OpenVPN server on Cloud's instance machine

spark1231
OpenVpn Newbie
Posts: 2
Joined: Tue Mar 20, 2018 8:24 am

OpenVPN server on Cloud's instance machine

Post by spark1231 » Tue Mar 20, 2018 8:54 am

Hi experts of OpenVPN,

Recently, our company built 5 VMs (instances) on a cloud platform and we selected one VM on which to install the OpenVPN server. Our purpose is that, once a VPN client connects to the OpenVPN server, it can reach the other 4 instances without using their floating IP addresses (i.e. reach them by private IP).

We selected OpenVPN in TAP mode (bridge) and set up the necessary configuration on both the server side and the client side. The VPN connection can be established. HOWEVER, the VPN client cannot reach any of the other 4 instances, whether by ICMP, ARP or anything else.

Do any experts know whether this scenario will work with OpenVPN? If so, is there anything wrong in my configuration file?
So far, my VPN client can ping instance-1's private IP address successfully, but cannot ping the others. Moreover, I checked the client's TAP interface: when it pings 192.168.111.22, I can see the interface's counter increase, but when the client pings 192.168.111.23, the counter does not increase. I used Wireshark on the client's machine; it shows that the client broadcasts an ARP request but receives no ARP reply.

Here is our environment information:
instance-1 (Ubuntu 14.04 + OpenVPN server with bridge mode)
private IP: 192.168.111.22
floating IP: 10.200.2.114

instance-2
private IP: 192.168.111.23
floating IP: none

instance-3
private IP: 192.168.111.24
floating IP: none

instance-4
private IP: 192.168.111.25
floating IP: none

instance-5
private IP: 192.168.111.26
floating IP: none

Server's configuration content:

port 1194
proto tcp
dev tap0
ca ca.crt
cert vpn-1.crt
key vpn-1.key
dh dh2048.pem
# Bridge mode: the server's own LAN address/mask, then the client address pool
server-bridge 192.168.111.22 255.255.255.0 192.168.111.200 192.168.111.210
push "route 192.168.111.0 255.255.255.0"
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3

Since we followed some tutorials for the how-to, we have 2 more files, for bringing the bridge interface up/down and for the iptables rules, as follows:
bridge-conf.sh

#!/bin/bash

# Define physical ethernet interface to be bridged
# with the TAP interface(s) listed below.
eth="eth0"
eth_ip="192.168.111.22"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.111.255"
eth_gateway="192.168.111.1"
# MAC of eth0; the bridge is given the same address so the
# instance keeps its original L2 identity
eth_mac="FA:16:3E:15:CE:70"

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged together
tap="tap0"

bridge-start.sh

#!/bin/bash

. /etc/openvpn/bridge/bridge-conf.sh
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Create the persistent TAP device(s) OpenVPN will attach to
for t in $tap; do
    openvpn --mktun --dev $t
done

# Create the bridge and add the physical interface to it
brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

# TAP members carry no IP of their own; allow input from them
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
    iptables -A INPUT -i $t -j ACCEPT
done

iptables -A INPUT -i $br -j ACCEPT
iptables -A FORWARD -i $br -j ACCEPT

# Strip the IP from eth0; the bridge takes over the address, MAC and default route
ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
ip link set $br address $eth_mac
route add default gw $eth_gateway $br

bridge-stop.sh

#!/bin/bash

. /etc/openvpn/bridge/bridge-conf.sh
####################################
# Tear Down Ethernet bridge on Linux
####################################

iptables -D INPUT -i $br -j ACCEPT
iptables -D FORWARD -i $br -j ACCEPT

ifconfig $br down
brctl delbr $br

# Remove the TAP device(s) and their firewall rules
for t in $tap; do
    openvpn --rmtun --dev $t
    iptables -D INPUT -i $t -j ACCEPT
done

# Give eth0 its address and default route back
ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast
route add default gw $eth_gateway $eth

Any suggestions or advice will be appreciated.

Thank you!
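The observation above (ARP requests going out on the client's TAP interface with no replies for some targets) is the key data point in a bridged setup, since the bridge only extends one L2 segment and a host that never answers ARP cannot be reached at all. The following diagnostic is added here and is not code from the thread: it parses a tcpdump-style ARP capture taken on the client's TAP interface and reports, per target IP, how many requests were sent and whether a reply (and which MAC) came back. The capture lines are constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample capture in tcpdump's ARP line format, assumed to have been
# taken on the client's tap interface. Not taken from the original thread.
SAMPLE_CAPTURE = """\
12:01:00.100 ARP, Request who-has 192.168.111.22 tell 192.168.111.200, length 28
12:01:00.101 ARP, Reply 192.168.111.22 is-at fa:16:3e:15:ce:70, length 28
12:01:05.200 ARP, Request who-has 192.168.111.23 tell 192.168.111.200, length 28
12:01:06.200 ARP, Request who-has 192.168.111.23 tell 192.168.111.200, length 28
12:01:07.200 ARP, Request who-has 192.168.111.23 tell 192.168.111.200, length 28
"""

REQ = re.compile(r"ARP, Request who-has (\S+) tell (\S+)")
REP = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-fA-F:]{17})")


def arp_summary(capture):
    """Map each target IP to {'requests': count, 'reply_mac': mac or None}."""
    summary = defaultdict(lambda: {"requests": 0, "reply_mac": None})
    for line in capture.splitlines():
        m = REQ.search(line)
        if m:
            summary[m.group(1)]["requests"] += 1
            continue
        m = REP.search(line)
        if m:
            # A reply names the host that owns the IP and its MAC
            summary[m.group(1)]["reply_mac"] = m.group(2).lower()
    return dict(summary)


def unanswered_targets(capture):
    """IPs that were asked for at least once but never answered."""
    s = arp_summary(capture)
    return sorted(ip for ip, v in s.items()
                  if v["requests"] and v["reply_mac"] is None)


if __name__ == "__main__":
    for ip, v in sorted(arp_summary(SAMPLE_CAPTURE).items()):
        state = v["reply_mac"] or "NO REPLY"
        print(f"{ip:16} requests={v['requests']} reply={state}")
    print("unanswered:", unanswered_targets(SAMPLE_CAPTURE))
```

On a working bridge every target on the segment should appear with a reply MAC; a target that appears only under "unanswered" shows the frames are not being delivered to it, or its replies are not coming back across the bridge, before any IP-level troubleshooting is useful.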

TinCanTech
OpenVPN Protagonist
Posts: 4408
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN server on Cloud's instance machine

Post by TinCanTech » Tue Mar 20, 2018 12:46 pm

Try this:

server-bridge 192.168.111.1 255.255.255.0 192.168.111.200 192.168.111.210

spark1231
OpenVpn Newbie
Posts: 2
Joined: Tue Mar 20, 2018 8:24 am

Re: OpenVPN server on Cloud's instance machine

Post by spark1231 » Tue Mar 20, 2018 2:55 pm

Hi TinCanTech,

Thank you for your reply. Actually, 192.168.111.1 is the default gateway IP address of all instances. Should I still use this value? According to my test results, I had already configured

server-bridge 192.168.111.1 255.255.255.0 192.168.111.200 192.168.111.210

this parameter before, but it did not work for the VPN client's traffic.

Should I provide any other information that would help to find out where the problem is?

Thank you!
