Openvpn server bridge TAP using routers DHCP server

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Locked
matej
OpenVpn Newbie
Posts: 15
Joined: Thu Jan 07, 2016 1:24 pm

Openvpn server bridge TAP using routers DHCP server

Post by matej » Tue Jul 25, 2017 1:19 pm

Hello, I need help configuring my new Openvpn Bridge TAP server.

The server is installed on an Intel Nuc computer running Ubuntu 16.04 LTS operating system. The Nuc has a single NIC which is connected to the router Asus RT-AC68u.

What I want to do: connecting two networks on the same subnet in two different locations (homes) using TAP BRIDGE. I am able to do this using the built in openvpn server and client on my two routers and it is working like a charm. However, because of the low CPU power of the routers I need to run the openvpn server on two computers with more powerful CPU in order to achieve more bandwidth. I have 20 megabits of upload from my ISP and I am able to use only 8 megabits with the openvpn system built into the routers.

my network:

House 1

Router1 address (openvpn server): 192.168.2.1
Router1 DHCP server pool addresses 192.168.2.2 - 192.168.2.79

House 2

Router2 address (openvpn client): 192.168.2.80
Router2 DHCP server pool addresses 192.168.2.81 - 192.168.2.159


This openvpn server/client system is working perfectly and is very stable. The network devices are getting their IP addresses from the two DHCP servers and are able to "see" all the devices in the other network. No Ip conflicts at all.

I want to move both openvpn bridge server and client from the routers to two Intel Nucs. The DHCP and the Internet access should remain routers tasks as they are in this moment.I want only to establish and ethernet connection between the two networks (houses)

What I have done yet:

- I give the Intel Nuc running openvpn server the 192.168.2.29 address
- I installed Openvpn
- I generated the servers certificates and keys
- I setup the server in bridge mode
- I generated the clients .ovpn files
- I made the bridge-start.sh and bridge-stop.sh scripts.

Here is the SERVER configuration:
Server
# This is a comment
server-bridge
push "route 0.0.0.0 255.255.255.255 net_gateway"
proto udp
port 1986
dev tap0
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
auth SHA256
keepalive 15 60
verb 3
client-to-client
duplicate-cn
push "dhcp-option DNS 192.168.2.1"
tls-auth ta.key
ca ca.crt
dh dh2048.pem
cert servervpn.crt
key servervpn.key
status-version 2
status status 10
Here is the bridge-start.sh script:

Code: Select all

#!/bin/bash

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.2.29"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.2.255"

for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
Here is the bridge-stop.sh script:

Code: Select all

#!/bin/bash

####################################
# Tear Down Ethernet bridge on Linux
####################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged together
tap="tap0"

ifconfig $br down
brctl delbr $br

for t in $tap; do
    openvpn --rmtun --dev $t
done
Here is the "ifconfig-a":

Code: Select all

matej@matej-desktop:/etc/openvpn$ ifconfig -a
eth0      Link encap:Ethernet  HWaddr b8:ae:ed:ec:25:8b  
          inet addr:192.168.2.29  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::e1da:f3ae:c633:30c9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20409 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16666 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2923758 (2.9 MB)  TX bytes:1934047 (1.9 MB)
          Interrupt:16 Memory:df100000-df120000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:10246 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10246 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1998901 (1.9 MB)  TX bytes:1998901 (1.9 MB)

tap0      Link encap:Ethernet  HWaddr 9e:e0:fa:f1:ee:3e  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 00:c2:c6:ca:6a:66  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
Here are the iptables rules:

iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT

If if type "ifconfig-a" into the terminal I get the following:

Code: Select all

matej@matej-desktop:/etc/openvpn$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 
I tried to make the server work, but I am having some problems.

I read thousands of forum posts and I understand that the bridge should be started first, before starting the openvpn server.
These are the commands that I use in this case:
sudo service openvpn stop
cd /etc/openvpn/
sudo ./bridge-start.sh
sudo service openvpn start

By doing this, the Intel Nuc si not able to connect to internet in order to download the updates, nor the clients are able to connect to it from the internet. I need the NUC to be able to access the internet.

