TAP DHCP Client on a Linux (RPi) device failing to work

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

ambarusa
OpenVpn Newbie
Posts: 1
Joined: Thu Mar 09, 2023 8:37 am

TAP DHCP Client on a Linux (RPi) device failing to work

Post by ambarusa » Thu Mar 09, 2023 1:07 pm

Hi,

I have been trying for a while now to create a TAP VPN network, where any of my external devices would work just like a normal LAN DHCP client.
By this I mean:
  • letting my OpenWrt router handle the DHCP, pushing DHCP options and so on.
  • the device can access my Homelab server and report states for Prometheus and Grafana.
  • having access to a filtering DNS, which also handles local domains (Adguardhome).
With my current router setup and the .conf files below, it works like a charm from a Windows client automatically: I can be on the LAN network from anywhere and have access to every LAN device.
The problem comes when I want to do the same thing from a Debian OS, in this case a Raspberry Pi. The tap0 interface brought up by OpenVPN didn't talk to the DHCP server first; I needed to start dhclient manually. After having the IP assigned, neither the router nor the DNS server responds to pings. The main reason could be this from the logs:
NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
I tried so many solutions, setting routes manually, but nothing worked.

After spending many hours on it, it has become personal, and I really want to find out what the blocker is.

Couple of notes:
Router and DNS server are on 192.168.1.1/24
TAP clients on 192.168.2.1/24
Firewalls and forwardings tested and working in a Windows environment.

client config

client
dev tap
proto tcp-client
remote xxx xxx
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
remote-cert-tls server
cipher 'AES-256-CBC'
verb 5
keepalive 10 120
<ca>...
<cert>...
<key>...


server config

dev tap0
port 1194
server-bridge
proto tcp-server
push 'redirect-gateway def1'
push 'dhcp-option DNS 192.168.1.x'
data-ciphers 'AES-256-CBC'
keepalive 10 120
verb 1
mute 5
tls-server
remote-cert-tls client
mssfix 1420
client-to-client
persist-key
persist-tun
status /tmp/openvpn.status
log /tmp/openvpn.log
dh ...
ca ...
key ...
cert ...


Regular client log output

(skipped some lines to make it shorter)
Tue Mar 7 19:50:58 2023 us=473732 Re-using SSL/TLS context
Tue Mar 7 19:50:58 2023 us=474282 Control Channel MTU parms [ L:1655 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Tue Mar 7 19:50:59 2023 us=602478 Data Channel MTU parms [ L:1655 D:1450 EF:123 EB:411 ET:32 EL:3 ]
Tue Mar 7 19:50:59 2023 us=602813 Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1591,tun-mtu 1532,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Tue Mar 7 19:50:59 2023 us=602913 Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1591,tun-mtu 1532,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Tue Mar 7 19:50:59 2023 us=603037 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx:xxx
Tue Mar 7 19:50:59 2023 us=603197 Socket Buffers: R=[131072->131072] S=[16384->16384]
Tue Mar 7 19:50:59 2023 us=603294 Attempting to establish TCP connection with [AF_INET]xxx:xxx [nonblock]
Tue Mar 7 19:51:00 2023 us=603719 TCP connection established with [AF_INET]xxx:xxx
Tue Mar 7 19:51:00 2023 us=603910 TCP_CLIENT link local: (not bound)
Tue Mar 7 19:51:00 2023 us=604005 TCP_CLIENT link remote: [AF_INET]xxx:xxx
WRTue Mar 7 19:51:00 2023 us=683228 TLS: Initial packet from [AF_INET]xxx:xxx, sid=52305cb8 e64d016d
WWRWRTue Mar 7 19:51:00 2023 us=918932 VERIFY OK: depth=1, CN=ovpnca
Tue Mar 7 19:51:00 2023 us=920265 VERIFY KU OK
Tue Mar 7 19:51:00 2023 us=920403 Validating certificate extended key usage
Tue Mar 7 19:51:00 2023 us=920449 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Mar 7 19:51:00 2023 us=920484 VERIFY EKU OK
Tue Mar 7 19:51:00 2023 us=920517 VERIFY OK: depth=0, CN=xxx
RWWWWRRRTue Mar 7 19:51:01 2023 us=128835 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1591', remote='link-mtu 1575'
Tue Mar 7 19:51:01 2023 us=128965 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher AES-256-CBC'
Tue Mar 7 19:51:01 2023 us=129027 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
WWTue Mar 7 19:51:01 2023 us=129333 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 2048 bit RSA
Tue Mar 7 19:51:01 2023 us=129421 [xxx] Peer Connection Initiated with [AF_INET]xxx:xxx
Tue Mar 7 19:51:02 2023 us=144698 SENT CONTROL [xxx]: 'PUSH_REQUEST' (status=1)
WRRTue Mar 7 19:51:02 2023 us=257791 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 192.168.1.x,route-gateway dhcp,ping 10,ping-restart 120,peer-id 0,cipher AES-256-CBC'
Tue Mar 7 19:51:02 2023 us=258400 OPTIONS IMPORT: timers and/or timeouts modified
Tue Mar 7 19:51:02 2023 us=258518 OPTIONS IMPORT: route options modified
Tue Mar 7 19:51:02 2023 us=258578 OPTIONS IMPORT: route-related options modified
Tue Mar 7 19:51:02 2023 us=258634 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Mar 7 19:51:02 2023 us=258694 OPTIONS IMPORT: peer-id set
Tue Mar 7 19:51:02 2023 us=258754 OPTIONS IMPORT: adjusting link_mtu to 1658
Tue Mar 7 19:51:02 2023 us=258808 OPTIONS IMPORT: data channel crypto options modified
Tue Mar 7 19:51:02 2023 us=258927 Data Channel MTU parms [ L:1594 D:1450 EF:62 EB:411 ET:32 EL:3 ]
Tue Mar 7 19:51:02 2023 us=259578 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Mar 7 19:51:02 2023 us=259687 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 7 19:51:02 2023 us=259771 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Mar 7 19:51:02 2023 us=259850 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 7 19:51:02 2023 us=260466 ROUTE_GATEWAY 172.20.10.1/255.255.255.240 IFACE=wlan0 HWADDR=b8:27:eb:64:64:e6
Tue Mar 7 19:51:02 2023 us=262152 TUN/TAP device tap0 opened
Tue Mar 7 19:51:02 2023 us=262840 TUN/TAP TX queue length set to 100
Tue Mar 7 19:51:02 2023 us=263158 NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
Tue Mar 7 19:51:02 2023 us=263379 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Mar 7 19:51:02 2023 us=263492 Initialization Sequence Completed


Let me know if someone would need any other information. Thank you a lot! Adam.
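An added example, not part of the post above and not the poster's own script. The server config uses `server-bridge` without arguments, which is OpenVPN's DHCP-proxy mode: the server pushes `route-gateway dhcp` (visible in the PUSH_REPLY in the log) and expects the client's TAP adapter to learn the gateway by DHCP. The Windows TAP driver does that by itself; OpenVPN on Linux runs no DHCP client, so it has no gateway to redirect to and logs exactly the NOTE quoted in the post. One way to make the Raspberry Pi behave like the Windows client is an `--up` script that runs `dhclient` on the TAP device, reads the `routers` option from the lease and installs the routes `redirect-gateway def1` would have installed. The variables `$dev`, `$script_type`, `$trusted_ip` and `$route_net_gateway` are exported to `--up` scripts by OpenVPN; the file paths, the lease contents in the demo and the 203.0.113.10 / 172.20.10.1 addresses are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original post: a Linux-side --up script for an
# OpenVPN TAP client whose server runs "server-bridge" without arguments
# (DHCP-proxy mode) and therefore pushes "route-gateway dhcp". OpenVPN on
# Linux runs no DHCP client, so it never learns that gateway and logs
# "unable to redirect default gateway". This script obtains the lease with
# dhclient, reads the "routers" option from the lease file and installs the
# routes "redirect-gateway def1" would have installed.
#
# Assumed client config lines (the paths are assumptions):
#   script-security 2
#   up /etc/openvpn/tap-dhcp-up.sh
# OpenVPN exports $dev, $script_type, $trusted_ip and $route_net_gateway.

LEASE_DIR="${LEASE_DIR:-/var/lib/dhcp}"

# Print the last "option routers" value found in a dhclient lease file.
lease_router() {
    awk '/^[ \t]*option routers / { gsub(/[;,]/, "", $3); r = $3 }
         END { if (r != "") print r }' "$1"
}

# Print (do not run) the route commands equivalent to "redirect-gateway def1":
# a host route keeping the VPN server reachable via the physical gateway, then
# 0.0.0.0/1 and 128.0.0.0/1 via the DHCP-learned gateway. The two /1 routes are
# more specific than 0.0.0.0/0, so the original default route stays in place.
def1_route_cmds() {
    gw="$1"; tapdev="$2"; vpn_server="$3"; phys_gw="$4"
    if [ -n "$vpn_server" ] && [ -n "$phys_gw" ]; then
        printf 'ip route replace %s/32 via %s\n' "$vpn_server" "$phys_gw"
    fi
    printf 'ip route replace 0.0.0.0/1 via %s dev %s\n' "$gw" "$tapdev"
    printf 'ip route replace 128.0.0.0/1 via %s dev %s\n' "$gw" "$tapdev"
}

# What OpenVPN runs: obtain a lease on $dev, then apply the routes.
ovpn_up() {
    lease="$LEASE_DIR/dhclient.$dev.leases"
    # -1: try once and fail instead of retrying forever; -lf: lease file to parse
    dhclient -1 -lf "$lease" "$dev" || { echo "dhclient failed on $dev" >&2; return 1; }
    gw="$(lease_router "$lease")"
    [ -n "$gw" ] || { echo "no routers option in $lease" >&2; return 1; }
    def1_route_cmds "$gw" "$dev" "$trusted_ip" "$route_net_gateway" | sh -e
}

# Offline dry run on a constructed lease (all addresses are made up), printing
# the commands that would be executed. Invoke as: sh tap-dhcp-up.sh demo
demo() {
    tmp="$(mktemp)"
    cat > "$tmp" <<'EOF'
lease {
  interface "tap0";
  fixed-address 192.168.1.50;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1;
}
EOF
    def1_route_cmds "$(lease_router "$tmp")" tap0 203.0.113.10 172.20.10.1
    rm -f "$tmp"
}

if [ "${script_type:-}" = "up" ]; then
    ovpn_up
elif [ "${1:-}" = "demo" ]; then
    demo
fi
```

A matching `--down` script should run `dhclient -r "$dev"` so the lease is released when the tunnel closes; the `/1` routes disappear with the interface. The other way round the problem, without any script, is to give `server-bridge` its four arguments (gateway, netmask, pool start, pool end) so that OpenVPN assigns the client address itself and pushes a concrete `route-gateway`; that works on Linux out of the box but means the OpenWrt router no longer hands out DHCP options to VPN clients, which was the point of the setup in the post.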
