Hmm, that wasn't very successful. I guess I'm not sure what you mean when
you say to have open vpn use the tap interface right away.

My VM has a couple of tap (I assume) interfaces, vibr0 and vibr1 (I can make more),
which say "br" in the name but aren't actually bridged to anything
physical; they are just "virtual" networks, local to the machine.  I tried
to specify the name of one of those in the openvpn config file (in place of
tap0), but it didn't seem to work.

The other thing I tried was to have openvpn up and running, then to attach
the VM to the tap0 device that it created... that ended with this error:
libvirtError: internal error Failed to add tap interface to bridge. tap0 is
not a bridge device

Neither of these surprised me; this was how I thought the tap stuff worked,
but it sounded from your message like you knew of something else.  Could
you please clarify the idea you had on how to get openvpn connected to the
hypervisor?

On Tue, May 8, 2012 at 3:37 AM, Gert Doering <g...@greenie.muc.de> wrote:

> Hi,
>
> On Mon, May 07, 2012 at 09:03:17PM -0400, Tom Kent wrote:
> > The idea I had, and wanted to run by, was if it would be possible to
> > integrate an openvpn client into the hypervisor's virtual network card.
> > This would make it so that from the moment the VM boots up, it is only
> > connected to the private LAN served by the OpenVPN server. The VM would
> > see just another NIC, but instead of routing the data directly to the
> > Hypervisor's NIC (tap) or NATing it or whatever, it would go to an
> > OpenVPN client library (that wouldn't need a tun/tap device on the
> > hypervisor) which sends the data to the server over the udp connection.
>
> If your hypervisor uses a tap interface, you can just have openvpn use
> that tap interface "right away".  So don't bridge tap0 to eth0 on the
> Hypervisor, but just have tap0 available for the VMs, and run OpenVPN
> with "--dev tap0".
>
> This might be somewhat more expensive performance-wise - but it will
> be much cheaper programmer-time-wise, as all you need is already there
> and well-tested :-)
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!
>                                                           //
> www.muc.de/~gert/
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
> fax: +49-89-35655025
> g...@net.informatik.tu-muenchen.de
>
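As an added example that is not part of this thread (neither Tom's nor Gert's code), here is one way to reconcile the two attempts above: libvirt insists on a bridge, so give it a bridge with no physical uplink whose only member is the tap that OpenVPN runs on with "--dev tap0". The bridge name vpnbr0, the tap name tap0, the server address and the certificate paths are assumptions.

```shell
#!/bin/sh
# Added example: an uplink-less bridge whose only member is OpenVPN's tap.
# libvirt refuses to attach a guest straight to tap0 ("tap0 is not a
# bridge device"), but it attaches to a bridge; with nothing physical in
# that bridge, the guests' only path off the host is the tunnel.
# All names below (vpnbr0, tap0, server, cert paths) are assumptions.

BRIDGE="${BRIDGE:-vpnbr0}"
TAP="${TAP:-tap0}"

# run: execute a command, or only print it when DRY_RUN=1, so the plan
# can be reviewed before the host's network stack is touched.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the bridge and a persistent tap; OpenVPN then opens the existing
# tap via --dev tap0 instead of creating its own. Nothing physical (eth0)
# is ever enslaved, which is the whole point of the isolation.
setup_vpn_bridge() {
    run ip link add name "$BRIDGE" type bridge
    run ip tuntap add dev "$TAP" mode tap
    run ip link set dev "$TAP" master "$BRIDGE"
    run ip link set dev "$TAP" up
    run ip link set dev "$BRIDGE" up
}

# Minimal OpenVPN client config on the hypervisor reusing the pre-made tap.
# The remote host and certificate paths are placeholders.
openvpn_client_conf() {
    cat <<EOF
client
dev $TAP
dev-type tap
proto udp
remote vpn.example.invalid 1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/hv.crt
key /etc/openvpn/hv.key
EOF
}

# libvirt network definition that is just the bridge: "virsh net-define"
# it, then give guests an <interface type='network'> pointing at vpn-lan.
libvirt_net_xml() {
    cat <<EOF
<network>
  <name>vpn-lan</name>
  <forward mode="bridge"/>
  <bridge name="$BRIDGE"/>
</network>
EOF
}
```

The server side has to be a tap (layer-2) OpenVPN instance for the guests' Ethernet frames to be carried; a tun server would only see routed IP.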
