Hi All,
I've partially covered a large site in routers running batman-adv. The mesh is used for mobile access to equipment on a static site copper and fibre network around the site. A few of the routers have WAN connections to the site network. The routers with WAN connections are configured as gateways in batman-adv. There are gaps in the mesh; typically there is no route between WAN-connected routers via the mesh.
I would like to join up the separate mesh segments, via the site network, such that a client to one segment can ping a client of another network, having the traffic transparently tunnel via the WAN. Has anyone looked at doing this in the past?
Thanks, Travis.
On Wed, Nov 26, 2014 at 3:05 PM, tjhowse tjhowse@gmail.com wrote:
I would like to join up the separate mesh segments, via the site network, such that a client to one segment can ping a client of another network, having the traffic transparently tunnel via the WAN. Has anyone looked at doing this in the past?
I've successfully added tap interfaces into bat0, with openvpn connecting the sites in a ring, with no problems. It took a little while to get the MTUs right as each layer has its own overhead, but it worked great and clients in one state acted as if they were on the same switched network as clients in the other.
I can dig up some example configs if it's useful to you or the group.
Thanks,
Ray
Hi Ray,
That sounds like it would save me a lot of legwork. If you could post something up that would be brilliant. Feel free to email me directly if the list doesn't accept attachments.
Thanks, Travis.
On 27 November 2014 at 09:21, Ray Gibson booray@gmail.com wrote:
Travis,
Here are my configurations. This was done on two dual-interface ubuntu computers acting as routers, with eth0 being plugged into the local lan and eth1 being the "wan" connection. lan0 is a bridge of eth0 and bat0 on each, and bat0 contains tap0 (and tap1, tap2, etc. for ring/star topologies).
Site "A" interfaces file:

  # vpn server interface
  auto tap0
  iface tap0 inet static
      address 0.0.0.0
      pre-up /usr/sbin/tunctl -u root -t tap0
      pre-up /sbin/ifconfig tap0 mtu 1500
      post-down /usr/sbin/tunctl -d tap0

  # local network
  auto lan0
  iface lan0 inet static
      address 192.168.100.1
      netmask 255.255.255.0
      bridge_ports bat0 eth0
      pre-up /sbin/ifconfig eth0 mtu 1468
      pre-up /sbin/modprobe batman-adv
      pre-up /usr/local/sbin/batctl if add tap0
      pre-up /sbin/ifconfig bat0 mtu 1468
      post-down /usr/local/sbin/batctl if del tap0
      post-down /sbin/rmmod batman-adv
The only difference in Site "B"'s interfaces file would be the address line (192.168.100.2).
Site "A" openvpn conf:

  mode server
  local 10.10.10.1   # (this would be your wan interface IP that it's listening on)
  port 1194
  dev tap0
  proto udp
  server-bridge
  ca ca.crt
  cert server.crt
  key server.key
  dh dh1024.pem
  keepalive 10 60
  persist-tun
  persist-key
  status /var/log/openvpn1194.status
  log-append /var/log/openvpn1194.log
  verb 3

On the client, Site "B", replace the first three lines of the above file with:

  client
  daemon
  remote 10.10.10.1 1194
Of course, set appropriate encryption values for openvpn if you need extra security. I was doing the above in a lab setup with virtual machines, and at one point succeeded in doing it over a wan link, but those VMs are long gone; this is the closest thing I have. Same idea though. The key part is that openvpn is set up in a server-bridge configuration without ever setting any IP addresses on the tap interfaces. When everything is up successfully, you should be able to ping back and forth between 192.168.100.1 and 192.168.100.2 and, because of the lan0 bridge, anything in the same subnet on either side of the equation.
Good luck.
Ray
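As an added check that is not part of Ray's configs or of any batman-adv or OpenVPN tooling, the script below lints a tap-bridge OpenVPN server config for the hardening directives the posted sample leaves to the reader ("set appropriate encryption values") and verifies the MTU chain of the matching interfaces file. It assumes tap0 is bat0's only hard interface and that batman-adv's worst-case header, Ethernet header included, is 32 bytes, which is the 1500 to 1468 step in the posted file; the sample files it inspects are constructed inline.

```shell
#!/bin/sh
# Added example, not code from the thread, batman-adv or OpenVPN: lint a tap-bridge
# OpenVPN server config for hardening directives the posted sample omits, and check
# the MTU chain of the matching interfaces file. Assumption: batman-adv's worst-case
# header incl. Ethernet header is 32 bytes (the 1500 -> 1468 step in Ray's file).
BATADV_OVERHEAD=32

# Prints one line per missing directive; returns 0 only when none is missing.
check_openvpn_conf() {
    missing=0
    for item in \
        'tls-auth:control-channel HMAC gate (tls-crypt also accepted)' \
        'cipher:explicit data-channel cipher rather than the old BF-CBC default' \
        'tls-version-min:refuse TLS 1.0 handshakes' \
        'remote-cert-tls:peer certificate must carry the matching EKU' \
        'user:drop root after startup (pair with group)'; do
        key=${item%%:*}; why=${item#*:}
        grep -Eq "^[[:space:]]*$key([[:space:]]|\$)" "$1" && continue
        [ "$key" = tls-auth ] && grep -Eq '^[[:space:]]*tls-crypt[[:space:]]' "$1" && continue
        echo "missing: $key ($why)"; missing=1
    done
    return $missing
}

# mtu_of FILE IFACE: the MTU an interfaces file sets on IFACE via ifconfig, or 0.
mtu_of() {
    sed -nE "s/.*ifconfig[[:space:]]+$2[[:space:]]+mtu[[:space:]]+([0-9]+).*/\1/p" "$1" |
        head -n 1 | grep . || echo 0
}

# Returns 0 when tap0 leaves room for bat0's header and the bridge port eth0 does
# not exceed bat0 (a bridge drops frames larger than a member port's MTU).
check_mtu_chain() {
    tap=$(mtu_of "$1" tap0); bat=$(mtu_of "$1" bat0); eth=$(mtu_of "$1" eth0)
    [ "$bat" -le $((tap - BATADV_OVERHEAD)) ] || { echo "bat0 $bat > tap0 $tap - $BATADV_OVERHEAD"; return 1; }
    [ "$eth" -le "$bat" ] || { echo "eth0 $eth > bat0 $bat"; return 1; }
}

# Constructed sample files: the posted server conf (trimmed), a hardened one,
# and two interfaces files with the posted MTUs and with bat0 left at 1500.
TMP=$(mktemp -d)
printf '%s\n' 'mode server' 'local 10.10.10.1' 'port 1194' 'dev tap0' \
    'proto udp' 'server-bridge' 'keepalive 10 60' >"$TMP/posted.conf"
printf '%s\n' 'mode server' 'dev tap0' 'server-bridge' 'tls-crypt ta.key' \
    'cipher AES-256-GCM' 'tls-version-min 1.2' 'remote-cert-tls client' \
    'user nobody' 'group nogroup' >"$TMP/hardened.conf"
printf 'pre-up /sbin/ifconfig %s\n' 'tap0 mtu 1500' 'eth0 mtu 1468' 'bat0 mtu 1468' >"$TMP/ok.interfaces"
printf 'pre-up /sbin/ifconfig %s\n' 'tap0 mtu 1500' 'eth0 mtu 1500' 'bat0 mtu 1500' >"$TMP/bad.interfaces"
check_openvpn_conf "$TMP/posted.conf" || echo "posted.conf: harden before exposing it on the WAN"
check_mtu_chain "$TMP/bad.interfaces" || echo "bad.interfaces: bat0 frames will not fit in tap0"
```

Bridging at layer 2 carries every frame on lan0 across the WAN, so the OpenVPN settings protect the whole broadcast domain, not just the ping test.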
On Tue, Dec 2, 2014 at 2:37 PM, tjhowse tjhowse@gmail.com wrote: