Trouble with proxy-arp setup from OpenVPN Cookbook 2

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
daff
OpenVpn Newbie
Posts: 3
Joined: Thu Jun 30, 2011 8:58 pm

Trouble with proxy-arp setup from OpenVPN Cookbook 2

Post by daff » Thu Jun 30, 2011 9:54 pm

Hi,

I am trying to implement the proxy-arp setup described in OpenVPN 2 Cookbook (page 65) but it doesn't quite work. Clients do not correctly reach the LAN behind the OpenVPN server. I am trying to ping a host on the LAN from a remote OpenVPN client.

The server's subnet, i.e. LAN, is 10.60.2.0/24 and OpenVPN serves 10.61.0.0/16 for the clients, as can be seen below.

The main interface is eth0, IP forwarding is activated and no special routes are set on the LAN. I have also not activated any proxy_arp settings (i.e. /proc/sys/net/ipv4/conf/eth0/proxy_arp), as the recipe doesn't mention anything regarding this. Not that setting or unsetting proxy_arp changes anything, anyway.

The server is a KVM-based virtual machine (bridged to the 10.60.2.0/24 subnet) running Ubuntu 11.04 Server and OpenVPN 2.1.3. The client is Ubuntu 11.04 Desktop.

Using tcpdump I can see that ICMP requests (ping) from a connected client reach the LAN (10.60.2.0/24) correctly and the pinged host replies but those ICMP replies seem to get lost somewhere:

Code: Select all

# On host 10.60.2.40 on the LAN, the client is 10.61.0.2
23:12:19.771667 IP 10.61.0.2 > 10.60.2.40: ICMP echo request, id 9926, seq 629, length 64
23:12:19.771686 IP 10.60.2.40 > 10.61.0.2: ICMP echo reply, id 9926, seq 629, length 64
The ARP table on the server looks like this:

Code: Select all

Address                  HWtype  HWaddress           Flags Mask            Iface
10.60.2.40               ether   0a:34:9d:e4:c9:78   C                     eth0
10.60.2.30               ether   00:22:19:98:c4:5e   C                     eth0
10.60.2.10               ether   00:90:7f:41:61:64   C                     eth0
10.61.0.2                *       <from_interface>    MP                    eth0
What am I missing? Any pointers would be greatly appreciated.

Thanks in advance!

The server configuration:

Code: Select all

port 1194
proto udp
dev tun

ca          /etc/openvpn/ca.crt
cert        /etc/openvpn/server.crt
key         /etc/openvpn/server.key
dh          /etc/openvpn/dh2048.pem
tls-auth    /etc/openvpn/ta.key 0

verb 3

server 10.61.0.0 255.255.0.0

topology subnet

push "route 10.60.2.0 255.255.255.0"
push "dhcp-option DNS 10.60.2.40"

keepalive 10 30
comp-lzo
persist-key
persist-tun

plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn

client-to-client
client-cert-not-required
username-as-common-name

script-security 2
client-connect      /etc/openvpn/scripts/proxyarp-connect.sh
client-disconnect   /etc/openvpn/scripts/proxyarp-disconnect.sh

status /var/log/openvpn/status.log
log-append /var/log/openvpn/openvpn.log
proxyarp-connect.sh:

Code: Select all

#!/bin/bash

/usr/sbin/arp -i eth0 -Ds $ifconfig_pool_remote_ip eth0 pub
proxyarp-disconnect.sh:

Code: Select all

#!/bin/bash

/usr/sbin/arp -i eth0 -d $ifconfig_pool_remote_ip
The client configuration:

Code: Select all

client
proto udp
remote vpn.example.com
port 1194
dev tun
nobind
comp-lzo
ca          /etc/openvpn/server.ca.crt
tls-auth    /etc/openvpn/ta.key 1
auth-user-pass
tls-remote vpn.example.com
ns-cert-type server
explicit-exit-notify 5
pull
script-security 2
up      /etc/openvpn/update-resolv-conf
down    /etc/openvpn/update-resolv-conf
Top
daff
OpenVpn Newbie
Posts: 3
Joined: Thu Jun 30, 2011 8:58 pm

Re: Trouble with proxy-arp setup from OpenVPN Cookbook 2

Post by daff » Mon Jul 04, 2011 4:47 pm

Looking at this problem a bit more thoroughly it seems the instructions from the OpenVPN cookbook are wrong or something got mixed up.

