Hi, trying to get openvpn working with bridging on ubuntu (which I am new to). I have an active vpn connection between server and client, client successfully gets ip assigned from server. but can't ping server or anything on server-side lan from the client side.
i followed all basic openvpn directions. was able to get this to work with windows server and client but now cant get it to work on ubuntu. my goal is to have client-side lan devices talk to server-side lan devices, including broadcast traffic (so devices think it is all a single lan).
The one thing extra I did apart from the basic config stuff is I tried to bridge eth0 and tap0 on the client side. it doesnt really discuss this anywhere but it seemed logical to achieve my objective above. regardless, the connection was active but i couldnt ping even before i set up this client-side bridge.
My config files and client log file below - any thoughts on what i am doing wrong? Please let me know if I can provide any other useful info. Thanks!
client1.ovpn:
dev tap0
proto udp
remote [server ip] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
verb 3
server.ovpn:
port 1194
proto udp
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server-bridge 192.168.3.118 255.255.255.0 192.168.3.170 192.168.3.254
ifconfig-pool-persist ipp.txt
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 3
client log file:
Sun Nov 7 22:48:33 2010 OpenVPN 2.2-beta3 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Nov 7 2010
Sun Nov 7 22:48:33 2010 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Nov 7 22:48:33 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Nov 7 22:48:33 2010 WARNING: file 'client1.key' is group or others accessible
Sun Nov 7 22:48:33 2010 Control Channel MTU parms [ L:1573 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Nov 7 22:48:33 2010 Socket Buffers: R=[114688->131072] S=[114688->131072]
Sun Nov 7 22:48:33 2010 Data Channel MTU parms [ L:1573 D:1450 EF:41 EB:4 ET:32 EL:0 ]
Sun Nov 7 22:48:33 2010 Local Options hash (VER=V4): '2c50bd2c'
Sun Nov 7 22:48:33 2010 Expected Remote Options hash (VER=V4): '0ddbb6e3'
Sun Nov 7 22:48:33 2010 UDPv4 link local: [undef]
Sun Nov 7 22:48:33 2010 UDPv4 link remote: [server ip]:1194
Sun Nov 7 22:48:33 2010 TLS: Initial packet from [server ip]:1194, sid=9abbd86b a43f3b2c
Sun Nov 7 22:48:33 2010 VERIFY OK: depth=1, /C=US/ST=NY/L=XXXXX/O=XXXXX/CN=XXXXX/emailAddress=XXXXX
Sun Nov 7 22:48:33 2010 VERIFY OK: depth=0, /C=US/ST=NY/O=XXXXX/CN=server/emailAddress=XXXXX
Sun Nov 7 22:48:33 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Nov 7 22:48:33 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Nov 7 22:48:33 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Nov 7 22:48:33 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Nov 7 22:48:33 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sun Nov 7 22:48:33 2010 [server] Peer Connection Initiated with [server ip]:1194
Sun Nov 7 22:48:35 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Nov 7 22:48:35 2010 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.3.118,ping 10,ping-restart 120,ifconfig 192.168.3.170 255.255.255.0'
Sun Nov 7 22:48:35 2010 OPTIONS IMPORT: timers and/or timeouts modified
Sun Nov 7 22:48:35 2010 OPTIONS IMPORT: --ifconfig/up options modified
Sun Nov 7 22:48:35 2010 OPTIONS IMPORT: route-related options modified
Sun Nov 7 22:48:35 2010 WARNING: potential TUN/TAP adapter subnet conflict between local LAN [192.168.3.0/255.255.255.0] and remote VPN [192.168.3.0/255.255.255.0]
Sun Nov 7 22:48:35 2010 TUN/TAP device tap0 opened
Sun Nov 7 22:48:35 2010 TUN/TAP TX queue length set to 100
Sun Nov 7 22:48:35 2010 /sbin/ifconfig tap0 192.168.3.170 netmask 255.255.255.0 mtu 1500 broadcast 192.168.3.255
Sun Nov 7 22:48:35 2010 Initialization Sequence Completed
bridging help
Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
bmj1474
- OpenVpn Newbie
- Posts: 3
- Joined: Wed Nov 24, 2010 1:29 am
Re: bridging help
Not sure if you have gotten this resolved yet, but it sounds like you need to add a static route to your gateway in your interfaces file. I have OpenVPN server setup on Ubuntu 10.04 and was having the same problem you are describing. I was able to connect to the server, but couldn't ping anything on my server's LAN until I added a static route to my gateway.
Open the terminal and use the following command to add a temporary rote:
sudo route add -net default gw x.x.x.x dev br0 (replace the x's with your default gateway IP Address).
You can then check to make sure the route has been added by typing route in the terminal and it should display the Gateway IP Address for br0. Then try your connection again and see if you can ping anything on your server's LAN.
If that solves your problem you can add a permanent route by editing the interfaces file like I did with mine. In the terminal, execute the following command:
sudo vi /etc/network/interfaces
And edit it like I did to mine
iface br0 inet static
address 10.5.1.199
network 10.5.1.0
netmask 255.255.255.0
broadcast 10.5.1.255
gateway 10.5.1.254
bridge_ports eth0
#Add a static route to the default gw#
up route add default gw 10.5.1.254
down route del default gw 10.5.1.254
Save it and restart you interfaces by issuing the following command for the changes to take effect: sudo /etc/init.d/networking restart.
If you just use the temporary route, you will lose your static route every time your reboot the server.
Hope that helps!
Open the terminal and use the following command to add a temporary rote:
sudo route add -net default gw x.x.x.x dev br0 (replace the x's with your default gateway IP Address).
You can then check to make sure the route has been added by typing route in the terminal and it should display the Gateway IP Address for br0. Then try your connection again and see if you can ping anything on your server's LAN.
If that solves your problem you can add a permanent route by editing the interfaces file like I did with mine. In the terminal, execute the following command:
sudo vi /etc/network/interfaces
And edit it like I did to mine
iface br0 inet static
address 10.5.1.199
network 10.5.1.0
netmask 255.255.255.0
broadcast 10.5.1.255
gateway 10.5.1.254
bridge_ports eth0
#Add a static route to the default gw#
up route add default gw 10.5.1.254
down route del default gw 10.5.1.254
Save it and restart you interfaces by issuing the following command for the changes to take effect: sudo /etc/init.d/networking restart.
If you just use the temporary route, you will lose your static route every time your reboot the server.
Hope that helps!