OpenVPN bridge running at the same time as OpenVPN client (for all internet traffic) doesn't work

RobMeades
OpenVpn Newbie
Posts: 17
Joined: Tue Dec 20, 2016 12:45 pm

OpenVPN bridge running at the same time as OpenVPN client (for all internet traffic) doesn't work

Post by RobMeades » Mon Jan 09, 2017 12:23 am

I am running two instances of OpenVPN (v2.3.11) on a Shibby Tomato router, one as an OpenVPN client (connected to Private Internet Access, down which all of my internet traffic is routed) and one as an OpenVPN bridge server to another LAN. My problem is that the OpenVPN bridge stops working as soon as the OpenVPN client starts. The logical configuration looks like this, where the router we're concerned with is Router A:

Code:

       LAN         Shibby Tomato Router A                  Router B               Bridged LAN
                 ___________________________        _____________________            
                |                           |      |                     |
                |   OpenVPN Bridge Server   |      |    OpenVPN Client   |       10.10.0.0/24
                |         10.8.0.1          |------|       10.8.0.2      |
                |          tun21            |      |_____________________|
                |                           | 
                |                           |
                |                           |                                Private Internet Access       The Internet
                |                           |                             _____________________________                  
                |       OpenVPN Client      |                            |                             |
  10.10.1.0/24  |         10.5.10.6         |--------------------------- | 10.5.10.5 -- 46.166.288.241 |         *
                |           tun11           |                            |_____________________________|
                |                           |
                |                           |
                |                           |                                          ISP                 The Internet
                |                           |                             ______________________________                
                |                           |                            |                              |
                |           vlan2           |--------------------------- |         82.24.196.1          |        *
                |                           |                            |______________________________|
                |                           |
                |___________________________|

The routing table in the non-working case on Router A is this:

Code:

10.50.10.1 via 10.50.10.5 dev tun11
10.50.10.5 dev tun11  proto kernel  scope link  src 10.50.10.6
10.8.0.2 dev tun21  proto kernel  scope link  src 10.8.0.1
82.24.196.1 dev vlan2  scope link
46.166.188.241 via 82.24.196.1 dev vlan2
10.10.0.0/24 via 10.8.0.2 dev tun21
10.10.1.0/24 dev br0  proto kernel  scope link  src 10.10.1.1
82.24.196.0/22 dev vlan2  proto kernel  scope link  src 82.24.197.229
127.0.0.0/8 dev lo  scope link
0.0.0.0/1 via 10.50.10.5 dev tun11
128.0.0.0/1 via 10.50.10.5 dev tun11
default via 82.24.196.1 dev vlan2

The routing table in the working case (i.e. when the OpenVPN client is inactive) on Router A is this:

Code:

10.8.0.2 dev tun21  proto kernel  scope link  src 10.8.0.1
82.24.196.1 dev vlan2  scope link
10.10.0.0/24 via 10.8.0.2 dev tun21
10.10.1.0/24 dev br0  proto kernel  scope link  src 10.10.1.1
82.24.196.0/22 dev vlan2  proto kernel  scope link  src 82.24.197.229
127.0.0.0/8 dev lo  scope link
default via 82.24.196.1 dev vlan2

You can see that in both cases the route to my OpenVPN bridge (10.8.0.1/10.8.0.2) and the route between the two LANs (10.10.1.0/24 and 10.10.0.0/24) are present and the two new routes that are introduced by the OpenVPN client through redirect-gateway (0.0.0.0/1 and 128.0.0.0/1) are less specific and so should have no impact on the routing of my OpenVPN bridge.

I've verified that, in the non-working case, an attempt to ping 10.8.0.2 from 10.8.0.1 on Router A [i.e. ping -I 10.8.0.1 10.8.0.2] does not increment the number of bytes received on the client at Router B, so I'm pretty sure this is a routing issue on Router A.

I have set the OpenVPN bridge server on Router A up to listen only on the vlan2 address so that it is unaffected by the OpenVPN client going up and down, and the OpenVPN client on Router B is connecting to Router A using Router A's vlan2 address.

It is very repeatable: OpenVPN client up on Router A, bridge to Router B doesn't respond, OpenVPN client down on Router A, bridge to Router B works perfectly (i.e. I can ping from 10.10.1.x to 10.10.0.x).

Can anyone suggest why my OpenVPN bridge is not working, or what I might do to debug why it is not working?

RobMeades
OpenVpn Newbie
Posts: 17
Joined: Tue Dec 20, 2016 12:45 pm

Re: OpenVPN bridge running at the same time as OpenVPN client (for all internet traffic) doesn't work

Post by RobMeades » Mon Jan 09, 2017 8:54 pm

[This reply deleted, it didn't make any sense, sorry, I don't know how to delete a reply]

RobMeades
OpenVpn Newbie
Posts: 17
Joined: Tue Dec 20, 2016 12:45 pm

Re: OpenVPN bridge running at the same time as OpenVPN client (for all internet traffic) doesn't work

Post by RobMeades » Tue Jan 10, 2017 8:14 am

A thought: Router B sets up the OpenVPN bridge to the vlan2 IP address (82.24.196.1) of Router A. When the OpenVPN client connection to PIA on Router A is active, all internet traffic from Router A will go out via the PIA IP address (46.166.288.241). So when, from Router A, I ping 10.10.0.1, the OpenVPN bridge server will grab it, wrap it up in OpenVPN goodness, and drop it back into the kernel of Router A for routing to the outside world. This will now be sent out through 46.166.288.241. What does the OpenVPN bridge client on Router B do when it receives this packet? Will it handle it or will it throw it away because it knows that it set up the OpenVPN bridge to 82.24.196.1 and not 46.166.288.241?

If it throws it away, is there a way I can make the OpenVPN bridge server on Router A send its stuff out the vlan2 IP address instead? I don't really want the packet going through two VPNs. If not, is there a way to make the OpenVPN bridge client on Router B process packets from other IP addresses?
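
Added example, not part of any poster's message: a longest-prefix-match lookup over the non-working routing table from the first post, showing which device the inner tunnel addresses and the outer (encrypted) packets to Router B would select. Assumptions: Router B's public address is not given in the thread, so the documentation address 203.0.113.10 stands in for it, and only the main table is modelled (no policy routing rules or socket binding).

```python
import ipaddress

# Router A main table in the non-working case, copied from the first post
# as (prefix, device) pairs; host routes are written as /32.
ROUTES = [
    ("10.50.10.1/32", "tun11"),
    ("10.50.10.5/32", "tun11"),
    ("10.8.0.2/32", "tun21"),
    ("82.24.196.1/32", "vlan2"),
    ("46.166.188.241/32", "vlan2"),
    ("10.10.0.0/24", "tun21"),
    ("10.10.1.0/24", "br0"),
    ("82.24.196.0/22", "vlan2"),
    ("127.0.0.0/8", "lo"),
    ("0.0.0.0/1", "tun11"),
    ("128.0.0.0/1", "tun11"),
    ("0.0.0.0/0", "vlan2"),
]

# Assumption: placeholder for Router B's public address (TEST-NET-3).
ROUTER_B_PUBLIC = "203.0.113.10"

def lookup(dst, routes=ROUTES):
    """Return (prefix, device) of the longest-prefix match for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return str(best[0]), best[1]

def without_redirect(routes=ROUTES):
    """Same table with only the two redirect-gateway /1 routes removed."""
    return [r for r in routes if not r[0].endswith("/1")]

if __name__ == "__main__":
    for label, dst in [("tunnel peer (inner)", "10.8.0.2"),
                       ("bridged LAN host (inner)", "10.10.0.1"),
                       ("PIA server (outer)", "46.166.188.241"),
                       ("Router B public (outer)", ROUTER_B_PUBLIC)]:
        print(f"{label:26} {dst:16} -> {lookup(dst)}")
    print("Router B public, client down ->",
          lookup(ROUTER_B_PUBLIC, without_redirect()))
```

On the router itself, `ip route get <address>` reports the kernel's actual choice, including any policy rules this model leaves out.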

khofm
OpenVpn Newbie
Posts: 3
Joined: Tue Mar 21, 2017 3:27 pm

Re: OpenVPN bridge running at the same time as OpenVPN client (for all internet traffic) doesn't work

Post by khofm » Tue Mar 21, 2017 3:37 pm

I am having the same issue. Were you able to solve it?