Where am I failing?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Openvpn server bridge TAP using routers DHCP server

Post by TinCanTech » Tue Jul 25, 2017 1:54 pm

matej wrote:

Code: Select all

matej@matej-desktop:/etc/openvpn$ ifconfig -a
eth0      Link encap:Ethernet  HWaddr b8:ae:ed:ec:25:8b 
          inet addr:192.168.2.29  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::e1da:f3ae:c633:30c9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20409 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16666 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2923758 (2.9 MB)  TX bytes:1934047 (1.9 MB)
          Interrupt:16 Memory:df100000-df120000

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:10246 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10246 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1998901 (1.9 MB)  TX bytes:1998901 (1.9 MB)

tap0      Link encap:Ethernet  HWaddr 9e:e0:fa:f1:ee:3e 
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 00:c2:c6:ca:6a:66 
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
There is no bridge interface here .. perhaps run your bridge start script and then post ifconfig ..

Also see:
https://openvpn.net/index.php/open-sour ... dging.html

matej
OpenVpn Newbie
Posts: 15
Joined: Thu Jan 07, 2016 1:24 pm

Re: Openvpn server bridge TAP using routers DHCP server

Post by matej » Tue Jul 25, 2017 1:56 pm

Sorry, here it is:

Code: Select all

matej@matej-desktop:/etc/openvpn$ ifconfig -a
br0       Link encap:Ethernet  HWaddr 02:3d:ff:a3:32:1e  
          inet addr:192.168.2.29  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::9ce0:faff:fef1:ee3e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:204 errors:0 dropped:1 overruns:0 frame:0
          TX packets:143 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:23426 (23.4 KB)  TX bytes:19800 (19.8 KB)

eth0      Link encap:Ethernet  HWaddr b8:ae:ed:ec:25:8b  
          inet6 addr: fe80::e1da:f3ae:c633:30c9/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:24517 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18658 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:4238256 (4.2 MB)  TX bytes:2364963 (2.3 MB)
          Interrupt:16 Memory:df100000-df120000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:16831 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16831 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3277307 (3.2 MB)  TX bytes:3277307 (3.2 MB)

tap0      Link encap:Ethernet  HWaddr 02:3d:ff:a3:32:1e  
          UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 00:c2:c6:ca:6a:66  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

matej
OpenVpn Newbie
Posts: 15
Joined: Thu Jan 07, 2016 1:24 pm

Re: Openvpn server bridge TAP using routers DHCP server

Post by matej » Tue Jul 25, 2017 2:01 pm

Oh, and by the way, this is the client .ovpn configuration

Code: Select all

client
dev tap
proto udp
remote ************.dyndns.org 1986
float
user nobody
group nogroup
ca ca.crt
cert client.crt
key client.key
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
auth SHA256
auth-user-pass
remote-cert-tls server
resolv-retry infinite
nobind
<ca>
-----BEGIN CERTIFICATE-----
 ****censored****
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
 ****censored****
-----BEGIN CERTIFICATE-----
 ****censored****
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
 ****censored****
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
 ****censored****
-----END OpenVPN Static key V1-----
</tls-auth>

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Openvpn server bridge TAP using routers DHCP server

Post by TinCanTech » Tue Jul 25, 2017 2:10 pm

(1) Now, with your bridge enabled, post output from # brctl show

(2) Also, post your sanitized server and client logs at --verb 4

matej
OpenVpn Newbie
Posts: 15
Joined: Thu Jan 07, 2016 1:24 pm

Re: Openvpn server bridge TAP using routers DHCP server

Post by matej » Tue Jul 25, 2017 2:28 pm

(1) typing "brctl show" I see the following:

bridge name= br0
bridge id= 8000.66fdec694019
STP enabled= no
interfaces = eth0 tap0

(2) the servers log is the following:

