openvpn client --- 10.0.28.x tunnel ip --- tap0 on br0 (br0 is 10.0.0.4/16) --- internal network 10.0.0.0/16
We have successfully deployed OpenVPN on a CentOS 5.6 server (previously used as a firewall/secondary gateway on our network), and have our clients connecting. I modified the iptables firewall script to work with the br0 interface instead of eth0, so web surfing using this box as an internal gateway works.
We can ping the client from the OpenVPN server, yet we can't ping the client from the LAN. The client can ping the OpenVPN server, but nothing on the LAN behind it. We are not sure if we have an iptables error, or a config error in the bridge or in OpenVPN.
I noticed that brctl showmacs br0 lists the client1 MAC; however, its status is not local.
I have an internal Windows client running a constant ping -t to the OpenVPN client1.
I've run a tcpdump on the br0 interface, and I notice the ARP request for who has IP 10.0.28.2, and the response with the MAC.
There is nothing after that, though. Not sure where to go from here.
Here is the log session of the client connecting:

```
Dec 27 16:41:24 tux1 openvpn[5189]: 170.94.21.60:1026 Re-using SSL/TLS context
Dec 27 16:41:24 tux1 openvpn[5189]: 170.94.21.60:1026 LZO compression initialized
Dec 27 16:41:24 tux1 openvpn[5189]: 170.94.21.60:1026 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Dec 27 16:41:24 tux1 openvpn[5189]: 170.94.21.60:1026 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Dec 27 16:41:24 tux1 openvpn[5189]: 170.94.21.60:1026 Local Options hash (VER=V4): 'f7df56b8'
Dec 27 16:41:24 tux1 openvpn[5189]: 170.94.21.60:1026 Expected Remote Options hash (VER=V4): 'd79ca330'
Dec 27 16:41:24 tux1 openvpn[5189]: 170.94.21.60:1026 TLS: Initial packet from 170.94.21.60:1026, sid=a2914847 0eb14e78
Dec 27 16:41:27 tux1 openvpn[5189]: 170.94.21.60:1026 VERIFY OK: depth=1, /C=US/ST=AR/L=Little_Rock/O=AR_Legislative_Audit/OU=IT/CN=ftp.arklegaudit.gov/emailAddress=barry.smoke@arklegaudit.gov
Dec 27 16:41:27 tux1 openvpn[5189]: 170.94.21.60:1026 VERIFY OK: depth=0, /C=US/ST=AR/L=Little_Rock/O=AR_Legislative_Audit/CN=client1/emailAddress=barry.smoke@arklegaudit.gov
Dec 27 16:41:27 tux1 openvpn[5189]: 170.94.21.60:1026 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Dec 27 16:41:27 tux1 openvpn[5189]: 170.94.21.60:1026 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 27 16:41:27 tux1 openvpn[5189]: 170.94.21.60:1026 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Dec 27 16:41:27 tux1 openvpn[5189]: 170.94.21.60:1026 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 27 16:41:27 tux1 openvpn[5189]: 170.94.21.60:1026 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Dec 27 16:41:27 tux1 openvpn[5189]: 170.94.21.60:1026 [client1] Peer Connection Initiated with 170.94.21.60:1026
Dec 27 16:41:29 tux1 openvpn[5189]: client1/170.94.21.60:1026 PUSH: Received control message: 'PUSH_REQUEST'
Dec 27 16:41:29 tux1 openvpn[5189]: client1/170.94.21.60:1026 SENT CONTROL [client1]: 'PUSH_REPLY,dhcp-option DNS 10.0.0.8,dhcp-option DNS 10.0.0.10,route-gateway 10.0.0.4,ping 10,ping-restart 120,ifconfig 10.0.28.2 255.255.0.0' (status=1)
Dec 27 16:41:29 tux1 openvpn[5189]: client1/170.94.21.60:1026 MULTI: Learn: 00:ff:5e:df:e7:70 -> client1/170.94.21.60:1026
```
server config:

```
local 170.94.21.4
#needed for yealink phones:
topology net30
port 1194
proto udp
dev tap0
ca ca.crt
cert ftp.arklegaudit.gov.crt
key ftp.arklegaudit.gov.key # This file should be kept secret
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 10.0.0.4 255.255.0.0 10.0.28.2 10.0.28.250
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.0.0.8"
push "dhcp-option DNS 10.0.0.10"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
```
ifconfig:

```
[root@tux1 ~]# ifconfig
br0       Link encap:Ethernet  HWaddr 00:50:56:90:00:25
          inet addr:10.0.0.4  Bcast:10.0.255.255  Mask:255.255.0.0
          inet6 addr: fe80::250:56ff:fe90:25/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:39127 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5738 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3502837 (3.3 MiB)  TX bytes:1177133 (1.1 MiB)

eth0      Link encap:Ethernet  HWaddr 00:50:56:90:00:25
          inet6 addr: fe80::250:56ff:fe90:25/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:52603 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9202 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5347124 (5.0 MiB)  TX bytes:1991769 (1.8 MiB)

eth1      Link encap:Ethernet  HWaddr 00:50:56:A1:2E:CA
          inet addr:170.94.21.4  Bcast:170.94.21.63  Mask:255.255.255.192
          inet6 addr: fe80::250:56ff:fea1:2eca/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5624 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29431 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1318625 (1.2 MiB)  TX bytes:5226779 (4.9 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1983 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1983 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3344320 (3.1 MiB)  TX bytes:3344320 (3.1 MiB)

tap0      Link encap:Ethernet  HWaddr F2:6F:A0:43:87:2C
          inet6 addr: fe80::f06f:a0ff:fe43:872c/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1056 errors:0 dropped:0 overruns:0 frame:0
          TX packets:31473 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:214245 (209.2 KiB)  TX bytes:3259606 (3.1 MiB)
```
iptables firewall script:

```sh
#!/bin/sh
# Set INTERFACE equal to the interface your OUTGOING connection is on.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/tap0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
INTERFACE=eth1
#Delete user made chains. Flush and zero the tables.
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
#Delete `nat' and `mangle' targets.
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
#Create a new log and drop (LDROP) convenience target
/sbin/iptables -N LDROP
# --log-level 7 makes it stop logging to the console.
# --log-prefix iptables: makes for easy syslog-ng filtering
/sbin/iptables -A LDROP -j LOG --log-level 4 --log-prefix iptables:
/sbin/iptables -A LDROP -j DROP
#Create a new target (GOOD) to test for good intentions.
/sbin/iptables -N GOOD
#Allow but limit some ICMP (needed for pinging and tracerouting)
/sbin/iptables -A GOOD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A GOOD -p icmp --icmp-type echo-reply -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A GOOD -p icmp --icmp-type source-quench -m limit --limit 2/s -j ACCEPT
#Check State (Only allow incoming connections that have a ESTABLISHED or RELATED outgoing connection)
/sbin/iptables -A GOOD -m state --state ESTABLISHED,RELATED -i ${INTERFACE} -j ACCEPT
#Allowing specific protocols in. Add any you use.
#Allow SSH
/sbin/iptables -A GOOD -p tcp --dport 22 -j ACCEPT
#openvpn
/sbin/iptables -A GOOD -p udp -i eth1 -d 170.94.21.4 --dport 1194 -j ACCEPT
#Setting default input rule to DROP
/sbin/iptables -P INPUT DROP
#Allow all traffic on the local interfaces (Any interface EXCEPT the interface in $INTERFACE)
/sbin/iptables -A INPUT -i ! ${INTERFACE} -j ACCEPT
/sbin/iptables -A INPUT -i tap0 -j ACCEPT
#Test for good intentions (Adds the GOOD target to the INPUT chain)
/sbin/iptables -A INPUT -j GOOD
#Otherwise Log and Drop (This gets rid of anything we might have missed)
/sbin/iptables -A INPUT -j LDROP
#Setting default forwarding rule to DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#Let non-evil stuff out
#/sbin/iptables -A FORWARD -i eth0 -j ACCEPT
/sbin/iptables -A FORWARD -i br0 -j ACCEPT
/sbin/iptables -A FORWARD -i tap0 -j ACCEPT
#/sbin/iptables -A FORWARD -i tap0 -m physdev --physdev-out br0 -j ACCEPT
#/sbin/iptables -A FORWARD -o tap0 -m physdev --physdev-in br0 -j ACCEPT
/sbin/iptables -A FORWARD -i lo -j ACCEPT
/sbin/iptables -A FORWARD -s 10.0.0.0/16 -j ACCEPT
/sbin/iptables -A FORWARD -d 10.0.0.0/16 -j ACCEPT
#Test for good intentions (Adds the GOOD target to the FORWARD chain)
/sbin/iptables -A FORWARD -j GOOD
#Otherwise Log and Drop
/sbin/iptables -A FORWARD -j LDROP
#Setting default output rule to ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -d ! 10.0.0.0/16 -o ${INTERFACE} -j MASQUERADE
```

Any help greatly appreciated!
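The post above shows the OpenVPN config, the interface list and the iptables script, but not the kernel-side bridge state that a tap-bridged server actually depends on: whether tap0 is enslaved to br0 and in forwarding state, whether IP forwarding is on, and whether bridge netfilter is sending switched frames through the iptables FORWARD chain. The script below is an added diagnostic example, not the poster's code and not part of OpenVPN; it reads sysfs and procfs under a SYSROOT prefix (default "/") so it can also be run against a copied or constructed tree, and the bridge and tap names are parameters (br0/tap0 are only the defaults matching the post).

```sh
#!/bin/sh
# Added example (not the poster's script): audit the kernel-side plumbing that
# a bridged OpenVPN server (tap device enslaved to a Linux bridge) depends on.
# Reads sysfs/procfs below $SYSROOT (default "/") so it can also be run against
# a copied or constructed tree.  Exit status 0 = no FAIL, 1 = at least one FAIL.

SYSROOT=${SYSROOT:-}

# Print a /proc/sys value, or "absent" when the node does not exist.
proc_val() {
    f="$SYSROOT/proc/sys/$1"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# True when interface $2 is enslaved to bridge $1: the kernel lists bridge
# ports as /sys/class/net/<bridge>/brif/<port>.
bridge_has_port() {
    [ -e "$SYSROOT/sys/class/net/$1/brif/$2" ]
}

# STP state of port $2 on bridge $1, exported numerically by the kernel
# (0 disabled, 1 listening, 2 learning, 3 forwarding, 4 blocking).
port_state() {
    f="$SYSROOT/sys/class/net/$1/brif/$2/state"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# audit_bridge BRIDGE TAP: prints one line per check, returns 1 if any FAILs.
audit_bridge() {
    br=$1; tap=$2; rc=0

    if bridge_has_port "$br" "$tap"; then
        echo "OK   $tap is a port of $br"
        st=$(port_state "$br" "$tap")
        if [ "$st" = 3 ]; then
            echo "OK   $tap port state is 3 (forwarding)"
        else
            echo "WARN $tap port state is $st, not 3 (forwarding): the bridge is not switching its frames yet"
        fi
    else
        echo "FAIL $tap is not enslaved to $br: VPN clients share no layer-2 segment with the LAN (brctl addif $br $tap)"
        rc=1
    fi

    if [ "$(proc_val net/ipv4/ip_forward)" = 1 ]; then
        echo "OK   net.ipv4.ip_forward=1 (routed traffic, e.g. redirect-gateway out to the Internet)"
    else
        echo "FAIL net.ipv4.ip_forward is not 1: routed traffic through this host is dropped"
        rc=1
    fi

    # With bridge netfilter on, switched IPv4 frames also traverse iptables
    # FORWARD, where -i/-o match the bridge device rather than the ports.
    nf=$(proc_val net/bridge/bridge-nf-call-iptables)
    case $nf in
        1) echo "INFO bridge-nf-call-iptables=1: frames switched between $tap and the LAN also pass iptables FORWARD (seen with -i $br), so that chain must accept them" ;;
        0) echo "INFO bridge-nf-call-iptables=0: switched frames bypass the iptables FORWARD chain" ;;
        *) echo "INFO bridge-nf-call-iptables is $nf (bridge netfilter not loaded)" ;;
    esac

    # proxy_arp is evaluated on the device the ARP is delivered to at layer 3;
    # for a bridge port that is the bridge itself, so the port setting is idle.
    if [ "$(proc_val "net/ipv4/conf/$tap/proxy_arp")" = 1 ]; then
        echo "INFO proxy_arp=1 on $tap: not consulted for ARP arriving through the bridge; only relevant if $tap were routed instead of bridged"
    fi

    if [ "$rc" -eq 0 ]; then echo "RESULT all checks passed"; else echo "RESULT a check failed"; fi
    return $rc
}

# Usage: sh check_bridge.sh br0 tap0   (without arguments only the functions are defined)
if [ $# -ge 2 ]; then
    audit_bridge "$1" "$2"
    exit $?
fi
```

Run it as root on the server with the bridge and tap names; a FAIL on the first check means the tap device is not part of the bridge at all, which is the case the OpenVPN server-bridge config alone does not create (the bridge membership has to be set up by an up script or the network init scripts). The INFO lines are there so the FORWARD rules can be read in the right light: with bridge netfilter enabled, LAN-to-VPN frames are judged by the same FORWARD chain as routed traffic.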