Rough solution:
iptables -A FORWARD -i br200 -j ACCEPT
iptables -A FORWARD -o br200 -j ACCEPT
I still don't understand what's happening. Bridging is done at L2; iptables shouldn't touch those packets.
Configuration:
Debian 6.0 Squeeze
OpenVPN 2.2.1(from backports)
My task is to connect remote clients with the local network on the data link layer, so that they stay in one broadcast domain and have the same network/netmask as local clients. I'm using TAP interfaces and bridging. All related interfaces (Ethernet (local network), TAP (VPN) and bridge) are set to promiscuous mode. Network/netmask is 172.20.200.0/24. Server address is 172.20.200.2.
Both local and remote clients can ping the server, but there is no connection between local and remote clients. Using the packet capturing program tshark on the server (tshark -i br200 -f "icmp") I see ICMP echo requests from the remote client to the local one. On the local client I don't see those requests (using Wireshark). Moreover, the local client has the remote client's address in its ARP cache, and the remote client has the local client's address in its ARP cache. So, they see each other on the data link layer. But they just can't ping each other! Firewall and antivirus are disabled on both clients. Where is the problem? I don't understand.

/etc/network/interfaces
auto bond0.200
iface bond0.200 inet manual
vlan_raw_device bond0
up ifconfig bond0.200 0.0.0.0 promisc up
auto br200
iface br200 inet static
bridge_ports bond0.200
bridge_stp off
bridge_fd 1
address 172.20.200.2
netmask 255.255.255.0
post-up ifconfig br200 promisc

/etc/openvpn/server.conf
mode server
tls-server
port *****
proto tcp-server
dev tap200
script-security 2
up /etc/openvpn/bridge-start
down /etc/openvpn/bridge-stop
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
#crl-verify crl.pem
auth sha1
cipher AES-256-CBC
; !!!
; comp-lzo
tun-mtu 1500
mssfix 1450
client-config-dir /etc/openvpn/ccd
ccd-exclusive
client-to-client
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn/server-arm.status
log-append /var/log/openvpn/server-arm.log

/etc/openvpn/ccd/client-arm23
ifconfig-push 172.20.200.132 255.255.255.0

/etc/openvpn/bridge-start
#!/bin/bash
#set -x
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################
br="br200"
tap="tap200"
openvpn --mktun --dev $tap
ifconfig $tap 0.0.0.0 promisc up
brctl addif $br $tap
exit 0

/etc/openvpn/bridge-stop
#!/bin/bash
#set -x
####################################
# Tear Down Ethernet bridge on Linux
####################################
br="br200"
tap="tap200"
brctl delif $br $tap
openvpn --rmtun --dev $tap
exit 0

MTU and MRU on all interfaces coincide.
bond0.200 is a VLAN device over a bond device. Maybe this causes errors in some strange way?
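Why iptables FORWARD rules change the behaviour of a pure L2 bridge at all: when the kernel's br_netfilter code is active (net.bridge.bridge-nf-call-iptables is 1), frames that are merely switched between br200's ports still traverse the iptables FORWARD chain, so a restrictive FORWARD policy blocks local/VPN traffic the host never routes. As an added example (not part of the original question or answer), the POSIX shell script below checks that sysctl and prints FORWARD rules scoped to frames actually bridged through the VPN port instead of the blanket accept in the rough solution; BRIDGE, VPN_PORT, SYSCTL_FILE and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether bridged frames
# are being handed to iptables (br_netfilter) and prints FORWARD rules that
# only match frames switched through the VPN port of the bridge.
# Assumed names: BRIDGE, VPN_PORT, SYSCTL_FILE and the functions below.

BRIDGE="${BRIDGE:-br200}"
VPN_PORT="${VPN_PORT:-tap200}"
SYSCTL_FILE="${SYSCTL_FILE:-/proc/sys/net/bridge/bridge-nf-call-iptables}"

# Returns 0 when bridged frames are passed through iptables, 1 otherwise.
# $1 may point at a saved copy of the sysctl file (offline / test use).
bridge_nf_active() {
  f="${1:-$SYSCTL_FILE}"
  [ -r "$f" ] || return 1   # br_netfilter not loaded: iptables is bypassed
  [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# Prints FORWARD rules limited to frames the bridge itself is switching:
# -m physdev --physdev-is-bridged matches only bridged frames, for which
# both -i and -o are the bridge device. Routed traffic entering or leaving
# the bridge stays subject to the rest of the policy, unlike the blanket
# "-i br200 -j ACCEPT" / "-o br200 -j ACCEPT" pair.
# $1 = bridge device, $2 = bridge port that carries the VPN (tap) traffic.
bridged_vpn_rules() {
  br="${1:-$BRIDGE}"; port="${2:-$VPN_PORT}"
  printf 'iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in %s -i %s -o %s -j ACCEPT\n' "$port" "$br" "$br"
  printf 'iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-out %s -i %s -o %s -j ACCEPT\n' "$port" "$br" "$br"
}

# One-line diagnosis for a runbook or monitoring check; first word of the
# output is "bridged-frames-filtered" or "bridged-frames-unfiltered".
# $1 is passed on to bridge_nf_active (sysctl file override).
diagnose() {
  if bridge_nf_active "$1"; then
    echo "bridged-frames-filtered: FORWARD chain applies to $BRIDGE; scoped rules:"
    bridged_vpn_rules "$BRIDGE" "$VPN_PORT"
  else
    echo "bridged-frames-unfiltered: iptables does not see frames switched by $BRIDGE"
  fi
}
```

Run `diagnose` as root on the server to see which case applies; the printed rules are only suggestions to review, nothing is applied automatically.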

Most likely you forgot to enable forwarding. Add
net.ipv4.ip_forward=1
to /etc/sysctl.conf, then run sysctl -p or restart. Also try to add the following to the OpenVPN config:
Note that adding an interface to a bridge sets the promisc flag appropriately. The bridge interface need not be in promisc mode.
I got the same setup running, but on OpenSUSE; TAP interfaces are created during startup and OpenVPN just opens them - no start/stop script in OpenVPN.