OpenVPN network bridging fails.

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

ernied
OpenVpn Newbie
Posts: 4
Joined: Tue Apr 18, 2017 8:50 pm

OpenVPN network bridging fails.

Post by ernied » Fri Apr 21, 2017 8:28 pm

Hi everyone.

Our first attempt at making an OpenVPN connection between our satellite office and our main office worked after a fashion: the satellite office could connect and use anything in the main office, except that our VoIP would only work one way, and it seems like the answer to this problem is to bridge the two networks, so that the client network is visible to the server network and vice versa. So I carefully read and followed the documentation at https://openvpn.net/index.php/open-sour ... dging.html. We also rearranged our network so that the main office used the network 192.168.0.1/25 and the satellite office used 192.168.0.128/25.

However, after the VPN connection is completed, the OpenVPN server stops responding completely over the network, and this is what we see in our syslog:


Apr 21 12:11:42 test-PBX ovpn-server[4399]: X.X.X.X:33261 TLS: Initial packet from [AF_INET]X.X.X.X:33261, sid=8a4ed57b f5a77a1a
Apr 21 12:11:44 test-PBX ovpn-server[4399]: X.X.X.X:33261 VERIFY OK: depth=1, C=CA, ST=BC, L=Burnaby, O=ourcompany Inc., CN=office.ourdomain.com, name=ldinfo, emailAddress=ernied@ourdomain.com
Apr 21 12:11:44 test-PBX ovpn-server[4399]: X.X.X.X:33261 VERIFY OK: depth=0, C=CA, ST=BC, L=Burnaby, O=ourcompany Inc., CN=office2, name=ldinfo, emailAddress=ernied@ourdomain.com
Apr 21 12:11:44 test-PBX ovpn-server[4399]: X.X.X.X:33261 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Apr 21 12:11:44 test-PBX ovpn-server[4399]: X.X.X.X:33261 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 21 12:11:44 test-PBX ovpn-server[4399]: X.X.X.X:33261 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Apr 21 12:11:44 test-PBX ovpn-server[4399]: X.X.X.X:33261 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 21 12:11:44 test-PBX ovpn-server[4399]: X.X.X.X:33261 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Apr 21 12:11:44 test-PBX ovpn-server[4399]: X.X.X.X:33261 [office2] Peer Connection Initiated with [AF_INET]X.X.X.X:33261
Apr 21 12:11:44 test-PBX ovpn-server[4399]: office2/X.X.X.X:33261 MULTI_sva: pool returned IPv4=192.168.0.128, IPv6=(Not enabled)
Apr 21 12:11:44 test-PBX ovpn-server[4399]: office2/X.X.X.X:33261 MULTI: Learn: 00:ff:d5:8a:89:58 -> office2/X.X.X.X:33261
Apr 21 12:11:46 test-PBX ovpn-server[4399]: office2/X.X.X.X:33261 PUSH: Received control message: 'PUSH_REQUEST'
Apr 21 12:11:46 test-PBX ovpn-server[4399]: office2/X.X.X.X:33261 send_push_reply(): safe_cap=940
Apr 21 12:11:46 test-PBX ovpn-server[4399]: office2/X.X.X.X:33261 SENT CONTROL [office2]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 206.12.82.130,dhcp-option DNS 8.8.8.8,route-gateway 192.168.0.2,ping 10,ping-restart 120,ifconfig 192.168.0.128 255.255.255.0' (status=1)
Apr 21 12:12:06 test-PBX ovpn-server[4399]: office2/X.X.X.X:33261 MULTI: Learn: 10:bd:18:12:dc:34 -> office2/X.X.X.X:33261
Apr 21 12:16:06 test-PBX ovpn-server[4399]: office2/X.X.X.X:33261 [office2] Inactivity timeout (--ping-restart), restarting
Apr 21 12:16:06 test-PBX ovpn-server[4399]: office2/X.X.X.X:33261 SIGUSR1[soft,ping-restart] received, client-instance restarting
What follows is our OpenVPN configuration:
Server config
local 192.168.0.32
port 1194
proto udp
dev tap0
ca ca.crt
cert ldinfo.crt
key ldinfo.key # This file should be kept secret
dh dh2048.pem
server-bridge 192.168.0.32 255.255.255.0 192.168.0.128 192.168.0.254

ifconfig-pool-persist ipp.txt

push "route 192.168.0.0 255.255.255.0"

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 8.8.8.8"

keepalive 10 120

comp-lzo

user nobody
group nogroup

persist-key
persist-tun

status openvpn-status.log

verb 3

tun-mtu 1500
And the client configuration:
client config
client
dev tap
proto udp
remote office.ourdomain.com 1194
resolv-retry infinite
nobind


# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun

ns-cert-type server
comp-lzo adaptive
Here we have the bridge-start script:


#!/bin/sh

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.0.32"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"

for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
route add default gw 192.168.0.1
If I'm missing anything, let me know and I'll fill in the details.
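Before going to the logs, the address plan in this post is worth checking on its own: the server-bridge line hands out 192.168.0.128 to 192.168.0.254 to connecting clients, while the post also says the satellite office LAN is 192.168.0.128/25. The script below is an added example, not ernied's or OpenVPN's own code; it parses the 4-argument server-bridge form and the pushed directives exactly as posted, takes the two /25 subnets as stated in the post, and reports where the client pool overlaps a site LAN, whether the bridge gateway sits inside the pool, and whether redirect-gateway is pushed. It only describes the plan; it does not claim which of these is the cause of the drop.

```python
import ipaddress

# Constructed from the thread: the relevant server-config lines ernied posted
# and the two /25 subnets described in the post (192.168.0.1/25 is taken as
# written and normalised to its network). Added example, not the poster's or
# OpenVPN's own code.
SERVER_CONFIG = """\
local 192.168.0.32
dev tap0
server-bridge 192.168.0.32 255.255.255.0 192.168.0.128 192.168.0.254
push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
"""

SITE_LANS = {
    "main office": ipaddress.ip_network("192.168.0.1/25", strict=False),
    "satellite office": ipaddress.ip_network("192.168.0.128/25"),
}


def parse_server_bridge(config_text):
    """Return (gateway, netmask, pool_start, pool_end) from the 4-argument
    server-bridge form used in the post."""
    for line in config_text.splitlines():
        parts = line.split()
        if parts[:1] == ["server-bridge"] and len(parts) == 5:
            return (ipaddress.ip_address(parts[1]), parts[2],
                    ipaddress.ip_address(parts[3]), ipaddress.ip_address(parts[4]))
    raise ValueError("no 4-argument server-bridge line found")


def pool_overlap(start, end, lan):
    """Addresses of the pool start..end (inclusive) that also fall inside lan."""
    return [ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)
            if ipaddress.ip_address(i) in lan]


def check_plan(config_text, site_lans):
    """Return a list of human-readable findings about the bridge address plan."""
    gw, mask, start, end = parse_server_bridge(config_text)
    bridge_net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
    findings = []
    if start > end:
        findings.append(f"pool start {start} is after pool end {end}")
    if start not in bridge_net or end not in bridge_net:
        findings.append(f"pool {start}-{end} is not inside bridge network {bridge_net}")
    if start <= gw <= end:
        findings.append(f"bridge gateway {gw} lies inside the client pool")
    for name, lan in site_lans.items():
        hits = pool_overlap(start, end, lan)
        if hits:
            findings.append(f"pool {start}-{end} overlaps the {name} LAN {lan} "
                            f"({len(hits)} addresses, first {hits[0]})")
    if 'push "redirect-gateway' in config_text:
        findings.append("redirect-gateway is pushed: connected clients send their "
                        "default route through the tunnel")
    return findings


if __name__ == "__main__":
    for finding in check_plan(SERVER_CONFIG, SITE_LANS):
        print("-", finding)
```

Run as-is it reports that all 127 pool addresses fall inside the satellite office /25 and that redirect-gateway is pushed; the main office /25 and the gateway address come back clean. Swap in your own config text and subnets to run the same check on another bridge.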

ernied
OpenVpn Newbie
Posts: 4
Joined: Tue Apr 18, 2017 8:50 pm

Re: OpenVPN network bridging fails.

Post by ernied » Fri Apr 21, 2017 8:30 pm

Oh, one last thing!

If anyone knows how to set this up easily in Tomato or even better the ASUS RT-AC87R, I would *love* to hear about it.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN network bridging fails.

Post by TinCanTech » Sat Apr 22, 2017 1:19 am

ernied wrote: Oh, one last thing!
ernied wrote: route add default gw 192.168.0.1
No doubt your logs will explain (--verb 4)
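The verb 3 log already in the thread gives two things a bridged setup is read for: which MAC addresses the server learned behind the client's tap, and how long the client instance was silent before the ping-restart fired. The script below is an added example, not ernied's or OpenVPN's own code; it parses a subset of the syslog lines copied from the first post plus the posted keepalive line. The 240 s it finds between the last learned frame at 12:12:06 and the timeout at 12:16:06 is exactly the server-side ping-restart that keepalive 10 120 sets (in server mode keepalive uses twice its second argument for the server's own ping-restart and pushes ping-restart 120 to clients), so the server saw no traffic from office2 at all after that point. The same parser runs unchanged on a verb 4 log.

```python
import re
from datetime import datetime

# Lines copied verbatim (a subset) from the syslog excerpt in ernied's first
# post, plus the keepalive line from the posted server config. Added example,
# not the poster's or OpenVPN's own code.
LOG = """\
Apr 21 12:11:44 test-PBX ovpn-server[4399]: X.X.X.X:33261 [office2] Peer Connection Initiated with [AF_INET]X.X.X.X:33261
Apr 21 12:11:44 test-PBX ovpn-server[4399]: office2/X.X.X.X:33261 MULTI_sva: pool returned IPv4=192.168.0.128, IPv6=(Not enabled)
Apr 21 12:11:44 test-PBX ovpn-server[4399]: office2/X.X.X.X:33261 MULTI: Learn: 00:ff:d5:8a:89:58 -> office2/X.X.X.X:33261
Apr 21 12:11:46 test-PBX ovpn-server[4399]: office2/X.X.X.X:33261 PUSH: Received control message: 'PUSH_REQUEST'
Apr 21 12:12:06 test-PBX ovpn-server[4399]: office2/X.X.X.X:33261 MULTI: Learn: 10:bd:18:12:dc:34 -> office2/X.X.X.X:33261
Apr 21 12:16:06 test-PBX ovpn-server[4399]: office2/X.X.X.X:33261 [office2] Inactivity timeout (--ping-restart), restarting
Apr 21 12:16:06 test-PBX ovpn-server[4399]: office2/X.X.X.X:33261 SIGUSR1[soft,ping-restart] received, client-instance restarting
"""

SERVER_CONFIG = "keepalive 10 120\n"

# syslog prefix: "Mon DD HH:MM:SS host ovpn-server[pid]: message"
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ovpn-server\[\d+\]: (.*)$")
# bridge MAC learning: "<client>/<peer> MULTI: Learn: <mac> -> ..."
LEARN_RE = re.compile(r"^(\S+)/\S+ MULTI: Learn: ([0-9a-f:]{17}) ->")


def parse_log(log_text):
    """Return [(timestamp, message)] for every ovpn-server syslog line.
    Syslog timestamps carry no year; strptime's default is fine for deltas."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2)))
    return events


def server_ping_restart(config_text):
    """Effective --ping-restart on the server: 'keepalive n m' in server mode
    sets the server's own ping-restart to 2*m; an explicit ping-restart wins."""
    for line in config_text.splitlines():
        p = line.split()
        if p[:1] == ["ping-restart"] and len(p) == 2:
            return int(p[1])
        if p[:1] == ["keepalive"] and len(p) == 3:
            return 2 * int(p[2])
    return None


def learned_macs(events):
    """MAC addresses the bridge learned per client instance, in log order."""
    macs = {}
    for _, msg in events:
        m = LEARN_RE.match(msg)
        if m:
            macs.setdefault(m.group(1), []).append(m.group(2))
    return macs


def silence_before_restart(events):
    """Seconds between the last event preceding the inactivity timeout and the
    timeout itself, or None if no timeout is present."""
    for i, (ts, msg) in enumerate(events):
        if "Inactivity timeout" in msg and i > 0:
            return int((ts - events[i - 1][0]).total_seconds())
    return None


if __name__ == "__main__":
    ev = parse_log(LOG)
    print("learned MACs:", learned_macs(ev))
    print("silence before restart:", silence_before_restart(ev), "s")
    print("server ping-restart from config:", server_ping_restart(SERVER_CONFIG), "s")
```

To use it on a live system, replace LOG with the ovpn-server lines pulled from syslog and SERVER_CONFIG with the real server config; a silence equal to the server's ping-restart says the restart was a keepalive expiry rather than an explicit disconnect.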
