Bridge Setup - Client cannot access LAN

This forum is for all inquiries relating to the installation of OpenVPN from source and with binaries.

Moderators: TinCanTech

Forum rules
Please visit (and READ) the OpenVPN HowTo http://openvpn.net/howto prior to asking any questions in here!
andys
OpenVpn Newbie
Posts: 1
Joined: Sun Sep 13, 2015 8:15 pm

Bridge Setup - Client cannot access LAN

Post by andys » Sun Sep 13, 2015 9:20 pm

Hi all,

I managed to install OpenVPN and got a Windows client to connect to it, but I am having a really tough time PINGING any other device on the internal LAN.

Here is my current setup:

Internal LAN: 10.70.0.0 (255.255.252.0)
10.70.0.1 = NetGear Gateway/Router SRX5308
10.70.0.2 - 10.70.0.254 = internal servers, 10.70.0.50 is the actual OpenVPN server
10.70.1.1 - 10.70.1.254 = internal workstations (DHCP controlled by NetGear)
10.70.2.1 - 10.70.2.254 = reserved for VPN clients

OpenVPN: /etc/network/interfaces

auto lo
iface lo inet loopback

auto br0
iface br0 inet static
  address 10.70.0.50
  netmask 255.255.252.0
  gateway 10.70.0.1
  bridge_ports eth0 tap0
  bridge_fd 9      ## from the libvirt docs (forward delay time)
  bridge_hello 2   ## from the libvirt docs (hello time)
  bridge_maxage 12 ## from the libvirt docs (maximum message age)
  bridge_stp off   ## from the libvirt docs (spanning tree protocol)

iface eth0 inet manual
  up ifconfig $IFACE 0.0.0.0 up
  up ip link set $IFACE up promisc on
  down ip link set $IFACE down promisc off
  down ifconfig $IFACE down

OpenVPN /etc/openvpn/server.conf

mode server
tls-server

local 10.70.0.50 ## ip/hostname of server
port 1194 ## default openvpn port
proto udp

#bridging directive
dev tap0
script-security 2
up "/etc/openvpn/up.sh br0 tap0 1500"
down "/etc/openvpn/down.sh br0 tap0"

persist-key
persist-tun

#certificates and encryption
ca ca.crt
cert server.crt
key server.key 
dh dh2048.pem
tls-auth ta.key 0

cipher BF-CBC
comp-lzo

#DHCP Information
ifconfig-pool-persist ipp.txt
server-bridge 10.70.0.50 255.255.252.0 10.70.2.1 10.70.2.254
push "dhcp-option DNS 10.70.0.10"
push "dhcp-option DNS 10.70.0.11"
max-clients 254

#log and security
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 5

Client config

client
dev tap
remote [REMOVED] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
cipher BF-CBC
comp-lzo
verb 5

And the results of the client connection log...

Sun Sep 13 21:31:59 2015   pkcs11_protected_authentication = DISABLED
Sun Sep 13 21:31:59 2015   pkcs11_protected_authentication = DISABLED
Sun Sep 13 21:31:59 2015   pkcs11_protected_authentication = DISABLED
Sun Sep 13 21:31:59 2015   pkcs11_protected_authentication = DISABLED
Sun Sep 13 21:31:59 2015   pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015   pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015   pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015   pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015   pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015   pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015   pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015   pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015   pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015   pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015   pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015   pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015   pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015   pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015   pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015   pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015   pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015   pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015   pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015   pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015   pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015   pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015   pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015   pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015   pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015   pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015   pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015   pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015   pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015   pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015   pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015   pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015   pkcs11_pin_cache_period = -1
Sun Sep 13 21:31:59 2015   pkcs11_id = '[UNDEF]'
Sun Sep 13 21:31:59 2015   pkcs11_id_management = DISABLED
Sun Sep 13 21:31:59 2015   server_network = 0.0.0.0
Sun Sep 13 21:31:59 2015   server_netmask = 0.0.0.0
Sun Sep 13 21:31:59 2015   server_network_ipv6 = ::
Sun Sep 13 21:31:59 2015   server_netbits_ipv6 = 0
Sun Sep 13 21:31:59 2015   server_bridge_ip = 0.0.0.0
Sun Sep 13 21:31:59 2015   server_bridge_netmask = 0.0.0.0
Sun Sep 13 21:31:59 2015   server_bridge_pool_start = 0.0.0.0
Sun Sep 13 21:31:59 2015   server_bridge_pool_end = 0.0.0.0
Sun Sep 13 21:31:59 2015   ifconfig_pool_defined = DISABLED
Sun Sep 13 21:31:59 2015   ifconfig_pool_start = 0.0.0.0
Sun Sep 13 21:31:59 2015   ifconfig_pool_end = 0.0.0.0
Sun Sep 13 21:31:59 2015   ifconfig_pool_netmask = 0.0.0.0
Sun Sep 13 21:31:59 2015   ifconfig_pool_persist_filename = '[UNDEF]'
Sun Sep 13 21:31:59 2015   ifconfig_pool_persist_refresh_freq = 600
Sun Sep 13 21:31:59 2015   ifconfig_ipv6_pool_defined = DISABLED
Sun Sep 13 21:31:59 2015   ifconfig_ipv6_pool_base = ::
Sun Sep 13 21:31:59 2015   ifconfig_ipv6_pool_netbits = 0
Sun Sep 13 21:31:59 2015   n_bcast_buf = 256
Sun Sep 13 21:31:59 2015   tcp_queue_limit = 64
Sun Sep 13 21:31:59 2015   real_hash_size = 256
Sun Sep 13 21:31:59 2015   virtual_hash_size = 256
Sun Sep 13 21:31:59 2015   client_connect_script = '[UNDEF]'
Sun Sep 13 21:31:59 2015   learn_address_script = '[UNDEF]'
Sun Sep 13 21:31:59 2015   client_disconnect_script = '[UNDEF]'
Sun Sep 13 21:31:59 2015   client_config_dir = '[UNDEF]'
Sun Sep 13 21:31:59 2015   ccd_exclusive = DISABLED
Sun Sep 13 21:31:59 2015   tmp_dir = 'C:\Users\ASLIVI~1.UNI\AppData\Local\Temp\'
Sun Sep 13 21:31:59 2015   push_ifconfig_defined = DISABLED
Sun Sep 13 21:31:59 2015   push_ifconfig_local = 0.0.0.0
Sun Sep 13 21:31:59 2015   push_ifconfig_remote_netmask = 0.0.0.0
Sun Sep 13 21:31:59 2015   push_ifconfig_ipv6_defined = DISABLED
Sun Sep 13 21:31:59 2015   push_ifconfig_ipv6_local = ::/0
Sun Sep 13 21:31:59 2015   push_ifconfig_ipv6_remote = ::
Sun Sep 13 21:31:59 2015   enable_c2c = DISABLED
Sun Sep 13 21:31:59 2015   duplicate_cn = DISABLED
Sun Sep 13 21:31:59 2015   cf_max = 0
Sun Sep 13 21:31:59 2015   cf_per = 0
Sun Sep 13 21:31:59 2015   max_clients = 1024
Sun Sep 13 21:31:59 2015   max_routes_per_client = 256
Sun Sep 13 21:31:59 2015   auth_user_pass_verify_script = '[UNDEF]'
Sun Sep 13 21:31:59 2015   auth_user_pass_verify_script_via_file = DISABLED
Sun Sep 13 21:31:59 2015   client = ENABLED
Sun Sep 13 21:31:59 2015   pull = ENABLED
Sun Sep 13 21:31:59 2015   auth_user_pass_file = '[UNDEF]'
Sun Sep 13 21:31:59 2015   show_net_up = DISABLED
Sun Sep 13 21:31:59 2015   route_method = 0
Sun Sep 13 21:31:59 2015   ip_win32_defined = DISABLED
Sun Sep 13 21:31:59 2015   ip_win32_type = 3
Sun Sep 13 21:31:59 2015   dhcp_masq_offset = 0
Sun Sep 13 21:31:59 2015   dhcp_lease_time = 31536000
Sun Sep 13 21:31:59 2015   tap_sleep = 0
Sun Sep 13 21:31:59 2015   dhcp_options = DISABLED
Sun Sep 13 21:31:59 2015   dhcp_renew = DISABLED
Sun Sep 13 21:31:59 2015   dhcp_pre_release = DISABLED
Sun Sep 13 21:31:59 2015   dhcp_release = DISABLED
Sun Sep 13 21:31:59 2015   domain = '[UNDEF]'
Sun Sep 13 21:31:59 2015   netbios_scope = '[UNDEF]'
Sun Sep 13 21:31:59 2015   netbios_node_type = 0
Sun Sep 13 21:31:59 2015   disable_nbt = DISABLED
Sun Sep 13 21:31:59 2015 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  4 2015
Sun Sep 13 21:31:59 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
Sun Sep 13 21:31:59 2015 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Sep 13 21:31:59 2015 Need hold release from management interface, waiting...
Sun Sep 13 21:32:00 2015 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun Sep 13 21:32:00 2015 MANAGEMENT: CMD 'state on'
Sun Sep 13 21:32:00 2015 MANAGEMENT: CMD 'log all on'
Sun Sep 13 21:32:01 2015 MANAGEMENT: CMD 'hold off'
Sun Sep 13 21:32:01 2015 MANAGEMENT: CMD 'hold release'
Sun Sep 13 21:32:01 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Sep 13 21:32:01 2015 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Sun Sep 13 21:32:01 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 13 21:32:01 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 13 21:32:01 2015 LZO compression initialized
Sun Sep 13 21:32:01 2015 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:3 ]
Sun Sep 13 21:32:01 2015 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Sep 13 21:32:01 2015 MANAGEMENT: >STATE:1442176321,RESOLVE,,,
Sun Sep 13 21:32:02 2015 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:143 ET:32 EL:3 AF:3/1 ]
Sun Sep 13 21:32:02 2015 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Sun Sep 13 21:32:02 2015 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Sun Sep 13 21:32:02 2015 Local Options hash (VER=V4): '13a273ba'
Sun Sep 13 21:32:02 2015 Expected Remote Options hash (VER=V4): '360696c5'
Sun Sep 13 21:32:02 2015 UDPv4 link local: [undef]
Sun Sep 13 21:32:02 2015 UDPv4 link remote: [AF_INET][REMOVED]:1194
Sun Sep 13 21:32:02 2015 MANAGEMENT: >STATE:1442176322,WAIT,,,
Sun Sep 13 21:32:02 2015 MANAGEMENT: >STATE:1442176322,AUTH,,,
Sun Sep 13 21:32:02 2015 TLS: Initial packet from [AF_INET][REMOVED], sid=b6d47657 fd2e7180
Sun Sep 13 21:32:07 2015 VERIFY OK: depth=1, C=GB, ST=LON, L=London, O=[REMOVED], OU=MyOrganizationalUnit, CN=[REMOVED], name=server, emailAddress=[REMOVED]
Sun Sep 13 21:32:07 2015 VERIFY OK: depth=0, C=GB, ST=LON, L=London, O=[REMOVED], OU=MyOrganizationalUnit, CN=server, name=server, emailAddress=[REMOVED]
Sun Sep 13 21:32:11 2015 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Sep 13 21:32:11 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 13 21:32:11 2015 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Sep 13 21:32:11 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 13 21:32:12 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Sep 13 21:32:12 2015 [server] Peer Connection Initiated with [AF_INET][REMOVED]:1194
Sun Sep 13 21:32:13 2015 MANAGEMENT: >STATE:1442176333,GET_CONFIG,,,
Sun Sep 13 21:32:14 2015 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Sep 13 21:32:14 2015 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.70.0.10,dhcp-option DNS 10.70.0.11,route-gateway 10.70.0.50,ping 10,ping-restart 120,ifconfig 10.70.2.10 255.255.252.0'
Sun Sep 13 21:32:14 2015 OPTIONS IMPORT: timers and/or timeouts modified
Sun Sep 13 21:32:14 2015 OPTIONS IMPORT: --ifconfig/up options modified
Sun Sep 13 21:32:14 2015 OPTIONS IMPORT: route-related options modified
Sun Sep 13 21:32:14 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Sep 13 21:32:14 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Sep 13 21:32:14 2015 MANAGEMENT: >STATE:1442176334,ASSIGN_IP,,10.70.2.10,
Sun Sep 13 21:32:14 2015 open_tun, tt->ipv6=0
Sun Sep 13 21:32:14 2015 TAP-WIN32 device [Local Area Connection 10] opened: \\.\Global\{8FA599A6-8994-4B0F-9072-F25BC5A8DAC1}.tap
Sun Sep 13 21:32:14 2015 TAP-Windows Driver Version 9.21 
Sun Sep 13 21:32:14 2015 TAP-Windows MTU=1500
Sun Sep 13 21:32:14 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.70.2.10/255.255.252.0 on interface {8FA599A6-8994-4B0F-9072-F25BC5A8DAC1} [DHCP-serv: 10.70.0.0, lease-time: 31536000]
Sun Sep 13 21:32:14 2015 DHCP option string: 0f15636f 72702e75 6e696669 65646c6f 6769632e 636f6d06 080a4600 0a0a4600 0c
Sun Sep 13 21:32:14 2015 NOTE: FlushIpNetTable failed on interface [40] {8FA599A6-8994-4B0F-9072-F25BC5A8DAC1} (status=5) : Access is denied.  
Sun Sep 13 21:32:19 2015 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
Sun Sep 13 21:32:19 2015 Initialization Sequence Completed
Sun Sep 13 21:32:19 2015 MANAGEMENT: >STATE:1442176339,CONNECTED,SUCCESS,10.70.2.10,[REMOVED]

It's worth mentioning that the client connects OK and it can ping the VPN server; however, it cannot ping anything else on the internal network:

C:\>ping 10.70.0.50

Pinging 10.70.0.50 with 32 bytes of data:
Reply from 10.70.0.50: bytes=32 time=118ms TTL=64
Reply from 10.70.0.50: bytes=32 time=32ms TTL=64
Reply from 10.70.0.50: bytes=32 time=60ms TTL=64
Reply from 10.70.0.50: bytes=32 time=82ms TTL=64

Ping statistics for 10.70.0.50:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 32ms, Maximum = 118ms, Average = 73ms

C:\>ping 10.70.0.10

Pinging 10.70.0.10 with 32 bytes of data:
Request timed out.
Request timed out.
Reply from 10.70.2.10: Destination host unreachable.
Request timed out.

Ping statistics for 10.70.0.10:
    Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),

I have tried everything I can think of on the server, even added a static route on the NetGear with no luck:

http://postimg.org/image/o65dazbw5/

Can you please advise what I should do?

Many thanks!
Andy

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Bridge Setup - Client cannot access LAN

Post by Traffic » Mon Sep 14, 2015 1:21 pm

Technically, your router 10.70.0.1 already has a route for 10.70.0.0/22, so there is no need for a static route to the same network.

Please post details of these files:
up "/etc/openvpn/up.sh br0 tap0 1500"
down "/etc/openvpn/down.sh br0 tap0"
Please set --verb 4 in your server config and post the log.

You may find that you need to set --server-bridge like so:
server-bridge 10.70.0.1 255.255.252.0 10.70.2.1 10.70.2.254
Details found here: Ethernet Bridging

Make sure you have enabled ip_forwarding correctly on the VPN server.
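A sanity check for the server-bridge line discussed in this thread, added here as an example (it is not OpenVPN's code and not either poster's configuration): it confirms that the gateway, netmask and pool range all fall inside the LAN that the bridge interface sits on, that the pool does not hand out the gateway or the server's own address, and it flags the case where the gateway is the VPN host itself rather than the router. The addresses are the ones posted above; the function names are this example's own.

```shell
#!/bin/sh
# Validate "server-bridge GW MASK START END" against the address of the
# bridge interface (br0). Example written for this thread, not part of
# OpenVPN or of the poster's setup. POSIX sh arithmetic only.

# Convert a dotted-quad IPv4 address to an integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1          # split on "." into the four octets
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# $1 = bridge (br0) address, $2 = gateway, $3 = netmask,
# $4 = pool start, $5 = pool end. Returns 0 when consistent, 1 otherwise.
check_server_bridge() {
    br=$(ip2int "$1"); gw=$(ip2int "$2"); mask=$(ip2int "$3")
    start=$(ip2int "$4"); end=$(ip2int "$5")
    net=$(( br & mask ))
    [ $(( gw & mask )) -eq "$net" ]    || { echo "gateway $2 is outside the bridge LAN"; return 1; }
    [ $(( start & mask )) -eq "$net" ] || { echo "pool start $4 is outside the bridge LAN"; return 1; }
    [ $(( end & mask )) -eq "$net" ]   || { echo "pool end $5 is outside the bridge LAN"; return 1; }
    [ "$start" -le "$end" ]            || { echo "pool start $4 is after pool end $5"; return 1; }
    # The pool must never lease the server's own address or the gateway.
    for x in "$br" "$gw"; do
        [ "$x" -lt "$start" ] || [ "$x" -gt "$end" ] || { echo "pool $4-$5 overlaps $1 or $2"; return 1; }
    done
    # Bridged clients should be pointed at the LAN router, not at the VPN host.
    [ "$gw" -ne "$br" ] || echo "note: gateway $2 is the VPN server itself, not the LAN router"
    echo "server-bridge $2 $3 $4 $5 is consistent with bridge address $1"
    return 0
}

# The line from the posted server.conf, then the variant suggested in the reply.
check_server_bridge 10.70.0.50 10.70.0.50 255.255.252.0 10.70.2.1 10.70.2.254
check_server_bridge 10.70.0.50 10.70.0.1  255.255.252.0 10.70.2.1 10.70.2.254
```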