Code: Select all

Tue Jul 25 16:23:46 2017 us=470255 Current Parameter Settings:
Tue Jul 25 16:23:46 2017 us=470283   config = '/etc/openvpn/servervpn.conf'
Tue Jul 25 16:23:46 2017 us=470288   mode = 1
Tue Jul 25 16:23:46 2017 us=470292   persist_config = DISABLED
Tue Jul 25 16:23:46 2017 us=470296   persist_mode = 1
Tue Jul 25 16:23:46 2017 us=470299   show_ciphers = DISABLED
Tue Jul 25 16:23:46 2017 us=470303   show_digests = DISABLED
Tue Jul 25 16:23:46 2017 us=470306   show_engines = DISABLED
Tue Jul 25 16:23:46 2017 us=470309   genkey = DISABLED
Tue Jul 25 16:23:46 2017 us=470313   key_pass_file = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470316   show_tls_ciphers = DISABLED
Tue Jul 25 16:23:46 2017 us=470320   connect_retry_max = 0
Tue Jul 25 16:23:46 2017 us=470324 Connection profiles [0]:
Tue Jul 25 16:23:46 2017 us=470327   proto = udp
Tue Jul 25 16:23:46 2017 us=470331   local = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470334   local_port = '1986'
Tue Jul 25 16:23:46 2017 us=470338   remote = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470341   remote_port = '1986'
Tue Jul 25 16:23:46 2017 us=470345   remote_float = DISABLED
Tue Jul 25 16:23:46 2017 us=470348   bind_defined = DISABLED
Tue Jul 25 16:23:46 2017 us=470351   bind_local = ENABLED
Tue Jul 25 16:23:46 2017 us=470355   bind_ipv6_only = DISABLED
Tue Jul 25 16:23:46 2017 us=470358   connect_retry_seconds = 5
Tue Jul 25 16:23:46 2017 us=470361   connect_timeout = 120
Tue Jul 25 16:23:46 2017 us=470365   socks_proxy_server = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470368   socks_proxy_port = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470372   tun_mtu = 1500
Tue Jul 25 16:23:46 2017 us=470375   tun_mtu_defined = ENABLED
Tue Jul 25 16:23:46 2017 us=470379   link_mtu = 1500
Tue Jul 25 16:23:46 2017 us=470382   link_mtu_defined = DISABLED
Tue Jul 25 16:23:46 2017 us=470385   tun_mtu_extra = 32
Tue Jul 25 16:23:46 2017 us=470389   tun_mtu_extra_defined = ENABLED
Tue Jul 25 16:23:46 2017 us=470392   mtu_discover_type = -1
Tue Jul 25 16:23:46 2017 us=470396   fragment = 0
Tue Jul 25 16:23:46 2017 us=470399   mssfix = 1450
Tue Jul 25 16:23:46 2017 us=470403   explicit_exit_notification = 0
Tue Jul 25 16:23:46 2017 us=470407 Connection profiles END
Tue Jul 25 16:23:46 2017 us=470410   remote_random = DISABLED
Tue Jul 25 16:23:46 2017 us=470413   ipchange = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470417   dev = 'tap0'
Tue Jul 25 16:23:46 2017 us=470420   dev_type = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470423   dev_node = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470427   lladdr = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470430   topology = 1
Tue Jul 25 16:23:46 2017 us=470433   ifconfig_local = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470437   ifconfig_remote_netmask = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470440   ifconfig_noexec = DISABLED
Tue Jul 25 16:23:46 2017 us=470444   ifconfig_nowarn = DISABLED
Tue Jul 25 16:23:46 2017 us=470447   ifconfig_ipv6_local = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470450   ifconfig_ipv6_netbits = 0
Tue Jul 25 16:23:46 2017 us=470454   ifconfig_ipv6_remote = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470457   shaper = 0
Tue Jul 25 16:23:46 2017 us=470460   mtu_test = 0
Tue Jul 25 16:23:46 2017 us=470464   mlock = DISABLED
Tue Jul 25 16:23:46 2017 us=470467   keepalive_ping = 15
Tue Jul 25 16:23:46 2017 us=470470   keepalive_timeout = 60
Tue Jul 25 16:23:46 2017 us=470474   inactivity_timeout = 0
Tue Jul 25 16:23:46 2017 us=470477   ping_send_timeout = 15
Tue Jul 25 16:23:46 2017 us=470480   ping_rec_timeout = 120
Tue Jul 25 16:23:46 2017 us=470484   ping_rec_timeout_action = 2
Tue Jul 25 16:23:46 2017 us=470487   ping_timer_remote = DISABLED
Tue Jul 25 16:23:46 2017 us=470490   remap_sigusr1 = 0
Tue Jul 25 16:23:46 2017 us=470494   persist_tun = DISABLED
Tue Jul 25 16:23:46 2017 us=470497   persist_local_ip = DISABLED
Tue Jul 25 16:23:46 2017 us=470500   persist_remote_ip = DISABLED
Tue Jul 25 16:23:46 2017 us=470504   persist_key = DISABLED
Tue Jul 25 16:23:46 2017 us=470507   passtos = DISABLED
Tue Jul 25 16:23:46 2017 us=470510   resolve_retry_seconds = 1000000000
Tue Jul 25 16:23:46 2017 us=470514   resolve_in_advance = DISABLED
Tue Jul 25 16:23:46 2017 us=470523   username = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470527   groupname = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470530   chroot_dir = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470533   cd_dir = '/etc/openvpn'
Tue Jul 25 16:23:46 2017 us=470537   writepid = '/run/openvpn/servervpn.pid'
Tue Jul 25 16:23:46 2017 us=470540   up_script = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470543   down_script = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470547   down_pre = DISABLED
Tue Jul 25 16:23:46 2017 us=470550   up_restart = DISABLED
Tue Jul 25 16:23:46 2017 us=470553   up_delay = DISABLED
Tue Jul 25 16:23:46 2017 us=470557   daemon = ENABLED
Tue Jul 25 16:23:46 2017 us=470560   inetd = 0
Tue Jul 25 16:23:46 2017 us=470563   log = ENABLED
Tue Jul 25 16:23:46 2017 us=470567   suppress_timestamps = DISABLED
Tue Jul 25 16:23:46 2017 us=470570   machine_readable_output = DISABLED
Tue Jul 25 16:23:46 2017 us=470573   nice = 0
Tue Jul 25 16:23:46 2017 us=470576   verbosity = 4
Tue Jul 25 16:23:46 2017 us=470580   mute = 0
Tue Jul 25 16:23:46 2017 us=470583   gremlin = 0
Tue Jul 25 16:23:46 2017 us=470586   status_file = 'status'
Tue Jul 25 16:23:46 2017 us=470590   status_file_version = 2
Tue Jul 25 16:23:46 2017 us=470593   status_file_update_freq = 10
Tue Jul 25 16:23:46 2017 us=470598   occ = ENABLED
Tue Jul 25 16:23:46 2017 us=470602   rcvbuf = 0
Tue Jul 25 16:23:46 2017 us=470607   sndbuf = 0
Tue Jul 25 16:23:46 2017 us=470611   mark = 0
Tue Jul 25 16:23:46 2017 us=470616   sockflags = 0
Tue Jul 25 16:23:46 2017 us=470621   fast_io = DISABLED
Tue Jul 25 16:23:46 2017 us=470624   comp.alg = 0
Tue Jul 25 16:23:46 2017 us=470627   comp.flags = 0
Tue Jul 25 16:23:46 2017 us=470631   route_script = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470634   route_default_gateway = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470638   route_default_metric = 0
Tue Jul 25 16:23:46 2017 us=470641   route_noexec = DISABLED
Tue Jul 25 16:23:46 2017 us=470644   route_delay = 0
Tue Jul 25 16:23:46 2017 us=470648   route_delay_window = 30
Tue Jul 25 16:23:46 2017 us=470651   route_delay_defined = DISABLED
Tue Jul 25 16:23:46 2017 us=470655   route_nopull = DISABLED
Tue Jul 25 16:23:46 2017 us=470658   route_gateway_via_dhcp = DISABLED
Tue Jul 25 16:23:46 2017 us=470662   allow_pull_fqdn = DISABLED
Tue Jul 25 16:23:46 2017 us=470665   management_addr = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470668   management_port = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470672   management_user_pass = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470675   management_log_history_cache = 250
Tue Jul 25 16:23:46 2017 us=470679   management_echo_buffer_size = 100
Tue Jul 25 16:23:46 2017 us=470682   management_write_peer_info_file = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470686   management_client_user = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470689   management_client_group = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470693   management_flags = 0
Tue Jul 25 16:23:46 2017 us=470696   shared_secret_file = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470700   key_direction = 0
Tue Jul 25 16:23:46 2017 us=470703   ciphername = 'BF-CBC'
Tue Jul 25 16:23:46 2017 us=470706   ncp_enabled = ENABLED
Tue Jul 25 16:23:46 2017 us=470710   ncp_ciphers = 'AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC'
Tue Jul 25 16:23:46 2017 us=470714   authname = 'SHA256'
Tue Jul 25 16:23:46 2017 us=470717   prng_hash = 'SHA1'
Tue Jul 25 16:23:46 2017 us=470721   prng_nonce_secret_len = 16
Tue Jul 25 16:23:46 2017 us=470724   keysize = 0
Tue Jul 25 16:23:46 2017 us=470727   engine = DISABLED