I can see no way in which the setup presented in the book works with the provided server configuration settings. For example, the recipe states that a connecting client would have an address from the server's LAN on tun0, which isn't possible when the server configuration contains lines like this:

Code: Select all

server 10.61.0.0 255.255.0.0 # My setup
server 192.168.200 255.255.0.0 # or from the book
When a client connects the ARP table gets updated but it contains an address (MP) from the range the OpenVPN server serves, not from the server's LAN:

Code: Select all

Address                  HWtype  HWaddress           Flags Mask            Iface
10.60.2.40               ether   0a:34:9d:e4:c9:78   C                     eth0
10.60.2.30               ether   00:22:19:98:c4:5e   C                     eth0
10.60.2.10               ether   00:90:7f:41:61:64   C                     eth0
10.61.0.2                *       <from_interface>    MP                    eth0
In the book the ARP table contains an entry for an address from the server's LAN:

Code: Select all

10.198.1.130     *     *     MP eth0
I'd like to know if this is an erratum in the book or in my understanding of things.
Top
User avatar
janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam
Contact:
Contact janjust

Re: Trouble with proxy-arp setup from OpenVPN Cookbook 2

Post by janjust » Wed Aug 03, 2011 10:40 am

you've found an erratum in the book: a proxyarp setup is intended for handing out IPs to clients which are in the same range as the server-side LAN; the example in the book is based on the network 192.168.200.0/24 (like most examples are) but for my actual testing I used 10.198.0.0/16 ; the output shown in the book is from the 10.198.0.0/16 network.

This is the server config file that I used for my tests:

Code: Select all

proto udp
port 1194
dev tun

server 10.198.1.128 255.255.255.128

ca       /etc/openvpn/cookbook/ca.crt
cert     /etc/openvpn/cookbook/server.crt
key      /etc/openvpn/cookbook/server.key
dh       /etc/openvpn/cookbook/dh1024.pem
tls-auth /etc/openvpn/cookbook/ta.key 0

persist-key
persist-tun
keepalive 10 60

topology subnet
push "route 10.198.0.0 255.255.0.0"

user  nobody
group nobody

daemon
log-append /var/log/openvpn.log

script-security 2
client-connect /etc/openvpn/cookbook/proxyarp-connect.sh
client-disconnect /etc/openvpn/cookbook/proxyarp-disconnect.sh
If you want to apply this to your setup then the 'server' range would be somehing like

Code: Select all

10.60.2.64 255.255.255.240
which should give you VPN clients in the range 10.60.2.66 - 10.60.2.78
Top
daff
OpenVpn Newbie
Posts: 3
Joined: Thu Jun 30, 2011 8:58 pm

Re: Trouble with proxy-arp setup from OpenVPN Cookbook 2

Post by daff » Wed Aug 10, 2011 12:25 pm

Hi,

thank you for looking into this and confirming the problem! I have updated my configuration accordingly and now the arp-proxy setup works as advertised!

Thanks!

For reference follows my complete configuration:

Code: Select all

# server.conf

port 1194
proto udp
dev tun

ca          /etc/openvpn/ca.crt
cert        /etc/openvpn/server.crt
key         /etc/openvpn/server.key
dh          /etc/openvpn/dh2048.pem
tls-auth    /etc/openvpn/ta.key 0

verb 3

# This puts clients in a range of 10.60.2.193 to 10.60.2.254
server 10.60.2.192 255.255.255.192

topology subnet

push "route 10.60.2.0 255.255.255.0"
push "dhcp-option DNS 10.60.2.40"
push "dhcp-option DOMAIN example.com"

keepalive 10 30
comp-lzo
persist-key
persist-tun

# Run as root so the ARP table can be manipulated
#user nobody
#group nogroup

plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn

client-to-client
client-cert-not-required
username-as-common-name
duplicate-cn

script-security 2
client-connect      /etc/openvpn/scripts/proxyarp-connect.sh
client-disconnect   /etc/openvpn/scripts/proxyarp-disconnect.sh

status /var/log/openvpn/status.log
log-append /var/log/openvpn/openvpn.log
Top
Post Reply

Return to “Server Administration”