[SOLVED] Openvpn connected, but unable to reach the Network

Moderators: TinCanTech
blueaquan
OpenVPN User
Posts: 21
Joined: Sat Sep 03, 2011 8:33 pm

[SOLVED] Openvpn connected, but unable to reach the Network

Post by blueaquan » Sat Sep 03, 2011 8:47 pm

Dear friends, this is my scenario. I am running OpenVPN on FreeBSD 8.0. All has been set according to the textbook.
I have two NICs:
em0 - A.B.C.D (Configured as External Interface $ext_if)
em1 - 10.10.128.1/20 (Configured as Internal Interface $int_if)

/etc/rc.conf
cloned_interfaces="bridge0 tap0"
autobridge_interfaces="bridge0"
autobridge_bridge0="tap0 em0"
ifconfig_bridge0="inet W.X.Y.Z netmask 255.255.255.248"
ifconfig_tap0="inet 10.10.138.1 netmask 255.255.240.0"

server.conf

local W.X.Y.Z
server-bridge 10.10.138.1 255.255.240.0 10.10.138.200 10.10.138.209
push "route 10.10.128.0 255.255.240.0 10.10.128.1"

pf.conf

pass on { $br_if } proto { tcp udp } from any to <me> port 1194 flags S/SA keep state
pass on { $br_if } proto { icmp } from any to any


----------------------------------------------------------------------------------
Problems

A: On the FreeBSD 8 machine the tap0 interface loses its assigned IP address, and the machine either has to be rebooted or I have to execute /etc/netstart. See the difference before and after /etc/netstart. Irrespective of whether tap0 has the IP or not, the Windows XP machine gets connected.

bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 (Removed ether and irrelevant fields)

inet W.X.Y.Z
member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>


tap0: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500 (Removed ether and irrelevant fields)

After I issue /etc/netstart

tap0: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500 (Removed ether and irrelevant fields)
inet 10.10.138.1 netmask 0xfffff000


B: The most important problem is that although my Windows XP machine has received all the IP information, it cannot reach 10.10.128.1 or 10.10.138.1.

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Openvpn connected, but unable to reach the Network

Post by Mimiko » Sun Sep 04, 2011 5:49 am

Hello. When bridging, tap and the interface are bound together under ONE IP. So, you can use only one IP pool.


/etc/rc.conf
cloned_interfaces="bridge0 tap0"
autobridge_interfaces="bridge0"
autobridge_bridge0="tap0 em0"
ifconfig_bridge0="inet 10.10.128.1 netmask 255.255.255.248"
Then in server.conf use:


local 10.10.128.1
server-bridge 10.10.128.1 255.255.255.248 10.10.128.2 10.10.128.7
Of course you may have IP conflicts with local computers, which you have to handle by expanding the IP pool.

The purpose of a bridge is that all clients have the same IP as the local LAN computers; it is mainly used for legacy protocols. If you can, use the routing method.

blueaquan
OpenVPN User
Posts: 21
Joined: Sat Sep 03, 2011 8:33 pm

Re: Openvpn connected, but unable to reach the Network

Post by blueaquan » Tue Sep 13, 2011 12:03 pm

Hi Mimiko
I tried making changes like what you said, but when you put a private IP on the bridge interface, as you know, one cannot connect to it from the Internet. Therefore I put back the earlier configuration, in which the bridge interface has its own public IP W.X.Y.Z.
It wouldn't connect until I changed the local <IP> to local W.X.Y.Z. So now my config is back to how it was earlier, with a small change: I've used the same segment IP on the tap0 device.

ifconfig_bridge0="inet W.X.Y.Z netmask 255.255.255.248"
ifconfig_tap0="inet 10.10.128.2 netmask 255.255.240.0"

local W.X.Y.Z
server-bridge 10.10.128.2 255.255.240.0 10.10.128.200 10.10.128.209
push "route 10.10.128.0 255.255.240.0 10.10.128.2"


It's back to where I started. I am able to connect when I put in the above configuration, but I am unable to reach even the default gateway given, 10.10.128.2. That's my problem: no communication.


Thanks

Blue

blueaquan
OpenVPN User
Posts: 21
Joined: Sat Sep 03, 2011 8:33 pm

Re: Openvpn connected, but unable to reach the Network

Post by blueaquan » Mon Sep 19, 2011 10:27 am

Hi Mimiko
Irrespective of whether I use a dedicated public IP W.X.Y.Z on the bridge interface, or I use 10.10.128.X, or I use a different segment 10.10.138.X, I am able to connect to the FreeBSD 8 box running OpenVPN.
The client XP machine also receives the private IP address and default gateway correctly from OpenVPN's "server-bridge" configuration.
I've also used push "redirect-gateway", which also gets correctly executed. However, nothing further happens. I am unable to ping the new default gateway or reach the LAN behind the FreeBSD box.
When I check my default route, I see that the route is also getting correctly pushed; my default route now points to the new gateway IP. What else could be wrong...?
Suspecting the "pf" on the FreeBSD box, I enabled ICMP as a first step on all interfaces, but I just can't get through...! Please help...