Tue Jul 25 16:23:46 2017 us=470731   replay = ENABLED
Tue Jul 25 16:23:46 2017 us=470734   mute_replay_warnings = DISABLED
Tue Jul 25 16:23:46 2017 us=470738   replay_window = 64
Tue Jul 25 16:23:46 2017 us=470741   replay_time = 15
Tue Jul 25 16:23:46 2017 us=470744   packet_id_file = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470748   use_iv = ENABLED
Tue Jul 25 16:23:46 2017 us=470751   test_crypto = DISABLED
Tue Jul 25 16:23:46 2017 us=470754   tls_server = ENABLED
Tue Jul 25 16:23:46 2017 us=470758   tls_client = DISABLED
Tue Jul 25 16:23:46 2017 us=470764   key_method = 2
Tue Jul 25 16:23:46 2017 us=470768   ca_file = 'ca.crt'
Tue Jul 25 16:23:46 2017 us=470771   ca_path = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470775   dh_file = 'dh2048.pem'
Tue Jul 25 16:23:46 2017 us=470778   cert_file = 'servervpn.crt'
Tue Jul 25 16:23:46 2017 us=470782   extra_certs_file = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470785   priv_key_file = 'servervpn.key'
Tue Jul 25 16:23:46 2017 us=470789   pkcs12_file = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470792   cipher_list = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470796   tls_verify = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470799   tls_export_cert = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470802   verify_x509_type = 0
Tue Jul 25 16:23:46 2017 us=470806   verify_x509_name = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470809   crl_file = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470812   ns_cert_type = 0
Tue Jul 25 16:23:46 2017 us=470816   remote_cert_ku[i] = 0
Tue Jul 25 16:23:46 2017 us=470819   remote_cert_ku[i] = 0
Tue Jul 25 16:23:46 2017 us=470822   remote_cert_ku[i] = 0
Tue Jul 25 16:23:46 2017 us=470825   remote_cert_ku[i] = 0
Tue Jul 25 16:23:46 2017 us=470829   remote_cert_ku[i] = 0
Tue Jul 25 16:23:46 2017 us=470832   remote_cert_ku[i] = 0
Tue Jul 25 16:23:46 2017 us=470835   remote_cert_ku[i] = 0
Tue Jul 25 16:23:46 2017 us=470838   remote_cert_ku[i] = 0
Tue Jul 25 16:23:46 2017 us=470842   remote_cert_ku[i] = 0
Tue Jul 25 16:23:46 2017 us=470845   remote_cert_ku[i] = 0
Tue Jul 25 16:23:46 2017 us=470848   remote_cert_ku[i] = 0
Tue Jul 25 16:23:46 2017 us=470851   remote_cert_ku[i] = 0
Tue Jul 25 16:23:46 2017 us=470854   remote_cert_ku[i] = 0
Tue Jul 25 16:23:46 2017 us=470857   remote_cert_ku[i] = 0
Tue Jul 25 16:23:46 2017 us=470861   remote_cert_ku[i] = 0
Tue Jul 25 16:23:46 2017 us=470864   remote_cert_ku[i] = 0
Tue Jul 25 16:23:46 2017 us=470867   remote_cert_eku = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470871   ssl_flags = 0
Tue Jul 25 16:23:46 2017 us=470874   tls_timeout = 2
Tue Jul 25 16:23:46 2017 us=470877   renegotiate_bytes = -1
Tue Jul 25 16:23:46 2017 us=470881   renegotiate_packets = 0
Tue Jul 25 16:23:46 2017 us=470884   renegotiate_seconds = 3600
Tue Jul 25 16:23:46 2017 us=470888   handshake_window = 60
Tue Jul 25 16:23:46 2017 us=470891   transition_window = 3600
Tue Jul 25 16:23:46 2017 us=470895   single_session = DISABLED
Tue Jul 25 16:23:46 2017 us=470898   push_peer_info = DISABLED
Tue Jul 25 16:23:46 2017 us=470901   tls_exit = DISABLED
Tue Jul 25 16:23:46 2017 us=470905   tls_auth_file = 'ta.key'
Tue Jul 25 16:23:46 2017 us=470908   tls_crypt_file = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=470912   pkcs11_protected_authentication = DISABLED
Tue Jul 25 16:23:46 2017 us=470915   pkcs11_protected_authentication = DISABLED
Tue Jul 25 16:23:46 2017 us=470919   pkcs11_protected_authentication = DISABLED
Tue Jul 25 16:23:46 2017 us=470922   pkcs11_protected_authentication = DISABLED
Tue Jul 25 16:23:46 2017 us=470925   pkcs11_protected_authentication = DISABLED
Tue Jul 25 16:23:46 2017 us=470929   pkcs11_protected_authentication = DISABLED
Tue Jul 25 16:23:46 2017 us=470932   pkcs11_protected_authentication = DISABLED
Tue Jul 25 16:23:46 2017 us=470935   pkcs11_protected_authentication = DISABLED
Tue Jul 25 16:23:46 2017 us=470939   pkcs11_protected_authentication = DISABLED
