OpenVPN Bridge Routing-Problem

DaS07
OpenVpn Newbie
Posts: 5
Joined: Fri Jun 30, 2017 3:08 pm

OpenVPN Bridge Routing-Problem

Post by DaS07 » Sat Jul 08, 2017 9:46 am

Hello everybody, I have a problem with ping. I think it is a routing problem.

PC (intern)-----------------------------Firewall 1-------------------------Firewall 2----------------------Internet
192.168.30.11----------192.168.30.240|192.168.40.240-------192.168.40.250|10.1.0.131-------Internet

Laptop (extern)----------Internet
10.1.0.21-----------------Internet

Firewall 1:

Code:

-A FORWARD -i eth0 -o eth1 -m state --state NEW -j ACCEPT

-A INPUT -i eth1 -p udp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -p udp --dport 1195 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

COMMIT
*nat
-F
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT

Firewall 2:

Code:

...
-A FORWARD -p udp -m multiport --dport 53,1194,1195 -m state --state NEW -j ACCEPT
...
COMMIT
*nat
-F
-A PREROUTING -i eth1 -p udp --dport 1194 -j DNAT --to-destination 192.168.40.240
-A PREROUTING -i eth1 -p udp --dport 1195 -j DNAT --to-destination 192.168.40.240
-A POSTROUTING -o eth1 -j MASQUERADE
...

Server.conf - Firewall 1:

Code:

# Server Config

;script-security 3

# Server
mode server
;tls-server
;tls-auth /etc/openvpn/certs/ta.key 0

# VPN Port
port 1194

# UDP Server
proto udp

# TAP/TUN Device
dev tap

# Certificate, Key and Pem paths
ca /etc/openvpn/certs/f223CA.chain.crt
cert /etc/openvpn/certs/firma-a.f223.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/dh2048.pem

# Ipp file
ifconfig-pool-persist ipp.txt

# Server Bridge
server-bridge 192.168.30.240 255.255.255.0 192.168.30.100 192.168.30.130

# Connection Client to Client
client-to-client

# Other settings
keepalive 10 120          # keepalive probes
comp-lzo yes              # enable compression
user nobody               # run OpenVPN as user nobody
group nogroup             # run OpenVPN as group nogroup
persist-key
persist-tun
status openvpn-status.log # status file
;log-append openvpn.log
verb 5                    # log verbosity

;cipher AES-256-CBC
;auth SHA1

#push "ping 10"
#push "ping-restart 60"

push "DOMAIN firma-a.f223"
push "dhcp-option DNS 192.168.40.1"
push "route-gateway 192.168.30.240"
push "route 192.168.30.0 255.255.255.0"
push "redirect-gateway bypass-dhcp"

#push "route-gateway 192.168.30.240"
#push "redirect-gateway def1 bypass-dhcp"
#push "route-gateway 192.168.40.250"

Client.conf Laptop:

Code:

dev tap
proto udp

remote 10.1.0.131 1194
client
;tls-client
;tls-auth ta.key 1

keepalive 15 120
verb 3
;script-security 3
resolv-retry infinite

nobind
persist-key
persist-tun
ns-cert-type server

ca f223CA.chain.crt
cert itsec@firma-a.f223.crt
key itsec.key

;cipher AES-256-CBC
;auth SHA1
route-delay 10
comp-lzo yes
key-direction 1
pull

PC:

Code:

Ping from PC to 192.168.30.100 (to Client-IP)
Destination Host Unreachable

route
Ziel          Router          Genmask         Flag  Metric  Ref  Use  Iface
192.168.30.0  *               255.255.255.0   U     0       0    0    eth0

Laptop:

Code:

Ping from Lap to 192.168.30.11 and .240
Destination Host Unreachable

route
Ziel          Router          Genmask         Flag  Metric  Ref  Use  Iface
192.168.30.0  192.168.30.240  255.255.255.0   UG    0       0    0    tap0
192.168.30.0  *               255.255.255.0   U     0       0    0    tap0

Maybe someone can give me some advice. Thanks for your help.

Best regards, Dave
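A static check a reader can run over the posted server.conf and the Firewall 1 INPUT rules before debugging the bridge itself. This is an added example, not code from the thread or from the OpenVPN project; the config and rule text below is a constructed, trimmed copy of the lines posted above, and the check assumes the OpenVPN rule that DHCP settings such as DOMAIN and DNS are only valid when pushed as `dhcp-option`.

```python
import ipaddress
import re

# Constructed input: trimmed copy of the server.conf and Firewall 1 rules posted above.
SERVER_CONF = """\
port 1194
proto udp
dev tap
server-bridge 192.168.30.240 255.255.255.0 192.168.30.100 192.168.30.130
push "DOMAIN firma-a.f223"
push "dhcp-option DNS 192.168.40.1"
push "route-gateway 192.168.30.240"
"""
FIREWALL_RULES = """\
-A INPUT -i eth1 -p udp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -p udp --dport 1195 -m state --state NEW -j ACCEPT
"""

def parse_conf(text):
    """Return ({option: args}, [pushed option strings]) for an OpenVPN config."""
    opts, pushes = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue  # blank or commented out
        key, _, rest = line.partition(" ")
        if key == "push":
            pushes.append(rest.strip().strip('"'))
        else:
            opts[key] = rest.strip()
    return opts, pushes

def check_bridge(conf_text, rules_text):
    """List things that would stop a server-bridge setup working; [] means none found."""
    opts, pushes = parse_conf(conf_text)
    findings = []
    gw, mask, start, end = opts["server-bridge"].split()
    net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
    for name, ip in (("gateway", gw), ("pool start", start), ("pool end", end)):
        if ipaddress.ip_address(ip) not in net:  # pool must sit in the bridged LAN
            findings.append(f"server-bridge {name} {ip} lies outside {net}")
    for p in pushes:
        words = p.split()
        if words[0] in ("DOMAIN", "DNS"):  # DHCP options need the dhcp-option prefix
            findings.append(f"push '{p}' is not an option; use 'dhcp-option {p}'")
    port, proto = opts.get("port", "1194"), opts.get("proto", "udp")
    accept = re.compile(rf"-A INPUT .*-p {proto}\b.*--dport {port}\b.*-j ACCEPT")
    if not any(accept.search(r) for r in rules_text.splitlines()):
        findings.append(f"no INPUT ACCEPT rule for {proto}/{port}")
    return findings
```

The check only covers what can be read from the files; whether the tap interface is actually enslaved to a bridge with eth0 on Firewall 1 still has to be verified on the host.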

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Bridge Routing-Problem

Post by TinCanTech » Sat Jul 08, 2017 11:32 am


DaS07
OpenVpn Newbie
Posts: 5
Joined: Fri Jun 30, 2017 3:08 pm

Re: OpenVPN Bridge Routing-Problem

Post by DaS07 » Mon Jul 10, 2017 11:13 am

Correct example :) I'm working with VMs, that is the reason for the images.

PC (intern)-----------------------------Firewall 1-------------------------Firewall 2----------------------Internet
192.168.30.11----------192.168.30.240|192.168.40.240-------192.168.40.250|10.1.0.131-------Internet

Laptop (extern)----------Internet
10.1.0.21-----------------Internet
192.168.30.100----------VPN

* Codepart of Firewall 1 *

Code:

-A FORWARD -i eth0 -o eth1 -m state --state NEW -j ACCEPT

-A INPUT -i eth1 -p udp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -p udp --dport 1195 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

COMMIT
*nat
-F
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT

* Codepart of Firewall 2 *

Code:

...
-A FORWARD -p udp -m multiport --dport 53,1194,1195 -m state --state NEW -j ACCEPT
...
COMMIT
*nat
-F
-A PREROUTING -i eth1 -p udp --dport 1194 -j DNAT --to-destination 192.168.40.240
-A PREROUTING -i eth1 -p udp --dport 1195 -j DNAT --to-destination 192.168.40.240
-A POSTROUTING -o eth1 -j MASQUERADE
...

* Server *

Operating system:

Code:

Linux fw2 3.2.0-4-486 #1 Debian 3.2.78-1 i686 GNU/Linux

Network setup: [screenshot]

server.conf

Code:

# Server Config

;script-security 3

# Server
mode server
;tls-server
;tls-auth /etc/openvpn/certs/ta.key 0

# VPN Port
port 1194

# UDP Server
proto udp

# TAP/TUN Device
dev tap

# Certificate, Key and Pem paths
ca /etc/openvpn/certs/f223CA.chain.crt
cert /etc/openvpn/certs/firma-a.f223.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/dh2048.pem

# Ipp file
ifconfig-pool-persist ipp.txt

# Server Bridge
server-bridge 192.168.30.240 255.255.255.0 192.168.30.100 192.168.30.130

# Connection Client to Client
client-to-client

# Other settings
keepalive 10 120          # keepalive probes
comp-lzo yes              # enable compression
user nobody               # run OpenVPN as user nobody
group nogroup             # run OpenVPN as group nogroup
persist-key
persist-tun
status openvpn-status.log # status file
;log-append openvpn.log
verb 5                    # log verbosity

;cipher AES-256-CBC
;auth SHA1

push "DOMAIN firma-a.f223"
push "dhcp-option DNS 192.168.40.1"
push "route 192.168.30.0 255.255.255.0"
route 192.168.30.100      # IP address of my laptop

Server log: [screenshot]

* Server Error *

Code:

Ping to 192.168.30.100
From 192.168.30.11 icmp_seq=1 Destination Host Unreachable

Ping to 10.1.0.21
> Works

* Client *

Operating System:

Code:

Linux lap01 3.2.0-4-686-pae #1 Debian 3.2.78-1 i686 GNU/Linux

Network Setup: [screenshot]

client.conf:

Code:

dev tap
proto udp

remote 10.1.0.131 1194
client
;tls-client
;tls-auth ta.key 1

keepalive 15 120
verb 3
;script-security 3
resolv-retry infinite

nobind
persist-key
persist-tun
ns-cert-type server

ca f223CA.chain.crt
cert itsec@firma-a.f223.crt
key itsec.key

;cipher AES-256-CBC
;auth SHA1
route-delay 10
comp-lzo yes
key-direction 1
pull

Client.log: [screenshot]

Route -n: [screenshot]

Client-Error: [screenshot]

I hope this is better, thank you for your help.

Best regards, Dave

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Bridge Routing-Problem

Post by TinCanTech » Mon Jul 10, 2017 12:12 pm

Your server log shows:

Code:

reading client specific options from: /etc/openvpn/ccd/ ...

but your server config does not have --client-config-dir ..

It is a pain in the neck trying to use screen shots instead of text ..

--server-bridge and --dev-type tap is a tricky beast to get right ..

I suggest you read the docs and start with a simpler setup .. once you get a simple server working move up to your desired bridge setup.

DaS07
OpenVpn Newbie
Posts: 5
Joined: Fri Jun 30, 2017 3:08 pm

Re: OpenVPN Bridge Routing-Problem

Post by DaS07 » Mon Jul 10, 2017 12:26 pm

I put that in the config to test something. You have to ignore this log info.
Do you see something else?
Thanks again :)

DaS07
OpenVpn Newbie
Posts: 5
Joined: Fri Jun 30, 2017 3:08 pm

Re: OpenVPN Bridge Routing-Problem

Post by DaS07 » Tue Jul 11, 2017 3:05 pm

@TinCanTech: Have you some other advice? Thx
