# OpenVPN and Bridging

## ITFriend

Hi everyone,

I have a problem setting up OpenVPN.

I don't get any connectivity through the tunnel (ping etc.).

My network layout looks like this:

```
+--------+
|morpheus| 192.168.178.201/24
+--------+
     |
     | VPN over 172.20.228.0/22 (insecure network)
     |
+-----------+
|datenbunker| 192.168.178.250/24
+-----------+
     |
     |
     |
+---------+
|fritz.box| 192.168.178.254/24
+---------+
     |
     |
/~~~~~~~~\
|Internet|
\~~~~~~~~/
```

Here are the configs from the server:

```
datenbunker ~ # cat /etc/openvpn/openvpn.conf
daemon
port 1194
proto udp
dev tap0
ca /etc/openvpn/easy-rsa2/keys/ca.crt
cert /etc/openvpn/easy-rsa2/keys/datenbunker.wh36.de.crt
dh /etc/openvpn/easy-rsa2/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.178.254 255.255.255.0 192.168.178.200 192.168.178.210
push "redirect-gateway def1"
client-to-client
keepalive 10 120
comp-lzo
max-clients 10
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
verb 3

datenbunker ~ # brctl show
bridge name   bridge id      STP enabled   interfaces
br0      8000.00148534197c   no      eth1

datenbunker ~ # ifconfig
br0       Protokoll:Ethernet  Hardware Adresse 00:14:85:34:19:7c
          inet Adresse:192.168.178.250  Bcast:192.168.178.255  Maske:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1936 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1706 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:0
          RX bytes:347414 (339.2 KiB)  TX bytes:305584 (298.4 KiB)

eth0      Protokoll:Ethernet  Hardware Adresse 00:e0:7d:e5:3b:60
          inet Adresse:172.20.231.169  Bcast:172.20.231.255  Maske:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:599699 errors:0 dropped:0 overruns:0 frame:0
          TX packets:812339 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:1000
          RX bytes:47783179 (45.5 MiB)  TX bytes:1196274074 (1.1 GiB)
          Interrupt:16 Basisadresse:0xa000

eth1      Protokoll:Ethernet  Hardware Adresse 00:14:85:34:19:7c
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:82112 errors:0 dropped:0 overruns:0 frame:0
          TX packets:71976 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:1000
          RX bytes:15820642 (15.0 MiB)  TX bytes:14282878 (13.6 MiB)
          Interrupt:21 Basisadresse:0x6000

lo        Protokoll:Lokale Schleife
          inet Adresse:127.0.0.1  Maske:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1115 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1115 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:0
          RX bytes:111269 (108.6 KiB)  TX bytes:111269 (108.6 KiB)

# iptables-save
# Generated by iptables-save v1.4.6 on Thu Nov 18 19:07:59 2010
*nat
:PREROUTING ACCEPT [16411:1978350]
:OUTPUT ACCEPT [596:71880]
:POSTROUTING ACCEPT [596:71880]
COMMIT
# Completed on Thu Nov 18 19:07:59 2010
# Generated by iptables-save v1.4.6 on Thu Nov 18 19:07:59 2010
*mangle
:PREROUTING ACCEPT [620807:48287740]
:INPUT ACCEPT [612234:47429467]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [547989:1173676771]
:POSTROUTING ACCEPT [547989:1173676771]
COMMIT
# Completed on Thu Nov 18 19:07:59 2010
# Generated by iptables-save v1.4.6 on Thu Nov 18 19:07:59 2010
*filter
:INPUT ACCEPT [4845:328555]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4202:9864120]
COMMIT
# Completed on Thu Nov 18 19:07:59 2010

datenbunker ~ # netstat -r
Kernel IP Routentabelle
Ziel            Router          Genmask         Flags   MSS Fenster irtt Iface
192.168.178.0   *               255.255.255.0   U         0 0          0 br0
172.20.228.0    *               255.255.252.0   U         0 0          0 eth0
129.13.0.0      172.20.231.254  255.255.0.0     UG        0 0          0 eth0
141.3.0.0       172.20.231.254  255.255.0.0     UG        0 0          0 eth0
172.16.0.0      172.20.231.254  255.240.0.0     UG        0 0          0 eth0
loopback        *               255.0.0.0       U         0 0          0 lo
default         192.168.178.254 0.0.0.0         UG        0 0          0 br0

datenbunker ~ # cat /etc/conf.d/net
bridge_br0="eth1"
config_br0=( "192.168.178.250/24" )
config_eth1=( "null" )
config_eth0=( "172.20.231.169/22" )
routes_br0=( "default via 192.168.178.254" )
routes_eth0=( "172.16.0.0/12 via 172.20.231.254" "129.13.0.0/16 via 172.20.231.254" "141.3.0.0/16 via 172.20.231.254" )
dns_domain="wh36.de"
dns_servers=( "172.20.228.10" )

preup() {
  openvpn --mktun --dev tap0
  brctl addif br0 tap0
  return 0
}

predown() {
  brctl delif br0 tap0
  openvpn --rmtun --dev tap0
  return 0
}

datenbunker openvpn # ping -c3 192.168.178.201
PING 192.168.178.201 (192.168.178.201) 56(84) bytes of data.
From 192.168.178.250 icmp_seq=1 Destination Host Unreachable
From 192.168.178.250 icmp_seq=2 Destination Host Unreachable
From 192.168.178.250 icmp_seq=3 Destination Host Unreachable

--- 192.168.178.201 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 1999ms

datenbunker ~ # tail /var/log/messages
Nov 18 19:26:01 datenbunker openvpn[21110]: OpenVPN 2.1.3 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [MH] [PF_INET6] built on Nov 14 2010
Nov 18 19:26:01 datenbunker openvpn[21110]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Nov 18 19:26:01 datenbunker openvpn[21110]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Nov 18 19:26:01 datenbunker openvpn[21110]: Diffie-Hellman initialized with 1024 bit key
Nov 18 19:26:01 datenbunker openvpn[21110]: TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Nov 18 19:26:01 datenbunker openvpn[21110]: Socket Buffers: R=[118784->131072] S=[118784->131072]
Nov 18 19:26:01 datenbunker openvpn[21110]: TUN/TAP device tap0 opened
Nov 18 19:26:01 datenbunker openvpn[21110]: TUN/TAP TX queue length set to 100
Nov 18 19:26:01 datenbunker openvpn[21110]: Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Nov 18 19:26:01 datenbunker openvpn[21111]: GID set to openvpn
Nov 18 19:26:01 datenbunker openvpn[21111]: UID set to openvpn
Nov 18 19:26:01 datenbunker openvpn[21111]: UDPv4 link local (bound): [undef]
Nov 18 19:26:01 datenbunker openvpn[21111]: UDPv4 link remote: [undef]
Nov 18 19:26:01 datenbunker openvpn[21111]: MULTI: multi_init called, r=256 v=256
Nov 18 19:26:01 datenbunker openvpn[21111]: IFCONFIG POOL: base=192.168.178.200 size=11
Nov 18 19:26:01 datenbunker openvpn[21111]: IFCONFIG POOL LIST
Nov 18 19:26:01 datenbunker openvpn[21111]: ares.wh36.de,192.168.178.200
Nov 18 19:26:01 datenbunker openvpn[21111]: morpheus.wh36.de,192.168.178.201
Nov 18 19:26:01 datenbunker openvpn[21111]: Initialization Sequence Completed
Nov 18 19:26:04 datenbunker openvpn[21111]: MULTI: multi_create_instance called
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 Re-using SSL/TLS context
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 LZO compression initialized
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 Local Options hash (VER=V4): 'f7df56b8'
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 Expected Remote Options hash (VER=V4): 'd79ca330'
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 TLS: Initial packet from [AF_INET]172.20.230.168:1194, sid=583cec3d e3802f03
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 VERIFY OK: depth=1, /C=DE/ST=BW/L=Karlsruhe/O=VPN-Alice/CN=VPN-Alice_CA/emailAddress=netz@wh36.de
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 VERIFY OK: depth=0, /C=DE/ST=BW/L=Karlsruhe/O=VPN-Alice/CN=morpheus.wh36.de/emailAddress=netz@wh36.de
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 [morpheus.wh36.de] Peer Connection Initiated with [AF_INET]172.20.230.168:1194
Nov 18 19:26:07 datenbunker openvpn[21111]: morpheus.wh36.de/172.20.230.168:1194 PUSH: Received control message: 'PUSH_REQUEST'
Nov 18 19:26:07 datenbunker openvpn[21111]: morpheus.wh36.de/172.20.230.168:1194 SENT CONTROL [morpheus.wh36.de]: 'PUSH_REPLY,redirect-gateway def1,route-gateway 192.168.178.254,ping 10,ping-restart 120,ifconfig 192.168.178.201 255.255.255.0' (status=1)
Nov 18 19:26:07 datenbunker openvpn[21111]: morpheus.wh36.de/172.20.230.168:1194 MULTI: Learn: 5e:f1:6a:c8:c1:be -> morpheus.wh36.de/172.20.230.168:1194
```

Here are the configs from the client:

```
morpheus ~ # cat /etc/openvpn/openvpn.conf
client
dev tap0
proto udp
remote datenbunker.wh36.de 1194
resolv-retry infinite
pull
persist-key
persist-tun
ca ca.crt
cert morpheus.wh36.de.crt
key morpheus.wh36.de.key
ns-cert-type server
comp-lzo
verb 3

morpheus ~ # ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:17:43:b4:4b
          inet addr:172.20.230.168  Bcast:172.20.231.255  Mask:255.255.252.0
          inet6 addr: fe80::216:17ff:fe43:b44b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11291426 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4681976 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7294392096 (6.7 GiB)  TX bytes:6186748379 (5.7 GiB)
          Interrupt:23 Base address:0x6000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:31033 errors:0 dropped:0 overruns:0 frame:0
          TX packets:31033 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:209789297 (200.0 MiB)  TX bytes:209789297 (200.0 MiB)

tap0      Link encap:Ethernet  HWaddr 4a:cb:81:b5:53:10
          inet addr:192.168.178.201  Bcast:192.168.178.255  Mask:255.255.255.0
          inet6 addr: fe80::48cb:81ff:feb5:5310/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:76 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:3278 (3.2 KiB)

morpheus ~ # netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
wh36-e004-2.wh3 172.20.231.254  255.255.255.255 UGH       0 0          0 eth0
192.168.178.0   *               255.255.255.0   U         0 0          0 tap0
172.20.228.0    *               255.255.252.0   U         0 0          0 eth0
129.13.0.0      172.20.231.254  255.255.0.0     UG        0 0          0 eth0
141.3.0.0       172.20.231.254  255.255.0.0     UG        0 0          0 eth0
172.16.0.0      172.20.231.254  255.240.0.0     UG        0 0          0 eth0
loopback        *               255.0.0.0       U         0 0          0 lo
default         192.168.178.254 128.0.0.0       UG        0 0          0 tap0
128.0.0.0       192.168.178.254 128.0.0.0       UG        0 0          0 tap0
default         172.20.231.254  0.0.0.0         UG        0 0          0 eth0

morpheus ~ # ping -c3 192.168.178.254
PING 192.168.178.254 (192.168.178.254) 56(84) bytes of data.
From 192.168.178.201 icmp_seq=1 Destination Host Unreachable
From 192.168.178.201 icmp_seq=2 Destination Host Unreachable
From 192.168.178.201 icmp_seq=3 Destination Host Unreachable

--- 192.168.178.254 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 1999ms

morpheus ~ # tail /var/log/messages
Nov 18 19:26:08 moprheus openvpn[21319]: OpenVPN 2.1.2 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Oct 19 2010
Nov 18 19:26:08 moprheus openvpn[21319]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Nov 18 19:26:08 moprheus openvpn[21319]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 18 19:26:08 moprheus openvpn[21319]: LZO compression initialized
Nov 18 19:26:08 moprheus openvpn[21319]: Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Nov 18 19:26:08 moprheus openvpn[21319]: Socket Buffers: R=[116736->131072] S=[116736->131072]
Nov 18 19:26:08 moprheus openvpn[21319]: Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Nov 18 19:26:08 moprheus openvpn[21319]: Local Options hash (VER=V4): 'd79ca330'
Nov 18 19:26:08 moprheus openvpn[21319]: Expected Remote Options hash (VER=V4): 'f7df56b8'
Nov 18 19:26:08 moprheus openvpn[21320]: UDPv4 link local (bound): [undef]:1194
Nov 18 19:26:08 moprheus openvpn[21320]: UDPv4 link remote: 172.20.231.169:1194
Nov 18 19:26:08 moprheus openvpn[21320]: TLS: Initial packet from 172.20.231.169:1194, sid=5e6d83c4 e7b74c95
Nov 18 19:26:08 moprheus openvpn[21320]: VERIFY OK: depth=1, /C=DE/ST=BW/L=Karlsruhe/O=VPN-Alice/CN=VPN-Alice_CA/emailAddress=netz@wh36.de
Nov 18 19:26:08 moprheus openvpn[21320]: VERIFY OK: nsCertType=SERVER
Nov 18 19:26:08 moprheus openvpn[21320]: VERIFY OK: depth=0, /C=DE/ST=BW/L=Karlsruhe/O=VPN-Alice/CN=datenbunker.wh36.de/emailAddress=netz@wh36.de
Nov 18 19:26:08 moprheus openvpn[21320]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 18 19:26:08 moprheus openvpn[21320]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 18 19:26:08 moprheus openvpn[21320]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 18 19:26:08 moprheus openvpn[21320]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 18 19:26:08 moprheus openvpn[21320]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Nov 18 19:26:08 moprheus openvpn[21320]: [datenbunker.wh36.de] Peer Connection Initiated with 172.20.231.169:1194
Nov 18 19:26:11 moprheus openvpn[21320]: SENT CONTROL [datenbunker.wh36.de]: 'PUSH_REQUEST' (status=1)
Nov 18 19:26:11 moprheus openvpn[21320]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route-gateway 192.168.178.254,ping 10,ping-restart 120,ifconfig 192.168.178.201 255.255.255.0'
Nov 18 19:26:11 moprheus openvpn[21320]: OPTIONS IMPORT: timers and/or timeouts modified
Nov 18 19:26:11 moprheus openvpn[21320]: OPTIONS IMPORT: --ifconfig/up options modified
Nov 18 19:26:11 moprheus openvpn[21320]: OPTIONS IMPORT: route options modified
Nov 18 19:26:11 moprheus openvpn[21320]: OPTIONS IMPORT: route-related options modified
Nov 18 19:26:11 moprheus openvpn[21320]: ROUTE default_gateway=172.20.231.254
Nov 18 19:26:11 moprheus openvpn[21320]: TUN/TAP device tap0 opened
Nov 18 19:26:11 moprheus openvpn[21320]: TUN/TAP TX queue length set to 100
Nov 18 19:26:11 moprheus openvpn[21320]: /sbin/ifconfig tap0 192.168.178.201 netmask 255.255.255.0 mtu 1500 broadcast 192.168.178.255
Nov 18 19:26:11 moprheus openvpn[21320]: /etc/openvpn/up.sh tap0 1500 1574 192.168.178.201 255.255.255.0 init
Nov 18 19:26:11 moprheus openvpn[21320]: /sbin/route add -net 172.20.231.169 netmask 255.255.255.255 gw 172.20.231.254
Nov 18 19:26:11 moprheus openvpn[21320]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 192.168.178.254
Nov 18 19:26:11 moprheus openvpn[21320]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 192.168.178.254
Nov 18 19:26:11 moprheus openvpn[21320]: Initialization Sequence Completed
Nov 18 19:26:27 moprheus chronyd[17809]: Selected source 85.214.230.247
```

/etc/openvpn/up.sh on the client is Gentoo's standard script.

The routes on the client look odd to me.

Unfortunately I don't know why OpenVPN sets them that way.

Does anyone have an idea where my mistake might be?

Thanks a lot for your help!

ITFriend

Last edited by ITFriend on Fri Nov 19, 2010 6:15 pm; edited 1 time in total
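The client routes the poster finds odd are exactly what the pushed `redirect-gateway def1` produces, as the three `/sbin/route add` lines in the client log show. As an added example (not code from the post or from OpenVPN), the following Python rebuilds morpheus's routing table from the `netstat -r` output above and performs a longest-prefix lookup, showing why the two /1 routes win over the untouched 0.0.0.0/0 default and why the VPN server stays reachable over eth0; the interface names passed to `def1_routes` are assumptions, since the log lines do not name them.

```python
import ipaddress

# Routing table of morpheus after the PUSH_REPLY, copied from the post's
# `netstat -r` output.  netstat truncated the first destination to a host
# name; the log line `route add -net 172.20.231.169 netmask 255.255.255.255
# gw 172.20.231.254` shows it is the host route to the VPN server.
# Entry: (destination, gateway or None when on-link, interface)
ROUTES = [
    ("172.20.231.169/32", "172.20.231.254", "eth0"),  # VPN server, via LAN gateway
    ("192.168.178.0/24", None, "tap0"),               # bridged home LAN
    ("172.20.228.0/22", None, "eth0"),                # the insecure local net
    ("129.13.0.0/16", "172.20.231.254", "eth0"),
    ("141.3.0.0/16", "172.20.231.254", "eth0"),
    ("172.16.0.0/12", "172.20.231.254", "eth0"),
    ("127.0.0.0/8", None, "lo"),
    ("0.0.0.0/1", "192.168.178.254", "tap0"),         # def1: lower half of IPv4
    ("128.0.0.0/1", "192.168.178.254", "tap0"),       # def1: upper half of IPv4
    ("0.0.0.0/0", "172.20.231.254", "eth0"),          # original default, untouched
]


def lookup(dst, routes=ROUTES):
    """Return (destination, gateway, iface) of the most specific matching route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, gw, iface in routes:
        net = ipaddress.ip_network(dest)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return (str(best[0]), best[1], best[2])


def def1_routes(server, old_gateway, old_iface, vpn_gateway, vpn_iface):
    """The three routes OpenVPN adds for `redirect-gateway def1`: a host route
    that keeps the VPN server reachable over the original gateway, and two /1
    routes that together cover all of IPv4 but beat the 0.0.0.0/0 default on
    prefix length, so the old default never has to be deleted.  Interface
    names are parameters because the log lines do not show them (assumed)."""
    return [
        (f"{server}/32", old_gateway, old_iface),
        ("0.0.0.0/1", vpn_gateway, vpn_iface),
        ("128.0.0.0/1", vpn_gateway, vpn_iface),
    ]


if __name__ == "__main__":
    for dst in ("8.8.8.8", "200.1.2.3", "141.3.1.1", "172.20.231.169", "192.168.178.254"):
        print(dst, "->", lookup(dst))
```

Note that the /16 and /12 routes for the campus networks are more specific than the /1 routes, so that traffic still bypasses the tunnel over eth0 even with `redirect-gateway` active.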

----------

## ITFriend

An `ifconfig tap0 up` did the trick...

----------