Tue Jul 25 16:23:46 2017 us=470942   pkcs11_protected_authentication = DISABLED
Tue Jul 25 16:23:46 2017 us=470945   pkcs11_protected_authentication = DISABLED
Tue Jul 25 16:23:46 2017 us=470949   pkcs11_protected_authentication = DISABLED
Tue Jul 25 16:23:46 2017 us=470952   pkcs11_protected_authentication = DISABLED
Tue Jul 25 16:23:46 2017 us=470955   pkcs11_protected_authentication = DISABLED
Tue Jul 25 16:23:46 2017 us=470958   pkcs11_protected_authentication = DISABLED
Tue Jul 25 16:23:46 2017 us=470962   pkcs11_protected_authentication = DISABLED
Tue Jul 25 16:23:46 2017 us=470965   pkcs11_private_mode = 00000000
Tue Jul 25 16:23:46 2017 us=470969   pkcs11_private_mode = 00000000
Tue Jul 25 16:23:46 2017 us=470974   pkcs11_private_mode = 00000000
Tue Jul 25 16:23:46 2017 us=470978   pkcs11_private_mode = 00000000
Tue Jul 25 16:23:46 2017 us=470981   pkcs11_private_mode = 00000000
Tue Jul 25 16:23:46 2017 us=470984   pkcs11_private_mode = 00000000
Tue Jul 25 16:23:46 2017 us=470988   pkcs11_private_mode = 00000000
Tue Jul 25 16:23:46 2017 us=470991   pkcs11_private_mode = 00000000
Tue Jul 25 16:23:46 2017 us=470994   pkcs11_private_mode = 00000000
Tue Jul 25 16:23:46 2017 us=470997   pkcs11_private_mode = 00000000
Tue Jul 25 16:23:46 2017 us=471001   pkcs11_private_mode = 00000000
Tue Jul 25 16:23:46 2017 us=471004   pkcs11_private_mode = 00000000
Tue Jul 25 16:23:46 2017 us=471007   pkcs11_private_mode = 00000000
Tue Jul 25 16:23:46 2017 us=471010   pkcs11_private_mode = 00000000
Tue Jul 25 16:23:46 2017 us=471014   pkcs11_private_mode = 00000000
Tue Jul 25 16:23:46 2017 us=471017   pkcs11_private_mode = 00000000
Tue Jul 25 16:23:46 2017 us=471020   pkcs11_cert_private = DISABLED
Tue Jul 25 16:23:46 2017 us=471023   pkcs11_cert_private = DISABLED
Tue Jul 25 16:23:46 2017 us=471027   pkcs11_cert_private = DISABLED
Tue Jul 25 16:23:46 2017 us=471030   pkcs11_cert_private = DISABLED
Tue Jul 25 16:23:46 2017 us=471033   pkcs11_cert_private = DISABLED
Tue Jul 25 16:23:46 2017 us=471037   pkcs11_cert_private = DISABLED
Tue Jul 25 16:23:46 2017 us=471040   pkcs11_cert_private = DISABLED
Tue Jul 25 16:23:46 2017 us=471043   pkcs11_cert_private = DISABLED
Tue Jul 25 16:23:46 2017 us=471046   pkcs11_cert_private = DISABLED
Tue Jul 25 16:23:46 2017 us=471050   pkcs11_cert_private = DISABLED
Tue Jul 25 16:23:46 2017 us=471053   pkcs11_cert_private = DISABLED
Tue Jul 25 16:23:46 2017 us=471056   pkcs11_cert_private = DISABLED
Tue Jul 25 16:23:46 2017 us=471060   pkcs11_cert_private = DISABLED
Tue Jul 25 16:23:46 2017 us=471063   pkcs11_cert_private = DISABLED
Tue Jul 25 16:23:46 2017 us=471066   pkcs11_cert_private = DISABLED
Tue Jul 25 16:23:46 2017 us=471070   pkcs11_cert_private = DISABLED
Tue Jul 25 16:23:46 2017 us=471073   pkcs11_pin_cache_period = -1
Tue Jul 25 16:23:46 2017 us=471076   pkcs11_id = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=471080   pkcs11_id_management = DISABLED
Tue Jul 25 16:23:46 2017 us=471084   server_network = 0.0.0.0
Tue Jul 25 16:23:46 2017 us=471088   server_netmask = 0.0.0.0
Tue Jul 25 16:23:46 2017 us=471097   server_network_ipv6 = ::
Tue Jul 25 16:23:46 2017 us=471102   server_netbits_ipv6 = 0
Tue Jul 25 16:23:46 2017 us=471106   server_bridge_ip = 0.0.0.0
Tue Jul 25 16:23:46 2017 us=471110   server_bridge_netmask = 0.0.0.0
Tue Jul 25 16:23:46 2017 us=471114   server_bridge_pool_start = 0.0.0.0
Tue Jul 25 16:23:46 2017 us=471118   server_bridge_pool_end = 0.0.0.0
Tue Jul 25 16:23:46 2017 us=471121   push_entry = 'route 0.0.0.0 255.255.255.255 net_gateway'
Tue Jul 25 16:23:46 2017 us=471125   push_entry = 'dhcp-option DNS 192.168.2.1'
Tue Jul 25 16:23:46 2017 us=471129   push_entry = 'route-gateway dhcp'
Tue Jul 25 16:23:46 2017 us=471132   push_entry = 'ping 15'
Tue Jul 25 16:23:46 2017 us=471135   push_entry = 'ping-restart 60'
Tue Jul 25 16:23:46 2017 us=471139   ifconfig_pool_defined = DISABLED
Tue Jul 25 16:23:46 2017 us=471143   ifconfig_pool_start = 0.0.0.0
Tue Jul 25 16:23:46 2017 us=471147   ifconfig_pool_end = 0.0.0.0
Tue Jul 25 16:23:46 2017 us=471150   ifconfig_pool_netmask = 0.0.0.0
