Server-side or OpenVPN Android app issue? Result: no bridging

Official client software for OpenVPN Access Server and OpenVPN Cloud.
mixpc
OpenVpn Newbie
Posts: 3
Joined: Wed Oct 19, 2016 10:39 am

Server-side or OpenVPN Android app issue? Result: no bridging

Post by mixpc » Wed Oct 19, 2016 10:55 am

Hello,

My OpenVPN (installed via PiVPN) on a Raspbian (2016-09-23-raspbian-jessie, kernel 4.4) works perfectly. Now, I tried to use bridging mode as I need to access files in my home network (the OpenVPN FAQ is clear that my need requires bridging). Plus, I have extensively read threads and websites regarding this issue before posting this message. So I followed the steps in:
https://openvpn.net/index.php/open-sour ... dging.html
Firstly, as I mentioned, I used PiVPN to create my OpenVPN. So I did not have to follow the HOWTO from the link but actually began in the "Bridge Server on Linux" section:

local gateway 192.168.100.1
local server 192.168.100.100
pool from 192.168.100.110 to 192.168.100.120

So I created bridge-start.sh
cat bridge-start.sh

#!/bin/bash

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.100.100"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.100.255"

for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

cat /etc/openvpn/server.conf

# dev tun
dev tap0
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/pivpnserver.crt
key /etc/openvpn/easy-rsa/keys/pivpnserver.key
dh /etc/openvpn/easy-rsa/keys/dh4096.pem
# server 10.8.0.0 255.255.255.0
server-bridge 192.168.100.100 255.255.255.0 192.168.100.110 192.168.100.120
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.100.100 255.255.255.0"
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
#crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1

Run the commands as instructed:

sudo iptables -A INPUT -i tap0 -j ACCEPT
sudo iptables -A INPUT -i br0 -j ACCEPT
sudo iptables -A FORWARD -i br0 -j ACCEPT

The instructions in the OpenVPN Ethernet bridging guide are:

run bridge-start, which I did with sudo bash bridge-start.sh
run openvpn, but why? openvpn is running from boot time... so I did nothing here

So after running the script, it created the br0 interface. From my Android mobile (already properly set up to access my home OpenVPN network, to which I would connect regularly with no problem, 100% success) this time I followed the same process: opening the official OpenVPN app, tapping Connect, and done, the connection is established (green icon). However, a few seconds later an error message is displayed on my mobile reporting that the current WiFi connection (from a different WiFi network, obviously, say cafe internet) is established but leads to no internet traffic, so there is a connection with my OpenVPN but no traffic flows.

I ran the following commands:

ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b8:27:eb:86:81:21 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.100/24 brd 192.168.100.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::723e:2840:ab2f:22da/64 scope link
       valid_lft forever preferred_lft forever
3: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/ether 92:97:54:61:b5:52 brd ff:ff:ff:ff:ff:ff
    inet 10.8.0.1/4 brd 255.255.255.253 scope global tap0
       valid_lft forever preferred_lft forever
    inet6 fe80::9097:54ff:fe61:b552/64 scope link
       valid_lft forever preferred_lft forever

ip route

default via 192.168.100.1 dev eth0  metric 202
192.168.100.0/24 dev eth0  proto kernel  scope link  src 192.168.100.100  metric 202

So I ran sudo bash bridge-start.sh and got the error:

Wed Oct 19 12:04:32 2016 ERROR: Cannot ioctl TUNSETIFF tap0: Device or resource busy (errno=16)
Wed Oct 19 12:04:32 2016 Exiting due to fatal error

Now, I ran the two commands again and some differences showed:

ip addr - eth0 and tap0 show less output, and br0 shows a duplicate line

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether b8:27:eb:86:81:21 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::723e:2840:ab2f:22da/64 scope link
       valid_lft forever preferred_lft forever
3: tap0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 100
    link/ether 92:97:54:61:b5:52 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::9097:54ff:fe61:b552/64 scope link
       valid_lft forever preferred_lft forever
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 92:97:54:61:b5:52 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.100/24 brd 192.168.100.255 scope global br0
    inet 192.168.100.100/24 brd 192.168.100.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::9097:54ff:fe61:b552/64 scope link
       valid_lft forever preferred_lft forever

ip route - the first line with default... is gone

192.168.100.0/24 dev br0  proto kernel  scope link  src 192.168.100.100

I followed the advice from
https://ubuntuforums.org/showthread.php?t=1331580
which seems to have been successful in fixing the issue, and ran:

sudo ifconfig br0 up
sudo ifconfig tap0 up
sudo route add default gw 192.168.100.1

The three commands show no error messages.

Now, in order to compare, I ran ip addr again - the only difference seems to be that the duplicate line in br0 is gone

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether b8:27:eb:86:81:21 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::723e:2840:ab2f:22da/64 scope link
       valid_lft forever preferred_lft forever
3: tap0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 100
    link/ether 92:97:54:61:b5:52 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::9097:54ff:fe61:b552/64 scope link
       valid_lft forever preferred_lft forever
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 92:97:54:61:b5:52 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.100/24 brd 192.168.100.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::9097:54ff:fe61:b552/64 scope link
       valid_lft forever preferred_lft forever

And ip route - the default line is now shown again

default via 192.168.100.1 dev br0
192.168.100.0/24 dev br0  proto kernel  scope link  src 192.168.100.100

I tried connecting again from my Android mobile, since now the bridging should work correctly, and the OpenVPN app on Android reports:

Tun interface setup failed: tun_prop_error: ifconfig addresses are not in the same /30 subnet (topology net30)

At this point I kindly ask for your support and advice as I don't really know how to move on. Is it because the mobiledevice.ovpn file reads in the first lines:

client
dev tun
proto udp

and dev tun has previously been replaced by dev tap0 in /etc/openvpn/server.conf? If that were the case, and in order to test, I have made a copy of mobiledevice.ovpn named mobiledevicetap0.ovpn and edited the 2nd line to:

client
dev tap0
proto udp

I imported the new mobiledevicetap0.ovpn into the OpenVPN Android app, and just after importing it the following message is displayed:

TAP-based tunnels are not supported: OSI layer 2 tunnels are not currently supported
Problem creating TAP tunnel
Sorry, but the Android VPN API doesn't currently support TAP-based tunnels

So I don't know if my dev tap0 edit in mobiledevicetap0.ovpn and import is a wrong thing to do? Whether the problem is only with the Android OpenVPN app and a different app might work? Whether there is a problem with my config files in Raspbian?

I appreciate your reading time. Any tip or advice will be welcome! :)
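
The two client errors in the post above (the "not in the same /30 subnet (topology net30)" message with dev tun, and the TAP refusal from the Android app) can be caught before a profile is ever imported. The following is an added example, not code from the thread or from OpenVPN: a small linter that compares a server.conf with a client .ovpn and flags a tun/tap mismatch, an `ifconfig` line sitting next to `server-bridge` (which is why tap0 above carries its own 10.8.0.1 address), a pushed route whose address has host bits set, and a TAP profile destined for Android. The embedded configs are constructed and trimmed to the directives the checks look at, and the finding codes (DEV-MISMATCH and so on) are labels invented for this example.

```python
import ipaddress
import shlex

# Constructed sample configs, trimmed to the directives the checks look at;
# they mirror the shapes posted in the thread but are not the poster's files.
SERVER_CONF = """\
# dev tun
dev tap0
proto udp
port 1194
server-bridge 192.168.100.100 255.255.255.0 192.168.100.110 192.168.100.120
ifconfig 10.8.0.1 10.8.0.2
push "route 192.168.100.100 255.255.255.0"
push "redirect-gateway def1"
"""

CLIENT_OVPN = """\
client
dev tun
proto udp
"""


def parse(text):
    """Split an OpenVPN config into (directive, args) pairs. Comment lines
    (# or ;) and blanks are dropped; quoted push arguments stay whole."""
    opts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            opts.append((parts[0], parts[1:]))
    return opts


def args_of(opts, directive):
    """All argument lists given for one directive (a directive may repeat)."""
    return [a for d, a in opts if d == directive]


def dev_type(opts):
    """Resolve the tunnel type: an explicit dev-type wins, otherwise the
    prefix of the dev name (tap0 -> tap, tun -> tun)."""
    explicit = args_of(opts, "dev-type")
    if explicit:
        return explicit[0][0]
    dev = args_of(opts, "dev")
    if not dev:
        return None
    name = dev[0][0]
    return "tap" if name.startswith("tap") else "tun" if name.startswith("tun") else name


def lint(server_text, client_text, client_platform=None):
    """Return findings as 'CODE: explanation' strings (empty list = clean).
    The CODE labels are invented for this example."""
    server, client = parse(server_text), parse(client_text)
    findings = []
    s_type, c_type = dev_type(server), dev_type(client)

    if s_type and c_type and s_type != c_type:
        findings.append(
            f"DEV-MISMATCH: server is {s_type}, client is {c_type}; a tap server "
            "pushes 'ifconfig <addr> <netmask>', which a tun client reads as two "
            "/30 endpoints and rejects (topology net30)")

    if args_of(server, "server-bridge") and args_of(server, "ifconfig"):
        findings.append(
            "BRIDGE-IFCONFIG: ifconfig alongside server-bridge gives the tap "
            "device its own address; in bridged mode the address belongs on br0")

    for push in args_of(server, "push"):
        words = push[0].split()
        if len(words) == 3 and words[0] == "route":
            addr, mask = words[1], words[2]
            network = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            if str(network.network_address) != addr:
                findings.append(
                    f"ROUTE-HOSTBITS: push route {addr} {mask} has host bits set; "
                    f"the network is {network.network_address}")

    if client_platform == "android" and c_type == "tap":
        findings.append(
            "ANDROID-TAP: the Android VPN API does not support TAP (layer 2) "
            "tunnels, so this profile cannot connect from the Android app")

    return findings


if __name__ == "__main__":
    for finding in lint(SERVER_CONF, CLIENT_OVPN):
        print(finding)
    tap_client = CLIENT_OVPN.replace("dev tun", "dev tap0")
    for finding in lint(SERVER_CONF, tap_client, client_platform="android"):
        print(finding)
```

Run as-is it reports the three server-side findings for the tun profile; switching the client to dev tap0 removes the mismatch but adds the Android finding, which is exactly the dead end the thread reaches.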

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Server-side or OpenVPN Android app issue? Result: no bridging

Post by TinCanTech » Wed Oct 19, 2016 1:04 pm

mixpc wrote: TAP-based tunnels are not supported: OSI layer 2 tunnels are not currently supported
Problem creating TAP tunnel
Sorry, but the Android VPN API doesn't currently support TAP-based tunnels
Looks like you cannot do this ..

Go back to a normal Layer-3 Tunnel (--dev tun) server and client and then connect to your SMB share via its IP address. Network browser is not supported in this mode.

mixpc
OpenVpn Newbie
Posts: 3
Joined: Wed Oct 19, 2016 10:39 am

Re: Server-side or OpenVPN Android app issue? Result: no bridging

Post by mixpc » Wed Oct 19, 2016 1:28 pm

@TinCanTech Thank you for your feedback. Could you please be a bit more specific? I'm a Linux newbie after all...
How do I
Go back to a normal Layer-3 Tunnel (--dev tun) server
?
Is it just editing /etc/openvpn/server.conf and changing

# dev tun
dev tap0

into

dev tun
# dev tap0

and client
Is it just editing mobiledevice.ovpn

client
dev tap0
proto udp

into

client
dev tun
proto udp

?

One last question. I assume that means bringing OpenVPN back to routing mode. Then, "connect to your SMB share via its IP address" implies that from an Android app such as Network Browser, when adding a new server 192.168.100.100, the app would search the Internet cafe WiFi for such a device and not my home network?

Thank you for your time. I appreciate the support!

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Server-side or OpenVPN Android app issue? Result: no bridging

Post by TinCanTech » Wed Oct 19, 2016 4:29 pm

Either mode will suffer the same if there is a network conflict. Choose an uncommon RFC1918 subnet.

Please see:
https://openvpn.net/index.php/open-sour ... howto.html

mixpc
OpenVpn Newbie
Posts: 3
Joined: Wed Oct 19, 2016 10:39 am

Re: Server-side or OpenVPN Android app issue? Result: no bridging

Post by mixpc » Wed Oct 19, 2016 10:47 pm

Ok, so I am back in OpenVPN routing mode, just the way I used to have it, and it works perfectly. Now, I try again to get access to samba shares.

Before posting this message I have read RFC1918, the HOWTO, and also about subnetworks at
https://www.iplocation.net/subnet-mask
https://en.wikipedia.org/wiki/Subnetwork
and RFC1519 regarding CIDR

The reason why I chose my private gateway address 192.168.100.100 (netmask 255.255.255.0) is because I think it is uncommon versus typical ones, e.g. 192.168.0.1 or 192.168.1.1, and so avoids, as you comment, a network conflict.
192.168.100.100 is set within the address ranges for private networks.

Now, when I connect with my Windows 10 laptop (apart from the Android mobile) to my home OpenVPN in routing mode, it works perfectly.
The Internet cafe WiFi assigns me 10.162.7.18 (netmask 255.255.254.0) and the OpenVPN icon displays a popup showing me it has assigned my laptop 10.8.0.10.
/etc/openvpn/server.conf includes a line...

server 10.8.0.0 255.255.255.0

so the address I have been assigned, 10.8.0.10, makes perfect sense. And there should be no network conflict.

So if 10.162.7.18 (Internet cafe address) and 10.8.0.10 (address assigned by OpenVPN) are in different networks, shouldn't my home router do network translation and my laptop display my home samba shares? I just wish I am not missing the point, but I kindly appreciate your support. It's all about learning, after all.

Thank you in advance!
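
TinCanTech's point that either mode suffers from a network conflict is a routing question, and it can be checked on paper with the addresses quoted in the post above. The following is an added example, not code from the thread or from OpenVPN: it models the laptop's route table as the cafe link (10.162.7.18/255.255.254.0) plus what the server pushes (the 10.8.0.0/24 tunnel, the 192.168.100.0/24 home LAN, and the two /1 routes from redirect-gateway def1), resolves a destination by longest-prefix match the way the client's kernel does, and reports overlapping subnets. The `COMMON_DEFAULTS` list is an assumption, a short illustrative set of subnets that consumer routers often ship with, not an authoritative catalogue; the interface names wlan0 and tun0 are likewise placeholders.

```python
import ipaddress

# Constructed client-side picture built from the addresses in the thread:
# the cafe WiFi hands the laptop 10.162.7.18 with netmask 255.255.254.0,
# 'server 10.8.0.0 255.255.255.0' gives the tunnel 10.8.0.0/24, the home LAN
# is 192.168.100.0/24, and 'redirect-gateway def1' adds 0.0.0.0/1 and
# 128.0.0.0/1 over the tunnel.
CAFE_WIFI = "10.162.7.18/255.255.254.0"
VPN_SUBNET = "10.8.0.0/24"
HOME_LAN = "192.168.100.0/24"

# Assumption: a short illustrative list of subnets that consumer routers
# commonly ship with; it is not an authoritative catalogue.
COMMON_DEFAULTS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
    "10.0.0.0/24", "10.0.1.0/24", "172.16.0.0/24")]


def net(text):
    """Accept 'addr/prefix' or 'addr/netmask' and return the containing network."""
    return ipaddress.ip_network(text, strict=False)


def client_routes(local_net, vpn_net, home_lan, redirect_gateway=True):
    """Model the client's route table as (network, interface) pairs: the
    local link first, then what the server pushes. wlan0/tun0 are placeholders."""
    routes = [(net(local_net), "wlan0"), (net(vpn_net), "tun0"), (net(home_lan), "tun0")]
    if redirect_gateway:
        routes += [(net("0.0.0.0/1"), "tun0"), (net("128.0.0.0/1"), "tun0")]
    return routes


def route_for(dest, routes):
    """Longest-prefix match, as the client's kernel decides it. A tie between
    two equally specific routes is resolved here in favour of the one listed
    first (the local link); a real kernel would consult metrics, so a tie is
    itself the conflict to avoid."""
    addr = ipaddress.ip_address(dest)
    best = None
    for network, dev in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, dev)
    return None if best is None else best[1]


def overlaps(nets):
    """Every pair of overlapping networks among nets; any pair is a conflict
    that leaves some addresses reachable on only one side."""
    objs = [net(n) for n in nets]
    return [(str(a), str(b)) for i, a in enumerate(objs)
            for b in objs[i + 1:] if a.overlaps(b)]


def is_uncommon_private(network):
    """True when the subnet is RFC1918 space and not one of the usual defaults."""
    n = net(network)
    return n.is_private and not any(n.overlaps(c) for c in COMMON_DEFAULTS)


if __name__ == "__main__":
    routes = client_routes(CAFE_WIFI, VPN_SUBNET, HOME_LAN)
    print("home share 192.168.100.100 goes via", route_for("192.168.100.100", routes))
    print("overlaps:", overlaps([CAFE_WIFI, VPN_SUBNET, HOME_LAN]))
    # The same laptop on a cafe network that happens to use 192.168.100.0/24:
    clash = client_routes("192.168.100.55/24", VPN_SUBNET, HOME_LAN)
    print("with a clash the share goes via", route_for("192.168.100.100", clash))
    print("overlaps:", overlaps(["192.168.100.55/24", VPN_SUBNET, HOME_LAN]))
```

With the thread's addresses the three subnets do not overlap and 192.168.100.100 resolves over the tunnel, so the share should be reachable by IP as TinCanTech says; the second scenario shows what a clash looks like, where the same destination is captured by the local link and the pushed route never gets a chance.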

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Server-side or OpenVPN Android app issue? Result: no bridging

Post by TinCanTech » Wed Oct 19, 2016 10:55 pm

TinCanTech wrote: Network browser is not supported in this mode.
Connect to your server by: \\IP.address\share_name
