# OpenVPN and Bridge problem again [Solved]

## egilbaum

Hello!

I have some strange problem, I think, with bridge networking and OpenVPN (2.1_rc7).

I have a client (a laptop outside the LAN - Client), an OpenVPN server (Server) and another Gentoo host on the OpenVPN server's LAN (Host). I configured a bridge interface that includes eth and tap on the Server, and the Client gets a LAN address. I can ping from the Server to the Client and the Host and back.

The problem begins when I try to ping from the Client to the Host and back: when I ping from the Client to the Host, tcpdump shows an ARP request (who-is) going from the Client via the Server to the Host, and the Host replies. Here it dies. The Server does not receive the ARP replies from the Host.

When I ping from the Host to the Client, the Host issues an ARP request, the Server replies with the Client's tap adapter's MAC address, and the Host gets it and goes on to send the ICMP echo. Then on the Server I see

```
...rarp who-is 00:0f:29:f7:78:e7 (oui Unknown) tell 00:0f:29:f7:78:e7 (oui Unknown) 
```

 - The MAC address here is the MAC address of the Host.

The bottom line - I have no connection between the Client and the LAN. Please help!

As far as I understand, the problem is on the Server - so here are the Server configs:

local.conf for openvpn:

```
port 443
dev tap0
proto tcp-server
mode server
tls-server
cd /etc/openvpn/mng01
ca ../keys/ca.crt
cert ../keys/vpn.gibuim.com.crt
key ../keys/vpn.gibuim.com.key
dh ../keys/dh2048.pem
tls-auth mng01-ta.key 0
server-bridge 172.16.22.251 255.255.255.0 172.16.22.1 172.16.22.1
client-to-client
status openvpn-status.log
keepalive 10 30
persist-tun
persist-key
duplicate-cn
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
comp-lzo
verb 3
```

/etc/conf.d/net and some additional commands by hand:

```
config_eth4=( "100.100.100.100/28" )
routes_eth4=( "default via 100.100.100.97" )
config_eth5=( "null" )
bridge_br0=( "eth5" )
config_br0=( "172.16.22.251/24" )
```

```
echo 1 > /proc/sys/net/ipv4/ip_forward
openvpn --mktun --dev tap0
/sbin/ip link set tap0 up
brctl addif br0 tap0
```

routing table:

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
100.100.100.96.st *               255.255.255.240 U     0      0        0 eth4
172.16.22.0     *               255.255.255.0   U     0      0        0 br0
loopback        *               255.0.0.0       U     0      0        0 lo
default         100.100.100.97.st 0.0.0.0         UG    0      0        0 eth4
```

brctl show:

```
bridge name     bridge id               STP enabled     interfaces
br0             8000.000c29a6f373       no              eth5
                                                        tap0
```

ip link:

```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0f:29:a2:c3:69 brd ff:ff:ff:ff:ff:ff
3: eth5: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0f:29:a2:c3:73 brd ff:ff:ff:ff:ff:ff
4: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
5: eql: <MASTER> mtu 576 qdisc noop qlen 5
    link/slip
6: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
    link/ether 00:0c:29:a6:f3:73 brd ff:ff:ff:ff:ff:ff
7: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:ff:d7:87:4f:31 brd ff:ff:ff:ff:ff:ff
```

Last edited by egilbaum on Tue May 06, 2008 1:18 pm; edited 1 time in total

----------

## Telamon

Can the client ping the 172.16.22.251 address of the server? It might be some sort of firewall problem. Also, try removing the client-to-client line in the server's config file, restart openvpn on the server, and reconnect the client. I don't know what it does, but I do know I don't use it on my working bridge vpn setup.

----------

## egilbaum

Yes, I can ping from the client to 172.16.22.251 and back, and I can also see packets from the client on a PC on the LAN (172.16.22.25). But the server (bridge adapter address 172.16.22.251) ignores replies from the LAN to the client. Client-to-client does not matter (same behavior with and without). It's like some routing problem that I cannot catch, I think. The VPN server just ignores packets addressed to the client from any place on the LAN (except the server itself), but transfers packets from the client to the LAN (also broadcasts).

----------

## egilbaum

Solved! There were security settings on the switch. It was rejecting promiscuous mode.

----------
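An added example, not code from the thread or from OpenVPN: a small POSIX shell script that checks the host-side conditions a tap bridge like the one above needs (both ports enslaved to br0, the LAN NIC in promiscuous mode) by parsing `brctl show` and `ip link` output. The samples embedded in it are constructed from the listings in the first post, so it runs offline; the interface names br0, eth5 and tap0 are taken from the thread and are assumptions for any other host. The script cannot see the switch, where the actual fix was, but it makes the reason visible: frames forwarded from VPN clients leave eth5 with the clients' own source MAC addresses, so the switch port behind eth5 has to accept more than the one address it would see from a plain host. Note also that `ip_forward` plays no part in a layer-2 bridge; the checks below are all about link-layer state.

```shell
#!/bin/sh
# Added example (not from the thread): offline sanity checks for an OpenVPN tap
# bridge. The functions read `ip link` / `brctl show` text from stdin, so they
# run against captured output as well as live output.
# Assumed names: bridge br0, LAN NIC eth5, OpenVPN tap0.

# Constructed sample of `ip link` output (trimmed to the relevant interfaces).
SAMPLE_IP_LINK='3: eth5: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0f:29:a2:c3:73 brd ff:ff:ff:ff:ff:ff
6: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
    link/ether 00:0c:29:a6:f3:73 brd ff:ff:ff:ff:ff:ff
7: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:ff:d7:87:4f:31 brd ff:ff:ff:ff:ff:ff'

# Constructed sample of `brctl show` output.
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br0             8000.000c29a6f373       no              eth5
                                                        tap0'

# iface_promisc IFACE: succeed if IFACE carries the PROMISC flag in the
# `ip link` output on stdin. A bridge port must be promiscuous, otherwise the
# NIC discards frames addressed to the MACs of the other bridge members
# (the VPN clients), which is exactly the "replies never arrive" symptom.
iface_promisc() {
    grep -E "^[0-9]+: $1: <" | grep -q '[<,]PROMISC[,>]'
}

# iface_mac IFACE: print the link-layer address of IFACE from `ip link` output.
iface_mac() {
    awk -v want="$1:" '$2 == want { grab = 1; next }
                       grab && $1 == "link/ether" { print $2; exit }'
}

# bridge_has_members BRIDGE IFACE...: succeed if the `brctl show` output on
# stdin lists every IFACE under BRIDGE. brctl prints the first port on the
# bridge's own line and any further ports on indented continuation lines.
bridge_has_members() {
    br="$1"; shift
    members=$(awk -v br="$br" '
        $1 == br              { inblk = 1; if (NF >= 4) print $4; next }
        inblk && /^[ \t]/     { print $NF; next }
                              { inblk = 0 }')
    for want in "$@"; do
        printf '%s\n' "$members" | grep -qx "$want" || return 1
    done
    return 0
}

# check_bridge BRIDGE LAN_IFACE TAP_IFACE: run the checks against the samples
# and report. On a live host replace the samples with `brctl show` and
# `ip link show` output.
check_bridge() {
    br="$1"; lan="$2"; tap="$3"; rc=0
    printf '%s\n' "$SAMPLE_BRCTL" | bridge_has_members "$br" "$lan" "$tap" \
        || { echo "FAIL: $br does not enslave both $lan and $tap"; rc=1; }
    printf '%s\n' "$SAMPLE_IP_LINK" | iface_promisc "$lan" \
        || { echo "FAIL: $lan is not in promiscuous mode"; rc=1; }
    lan_mac=$(printf '%s\n' "$SAMPLE_IP_LINK" | iface_mac "$lan")
    # Bridged client frames leave the LAN NIC with the clients' own source
    # MACs, so the switch port behind it sees more than $lan_mac.
    echo "note: switch port behind $lan ($lan_mac) also carries VPN clients' MACs"
    return $rc
}

# Live usage (assumed interface names):
#   ip link show | iface_promisc eth5 && echo "eth5 is promiscuous"
#   brctl show   | bridge_has_members br0 eth5 tap0 && echo "bridge complete"
```

`iface_promisc` and `bridge_has_members` return success or failure through their exit status, so they compose with `&&`/`||` in a larger health check; `check_bridge` wraps both for the thread's names and prints a diagnostic per failed condition.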