Tue Jul 25 16:23:46 2017 us=471154   ifconfig_pool_persist_filename = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=471158   ifconfig_pool_persist_refresh_freq = 600
Tue Jul 25 16:23:46 2017 us=471161   ifconfig_ipv6_pool_defined = DISABLED
Tue Jul 25 16:23:46 2017 us=471167   ifconfig_ipv6_pool_base = ::
Tue Jul 25 16:23:46 2017 us=471171   ifconfig_ipv6_pool_netbits = 0
Tue Jul 25 16:23:46 2017 us=471174   n_bcast_buf = 256
Tue Jul 25 16:23:46 2017 us=471179   tcp_queue_limit = 64
Tue Jul 25 16:23:46 2017 us=471184   real_hash_size = 256
Tue Jul 25 16:23:46 2017 us=471189   virtual_hash_size = 256
Tue Jul 25 16:23:46 2017 us=471194   client_connect_script = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=471198   learn_address_script = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=471207   client_disconnect_script = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=471212   client_config_dir = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=471217   ccd_exclusive = DISABLED
Tue Jul 25 16:23:46 2017 us=471222   tmp_dir = '/tmp'
Tue Jul 25 16:23:46 2017 us=471226   push_ifconfig_defined = DISABLED
Tue Jul 25 16:23:46 2017 us=471232   push_ifconfig_local = 0.0.0.0
Tue Jul 25 16:23:46 2017 us=471239   push_ifconfig_remote_netmask = 0.0.0.0
Tue Jul 25 16:23:46 2017 us=471244   push_ifconfig_ipv6_defined = DISABLED
Tue Jul 25 16:23:46 2017 us=471248   push_ifconfig_ipv6_local = ::/0
Tue Jul 25 16:23:46 2017 us=471252   push_ifconfig_ipv6_remote = ::
Tue Jul 25 16:23:46 2017 us=471255   enable_c2c = ENABLED
Tue Jul 25 16:23:46 2017 us=471259   duplicate_cn = ENABLED
Tue Jul 25 16:23:46 2017 us=471263   cf_max = 0
Tue Jul 25 16:23:46 2017 us=471266   cf_per = 0
Tue Jul 25 16:23:46 2017 us=471270   max_clients = 1024
Tue Jul 25 16:23:46 2017 us=471273   max_routes_per_client = 256
Tue Jul 25 16:23:46 2017 us=471276   auth_user_pass_verify_script = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=471280   auth_user_pass_verify_script_via_file = DISABLED
Tue Jul 25 16:23:46 2017 us=471283   auth_token_generate = DISABLED
Tue Jul 25 16:23:46 2017 us=471287   auth_token_lifetime = 0
Tue Jul 25 16:23:46 2017 us=471290   port_share_host = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=471294   port_share_port = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=471297   client = DISABLED
Tue Jul 25 16:23:46 2017 us=471301   pull = DISABLED
Tue Jul 25 16:23:46 2017 us=471304   auth_user_pass_file = '[UNDEF]'
Tue Jul 25 16:23:46 2017 us=471309 OpenVPN 2.4.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 20 2017
Tue Jul 25 16:23:46 2017 us=471317 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Tue Jul 25 16:23:46 2017 us=471670 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Tue Jul 25 16:23:46 2017 us=471951 Diffie-Hellman initialized with 2048 bit key
Tue Jul 25 16:23:46 2017 us=472265 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Jul 25 16:23:46 2017 us=472278 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Jul 25 16:23:46 2017 us=472288 TLS-Auth MTU parms [ L:1653 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Tue Jul 25 16:23:46 2017 us=472406 TUN/TAP device tap0 opened
Tue Jul 25 16:23:46 2017 us=472421 TUN/TAP TX queue length set to 100
Tue Jul 25 16:23:46 2017 us=472445 Data Channel MTU parms [ L:1653 D:1450 EF:121 EB:411 ET:32 EL:3 ]
Tue Jul 25 16:23:46 2017 us=472453 Could not determine IPv4/IPv6 protocol. Using AF_INET
Tue Jul 25 16:23:46 2017 us=472463 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Jul 25 16:23:46 2017 us=472475 UDPv4 link local (bound): [AF_INET][undef]:1986
Tue Jul 25 16:23:46 2017 us=472482 UDPv4 link remote: [AF_UNSPEC]
Tue Jul 25 16:23:46 2017 us=472491 MULTI: multi_init called, r=256 v=256
Tue Jul 25 16:23:46 2017 us=472521 Initialization Sequence Completed
About the clients one, at the moment I have no internet connectivity from the Intel Nuc so the client (android phone with openvpn client TAP) is not "seeing" it over the internet. I don't want to use my router-client in this moment.

