Clients cannot reach network behind server (bridge, vSphere)

kossmann
OpenVpn Newbie
Posts: 1
Joined: Wed May 20, 2020 8:43 am

Post by kossmann » Wed May 20, 2020 9:29 am

Hi there,

I reinstalled my Debian server with a running OpenVPN daemon inside a vSphere 7.0 instance. Nearly everything is running fine except OpenVPN: the VPN clients cannot reach any server in the network anymore, only the VPN server itself.

First hint from Google: activate promiscuous mode on the virtual network switch. Done, but no effect.

Debian 10.4 with OpenVPN 2.4.7, with the following configuration:

cat /etc/network/interfaces

[code]
auto lo
iface lo inet loopback

auto ens192
iface ens192 inet manual
        up ip link set $IFACE up promisc on
        down ip link set $IFACE down promisc off
        mtu 1492

auto br0
iface br0 inet static
        pre-up openvpn --mktun --dev tap0
        post-down openvpn --rmtun --dev tap0
        address 10.81.0.101/24
        gateway 10.81.0.1
        bridge_ports ens192 tap0
        mtu 1492
[/code]

netstat -i

[code]
Kernel-Schnittstellentabelle
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
br0       1492    15479      0      2 0          8860      0      0      0 BMRU
ens192    1492    25446      0     42 0          8889      0      0      0 BMPRU
lo       65536     3426      0      0 0          3426      0      0      0 LRU
tap0      1492       76      0      0 0          8855      0      0      0 BMRU
[/code]

brctl show

[code]
bridge name     bridge id               STP enabled     interfaces
br0             8000.000c294acc4c       no              ens192
                                                        tap0
[/code]

dmesg | grep br0

[code]
[    6.320641] br0: port 1(ens192) entered blocking state
[    6.320642] br0: port 1(ens192) entered disabled state
[    6.324110] br0: port 2(tap0) entered blocking state
[    6.324112] br0: port 2(tap0) entered disabled state
[    6.326602] br0: port 1(ens192) entered blocking state
[    6.326603] br0: port 1(ens192) entered forwarding state
[    6.504445] br0: port 2(tap0) entered blocking state
[    6.504447] br0: port 2(tap0) entered forwarding state
[/code]

iptables -vnL

[code]
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
[/code]

cat /proc/sys/net/ipv4/ip_forward # is this even necessary in bridge mode?

[code]
1
[/code]

cat /etc/openvpn/openvpn.mydomain.tld.conf

[code]
dev                     tap0
port                    1194
proto                   udp4

persist-key
persist-tun

mode                    server
tls-server
cert                    /etc/ssl/openvpn/openvpn.mydomain.tld.pem
key                     /etc/ssl/openvpn/openvpn.mydomain.tld.key
ca                      /etc/ssl/openvpn/CA.pem
tls-auth                /etc/ssl/openvpn/CA.TLS-PSK.key 0
dh                      /etc/ssl/dh4096.pem

local                   10.81.0.101
server-bridge           10.81.0.101 255.255.255.0 10.81.0.200 10.81.0.209
ifconfig-pool-persist   /etc/openvpn/ipp.txt

push                    "dhcp-option DNS 10.81.0.103"
push                    "dhcp-option DOMAIN mydomain.tld"
push                    "persist-key"
push                    "persist-tun"

fragment                1400
mssfix                  1360

keepalive               10 120
float
cipher                  AES-256-CBC
auth                    SHA512
tls-cipher              TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
tls-version-min         1.2
comp-lzo                adaptive
client-to-client

user                    nobody
group                   nogroup

status                  /var/log/openvpn-status.log
log                     /var/log/openvpn.log
verb                    3
[/code]

The VPN clients can connect to the VPN server and get an IP (e.g. 10.81.0.202). They can ping the internal IP of the VPN server (10.81.0.101), but cannot reach the DNS server (10.81.0.103), the gateway (10.81.0.1) or anything else.

I also tried this, without effect, but I feel that I did not have this on the previous server.

[code]
iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
[/code]

There is no firewall running inside the Debian server (no ufw, AppArmor disabled).

Any ideas?
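
A layer-by-layer check for a tap0 + ens192 bridge like the one in this post, added here as an example and not the poster's own code. It assumes the interface names from the post (br0, ens192, tap0), a constructed client MAC, and root plus iproute2, tcpdump and coreutils timeout for the live run.

```shell
#!/bin/sh
# Added diagnostic for a tap0 + ens192 bridge like the one in the post (not the
# poster's code). The helpers read text on stdin so they run on constructed input;
# "sh bridge-check.sh live <client-ip> <client-mac>" runs them on the real host
# (root, iproute2, tcpdump and coreutils timeout assumed).

# Final STP state of every br0 port from kernel log lines; the last state wins.
port_states() {
    sed -n 's/.*br0: port [0-9]*(\([^)]*\)) entered \([a-z]*\) state.*/\1 \2/p' |
        awk '{ s[$1] = $2 } END { for (p in s) print p, s[p] }' | sort
}

# Bridge port on which br0 learned a MAC (input: output of `bridge fdb show br br0`).
# No output means br0 never received a frame from that MAC.
fdb_port_for_mac() {
    awk -v mac="$1" 'tolower($1) == tolower(mac) && $2 == "dev" { print $3; exit }'
}

live_checks() {
    echo "# 1. both ports must end in 'forwarding'"
    dmesg | port_states
    echo "# 2. the uplink must be in promiscuous mode"
    ip link show dev ens192 | grep -q PROMISC && echo 'ens192 promisc=on' || echo 'ens192 promisc=OFF'
    echo "# 3. the client's MAC should be learned on tap0"
    bridge fdb show br br0 | fdb_port_for_mac "$2"
    echo "# 4. client ARP requests must leave ens192 AND replies must come back;"
    echo "#    requests with no replies (while the server itself resolves the gateway)"
    echo "#    mean frames with a non-vNIC source MAC are dropped upstream: on vSphere"
    echo "#    check the port group security policy (MAC address changes, Forged transmits)."
    timeout 15 tcpdump -nni ens192 -c 6 arp and host "$1"
}

# Constructed sample: the dmesg lines from the post and a made-up FDB excerpt
# (the ens192 MAC is the bridge id from the post, the client MAC is invented).
SAMPLE_DMESG='[    6.320641] br0: port 1(ens192) entered blocking state
[    6.320642] br0: port 1(ens192) entered disabled state
[    6.324110] br0: port 2(tap0) entered blocking state
[    6.324112] br0: port 2(tap0) entered disabled state
[    6.326603] br0: port 1(ens192) entered forwarding state
[    6.504447] br0: port 2(tap0) entered forwarding state'
SAMPLE_FDB='00:ff:aa:bb:cc:01 dev tap0 master br0
00:0c:29:4a:cc:4c dev ens192 master br0 permanent'

if [ "${1:-}" = "live" ]; then
    live_checks "$2" "$3"
else
    printf '%s\n' "$SAMPLE_DMESG" | port_states                         # both forwarding
    printf '%s\n' "$SAMPLE_FDB" | fdb_port_for_mac 00:ff:aa:bb:cc:01    # tap0
fi
```

Step 3 distinguishes "frames never enter the bridge" from "frames cross the bridge but get no answer", which is the split that decides whether to look at the Debian host or at the virtual switch.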