Thanks for your time

Blue

blueaquan
OpenVPN User
Posts: 21
Joined: Sat Sep 03, 2011 8:33 pm

Re: Openvpn connected, but unable to reach the Network

Post by blueaquan » Tue Sep 20, 2011 7:23 am

Additional information: after I get connected to the FreeBSD server from the XP machine and run a continuous ping to my newly assigned default gateway, I can see those requests coming in through the "bridge0" interface.
A tcpdump on the FreeBSD box shows the ARP requests from the XP client requesting "who has 10.10.128.1 tell 10.10.128.11". All traffic is allowed on the "bridge0" interface, so why aren't the machines able to communicate...?
Anybody please help!

Thanks

Blue

blueaquan
OpenVPN User
Posts: 21
Joined: Sat Sep 03, 2011 8:33 pm

Re: Openvpn connected, but unable to reach the Network

Post by blueaquan » Tue Sep 20, 2011 1:26 pm

Dear Friends
I was able to finally resolve this problem. The place where I was going wrong was in using the same subnet on the TAP interface. On an experimental basis I changed the subnet and it started working.

I would like to summarise the setup that I have, so that it could help others with similar issues. FYI, I am using FreeBSD 8.0 as my server and therefore these are specific to that OS.

I will summarise the important lines that are specific to running OpenVPN in my config files...

Extracts from my /etc/rc.conf
---------------------------------------------------------------------------------------------------------------------------------------------------------------------

gateway_enable="YES" - (Either this or net.inet.ip.forwarding=1 in /etc/sysctl.conf)

ifconfig_em1="inet 10.10.128.1 netmask 255.255.240.0" - (My LAN IP)
ifconfig_em0="inet A.B.C.D netmask 255.255.255.248"

cloned_interfaces="bridge0 tap0"
autobridge_interfaces="bridge0"
autobridge_bridge0="tap0 em0"
ifconfig_tap0="inet 10.10.144.1 netmask 255.255.240.0" - (I use a different subnet from my LAN)
ifconfig_bridge0="inet W.X.Y.Z netmask 255.255.255.248" - (I use a different dedicated Public IP on the "bridge0" interface.)

---------------------------------------------------------------------------------------------------------------------------------------------------------------------


Extracts from my /etc/pf.conf
--------------------------------------------------------------------------------------------------------------------------------------
int_if="em1"
br_if="bridge0"
tap_if="tap0"
ovpn_port="{ 1194 }"
dguard_port="{ 8080 }" - (Sample application to which you want the VPN clients to access.)

table <lan> { 10.10.128.0/20 }
table <ovpn_lan> { 10.10.144.0/20 }
table <me> { 10.10.128.1 10.10.144.1 A.B.C.D W.X.Y.Z 127.0.0.1 }

pass on { $br_if } proto { tcp } from any to <me> port $ovpn_port flags S/SA keep state - (The initial connection rule)
pass in on { $tap_if $int_if } proto { icmp } from <ovpn_lan> to any - (I use the $int_if so that the ping reaches the machines behind the Firewall)
pass in on { $tap_if } proto { tcp } from <ovpn_lan> to <me> port $dguard_port flags S/SA keep state - (To access the application port)
---------------------------------------------------------------------------------------------------------------------------------------


Extracts from my server.conf
---------------------------------------------------------------------------------------------
local W.X.Y.Z - (I am listening on the dedicated Public IP)

proto tcp

dev tap

server-bridge 10.10.144.1 255.255.240.0 10.10.144.200 10.10.144.210

push "route 10.10.128.0 255.255.240.0"

push "redirect-gateway"
---------------------------------------------------------------------------------------------


With this config set, my XP remote client gets the IP 10.10.144.200 with a default gateway of 10.10.144.1. I am able to reach the FreeBSD server's IP 10.10.128.1 and also clients behind it, like 10.10.128.49.
Additionally, I am also able to reach the application port on the server.


Hope this helps.


Cheers, Blue
Last edited by blueaquan on Tue Sep 20, 2011 6:58 pm, edited 1 time in total.

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Openvpn connected, but unable to reach the Network

Post by Mimiko » Tue Sep 20, 2011 1:57 pm

Glad to hear that you solved it. But I think there will be problems, because all the time you try to bridge the virtual tap adapter with the external interface with a public IP:


ifconfig_em0="inet A.B.C.D netmask 255.255.255.248"
autobridge_bridge0="tap0 em0"
Although, unlike in Windows, creating a bridge does not reset the IP configuration of interfaces that are bridged in FreeBSD. If you want to have the same address pool as the local LAN on em1, then bridge tap with em1.

I thought that you had enabled IP forwarding in the first place.

blueaquan
OpenVPN User
Posts: 21
Joined: Sat Sep 03, 2011 8:33 pm

Re: Openvpn connected, but unable to reach the Network

Post by blueaquan » Tue Sep 20, 2011 6:57 pm

Hi Mimiko
Thanks for your response; I will try your suggestion too. IP forwarding was already enabled. In fact, all the forums that I read also mentioned IP forwarding as the problem, but in my case it was already enabled, yet there was still this problem.
Will keep you posted on the status shortly.


Thanks
Blue

blueaquan
OpenVPN User
Posts: 21
Joined: Sat Sep 03, 2011 8:33 pm

Re: Openvpn connected, but unable to reach the Network

Post by blueaquan » Wed Dec 07, 2011 7:21 am

Hi Mimiko
Could you kindly close this topic, since the problem has been resolved. I also bridged the tap device with the internal interface and everything is working perfectly fine.


Thanks for all your help

Blue