By the way...is this the reason of my problem?

from the log:
NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to

matej
OpenVpn Newbie
Posts: 15
Joined: Thu Jan 07, 2016 1:24 pm

Re: Openvpn server bridge TAP using routers DHCP server

Post by matej » Wed Jul 26, 2017 8:30 am

bah... I give up

I tried to install manually a bridge, since there must be the problem and then the bridge always had a different mac address and IP so I wasn't able to make a port forewarding on the router making the server unreachable. Sometimes I wasn't able to access internet, sometimes I was...Then, when I successfully connected to the server, I was not able to access local network and so on and so on....

...guy...make the things simple!!! It is not possible to make things such complex!!! come on! its 2017

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Openvpn server bridge TAP using routers DHCP server

Post by TinCanTech » Wed Jul 26, 2017 10:50 am

I suspect your problem is with the underlying network infra-structure.

You can contact me: tincanteksup <at> gmail

brepo
OpenVpn Newbie
Posts: 5
Joined: Mon Feb 05, 2018 2:34 pm

Re: Openvpn server bridge TAP using routers DHCP server

Post by brepo » Mon Feb 05, 2018 4:47 pm

some solution ? I have the same problem

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Openvpn server bridge TAP using routers DHCP server

Post by TinCanTech » Mon Feb 05, 2018 6:01 pm

If you can find a solution then let us know .. otherwise, you have achieved nothing.

brepo
OpenVpn Newbie
Posts: 5
Joined: Mon Feb 05, 2018 2:34 pm

Re: Openvpn server bridge TAP using routers DHCP server

Post by brepo » Mon Feb 05, 2018 9:55 pm

I tested it all day.

asus router rt-xxx has an error in the client

asus rt-ac68 (tap server) - debian (client) works
asus rt-ac68 (tap server) - windows (client) works

asus rt-ac68 (tap server) - Asus rt-ac68 or Asus 4g-ac68 - error

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Openvpn server bridge TAP using routers DHCP server

Post by TinCanTech » Mon Feb 05, 2018 10:22 pm

Please start a new thread.

Please see:
HOWTO: Request Help !

brepo
OpenVpn Newbie
Posts: 5
Joined: Mon Feb 05, 2018 2:34 pm

Re: Openvpn server bridge TAP using routers DHCP server

Post by brepo » Wed Feb 07, 2018 10:30 am

ok, solved
example:
server lan: 192.168.6.0
client lan: 192.168.41.0

1. for tests, use the default server file - set only tap (generates client.ovpn).
2. on server add to Static Route 192.168.41.0 255.255.255.0 0.0.0.0 24 LAN and add, save
3. on client add to Static Route 192.168.6.0 255.255.255.0 0.0.0.0 24 LAN and add, save

it works :)

Locked