zimnybudyn n00b
Joined: 26 Oct 2005 Posts: 7
Posted: Wed Nov 16, 2005 3:32 pm Post subject: Damn OpenVpn bridge.... HELP! [solved]
Hi
So here is the "big" picture:
```
client----Client's_GW---Internet----OpenVPN_Server----LAN
(172.16.1.2)                                      (192.168.0.0/24)
```
The idea is to see the client machine as if it was in the LAN.
From what I understand this should work like this: the client sends packets through the VPN; on the server side the packets come out of the VPN, get into the bridge and go directly to the LAN, right? And the other way, packets from the LAN incoming on the bridge interface should get routed through the VPN or bounced back to the LAN depending on IP; the decision is made by the bridge.
I've managed to create a bridge on the server from the eth0 and tap0 interfaces, then established a successful VPN connection (the client got an IP address from the server).
From the client side:
The client receives an IP from the LAN pool, i.e. 192.168.0.17, so the client's machine knows where to route packets belonging to this subnet -> through the VPN, and it does so. When I ping from the client machine to the server or LAN I can see packets incoming on the server's external interface, which means they go through the VPN, but then they disappear and aren't forwarded to the bridge!
The same story in the other direction:
I simply don't see any packets forwarded between bridge br0 and the external interface. The server has this 192.168.0.0/24 subnet assigned to the bridge interface, and obviously doesn't seem to send any packets belonging to this subnet through the VPN...
In my desperation I've allowed every possible traffic in iptables, added forward, input, output rules, even set the default policy to ACCEPT; of course NAT for the LAN is enabled.
I would say that the bridge itself doesn't work at all with the openvpn tunnel (tap0 interface), because normal traffic from the LAN to the internet (through br0 with the assigned IP) works well.
Please tell me how the hell this is supposed to work!? What may be wrong? Does anyone have a working configuration similar to what I'm trying to do?
Generally I've followed the Howto found on the openvpn.net site. I established the tunnel with the server-bridge directive and using SSL/TLS certificates.
If it helps I can post system configuration fragments.
```
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.0050da48f84d       yes             eth0
                                                        tap0
```
```
# ifconfig
br0       Link encap:Ethernet  HWaddr 00:50:DA:48:F8:4D
          inet addr:192.168.0.111  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:122209 errors:0 dropped:0 overruns:0 frame:0
          TX packets:163206 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:13437489 (12.8 Mb)  TX bytes:159926757 (152.5 Mb)
```
this bridge-tunnel thing ain't funny any more
regards
luke
Last edited by zimnybudyn on Mon Nov 21, 2005 2:26 pm; edited 4 times in total
magic919 Advocate
Joined: 17 Jun 2005 Posts: 2182 Location: Berkshire, UK
Posted: Wed Nov 16, 2005 8:42 pm Post subject:
I can see this is enough to drive someone mad. My Openvpn stuff is usually just client to server using TUN and I don't need to get to the LAN beyond the server.
What's the IP and interface set-up on the server?
zimnybudyn n00b
Joined: 26 Oct 2005 Posts: 7
Posted: Thu Nov 17, 2005 8:36 am Post subject:
From the LAN side the server has 192.168.0.111, as you can see in the ifconfig br0 output in my first post.
The thing is that I have a working OpenVPN in my other network, but using routing, not a bridge, just as you do. The routed version forces you to have different subnets and routing between them. The client can access i.e. samba shares in the LAN by connecting directly to the selected IP; he can map a network share on his machine and this works very well.
But in the current case I want to JOIN client machines to the LAN, so they would all be visible in Network Neighbourhood - it's a clearer and more user-friendly solution for inexperienced users. They can browse instead of mapping many shares. The only thing required is that the client must have a different local network IP than the one he connects to. Also I suspect that the bridge version means greater network overhead because of inefficient samba protocols, but I can live with that.
And according to the HowTos that I've read it should work this way, but somehow it doesn't for me...
I'll keep trying but my patience is limited...
magic919 Advocate
Joined: 17 Jun 2005 Posts: 2182 Location: Berkshire, UK
Posted: Thu Nov 17, 2005 8:45 am Post subject:
I understand the Br0 bit. I'm trying to understand what other interfaces the machine has, and it clearly must have at least one, and how you've configured them.
zimnybudyn n00b
Joined: 26 Oct 2005 Posts: 7
Posted: Thu Nov 17, 2005 12:50 pm Post subject:
I don't understand it very well either...
It has two NICs.
eth1 - public IP to the internet
eth0 - private IP (192.168.0.111) to the LAN
and virtual tap0 created by openvpn
eth0 and tap0 are bridged to br0; in this mode eth0 and tap0 can not have an IP address assigned. To keep the LAN working it has to be a managed bridge, so now br0 has IP 192.168.0.111 (the one that eth0 had). Everything exactly as the HowTo says.
Connections from the LAN go through this br0, then are SNATed going out eth1. The only thing that is not working is forwarding between the interfaces in the bridge, tap0<->eth0, and I have no idea why...
In the HowTo there is one thing I don't understand what it means:
> The addresses used for local and remote should not be part of the bridged subnet -- otherwise you will end up with a routing loop.
An example would be nice...
The bridge setup seems quite easy; there is almost no place to make an error. So I think it's an OpenVPN configuration error. I've sent a copy of this post to their mailing list, but for now nothing except one guy who claims to have exactly the same problem... I'm not alone, yee....
dignus n00b
Joined: 07 Jul 2004 Posts: 25
Posted: Thu Nov 17, 2005 12:55 pm Post subject:
Same problem here, help would be much appreciated.
_________________
--
Johan
Mben Guru
Joined: 29 Mar 2004 Posts: 465 Location: New York, USA
Posted: Thu Nov 17, 2005 1:38 pm Post subject:
I'm also having the same problem. There is a forum about openvpn here: http://openvpn.se/bb/index.php
I have a similar post there that hasn't been answered in a couple of days, but you could give it a try if you want.
zimnybudyn n00b
Joined: 26 Oct 2005 Posts: 7
Posted: Thu Nov 17, 2005 9:11 pm Post subject:
Of course I'll give it a try...
http://openvpn.se/bb/viewtopic.php?p=1443
Everyone: pray to Your Gods, so we can finally find a solution
---
what doesn't kill you, makes you stronger
magic919 Advocate
Joined: 17 Jun 2005 Posts: 2182 Location: Berkshire, UK
Posted: Thu Nov 17, 2005 10:22 pm Post subject:
I take it you've got 802.1d bridging compiled into the kernel?
What about a cut and paste of /etc/conf.d/net
/etc/openvpn/server/local.conf
I might even have to try it on one of my servers tomorrow.
SavageMindz Tux's lil' helper
Joined: 28 Oct 2002 Posts: 87 Location: The bit of hell that has frozen over.
Posted: Thu Nov 17, 2005 10:55 pm Post subject:
Ahh I think I can help here, I had this working. Took me ages to get it to work automagically with the gentoo net-scripts.
Anyway here is the config I used.
/etc/conf.d/net
```sh
config_eth0=( "null" )
config_tap0=( "null" )
bridge_br0="eth0 tap0"
config_br0=( "192.168.1.100 broadcast 192.168.1.255 netmask 255.255.255.0" )
depend_tap0() {
    need openvpn
}
depend_br0() {
    need net.tap0 net.eth0
}
```
The bit that got me was that the net service kept coming up in the wrong order. The depends fix that. Or at least they did for me.
Right, for openvpn itself you will need something like the following. (Comments removed)
```
port 1194
proto tcp
dev tap
ca /etc/ssl/certs/cacert.pem
cert /etc/ssl/certs/crt.pem
dh /etc/ssl/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.100 255.255.255.0 192.168.1.192 192.168.1.254
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
```
The only thing I found important here was that you change the lines "dev tun" to "dev tap" and "server" to "server-bridge". The IP is the IP of the bridge (br0). That, and make sure all the certs are available.
You can of course set all this up and then kick off the /etc/init.d/net.br0 init script and it should all just come up from there. You may need the unstable (~x86) version of baselayout, I'm not sure. I should point out that the interface I bridge is the one connected to the network I want to talk to. In the case of the original post that would be the IP on the LAN on the right.
Hope this helps.
Savage
zimnybudyn n00b
Joined: 26 Oct 2005 Posts: 7
Posted: Fri Nov 18, 2005 9:25 pm Post subject:
and you say this configuration worked for you... heheh, the irony of this situation almost made me laugh
anyway, thanks for trying to help, but:
To get it working automagically, one just has to do things in order - that is why you used "depend", right?
I am doing things manually in the proper order (I hope), this means: create tap0, create the bridge, assign an IP to the bridge, start the openvpn server. Just as http://openvpn.net/bridge.html says. I can successfully connect my client to the server, so basically the vpn itself is working.
The THING is that the openvpn server doesn't seem to work with this tap0 added to the bridge... and contrary to my earlier conclusions, now I think this is not a bridge issue. (Yes magic919, I have 802.1d bridging compiled into the kernel). I've checked this with ebtables:
```
ebtables -A INPUT -i tap0 --log-ip --log-prefix TAP_IN
ebtables -A OUTPUT -o tap0 --log-ip --log-prefix TAP_OUT
```
I can see (with tcpdump) packets coming (one way) to the server on the external interface to port 1194, but nothing is logged by the ebtables rules -> this means that nothing gets into the tap0 interface -> and this means the openvpn server is not forwarding. The client is sending ARP requests "who has xxxx ip" and is not getting any response from the server, but some packets are sent back to the client and these I think are keepalive "pings"..
In my understanding the openvpn server listens on port 1194 and should decapsulate incoming packets and put them on the tap0 interface which is bridged to br0, and the other way everything that gets into tap0 should be sent through the tunnel by openvpn - it's just not happening.
And this is not an issue of iptables either, because I've set the default policy to ACCEPT in all chains.
```
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j SNAT --to-source $IP
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
```
Here is my /etc/openvpn/server/local.conf
```
port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.0.111 255.255.255.0 192.168.0.17 192.168.0.30
;client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /etc/openvpn/server/openvpn-status.log
log /etc/openvpn/server/openvpn.log
verb 3
```
as you can see this is pretty much the same as SavageMindz's configuration. (I've tried proto tcp too)
Yes, I have the latest baselayout, and bridge the LAN interface on the right of the original post
so what the F*** is wrong with this OpenVPN Server?
magic919 Advocate
Joined: 17 Jun 2005 Posts: 2182 Location: Berkshire, UK
Posted: Fri Nov 18, 2005 11:30 pm Post subject:
Have you considered taking this bit of iptables out for the time being?
```
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j SNAT --to-source $IP
```
I've not done any NATing with iptables but I wonder what it makes of packets from 192.168.0.17, for example. Does it NAT the IP and shove it out eth1? Just a thought.
I know your other LAN - server end - guys lose Internet but it might be worth a try.
SavageMindz Tux's lil' helper
Joined: 28 Oct 2002 Posts: 87 Location: The bit of hell that has frozen over.
Posted: Sat Nov 19, 2005 9:23 am Post subject:
Just a thought, but I found (and again this might just have been me) that the tap0 interface was not created until openvpn was started (and yes, I know this conflicts with the documentation) and that this needs to be up before the bridge can be created. Don't create tap0 yourself; let the openvpn init script do it for you before making the bridge, and see if it works now.
Regards
Savage
zimnybudyn n00b
Joined: 26 Oct 2005 Posts: 7
Posted: Sun Nov 20, 2005 1:29 pm Post subject:
oh fuc**** lying howto/docs
I saw this depend openvpn in your /etc/conf.d/net, and I've tried earlier to start openvpn, and then executed this script bridge_start from the HowTo - it didn't work. Now I know why - it's simply fuc**** up. There is this openvpn --mktun --dev tap0 which ruins everything...
You're right Savage, first one has to start openvpn (it creates device tap0), then raise the tap0 interface up, and create the bridge but without this stupid mktun command. It's completely backwards to what the HowTo says... but as it turns out it's the right way.
my Big Thanks guys for the help
regards
Luke
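Worked example, added here and not a script from the thread, the OpenVPN HowTo or Gentoo's net-scripts: a POSIX sh bring-up that follows the order Savage and Luke settled on. OpenVPN is started first so that it creates tap0, the script waits for the interface to actually exist, and only then is br0 built from eth0 and tap0, with no separate `--mktun` step. Before anything is touched it also validates the four `server-bridge` arguments, checking that the client pool lies inside the bridge's subnet, that the pool is ordered, and that the bridge address itself is not inside the pool handed to clients. Interface names and addresses (eth0, tap0, br0, 192.168.0.111/24, the .17-.30 pool) come from the original post; the init-script path, the 10-second wait and the `BRIDGE_EXAMPLE_RUN` guard are assumptions. Pinning the device name with `dev tap0` in the server config, as cryos does later in the thread, makes sure the interface OpenVPN opens is the one the script enslaves.

```shell
#!/bin/sh
# Added example (not from the thread). Bring up an OpenVPN tap bridge in the
# order the thread arrived at: OpenVPN first (it creates tap0), wait for the
# interface, then build br0 from eth0 and tap0 and move the LAN address to br0.
# Names/addresses are taken from the original post; paths and timeouts are
# assumptions.

# Return 0 if the named interface exists in the kernel, 1 otherwise.
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# Wait up to $2 seconds for interface $1 to appear; return 1 on timeout.
wait_for_iface() {
    _tries=0
    until iface_exists "$1"; do
        _tries=$(( _tries + 1 ))
        [ "$_tries" -lt "$2" ] || return 1
        sleep 1
    done
    return 0
}

# Convert a dotted quad to a 32-bit integer (assumes four numeric fields).
ip_to_int() {
    _oldifs=$IFS; IFS=.
    set -- $1
    IFS=$_oldifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Validate "server-bridge GATEWAY NETMASK POOL-START POOL-END":
#   - pool start and end lie in the gateway's subnet
#   - pool start <= pool end
#   - the gateway (the bridge's own address) is not inside the pool
check_server_bridge() {
    gw=$(ip_to_int "$1"); mask=$(ip_to_int "$2")
    start=$(ip_to_int "$3"); end=$(ip_to_int "$4")
    net=$(( gw & mask ))
    if [ $(( start & mask )) -ne "$net" ] || [ $(( end & mask )) -ne "$net" ]; then
        echo "server-bridge: pool $3-$4 is outside the bridge subnet of $1/$2" >&2
        return 1
    fi
    if [ "$start" -gt "$end" ]; then
        echo "server-bridge: pool start $3 is after pool end $4" >&2
        return 1
    fi
    if [ "$gw" -ge "$start" ] && [ "$gw" -le "$end" ]; then
        echo "server-bridge: bridge address $1 lies inside the client pool" >&2
        return 1
    fi
    return 0
}

# The bring-up itself; needs root and the bridge-utils/net-tools of the era.
bridge_up() {
    # 1. Let OpenVPN create tap0 ("dev tap0" in the server config pins the name).
    /etc/init.d/openvpn start
    wait_for_iface tap0 10 || { echo "tap0 never appeared" >&2; return 1; }
    # 2. Only now build the bridge from eth0 and tap0; no separate --mktun.
    brctl addbr br0
    brctl addif br0 eth0
    brctl addif br0 tap0
    # 3. Slave interfaces carry no address; the LAN address moves to br0.
    ifconfig eth0 0.0.0.0 promisc up
    ifconfig tap0 0.0.0.0 promisc up
    ifconfig br0 192.168.0.111 netmask 255.255.255.0 up
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${BRIDGE_EXAMPLE_RUN:-0}" = "1" ]; then
    check_server_bridge 192.168.0.111 255.255.255.0 192.168.0.17 192.168.0.30 && bridge_up
fi
```

Run it as root with `BRIDGE_EXAMPLE_RUN=1 sh bridge-up.sh`; sourcing the file instead gives you the functions without side effects, so the `server-bridge` check can be tried against any candidate line before it goes into local.conf.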
UberLord Retired Dev
Joined: 18 Sep 2003 Posts: 6835 Location: Blighty
Merlin-TC l33t
Joined: 16 May 2003 Posts: 603 Location: Germany
Posted: Tue Dec 13, 2005 11:16 pm Post subject:
Could you give me a hand Uberlord?
You said that you can use the Gentoo scripts to set up br0 and tap0, which I have done.
Now I have never set up an openvpn network and I am a bit confused.
First of all, does tap0 need to get an IP or can I use "null"?
Then in the openvpn manpage they say I have to "server-bridge 192.168.0.10 255.255.255.0 192.168.0.12 192.168.0.20"
But does this conflict with the bridge that was started via the gentoo scripts?
Sorry for the confusion, but I hope someone can help me.
Thanks
cryos Retired Dev
Joined: 08 Mar 2003 Posts: 242 Location: US
Posted: Sun Jan 08, 2006 5:32 pm Post subject:
UberLord wrote:
> You can always get Gentoo to manage the tun/tap interfaces instead of openvpn.
> This is more reliable in my experience
I have been struggling to get this working over the last few days and came across this post. I am on amd64 which may complicate things and this is my first venture into setting up openvpn, although I have used Cisco VPN concentrators in the past.
When I tried to get the tap0 interface it failed when trying to add it to the bridge. I also looked with ifconfig which confirmed that the interface did not exist. When I changed to letting openvpn manage tap0 and the Gentoo scripts managing the rest it works perfectly here (after days of troubleshooting it). I will post my configs below in case they are of any help to anyone. This is managed as much as possible by the Gentoo scripts, and I would be interested if I could improve this any further.
/etc/conf.d/net:
```sh
config_eth0=( "null" )
config_tap0=( "null" )
config_br0=(
    "192.168.10.2/24"
    "192.168.2.2/24"
    "192.168.1.2/24"
    "2*.155.144.221/29"
)
bridge_br0="eth0 tap0"
depend_br0() {
    need net.eth0 net.tap0
}
depend_tap0() {
    need openvpn
}
routes_br0=(
    "default via 2*.155.144.222"
)
```
/etc/openvpn/openvpn.conf on the server:
```
port 1194
proto udp
dev tap0
ca ca.crt
cert cryos.crt
key cryos.key
dh dh2048.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.2.2 255.255.255.0 192.168.2.50 192.168.2.100
push "route 192.168.2.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 4
```
/etc/openvpn/openvpn.conf on the client:
```
client
dev tap
proto udp
remote 2*.155.144.221 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert cryos-lap.crt
key cryos-lap.key
comp-lzo
log-append /var/log/openvpn.log
verb 4
```
The 2* is my slightly masked public IP - it is a real address in the files. This works, but if I remove the depend on openvpn of tap0 then it fails on the bridging set up. I would like to do this the right way, and would be interested in getting to the bottom of this if possible although I am quite happy with the current set up.
Last edited by cryos on Wed Jan 11, 2006 4:51 pm; edited 1 time in total
mariourk l33t
Joined: 11 Jul 2003 Posts: 807 Location: Urk, Netherlands
Posted: Wed Jan 11, 2006 11:35 am Post subject:
I tried all of this but I still have no connection.
I used the scripts provided here and they seem to work fine.
When I start openvpn, eth0, tap0, and br0 will come up. OpenVPN creates tap0. The client gets an IP from the server and after that, nothing!
I have a thread running about it here
Maybe you guys know what's wrong? :?
_________________
If there is one thing to learn from history, it's that we usually don't learn anything from it, at all.
mariourk l33t
Joined: 11 Jul 2003 Posts: 807 Location: Urk, Netherlands
Posted: Wed Jan 11, 2006 3:29 pm Post subject:
I fixed my problem. If you want the solution, I posted it on my other thread.
Hope this will help someone :wink:
_________________
If there is one thing to learn from history, it's that we usually don't learn anything from it, at all.