us=924829 Recursive routing detected, drop tun packet to
I am doing bridging; on the client side everything is working fine (I can ping the remote default gateway). Once I do a brctl addif br0 tap0, I get this message and basically the VPN tunnel stops working:
us=924829 Recursive routing detected, drop tun packet to
Re: us=924829 Recursive routing detected, drop tun packet to
Thanks, have done this and will make a new thread with full details.
Cheers
OpenVPN Public IP Unique Bridging Issue - How To Route Both on the LAN and through the bridge as needed?
I am trying to accomplish the following. I want clients to use the "Client Side" VPN bridge as a sort of router on the LAN, so they can use public IPs from the server side via the bridge. I am able to sort of make it work on the client end by assigning a public IP to tap0, and it is reachable from the outside world.
However, the true goal of having other systems on the LAN assign public IPs and use the .254 address assigned to br0:0 on the client-side LAN to route back to the remote gateway only works with some routing hacking, and only for 30 seconds, by adding tap0 to br0 (the problem is that doing this breaks the public IP connectivity from tap0, but it does allow traffic to flow temporarily, maybe until the port comes up).
Basically the problem is: how do I allow the VPN client side to pass traffic to tap0 when necessary, but also communicate with other clients on the LAN who have been assigned the same range? I have tried different routes and used iptables with no solid solution.
Would be very grateful for any help.
Cheers
Server
Operating System:
Centos 6.9
Linux openvpntest 2.6.32-696.6.3.el6.x86_64 #1 SMP Wed Jul 12 14:17:22 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Network Setup (ifconfig):
Code:
br0 Link encap:Ethernet HWaddr 0A:E5:A9:37:9E:43
inet addr:94.22.41.81 Bcast:94.22.41.255 Mask:255.255.255.0
inet6 addr: fe80::dcad:beff:feef:f215/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7201 errors:0 dropped:0 overruns:0 frame:0
TX packets:6698 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:564241 (551.0 KiB) TX bytes:1023323 (999.3 KiB)
eth0 Link encap:Ethernet HWaddr DE:AD:BE:EF:F2:15
inet6 addr: fe80::dcad:beff:feef:f215/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9401 errors:0 dropped:0 overruns:0 frame:0
TX packets:8209 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:794954 (776.3 KiB) TX bytes:1128533 (1.0 MiB)
Interrupt:10 Base address:0x4000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
tap0 Link encap:Ethernet HWaddr 0A:E5:A9:37:9E:43
inet6 addr: fe80::8e5:a9ff:fe37:9e43/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1580 errors:0 dropped:0 overruns:0 frame:0
TX packets:6373 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:108108 (105.5 KiB) TX bytes:573560 (560.1 KiB)
server.conf
Code:
tls-server
port 11194
proto udp
dev tap0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
client-to-client
#client-config-dir /etc/openvpn/clients
#server 10.10.10.0 255.255.255.0
route 94.22.41.0 255.255.255.0
mode server
#tun-mtu 1400
keepalive 10 30
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 4
Client
Operating system:
Centos 6.9
Linux localhost.localdomain 2.6.32-696.6.3.el6.x86_64 #1 SMP Wed Jul 12 14:17:22 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Network setup (ifconfig):
Code:
br0 Link encap:Ethernet HWaddr 08:00:27:68:3D:D8
inet addr:192.168.1.30 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe68:3dd8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:637935 errors:0 dropped:0 overruns:0 frame:0
TX packets:154089 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:71459109 (68.1 MiB) TX bytes:20399688 (19.4 MiB)
br0:0 Link encap:Ethernet HWaddr 08:00:27:68:3D:D8
inet addr:94.22.41.254 Bcast:94.22.41.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0 Link encap:Ethernet HWaddr 08:00:27:68:3D:D8
inet6 addr: fe80::a00:27ff:fe68:3dd8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:592682 errors:0 dropped:0 overruns:0 frame:0
TX packets:157850 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:76504192 (72.9 MiB) TX bytes:21193653 (20.2 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:17128 errors:0 dropped:0 overruns:0 frame:0
TX packets:17128 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1917780 (1.8 MiB) TX bytes:1917780 (1.8 MiB)
tap0 Link encap:Ethernet HWaddr 4A:05:AA:EF:6B:06
inet addr:94.22.41.82 Bcast:94.22.41.255 Mask:255.255.255.0
inet6 addr: fe80::4805:aaff:feef:6b06/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:38 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:1812 (1.7 KiB)
client.ovpn
Code:
proto udp
port 11194
dev tap
remote 94.22.41.81
script-security 3
route-up "/root/clientside-restore/tap0-up.sh"
tls-client
ca ca.crt
cert client.crt
key client.key
pull
comp-lzo
verb 4
tap0-up.sh
Code:
#!/bin/bash
# route-up script: OpenVPN runs this after the tap device is up and routes are pulled
export PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin"
#echo 1 > /proc/sys/net/ipv4/conf/br0/proxy_arp
#echo 1 > /proc/sys/net/ipv4/conf/tap0/proxy_arp
tap=tap0
remoteip=94.22.41.81        # public address of the OpenVPN server
localgateway=192.168.1.1    # LAN router that actually reaches the server
remotegateway=94.22.41.1    # gateway on the server-side public /24
tap0ip=94.22.41.82          # public address assigned to the tap interface
br0ip=94.22.41.254          # .254 alias on the LAN bridge
# host route to the VPN server via the LAN router, so the tunnel's own UDP packets
# are never sent into the tunnel once the default route is moved to tap0
ip route add "$remoteip" via "$localgateway" dev br0
ip link set dev "$tap" address 4A:05:AA:EF:6B:06
ifconfig "$tap" "$tap0ip" netmask 255.255.255.0 up
ifconfig br0:0 "$br0ip" netmask 255.255.255.0 up
# swap the default route from the LAN router to the remote gateway over the tap
route del default gw "$localgateway"
route add "$remotegateway" dev "$tap"
route add default gw "$remotegateway" dev "$tap"
#this seems to make it possible for the remote IP to work
#ip route del 94.22.41.0/24 dev tap0
#adding tap0 to the bridge makes the public IP stop working
#however sometimes if you delete and re-add it, it allows a LAN client public IP to work for 30 seconds until the port is enabled, very weird
#brctl addif br0 tap0
routing (ip route show):
Code:
ip route show
94.22.41.81 via 192.168.1.1 dev br0
94.22.41.1 dev tap0 scope link
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.30
94.22.41.0/24 dev tap0 proto kernel scope link src 94.22.41.82
169.254.0.0/16 dev br0 scope link metric 1003
default via 94.22.41.1 dev tap0
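The "Recursive routing detected" message from the first thread and the `ip route add $remoteip via $localgateway dev br0` line in tap0-up.sh are two sides of the same check: once the default route points into tap0, the UDP packets that carry the tunnel to 94.22.41.81 must still leave via the LAN router, otherwise they would be routed into the very tunnel they encapsulate and OpenVPN drops them. The following Python script is an added example, not code from the forum thread or from OpenVPN: it parses `ip route show` text, performs a longest-prefix lookup, and reports whether the VPN endpoint would egress via the tunnel device. The two routing tables embedded in it are constructed from the table posted above, once with and once without the host route.

```python
"""Longest-prefix lookup over `ip route show` output (added example).

Given the IPv4 routing table a Linux host prints with `ip route show`, find the
interface a destination would leave on, and flag the "recursive routing" case:
the VPN server's own address being routed into the tunnel device.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]  # None for directly connected (on-link) routes
    dev: str


def parse_routes(text: str) -> List[Route]:
    """Parse unicast IPv4 lines of `ip route show` into Route records."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)  # bare host -> /32
        gw, dev = None, None
        for i, tok in enumerate(fields[1:], start=1):
            if tok == "via":
                gw = fields[i + 1]
            elif tok == "dev":
                dev = fields[i + 1]
        if dev is None:
            raise ValueError(f"route without dev: {line!r}")
        routes.append(Route(net, gw, dev))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def is_recursive(routes: List[Route], remote: str, tunnel_dev: str) -> bool:
    """True when packets to the VPN endpoint would egress via the tunnel itself."""
    r = lookup(routes, remote)
    return r is not None and r.dev == tunnel_dev


# Constructed from the client's posted routing table (host route present).
ROUTES_WITH_HOST_ROUTE = """\
94.22.41.81 via 192.168.1.1 dev br0
94.22.41.1 dev tap0 scope link
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.30
94.22.41.0/24 dev tap0 proto kernel scope link src 94.22.41.82
169.254.0.0/16 dev br0 scope link metric 1003
default via 94.22.41.1 dev tap0
"""

# Same table without the host route the tap0-up.sh script adds.
ROUTES_WITHOUT_HOST_ROUTE = """\
94.22.41.1 dev tap0 scope link
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.30
94.22.41.0/24 dev tap0 proto kernel scope link src 94.22.41.82
169.254.0.0/16 dev br0 scope link metric 1003
default via 94.22.41.1 dev tap0
"""

VPN_SERVER = "94.22.41.81"
TUNNEL_DEV = "tap0"

if __name__ == "__main__":
    for label, table in (("with host route", ROUTES_WITH_HOST_ROUTE),
                         ("without host route", ROUTES_WITHOUT_HOST_ROUTE)):
        routes = parse_routes(table)
        r = lookup(routes, VPN_SERVER)
        verdict = "RECURSIVE" if is_recursive(routes, VPN_SERVER, TUNNEL_DEV) else "ok"
        print(f"{label}: {VPN_SERVER} -> dev {r.dev} via {r.gateway}: {verdict}")
```

Run it against a live box by feeding it the output of `ip route show` instead of the embedded text; the same lookup can be used in a route-up script to refuse to move the default route until the host route to the server exists.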