# VirtualBox OpenVPN ARP

## lwisniewski

Can you help me with ARP?

My network is as follows:

Dictionary:

host1 - PC with openvpn client

host2 - PC in LAN

server - a server which is running several VirtualBox virtual machines. It has two Ethernet ports (eth0, eth1). Gentoo is installed on it, of course.

vserver - a virtual machine (VirtualBox). It has two Ethernet interfaces (eth0, eth1). Each one is properly assigned (bridged) to the interfaces on server (<server - vserver>, eth0 - eth1, eth1 - eth0).

Eth0 port on the server is connected to the WAN.

Eth1 port on the server is connected to the LAN.

OpenVPN description:

OpenVPN is installed on the vserver.

Created tap0 OpenVPN port.

The bridge is made between tap0 and eth0.

Created a virtual bridge interface br0, which has the address 100.1.1.4/16

LAN - 100.1.0.0/16

openvpn hosts - 100.1.1.10 - 100.1.1.19

host1 - 100.1.1.10/16

host2 - 100.1.1.1/16

iptables and ebtables are disabled everywhere.

(host1: tap0[100.1.1.10])--VPN/WAN--->(server(vserver: br0<tap0, eth0>[100.1.1.4]) eth1[100.1.1.3])---LAN--->(host2: eth0[100.1.1.1])

Problem Description:

I send a ping from host1 to address 100.1.1.4, everything works fine.

I send a ping from vserver to address host1 or host2, everything works fine.

I send a ping from host1 to the host2 or some other host on the LAN:

On the server interface eth1 I see arp who-has and arp reply (Listing 1)

On the vserver interface eth0 I see only arp who-has; the arp reply is gone. (Listing 2)

Listing 3 - Setting up openvpn server

Listing 4 - Setting up openvpn client

Listing 5 - ARP table from server

Listing 6 - ARP table from vserver

If you need some more information, we are happy to share it.

Listing 1

```
oro all # tcpdump -nni eth1 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 68 bytes
13:46:02.660908 arp who-has 100.1.1.1 tell 100.1.1.10
13:46:02.660912 arp who-has 100.1.1.1 tell 100.1.1.10
13:46:02.662484 arp reply 100.1.1.1 is-at 00:15:77:67:7e:80
13:46:03.660574 arp who-has 100.1.1.1 tell 100.1.1.10
13:46:03.660579 arp who-has 100.1.1.1 tell 100.1.1.10
13:46:03.662179 arp reply 100.1.1.1 is-at 00:15:77:67:7e:80
13:46:04.660509 arp who-has 100.1.1.1 tell 100.1.1.10
13:46:04.660513 arp who-has 100.1.1.1 tell 100.1.1.10
13:46:04.662105 arp reply 100.1.1.1 is-at 00:15:77:67:7e:80
13:46:06.662102 arp who-has 100.1.1.1 tell 100.1.1.10
13:46:06.662106 arp who-has 100.1.1.1 tell 100.1.1.10
13:46:06.663740 arp reply 100.1.1.1 is-at 00:15:77:67:7e:80
13:46:07.661793 arp who-has 100.1.1.1 tell 100.1.1.10
13:46:07.661797 arp who-has 100.1.1.1 tell 100.1.1.10
13:46:07.663430 arp reply 100.1.1.1 is-at 00:15:77:67:7e:80
13:46:08.661967 arp who-has 100.1.1.1 tell 100.1.1.10
13:46:08.661971 arp who-has 100.1.1.1 tell 100.1.1.10
13:46:08.663615 arp reply 100.1.1.1 is-at 00:15:77:67:7e:80
13:46:10.662572 arp who-has 100.1.1.1 tell 100.1.1.10
13:46:10.662576 arp who-has 100.1.1.1 tell 100.1.1.10
13:46:10.664243 arp reply 100.1.1.1 is-at 00:15:77:67:7e:80
13:46:11.662692 arp who-has 100.1.1.1 tell 100.1.1.10
13:46:11.662696 arp who-has 100.1.1.1 tell 100.1.1.10
13:46:11.664432 arp reply 100.1.1.1 is-at 00:15:77:67:7e:80
13:46:12.662895 arp who-has 100.1.1.1 tell 100.1.1.10
13:46:12.662899 arp who-has 100.1.1.1 tell 100.1.1.10
13:46:12.664617 arp reply 100.1.1.1 is-at 00:15:77:67:7e:80
```

Listing 2

```
vpn ~ # tcpdump -nni eth0 arp
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:48:17.442106 arp who-has 100.1.1.1 tell 100.1.1.10
13:48:18.442073 arp who-has 100.1.1.1 tell 100.1.1.10
13:48:19.441734 arp who-has 100.1.1.1 tell 100.1.1.10
13:48:21.442401 arp who-has 100.1.1.1 tell 100.1.1.10
13:48:22.443111 arp who-has 100.1.1.1 tell 100.1.1.10
13:48:23.442508 arp who-has 100.1.1.1 tell 100.1.1.10
13:48:25.442112 arp who-has 100.1.1.1 tell 100.1.1.10
13:48:26.442120 arp who-has 100.1.1.1 tell 100.1.1.10
13:48:27.442151 arp who-has 100.1.1.1 tell 100.1.1.10
13:48:29.443029 arp who-has 100.1.1.1 tell 100.1.1.10
13:48:30.443014 arp who-has 100.1.1.1 tell 100.1.1.10
13:48:31.443006 arp who-has 100.1.1.1 tell 100.1.1.10
13:48:33.443309 arp who-has 100.1.1.1 tell 100.1.1.10
13:48:34.442971 arp who-has 100.1.1.1 tell 100.1.1.10
13:48:35.442716 arp who-has 100.1.1.1 tell 100.1.1.10
13:48:37.443201 arp who-has 100.1.1.1 tell 100.1.1.10
13:48:38.443210 arp who-has 100.1.1.1 tell 100.1.1.10
13:48:39.443071 arp who-has 100.1.1.1 tell 100.1.1.10
13:48:41.445156 arp who-has 100.1.1.1 tell 100.1.1.10
13:48:42.443920 arp who-has 100.1.1.1 tell 100.1.1.10
13:48:43.443166 arp who-has 100.1.1.1 tell 100.1.1.10
```

Listing 3

```
port 11194
proto udp
dev tap0
ca cert/mng/ca.crt
cert cert/mng/mng_server.crt
key cert/mng/mng_server.key
dh cert/mng/dh1024.pem
tls-auth cert/mng/ta.key 0
server-bridge 100.1.1.4 255.255.0.0 100.1.1.10 100.1.1.19
max-clients 2
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
verb 1
```

Listing 4

```
client
dev tap
proto udp
remote 83.68.67.214 11194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
ns-cert-type server
ca biuro_mng/ca.crt
cert biuro_mng/mng_lukas.crt
key biuro_mng/mng_lukas.key
tls-auth biuro_mng/ta.key 1
verb 1
```

Listing 5

```
oro all # arp -en
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:11:f5:28:77:7b   C                     eth0
100.1.1.3                ether   08:00:27:7d:0b:0a   C                     eth1
```

Listing 6

```
vpn ~ # arp -en
Address                  HWtype  HWaddress           Flags Mask            Iface
100.1.1.1                ether   00:15:77:67:7e:80   C                     br0
192.168.1.1              ether   00:11:f5:28:77:7b   C                     eth1
100.1.1.10               ether   1e:9a:92:76:18:a1   C                     br0
```

----------
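Added example, not part of the original post: a small Python script that compares ARP captures taken at successive points on the path (as in Listings 1 and 2) and reports the hop where replies are visible on one side but never arrive on the other. The function names `summarize` and `locate_drop` are invented for this sketch; the sample lines are excerpted from Listings 1 and 2.

```python
import re
from collections import Counter

# Both the old tcpdump text ("arp who-has ...") and the newer
# "ARP, Request who-has ..." / "ARP, Reply ..." forms match these.
REQ = re.compile(r"who-has (\d+\.\d+\.\d+\.\d+) tell", re.I)
REP = re.compile(r"reply (\d+\.\d+\.\d+\.\d+) is-at", re.I)

def summarize(capture):
    """Count ARP requests and replies per target IP in one capture."""
    req, rep = Counter(), Counter()
    for line in capture.splitlines():
        if m := REQ.search(line):
            req[m.group(1)] += 1
        elif m := REP.search(line):
            rep[m.group(1)] += 1
    return req, rep

def locate_drop(points):
    """points: (name, capture) pairs ordered from the responder's side
    toward the requester. Returns (ip, seen_at, missing_at) for each hop
    where replies are visible upstream but never reach the next point."""
    drops = []
    for (up_name, up), (down_name, down) in zip(points, points[1:]):
        _, up_rep = summarize(up)
        down_req, down_rep = summarize(down)
        for ip in sorted(down_req):
            if up_rep[ip] > 0 and down_rep[ip] == 0:
                drops.append((ip, up_name, down_name))
    return drops

# Excerpts from Listing 1 (server eth1) and Listing 2 (vserver eth0).
SERVER_ETH1 = """\
13:46:02.660908 arp who-has 100.1.1.1 tell 100.1.1.10
13:46:02.660912 arp who-has 100.1.1.1 tell 100.1.1.10
13:46:02.662484 arp reply 100.1.1.1 is-at 00:15:77:67:7e:80
"""
VSERVER_ETH0 = """\
13:48:17.442106 arp who-has 100.1.1.1 tell 100.1.1.10
13:48:18.442073 arp who-has 100.1.1.1 tell 100.1.1.10
"""

if __name__ == "__main__":
    for ip, seen, missing in locate_drop(
            [("server eth1", SERVER_ETH1), ("vserver eth0", VSERVER_ETH0)]):
        print(f"replies for {ip} seen on {seen} but not on {missing}")
```

Feeding it full `tcpdump -nn ... arp` output saved from each interface narrows the loss to one hop before any bridge or hypervisor settings are changed.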

