Routing traffic between remote lan and virtual LAN (also multicast)

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
BernatGaston
OpenVpn Newbie
Posts: 1
Joined: Fri Aug 12, 2022 9:39 am

Routing traffic between remote lan and virtual LAN (also multicast)

Post by BernatGaston » Fri Aug 12, 2022 10:01 am

Hi all,

I am trying to configure OpenVPN on Ubuntu 22.04 so that I can remotely access a physical LAN. I not only need access to computers and resources (like an IP printer and several servers), but I also need to be able to receive and send multicast traffic.
I have successfully set up a tap bridge on my OpenVPN server, and I am able to connect to it and receive an IP in the range of the remote physical LAN. I can also reach the OpenVPN server on its physical remote LAN IP. However, I cannot reach any other machine in the remote physical LAN.
Doing some research, I found that if I ping from my virtual LAN client to a server in my physical LAN, I can see the traffic there (I can see the ping requests and responses), but they never get back to the client. In a nutshell, my remote traffic reaches the physical LAN, but it never gets back (except for the OpenVPN server itself).
Hence, I suppose I basically have a problem with my return traffic routing. However, I have tried ip_forward and modifying rules, but nothing worked...
I have seen that in some examples they provide a different subnet for the physical and the virtual LAN (example: https://openvpn.net/community-resources ... er-subnet/). Is it necessary? I am afraid I will have problems with my multicast traffic if I do this, but I am not really sure (I'm not an expert in networking, tbh). My intention was to reserve a pool of IPs for the virtual LAN that lies inside the physical range. That is, if my physical LAN is 172.16.0.0/16, to provide the range 172.16.11.x/16 for my virtual machines.
I have the impression that my setup is quite usual (wanting to work remotely exactly as if I were there physically), but I've been unable to find a solution after several days of hitting this wall.

Thank you very much

My configs:

Server Config


port someport
proto udp
dev tap                         # bridging needs a tap (layer 2) device
ca ca.crt
cert openvpnserver.crt
key openvpnserver.key # This file should be kept secret
dh none                         # ECDH only, no DH parameter file
ifconfig-pool-persist /var/log/openvpn/ipp.txt
# server-bridge <gateway> <netmask> <pool-start> <pool-end>: the gateway is the
# server's own address on br0 (172.16.0.11 in the routes below), not the
# network address 172.16.0.0; OpenVPN pushes it to clients as route-gateway
server-bridge 172.16.0.11 255.255.0.0 172.16.11.2 172.16.11.250
client-to-client                # let VPN clients reach each other
keepalive 10 120
tls-crypt ta.key                # encrypt and authenticate the control channel
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup                   # drop privileges after startup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1


My server iptables
iptables --list

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


My server routes
ip route show

default via 172.16.0.1 dev br0 proto static
172.16.0.0/16 dev br0 proto kernel scope link src 172.16.0.11


My sysctl
cat sysctl

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
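Before chasing packet captures, it is worth checking that the posted server-bridge line is consistent with the bridge's own address. The script below is an added example, not code from this thread or from OpenVPN: it parses the config, the `ip route show` output and the sysctl lines posted above (embedded here as constructed samples) and reports mismatches. It assumes the bridge interface is `br0` and that the first argument of `server-bridge` is meant to be the server's address on the bridge (OpenVPN pushes that value to clients as `route-gateway`), so a gateway equal to the network address is flagged.

```python
import ipaddress
import re

# Constructed sample inputs, copied from the config and outputs posted above.
SERVER_CONF = """\
dev tap
server-bridge 172.16.0.0 255.255.0.0 172.16.11.2 172.16.11.250
client-to-client
"""

IP_ROUTE_SHOW = """\
default via 172.16.0.1 dev br0 proto static
172.16.0.0/16 dev br0 proto kernel scope link src 172.16.0.11
"""

SYSCTL_CONF = """\
net.ipv4.ip_forward=1
net.bridge.bridge-nf-call-iptables = 0
"""


def parse_server_bridge(conf):
    """Return (gateway, netmask, pool_start, pool_end) from the server-bridge line."""
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0] == "server-bridge":
            if len(parts) != 5:
                raise ValueError("server-bridge needs: gateway netmask pool-start pool-end")
            gw, mask, start, end = parts[1:]
            return (ipaddress.IPv4Address(gw), mask,
                    ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))
    raise ValueError("no server-bridge line found")


def has_directive(conf, *words):
    """True if some config line starts with exactly these words (e.g. 'dev', 'tap')."""
    return any(line.split("#", 1)[0].split()[:len(words)] == list(words)
               for line in conf.splitlines())


def bridge_address(routes, dev="br0"):
    """(network, address) of the bridge, taken from its kernel scope-link route."""
    pat = re.compile(r"^(\S+) dev %s proto kernel scope link src (\S+)" % re.escape(dev))
    for line in routes.splitlines():
        m = pat.match(line)
        if m:
            return ipaddress.IPv4Network(m.group(1)), ipaddress.IPv4Address(m.group(2))
    return None, None


def sysctl_value(text, key):
    """Value of key in sysctl-style 'key = value' text, or None if absent."""
    for line in text.splitlines():
        k, _, v = line.partition("=")
        if k.strip() == key:
            return v.strip()
    return None


def check_server_bridge(conf, routes, sysctl):
    """Return a list of findings; an empty list means the bridge config looks consistent."""
    findings = []
    if not has_directive(conf, "dev", "tap"):
        findings.append("server-bridge requires 'dev tap'")
    gw, mask, start, end = parse_server_bridge(conf)
    subnet = ipaddress.IPv4Network("%s/%s" % (gw, mask), strict=False)
    br_net, br_addr = bridge_address(routes)
    # The gateway (pushed as route-gateway) must be a host address: the bridge's own IP.
    if gw in (subnet.network_address, subnet.broadcast_address):
        findings.append("gateway %s is the network/broadcast address of %s; "
                        "it must be the bridge's own IP" % (gw, subnet))
    elif br_addr is not None and gw != br_addr:
        findings.append("gateway %s is not the br0 address %s" % (gw, br_addr))
    if br_net is not None and subnet != br_net:
        findings.append("server-bridge subnet %s differs from br0 subnet %s" % (subnet, br_net))
    for ip in (start, end):
        if ip not in subnet:
            findings.append("pool address %s is outside %s" % (ip, subnet))
    if start > end:
        findings.append("pool start %s is above pool end %s" % (start, end))
    # With bridge-nf-call-iptables=1 the FORWARD chain also sees bridged frames.
    if sysctl_value(sysctl, "net.bridge.bridge-nf-call-iptables") == "1":
        findings.append("bridge-nf-call-iptables=1: the iptables FORWARD chain "
                        "also filters bridged frames; make sure it accepts them")
    return findings


if __name__ == "__main__":
    for finding in check_server_bridge(SERVER_CONF, IP_ROUTE_SHOW, SYSCTL_CONF):
        print("FINDING:", finding)
```

Run against the posted config it reports only the gateway mismatch; with the gateway changed to the br0 address 172.16.0.11 it reports nothing, which narrows the remaining problem to the bridge itself (whether the tap device is actually enslaved to br0 and whether the replies show up on it), which is what the reply below asks to verify.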

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Routing traffic between remote lan and virtual LAN (also multicast)

Post by ordex » Sun Sep 11, 2022 11:14 pm

Can you check on the OpenVPN server if the ping response is reaching it on the LAN interface (and thus the bridge)?
