# Damn OpenVpn bridge.... HELP! [solved]

## zimnybudyn

Hi

So here is the "big" picture:

```
      client----Client's_GW---Internet----OpenVPN_Server----LAN
(172.16.1.2)                                                (192.168.0.0/24)
```

The idea is to see the client machine as if it were in the LAN.

From what I understand this should work like this: the client sends packets through the VPN; on the server side the packets come out of the VPN, get into the bridge and go directly to the LAN, right? And the other way, packets from the LAN incoming on the bridge interface should get routed through the VPN or bounced back to the LAN depending on the IP; the decision is made by the bridge.

I've managed to create a bridge on the server from the eth0 and tap0 interfaces, then established a successful VPN connection (the client got an IP address from the server).

From Client side:

The client receives an IP from the LAN pool, i.e. 192.168.0.17, so the client's machine knows where to route packets belonging to this subnet -> through the VPN, and it does so. When I ping from the client machine to the server or the LAN I can see packets incoming on the server's external interface, which means they go through the VPN, but then they disappear and aren't forwarded to the bridge!

The same story is in the other direction:

I simply don't see any packets being forwarded between bridge br0 and the external interface. The server has this 192.168.0.0/24 subnet assigned to the bridge interface, and obviously doesn't seem to send any packets belonging to this subnet through the VPN...

In my desperation I've allowed every possible traffic in iptables, added forward, input and output rules, even set the default policy to ACCEPT; of course NAT for the LAN is enabled.

I would say that the bridge itself doesn't work at all with the openvpn tunnel (tap0 interface), because normal traffic from the LAN to the internet (through br0 with the assigned IP) works well.

Please tell me how the hell this is supposed to work!? What may be wrong? Has anyone got a working configuration similar to what I'm trying to do?

Generally I've followed the HowTo found on the openvpn.net site. I established the tunnel with the server-bridge directive and using SSL/TLS certificates.

If it helps I can post system configuration fragments.

```
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.0050da48f84d       yes             eth0
                                                        tap0
```

```
# ifconfig
br0       Link encap:Ethernet  HWaddr 00:50:DA:48:F8:4D
          inet addr:192.168.0.111  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:122209 errors:0 dropped:0 overruns:0 frame:0
          TX packets:163206 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:13437489 (12.8 Mb)  TX bytes:159926757 (152.5 Mb)
```

this bridge-tunnel thing ain't funny any more

regards

luke

Last edited by zimnybudyn on Mon Nov 21, 2005 2:26 pm; edited 4 times in total

----------

## magic919

I can see this is enough to drive someone mad. My OpenVPN stuff is usually just client to server using TUN, and I don't need to get to the LAN beyond the server.

What's the IP and interface set-up on the server?

----------

## zimnybudyn

From the LAN side the server has 192.168.0.111, as you can see in the ifconfig br0 output in my first post.

The thing is that I have a working OpenVPN in my other network, but using routing, not a bridge, just as you do. The routed version forces you to have different subnets and routing between them. A client can access e.g. samba shares in the LAN by connecting directly to the selected IP; he can map a network share on his machine and this works very well.

But in the current case I want to JOIN the clients' machines to the LAN, so they would all be visible in Network Neighbourhood - it's a clearer and more user-friendly solution for inexperienced users. They can browse instead of mapping many shares. The only thing required is that the client must have a different local network IP than the one that he connects to. Also I suspect that the bridge version means greater network overhead because of inefficient samba protocols, but I can live with that.

And according to the HowTos that I've read it should work this way, but somehow it doesn't for me...

I'll keep trying, but my patience is limited...

----------

## magic919

I understand the br0 bit. I'm trying to understand what other interfaces the machine has, and it clearly must have at least one, and how you've configured them.

----------

## zimnybudyn

I don't understand it very well either...

It has two NICs:

eth1 - public IP to the internet

eth0 - private IP (192.168.0.111) to the LAN

and virtual tap0 created by openvpn

eth0 and tap0 are bridged into br0; in this mode eth0 and tap0 cannot have an IP address assigned. To keep the LAN working it has to be a managed bridge, so now br0 has IP 192.168.0.111 (the one that eth0 had). Everything exactly as the HowTo says.

Connections from the LAN go through this br0, then are SNATed going out eth1. The only thing that is not working is forwarding between the interfaces in the bridge, tap0<->eth0, and I have no idea why...

In the HowTo there is one thing I don't understand the meaning of:

> The addresses used for local and remote should not be part of the bridged subnet -- otherwise you will end up with a routing loop.

an example would be nice...

The bridge setup seems quite easy, there is almost no place to make an error. So I think it's an OpenVPN configuration error. I've sent a copy of this post to their mailing list, but for now nothing except one guy who claims to have exactly the same problem... I'm not alone, yee....

----------

## dignus

Same problem here, help would be much appreciated.

----------

## Mben

I'm also having the same problem. There is a forum about openvpn here: http://openvpn.se/bb/index.php

I have a similar post there that hasn't been answered in a couple of days, but you could give it a try if you want.

----------

## zimnybudyn

Of course I'll give it a try...

http://openvpn.se/bb/viewtopic.php?p=1443

Everyone: pray to your Gods, so we can finally find a solution

---

what doesn't kill you, makes you stronger

----------

## magic919

I take it you've got 802.1d bridging compiled into the kernel?

What about a cut and paste of /etc/conf.d/net and

/etc/openvpn/server/local.conf

I might even have to try it on one of my servers tomorrow.

----------

## SavageMindz

Ahh, I think I can help here, I had this working. It took me ages to get it to work automagically with the gentoo net-scripts.

Anyway, here is the config I used.

/etc/conf.d/net

```
config_eth0=( "null" )
config_tap0=( "null" )
bridge_br0="eth0 tap0"
config_br0=( "192.168.1.100 broadcast 192.168.1.255 netmask 255.255.255.0" )

depend_tap0() {
       need openvpn
}

depend_br0() {
        need net.tap0 net.eth0
}
```

The bit that got me was that the net services kept coming up in the wrong order. The depends fix that. Or at least they did for me.

Right, for openvpn itself you will need something like the following. (Comments removed.)

```
port 1194
proto tcp
dev tap
ca /etc/ssl/certs/cacert.pem
cert /etc/ssl/certs/crt.pem
dh /etc/ssl/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.100 255.255.255.0 192.168.1.192 192.168.1.254
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
```

The only thing I found important here was that you change the lines "dev tun" to "dev tap" and "server" to "server-bridge". The IP is the IP of the bridge (br0). That, and make sure all the certs are available.

You can of course set all this up and then kick off the /etc/init.d/net.br0 init script and it should all just come up from there. You may need the unstable (~x86) version of baselayout, I'm not sure. I should point out that the interface I bridge is the one connected to the network I want to talk to. In the case of the original post that would be the IP on the LAN on the right.

Hope this helps.

Savage

----------

## zimnybudyn

and you say this configuration worked for you... heheh, the irony of this situation almost made me laugh

anyway, thanks for trying to help, but:

To get it working automagically, one just has to do things in order - that is why you used "depend", right?

I am doing things manually in the proper order (I hope), this means: create tap0, create the bridge, assign an IP to the bridge, start the openvpn server. Just as http://openvpn.net/bridge.html says. I can successfully connect my client to the server, so basically the vpn itself is working.

The THING is that the openvpn server doesn't seem to work with this tap0 added to the bridge... and contrary to my earlier conclusions, now I think this is not a bridge issue. (Yes magic919, I have 802.1d bridging compiled into the kernel.) I've checked this with ebtables:

```
ebtables -A INPUT -i tap0 --log-ip --log-prefix TAP_IN
ebtables -A OUTPUT -o tap0 --log-ip --log-prefix TAP_OUT
```

I can see (with tcpdump) packets coming (one way) to the server into the external interface to port 1194, but nothing is logged by the ebtables rules -> this means that nothing gets into the tap0 interface -> and this means the openvpn server is not forwarding! The client is sending ARP requests "who has xxxx ip" and is not getting any response from the server, but some packets are sent back to the client, and these I think are keepalive "pings"..

In my understanding the openvpn server listens on port 1194 and should decapsulate incoming packets and put them on the tap0 interface, which is bridged to br0, and the other way, everything that gets into tap0 should be sent through the tunnel by openvpn - it's just not happening.

And this is not an issue of iptables either, because I've set the default policy to ACCEPT in all chains.

```
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j SNAT --to-source $IP
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
```

Here is my /etc/openvpn/server/local.conf

```
port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.0.111 255.255.255.0 192.168.0.17 192.168.0.30
;client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /etc/openvpn/server/openvpn-status.log
log /etc/openvpn/server/openvpn.log
verb 3
```

as you can see this is pretty much the same as SavageMindz's configuration. (I've tried proto tcp too.)

Yes, I have the latest baselayout, and I bridge the LAN interface on the right of the original post

so what the F*** is wrong with this OpenVPN server!?

----------

## magic919

Have you considered taking this bit of iptables out for the time being?

```
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j SNAT --to-source $IP
```

I've not done any NATing with iptables, but I wonder what it makes of packets from 192.168.0.17, for example. Does it NAT the IP and shove it out eth1? Just a thought.

I know your other LAN - server end - guys lose Internet, but it might be worth a try.

----------

## SavageMindz

Just a thought, but I found (and again this might just have been me) that the tap0 interface was not created until openvpn was started (and yes, I know this conflicts with the documentation) and that this needs to be up before the bridge can be created. Don't create tap0 yourself; let the openvpn init script do it for you before making the bridge and see if it works now.

Regards

Savage

----------

## zimnybudyn

oh fuc**** lying howto/docs

I saw this depend openvpn in your /etc/conf.d/net, and I had tried earlier to start openvpn and then execute this bridge_start script from the HowTo - it didn't work. Now I know why - it's simply fuc**** up. There is this openvpn --mktun --dev tap0 which ruins everything...

You're right Savage, first one has to start openvpn (it creates device tap0), then bring the tap0 interface up, and create the bridge, but without this stupid mktun command. It's completely backwards to what the HowTo says... but as it turns out it's the right way.

my Big Thanks guys for the help

regards

Luke
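The bring-up order Luke and Savage settled on, as an added shell script that is not from the thread, the OpenVPN HowTo or Gentoo's net-scripts: openvpn (started first, with dev tap0) creates tap0, the script waits for it, then builds br0 from eth0 and tap0 without the HowTo's mktun step. The interface names and 192.168.0.111/24 come from the thread; the SYSNET override, the 15-second wait and the "run" argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: build the OpenVPN bridge AFTER openvpn has created tap0.
# Do not run "openvpn --mktun --dev tap0" beforehand, as the HowTo suggests.
set -e

BR=${BR:-br0}; ETH=${ETH:-eth0}; TAP=${TAP:-tap0}
BR_ADDR=${BR_ADDR:-192.168.0.111/24}; BR_BCAST=${BR_BCAST:-192.168.0.255}
SYSNET=${SYSNET:-/sys/class/net}   # sysfs root; overridable for dry tests (assumption)

# 0 if the kernel has an interface named $1.
iface_exists() { [ -d "$SYSNET/$1" ]; }

# 0 if interface $1 is already a port of bridge $2.
bridge_has_port() { [ -d "$SYSNET/$2/brif/$1" ]; }

# Poll for interface $1 for up to $2 seconds: openvpn creates tap0 on its own
# schedule, and the bridge must not be built before it appears.
wait_for_iface() {
    _n=0
    while ! iface_exists "$1"; do
        _n=$((_n + 1))
        [ "$_n" -le "${2:-10}" ] || return 1
        sleep 1
    done
}

# Bridge eth0 and tap0 into br0 and move the LAN address from eth0 onto br0.
bridge_start() {
    iface_exists "$ETH" || { echo "$ETH does not exist" >&2; return 1; }
    wait_for_iface "$TAP" 15 || { echo "$TAP never appeared; start openvpn first" >&2; return 1; }
    iface_exists "$BR" || brctl addbr "$BR"
    bridge_has_port "$ETH" "$BR" || brctl addif "$BR" "$ETH"
    bridge_has_port "$TAP" "$BR" || brctl addif "$BR" "$TAP"
    ip addr flush dev "$ETH"              # bridge ports carry no IP of their own
    ip link set "$ETH" up promisc on
    ip link set "$TAP" up promisc on
    ip addr replace "$BR_ADDR" brd "$BR_BCAST" dev "$BR"   # LAN address now lives on br0
    ip link set "$BR" up
}

# Only touch the system when explicitly asked: sh bridge_up.sh run
if [ "${1:-}" = "run" ]; then
    bridge_start
fi
```

Run it from the openvpn init script's post-start hook (or a depend as in SavageMindz's /etc/conf.d/net) so the tap0 check always happens after openvpn is up.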

----------

## UberLord

You can always get Gentoo to manage the tun/tap interfaces instead of openvpn.

This is more reliable in my experience

----------

## Merlin-TC

Could you give me a hand, UberLord?

You said that you can use the Gentoo scripts to set up br0 and tap0, which I have done.

Now, I have never set up an openvpn network and I am a bit confused.

First of all, does tap0 need to get an IP or can I use "null"?

Then in the openvpn manpage they say I have to "server-bridge 192.168.0.10 255.255.255.0 192.168.0.12 192.168.0.20"

But does this conflict with the bridge that was started via the gentoo scripts?

Sorry for the confusion but I hope someone can help me.

Thanks

----------

## cryos

UberLord wrote:

> You can always get Gentoo to manage the tun/tap interfaces instead of openvpn.
> 
> This is more reliable in my experience

I have been struggling to get this working over the last few days and came across this post. I am on amd64, which may complicate things, and this is my first venture into setting up openvpn, although I have used Cisco VPN concentrators in the past.

When I tried to get the tap0 interface it failed when trying to add it to the bridge. I also looked with ifconfig, which confirmed that the interface did not exist. When I changed to letting openvpn manage tap0 and the Gentoo scripts manage the rest it works perfectly here (after days of troubleshooting it). I will post my configs below in case they are of any help to anyone. This is managed as much as possible by the Gentoo scripts, and I would be interested to know if I could improve this any further.

/etc/conf.d/net:

```
config_eth0=( "null" )
config_tap0=( "null" )
config_br0=(
        "192.168.10.2/24"
        "192.168.2.2/24"
        "192.168.1.2/24"
        "2*.155.144.221/29"
)
bridge_br0="eth0 tap0"

depend_br0() {
        need net.eth0 net.tap0
}

depend_tap0() {
        need openvpn
}

routes_br0=(
        "default via 2*.155.144.222"
)
```

/etc/openvpn/openvpn.conf on the server:

```
port 1194
proto udp
dev tap0
ca ca.crt
cert cryos.crt
key cryos.key
dh dh2048.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.2.2 255.255.255.0 192.168.2.50 192.168.2.100
push "route 192.168.2.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 4
```

/etc/openvpn/openvpn.conf on the client:

```
client
dev tap
proto udp
remote 2*.155.144.221 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert cryos-lap.crt
key cryos-lap.key
comp-lzo
log-append /var/log/openvpn.log
verb 4
```

The 2* is my slightly masked public IP - it is a real address in the files. This works, but if I remove the depend on openvpn of tap0 then it fails on the bridging setup. I would like to do this the right way, and would be interested in getting to the bottom of this if possible, although I am quite happy with the current setup.

Last edited by cryos on Wed Jan 11, 2006 4:51 pm; edited 1 time in total

----------

## mariourk

I tried all of this but I still have no connection.

I used the scripts provided here and they seem to work fine.

When I start openvpn, eth0, tap0 and br0 will come up. OpenVPN creates tap0. The clients get an IP from the server and after that, nothing!

I have a thread running about it here

Maybe you guys know what's wrong?

----------

## mariourk

I fixed my problem. If you want the solution, I posted it on my other thread.

Hope this will help someone

----------

