Recently, our company built 5 VMs (instances) on a cloud platform and we selected one VM to install the OpenVPN server on. Our purpose is that once a VPN client connects to the OpenVPN server, it can reach the other 4 instances without accessing their floating IP addresses (accessing them by private IP instead).
We selected OpenVPN in TAP mode (bridge) and set up the necessary configuration on both the server side and the client side. The VPN connection can be established. HOWEVER, the VPN client cannot reach any of the other 4 instances, whether by ICMP, ARP or anything else.
Do any experts know whether this scenario will work using OpenVPN? If so, is there anything wrong in my configuration files?
So far, my VPN client can ping instance-1's private IP address successfully, but cannot ping the others. Moreover, I checked the client's TAP interface: when it pings 192.168.111.22, I can see the interface's counter increase, but when the client pings 192.168.111.23, the counter does not increase. I used Wireshark on the client's machine, and it shows that the client broadcasts ARP requests but receives no ARP reply.
Here is our environment information:
instance-1 (Ubuntu 14.04 + OpenVPN server with bridge mode)
  private IP: 192.168.111.22
  floating IP: 10.200.2.114
instance-2
  private IP: 192.168.111.23
  floating IP: none
instance-3
  private IP: 192.168.111.24
  floating IP: none
instance-4
  private IP: 192.168.111.25
  floating IP: none
instance-5
  private IP: 192.168.111.26
  floating IP: none
Server's configuration content:
port 1194
proto tcp
dev tap0
ca ca.crt
cert vpn-1.crt
key vpn-1.key
dh dh2048.pem
server-bridge 192.168.111.22 255.255.255.0 192.168.111.200 192.168.111.210
push "route 192.168.111.0 255.255.255.0"
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
bridge-conf.sh:
#!/bin/bash
# Define physical ethernet interface to be bridged
# with TAP interface(s) below.
eth="eth0"
eth_ip="192.168.111.22"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.111.255"
eth_gateway="192.168.111.1"
# MAC address of eth0; the bridge is given this same address
# so the cloud network keeps seeing the hardware address it knows
eth_mac="FA:16:3E:15:CE:70"
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged together
tap="tap0"
Bridge set-up script:
#!/bin/bash
. /etc/openvpn/bridge/bridge-conf.sh
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################
# Create the persistent TAP device(s) that OpenVPN will attach to
for t in $tap; do
    openvpn --mktun --dev $t
done
# Create the bridge and add the physical interface to it
brctl addbr $br
brctl addif $br $eth
# Add each TAP device to the bridge
for t in $tap; do
    brctl addif $br $t
done
# Bring each TAP device up without an address, in promiscuous mode,
# and accept inbound traffic arriving on it
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
    iptables -A INPUT -i $t -j ACCEPT
done
iptables -A INPUT -i $br -j ACCEPT
iptables -A FORWARD -i $br -j ACCEPT
# Move the IP address from eth0 to the bridge, reuse eth0's MAC
# and re-add the default route via the bridge
ifconfig $eth 0.0.0.0 promisc up
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
ip link set $br address $eth_mac
route add default gw $eth_gateway $br
Bridge tear-down script:
#!/bin/bash
. /etc/openvpn/bridge/bridge-conf.sh
####################################
# Tear Down Ethernet bridge on Linux
####################################
# Remove the firewall rules added for the bridge
iptables -D INPUT -i $br -j ACCEPT
iptables -D FORWARD -i $br -j ACCEPT
# Bring the bridge down and delete it
ifconfig $br down
brctl delbr $br
# Remove the TAP device(s) and their firewall rules
for t in $tap; do
    openvpn --rmtun --dev $t
    iptables -D INPUT -i $t -j ACCEPT
done
# Give eth0 its address and default route back
ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast
route add default gw $eth_gateway $eth
Thank you!
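As an added example, not code from the original post: a small diagnostic script for the VPN client that automates the check described above, probing each of the five private IPs once and then reporting, from the kernel's neighbour table, which hosts answered ARP and which never replied. It assumes a Linux client with iproute2 (ip) and ping; the function names are mine.

```shell
#!/bin/bash
# Added diagnostic (not from the original post): run on the VPN client to see
# which of the instances' private IPs answer ARP over the TAP interface.
# Assumed: a Linux client with iproute2 (ip) and ping; the addresses below are
# the private IPs listed in the post.
INSTANCES="192.168.111.22 192.168.111.23 192.168.111.24 192.168.111.25 192.168.111.26"

# Classify one host from neighbour-table text ("ip -4 neigh show" format).
# Prints: resolved   - a MAC (lladdr) was learned, so an ARP reply arrived
#         unresolved - entry is FAILED/INCOMPLETE: requests sent, no reply
#         missing    - the host was never probed
arp_state() {
    host="$1"; table="$2"
    line=$(printf '%s\n' "$table" | awk -v h="$host" '$1 == h { print; exit }')
    case "$line" in
        "") echo missing ;;
        *" lladdr "*) echo resolved ;;
        *) echo unresolved ;;
    esac
}

# Print a per-host report to stderr and return, on stdout, the number of
# instances that did not answer ARP.
count_unanswered() {
    table="$1"; n=0
    for h in $INSTANCES; do
        s=$(arp_state "$h" "$table")
        printf '%-16s %s\n' "$h" "$s" >&2
        [ "$s" = resolved ] || n=$((n + 1))
    done
    echo "$n"
}

# Live check: probe each instance once so the kernel sends an ARP request,
# then classify the resulting neighbour entries.
probe_and_report() {
    for h in $INSTANCES; do
        ping -c 1 -W 1 "$h" >/dev/null 2>&1 || true
    done
    count_unanswered "$(ip -4 neigh show)"
}
```

Call `probe_and_report` after the tunnel is up; a host reported as unresolved while the TAP counters rise for others matches the ARP-request-without-reply symptom described in the post.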