfo
processor : 0
vendor_id : CentaurHauls
cpu family : 6
model : 9
model name : VIA Nehemiah
stepping : 8
cpu MHz : 800.047
cache size : 64 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 1
wp : yes
flags : fpu vme de pse tsc msr cx8 sep mtrr pge cmov pat mmx fxsr sse up rng rng_en ace ace_en
bogomips : 1602.68
clflush size : 32[root@epiath ~]#

And it was so quiet…  image a system where the most nosiest component is its hdd (about 27dB). Unfortunately, it failed as a fanless system, the hdd warmed up to more than 45°C. We decided to insert small, 8x8cm fan inside the chasis. It helped a lot – the hdd temperature dropped almost isntantly to less than 35°C, and as I am writing thist post, hddtemp reports 28°C. At the price of lower temperature, we got a bit louder system and a slightly higher power consumption.

Epiath (I probably suck at naming my systems) is a new project – it went „live” about three weeks ago, and is still not finished, there are few thins I still plan to do:

• remote access (OpenVPN), so that my brother could share his photos as well,
• track new files (with find), and announce them with mail sent on a daily basis,
• develop a search engine – search throuch file names at a minimum, perhaps we could make use of beagle to scan through contents as well (any experience with that anyone?),
• NFS access – or is it more convenient to use SMB, even for a Linux user?

So far, I am quite happy we decided to build our home server – even though it did cost a bit (you don’t spend 300 € everyday, do you?).