I'm having trouble setting up a bridged VPN connection. I've successfully achieved a routed VPN connection, but bridging is not working, and I have already spent several hours trying to solve the problem. This is now my last attempt; I hope one of you can help me.
How it is going so far:
- The VPN server is running on Ubuntu Server 20.04.3 LTS. The server has a static IP of 192.168.0.9; the router, which provides DHCP, is at 192.168.0.1.
- The local network is 192.168.0.0/24. I'm aware that this is not ideal and I will change it once it works. The client is connected to a 192.168.43.0/24 subnet.
- I can connect to the VPN server from outside the LAN (see log)
- An IP address is assigned to the client (192.168.0.200)
- I can't ping or SSH to the VPN server, nor any other device behind it
- Traffic is not routed through the VPN
Server Config
port 1194
proto udp
dev tap0
script-security 2
ca ca.crt
cert ***.crt
key ***.key
dh dh.pem
ifconfig-pool-persist /var/log/openvpn/ipp.txt
server-bridge 192.168.0.9 255.255.255.0 192.168.0.200 192.168.0.210
topology subnet
mssfix
push "route 0.0.0.0 0.0.0.0 192.168.0.9"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
I also tried (without luck):
- Remove push "route 0.0.0.0 0.0.0.0 192.168.0.9"
- Remove push "route 0.0.0.0 0.0.0.0 192.168.0.9", change to server-bridge nogw
- Remove push "route 0.0.0.0 0.0.0.0 192.168.0.9", change to server-bridge
ip routes on server
default via 192.168.0.1 dev br0 proto static
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.9
iptables on server
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tap0 * 0.0.0.0/0 0.0.0.0/0
90 7752 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 9 packets, 1464 bytes)
pkts bytes target prot opt in out source destination
sysctl.conf on server
net.ipv4.ip_forward=1
ip a on server
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP group default qlen 1000
link/ether 50:eb:f6:24:fd:04 brd ff:ff:ff:ff:ff:ff
altname enp0s31f6
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 50:eb:f6:24:fd:04 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.9/24 brd 192.168.0.255 scope global br0
valid_lft forever preferred_lft forever
inet6 fe80::52eb:f6ff:fe24:fd04/64 scope link
valid_lft forever preferred_lft forever
6: tap0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 100
link/ether 0e:83:41:5e:01:ec brd ff:ff:ff:ff:ff:ff
It doesn't matter whether a client is connected or not; the state of tap0 is always "DOWN". Is this the problem? If I try ip link set dev tap0 up, the state changes to "UNKNOWN".
Client Config
client
dev tap0
proto udp
remote 84.***.***.*** 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
cipher AES-256-CBC
verb 3
key-direction 1
script-security 2
<ca>
***
</ca>
<cert>
***
</cert>
<key>
***
</key>
<tls-auth>
***
</tls-auth>
Client log
2022-01-23 11:14:20 NOTE: --user option is not implemented on Windows
2022-01-23 11:14:20 NOTE: --group option is not implemented on Windows
2022-01-23 11:14:20 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2022-01-23 11:14:20 OpenVPN 2.5.5 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 15 2021
2022-01-23 11:14:20 Windows version 10.0 (Windows 10 or greater) 64bit
2022-01-23 11:14:20 library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
2022-01-23 11:14:20 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2022-01-23 11:14:20 Need hold release from management interface, waiting...
2022-01-23 11:14:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
2022-01-23 11:14:21 MANAGEMENT: CMD 'state on'
2022-01-23 11:14:21 MANAGEMENT: CMD 'log all on'
2022-01-23 11:14:21 MANAGEMENT: CMD 'echo all on'
2022-01-23 11:14:21 MANAGEMENT: CMD 'bytecount 5'
2022-01-23 11:14:21 MANAGEMENT: CMD 'hold off'
2022-01-23 11:14:21 MANAGEMENT: CMD 'hold release'
2022-01-23 11:14:21 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2022-01-23 11:14:21 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-01-23 11:14:21 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-01-23 11:14:21 TCP/UDP: Preserving recently used remote address: [AF_INET]84.***.***.***:1194
2022-01-23 11:14:21 Socket Buffers: R=[65536->65536] S=[65536->65536]
2022-01-23 11:14:21 UDP link local: (not bound)
2022-01-23 11:14:21 UDP link remote: [AF_INET]84.***.***.***:1194
2022-01-23 11:14:21 MANAGEMENT: >STATE:1642932861,WAIT,,,,,,
2022-01-23 11:14:21 MANAGEMENT: >STATE:1642932861,AUTH,,,,,,
2022-01-23 11:14:21 TLS: Initial packet from [AF_INET]84.***.***.***:1194, sid=e56db453 44ba32ce
2022-01-23 11:14:21 VERIFY OK: depth=1, CN=***
2022-01-23 11:14:21 VERIFY OK: depth=0, CN=***
2022-01-23 11:14:21 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2022-01-23 11:14:21 [***] Peer Connection Initiated with [AF_INET]84.***.***.***:1194
2022-01-23 11:14:22 MANAGEMENT: >STATE:1642932862,GET_CONFIG,,,,,,
2022-01-23 11:14:22 SENT CONTROL [***]: 'PUSH_REQUEST' (status=1)
2022-01-23 11:14:22 PUSH: Received control message: 'PUSH_REPLY,route 0.0.0.0 0.0.0.0 192.168.0.9,route-gateway 192.168.0.9,ping 10,ping-restart 120,ifconfig 192.168.0.200 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2022-01-23 11:14:22 OPTIONS IMPORT: timers and/or timeouts modified
2022-01-23 11:14:22 OPTIONS IMPORT: --ifconfig/up options modified
2022-01-23 11:14:22 OPTIONS IMPORT: route options modified
2022-01-23 11:14:22 OPTIONS IMPORT: route-related options modified
2022-01-23 11:14:22 OPTIONS IMPORT: peer-id set
2022-01-23 11:14:22 OPTIONS IMPORT: adjusting link_mtu to 1656
2022-01-23 11:14:22 OPTIONS IMPORT: data channel crypto options modified
2022-01-23 11:14:22 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-01-23 11:14:22 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-01-23 11:14:22 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-01-23 11:14:22 interactive service msg_channel=884
2022-01-23 11:14:22 open_tun
2022-01-23 11:14:22 tap-windows6 device [tap-bridge] opened
2022-01-23 11:14:22 TAP-Windows Driver Version 9.24
2022-01-23 11:14:22 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.0.200/255.255.255.0 on interface {C47B1A12-D10D-452A-B693-18186B397D13} [DHCP-serv: 192.168.0.0, lease-time: 31536000]
2022-01-23 11:14:22 Successful ARP Flush on interface [25] {C47B1A12-D10D-452A-B693-18186B397D13}
2022-01-23 11:14:22 MANAGEMENT: >STATE:1642932862,ASSIGN_IP,,192.168.0.200,,,,
2022-01-23 11:14:22 IPv4 MTU set to 1500 on interface 25 using service
2022-01-23 11:14:27 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
2022-01-23 11:14:27 MANAGEMENT: >STATE:1642932867,ADD_ROUTES,,,,,,
2022-01-23 11:14:27 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 192.168.0.9
2022-01-23 11:14:27 Route addition via service succeeded
2022-01-23 11:14:27 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2022-01-23 11:14:27 Initialization Sequence Completed
2022-01-23 11:14:27 MANAGEMENT: >STATE:1642932867,CONNECTED,SUCCESS,192.168.0.200,84.***.***.***,1194,,
syslog on server
Jan 23 11:21:01 ***ovpn-***[1958]: 46.140.1.87:63877 peer info: IV_GUI_VER=OpenVPN_GUI_11
Where is my problem located? I'm very thankful for any advice!
Best,
Stitz
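In the posted ip a output, eno1 is listed with "master br0" while tap0 has no master and sits in state DOWN, so Ethernet frames from VPN clients have no path onto the LAN segment. The following is an added example, not part of the original post: an OpenVPN up script (assumed install path /etc/openvpn/bridge-up.sh, bridge name br0 and device tap0 taken from the post) that enslaves the tap device to the bridge when OpenVPN creates it, plus a helper that checks ip -o link output for the "master br0" marker.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed bridge name br0 and
# tap device tap0 (both taken from the post's "ip a" output); assumed
# install path /etc/openvpn/bridge-up.sh, referenced from server.conf as:
#   up /etc/openvpn/bridge-up.sh
# (script-security 2 is already present in the posted server config.)
# OpenVPN runs the up script with the tap device name as $1 and also
# exports it as the environment variable $dev.

BR="br0"

# Return 0 if one line of 'ip -o link show' output ($1) reports the
# device as enslaved to bridge $2, i.e. contains "master <bridge>".
link_has_master() {
    case " $1 " in
        *" master $2 "*) return 0 ;;
        *)               return 1 ;;
    esac
}

# Print the commands that enslave device $1 to bridge $2 and bring it up.
# Kept separate from execution so they can be inspected or dry-run.
bridge_attach_cmds() {
    printf '%s\n' "ip link set dev $1 master $2" "ip link set dev $1 up"
}

# Run those commands; with DRY_RUN=1 they are only printed.
bridge_attach() {
    bridge_attach_cmds "$1" "$2" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            $cmd   # intentional word splitting: run the command line
        fi
    done
}

# Verify membership after attaching (needs iproute2 and root). Returns 0
# when device $1 shows up with "master $2".
bridge_verify() {
    link_has_master "$(ip -o link show dev "$1" 2>/dev/null)" "$2"
}

# Only act when invoked by OpenVPN (device passed as $1 and exported as
# $dev), so sourcing the file for inspection has no side effects.
if [ $# -gt 0 ] && [ -n "${dev:-}" ]; then
    bridge_attach "$1" "$BR"
    bridge_verify "$1" "$BR" || { echo "bridge-up: $1 not in $BR" >&2; exit 1; }
fi
```

After a client connects, ip -o link show dev tap0 on the server should list "master br0" and the device should no longer be in state DOWN; if the tap0 line still lacks that marker, the script was not run (check the up directive and the OpenVPN log).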