I'm trying to implement ethernet bridging using openVPN on a custom linux router I have. I want clients to use dnsmasq running on the router for DHCP. The linux router has the following interfaces already:
wlan0 - the wireless LAN
eth0 - the wired LAN
eth1 - the WAN
All 3 of these interfaces are bridged together into br0. So I figured adding tap0 to this bridge would be the easiest thing to do. I configured openVPN as the documentation says, but when I connect with a client coming from eth1, I can't ping over the tunnel. I can't even see any DHCP requests from the client when I run tcpdump on tap0. I have added a -j ACCEPT for tap0 to the router's firewall and I've completely disabled iptables on the client, so I know that's not the issue. Both the server and client report that the Initialization Sequence completed without errors. I can only assume I'm missing something in the openVPN configuration. Do I need to do something else with brctl maybe? So far all I do is create the tap0 using the command 'openvpn --mktun --dev tap0', then add it to br0 using 'brctl addif br0 tap0', and then use ifconfig to bring it up.
I am rather suspicious of this particular line in the sample output below:
Mon Jan 16 23:44:40 2012 calum/192.168.0.125:42808 MULTI: no dynamic or static remote --ifconfig address is available for calum/192.168.0.125:42808
It looks like openVPN is failing to find IP addresses for clients. Do I maybe need to have an extra push option to forward DHCP traffic to the local LAN?
Server config:
port 1194
proto udp
# persistent tap created with "openvpn --mktun --dev tap0" and added to br0
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
# no arguments: DHCP-proxy mode, OpenVPN keeps no address pool of its own
server-bridge
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
Client config:
client
dev tap
proto udp
remote 192.168.0.134 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert calum.crt
key calum.key
ns-cert-type server
comp-lzo
verb 3
Here is the output from a sample run. The ECONNREFUSED messages appear after the client disconnects (I CTRL+C the client openvpn process):
Mon Jan 16 23:44:38 2012 OpenVPN 2.1.3 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Mar 11 2011
Mon Jan 16 23:44:38 2012 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Mon Jan 16 23:44:38 2012 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Mon Jan 16 23:44:38 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Jan 16 23:44:38 2012 Diffie-Hellman initialized with 1024 bit key
Mon Jan 16 23:44:38 2012 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Mon Jan 16 23:44:38 2012 TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Jan 16 23:44:38 2012 Socket Buffers: R=[114688->131072] S=[114688->131072]
Mon Jan 16 23:44:38 2012 TUN/TAP device tap0 opened
Mon Jan 16 23:44:38 2012 TUN/TAP TX queue length set to 100
Mon Jan 16 23:44:38 2012 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Mon Jan 16 23:44:38 2012 UDPv4 link local (bound): [undef]
Mon Jan 16 23:44:38 2012 UDPv4 link remote: [undef]
Mon Jan 16 23:44:38 2012 MULTI: multi_init called, r=256 v=256
Mon Jan 16 23:44:38 2012 Initialization Sequence Completed
Mon Jan 16 23:44:40 2012 MULTI: multi_create_instance called
Mon Jan 16 23:44:40 2012 192.168.0.125:42808 Re-using SSL/TLS context
Mon Jan 16 23:44:40 2012 192.168.0.125:42808 LZO compression initialized
Mon Jan 16 23:44:40 2012 192.168.0.125:42808 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Jan 16 23:44:40 2012 192.168.0.125:42808 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Mon Jan 16 23:44:40 2012 192.168.0.125:42808 Local Options hash (VER=V4): 'f7df56b8'
Mon Jan 16 23:44:40 2012 192.168.0.125:42808 Expected Remote Options hash (VER=V4): 'd79ca330'
Mon Jan 16 23:44:40 2012 192.168.0.125:42808 TLS: Initial packet from [AF_INET]192.168.0.125:42808, sid=4ef771a3 8045a3a8
Mon Jan 16 23:44:40 2012 192.168.0.125:42808 VERIFY OK: depth=1, /C=UK/ST=N/A/L=Glasgow/O=Homework-vpn/CN=Homework-vpn_CA/emailAddress=me@myhost.mydomain
Mon Jan 16 23:44:40 2012 192.168.0.125:42808 VERIFY OK: depth=0, /C=UK/ST=N/A/L=Glasgow/O=Homework-vpn/CN=calum/emailAddress=me@myhost.mydomain
Mon Jan 16 23:44:40 2012 192.168.0.125:42808 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jan 16 23:44:40 2012 192.168.0.125:42808 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jan 16 23:44:40 2012 192.168.0.125:42808 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jan 16 23:44:40 2012 192.168.0.125:42808 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jan 16 23:44:40 2012 192.168.0.125:42808 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Jan 16 23:44:40 2012 192.168.0.125:42808 [calum] Peer Connection Initiated with [AF_INET]192.168.0.125:42808
Mon Jan 16 23:44:40 2012 calum/192.168.0.125:42808 MULTI: no dynamic or static remote --ifconfig address is available for calum/192.168.0.125:42808
Mon Jan 16 23:44:42 2012 calum/192.168.0.125:42808 PUSH: Received control message: 'PUSH_REQUEST'
Mon Jan 16 23:44:42 2012 calum/192.168.0.125:42808 SENT CONTROL [calum]: 'PUSH_REPLY,route-gateway dhcp,ping 10,ping-restart 120' (status=1)
Mon Jan 16 23:45:39 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Mon Jan 16 23:45:49 2012 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
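The bridge wiring the question describes can be checked before blaming the OpenVPN config. The script below is an added example for this thread, not code from the original post or from the OpenVPN project. It wraps the three bridge-setup commands in a function, checks from sysfs that the tap named by the server config's dev line is enslaved to br0 and is up, and reports which mode server-bridge selects. With server-bridge and no arguments OpenVPN runs in DHCP-proxy mode, keeps no address pool, and logs the 'no dynamic or static remote --ifconfig address' line for every client; a Linux client then has to obtain its lease over the tunnel itself, which the client_up function does as an --up script (the dhclient approach, the fixture paths and the SYSFS override are assumptions of this example). Run preflight /etc/openvpn/server.conf br0 on the router; selftest exercises the checks against a constructed fixture that mirrors the posted server config.

```shell
#!/bin/sh
# OpenVPN tap-bridge preflight. Added example, not code from the original post.
# Assumes a Linux host with sysfs; SYSFS is overridable so the checks can be
# exercised against a constructed fixture (see selftest).
SYSFS="${SYSFS:-/sys/class/net}"

# The three commands from the question, as one (root-only) step.
bridge_add_tap() {                      # usage: bridge_add_tap br0 tap0
    openvpn --mktun --dev "$2"
    brctl addif "$1" "$2"
    ip link set "$2" up
}

# Print the device named by the "dev" directive of an OpenVPN config.
# A bare "dev tap" makes OpenVPN allocate a fresh tapN, so a pre-created
# tap0 that was added to the bridge would not be the device it uses.
ovpn_dev() {
    awk '$1 == "dev" { print $2; exit }' "$1"
}

# Print the server-bridge mode: "dhcp-proxy" (no arguments or "nogw":
# OpenVPN assigns no addresses and logs the "no dynamic or static remote
# --ifconfig address" line per client), "pool" (gateway netmask start end),
# "invalid", or "none" when the directive is missing.
server_bridge_mode() {
    awk '$1 == "server-bridge" {
            found = 1
            if (NF == 1 || (NF == 2 && $2 == "nogw")) print "dhcp-proxy"
            else if (NF == 5) print "pool"
            else print "invalid"
            exit
         }
         END { if (!found) print "none" }' "$1"
}

# Succeed if interface $2 is enslaved to bridge $1 (brctl addif creates
# the /sys/class/net/<bridge>/brif/<port> link).
tap_in_bridge() {
    [ -n "$2" ] && [ -e "$SYSFS/$1/brif/$2" ]
}

# Succeed if IFF_UP (bit 0 of the interface flags) is set.
if_is_up() {
    flags=$(cat "$SYSFS/$1/flags" 2>/dev/null) || return 1
    [ $((flags & 1)) -eq 1 ]
}

# Run every check for one server config and bridge; one line per check,
# non-zero return if any failed.
preflight() {                           # usage: preflight server.conf br0
    conf="$1"; br="$2"; rc=0
    dev=$(ovpn_dev "$conf")
    case "$dev" in
        tap[0-9]*) echo "ok   dev $dev is a persistent tap name" ;;
        *)         echo "FAIL dev '$dev' must name a persistent tap (e.g. tap0)"; rc=1 ;;
    esac
    mode=$(server_bridge_mode "$conf")
    case "$mode" in
        dhcp-proxy) echo "ok   server-bridge in DHCP-proxy mode: clients need the LAN DHCP server" ;;
        pool)       echo "ok   server-bridge with an address pool" ;;
        *)          echo "FAIL server-bridge directive is $mode"; rc=1 ;;
    esac
    if tap_in_bridge "$br" "$dev"; then echo "ok   $dev is enslaved to $br"
    else echo "FAIL $dev is not in $br (brctl addif $br $dev)"; rc=1; fi
    if if_is_up "$dev"; then echo "ok   $dev is up"
    else echo "FAIL $dev is down (ip link set $dev up)"; rc=1; fi
    return $rc
}

# Client-side --up script body (needs "script-security 2" and "up <path>"
# in the client config). OpenVPN passes the tap name as $1 and does not run
# a DHCP client itself, so request the LAN lease over the tunnel explicitly.
client_up() {
    dhclient "$1"
}

# Self-test on a constructed fixture: tap0 enslaved to br0 with flags
# 0x1003 (UP|BROADCAST|MULTICAST), plus the posted server config and a
# deliberately wrong one ("dev tap" with a pool-mode server-bridge).
selftest() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/sys/br0/brif/tap0" "$t/sys/tap0"
    echo 0x1003 > "$t/sys/tap0/flags"
    printf 'port 1194\nproto udp\ndev tap0\nserver-bridge\n' > "$t/server.conf"
    printf 'dev tap\nserver-bridge 192.168.0.134 255.255.255.0 192.168.0.200 192.168.0.220\n' > "$t/pool.conf"
    saved=$SYSFS; SYSFS="$t/sys"; result=1
    if preflight "$t/server.conf" br0 >/dev/null; then
        if ! preflight "$t/pool.conf" br0 >/dev/null; then result=0; fi
    fi
    SYSFS=$saved; rm -rf "$t"
    return $result
}
```

tap_in_bridge and if_is_up read the same sysfs entries that brctl show and ip link read, so a FAIL there means the bridge wiring is wrong regardless of what OpenVPN logs; a clean preflight with no DHCP traffic on tap0 points at the client side, where nothing sends a DHCP request on the tap interface unless something like client_up is configured to do it.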