Ovpn into an ESX virtual lab

This forum is for all inquiries relating to the installation of OpenVPN from source and with binaries.

Moderators: TinCanTech

Forum rules
Please visit (and READ) the OpenVPN HowTo http://openvpn.net/howto prior to asking any questions in here!
konigstein
OpenVpn Newbie
Posts: 3
Joined: Fri Aug 10, 2012 8:54 am

Ovpn into an ESX virtual lab

Post by konigstein » Fri Aug 10, 2012 9:03 am

I have a class B (192.168.0.0/16) flat network. I have OpenVPN running on ESX (vsphere). I can connect to the vpn, get an address, and ping the physical router as well as other physical devices.

However, I cannot interact with any of the virtual machines or the ESX server itself. I have tested with no firewall rules anywhere on the network, however this had no effect. I've set the ESX switch to promiscuous mode, however this also had no effect on the problem.

port 443
proto tcp-server
dev tap
ca /etc/openvpn/ca.crt
cert /etc/openvpn/ec2-vpn-server.crt
key /etc/openvpn/ec2-vpn-server.key  # This file should be kept secret
dh /etc/openvpn/dh2048.pem
server 192.168.200.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.10.0 255.255.255.0"
push "route 192.168.100.0 255.255.255.0"
push "route 192.168.0.0 255.255.0.0"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
keepalive 10 60
tls-server
tls-auth /etc/openvpn/ta.key 0 # This file is secret
cipher AES-128-CBC   # AES
comp-lzo
max-clients 15
user nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
(Openvpn vm)

br0       Link encap:Ethernet  HWaddr 00:0c:29:eb:66:18
          inet addr:192.168.10.10  Bcast:192.168.255.255  Mask:255.255.0.0
          inet6 addr: fe80::20c:29ff:feeb:6618/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4826 errors:0 dropped:36 overruns:0 frame:0
          TX packets:3704 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1519079 (1.5 MB)  TX bytes:1452727 (1.4 MB)

eth0      Link encap:Ethernet  HWaddr 00:0c:29:eb:66:18
          inet6 addr: fe80::20c:29ff:feeb:6618/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:50776 errors:12 dropped:302 overruns:0 frame:0
          TX packets:13535 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:32925605 (32.9 MB)  TX bytes:5193102 (5.1 MB)
          Interrupt:16 Base address:0x2400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:93 errors:0 dropped:0 overruns:0 frame:0
          TX packets:93 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10416 (10.4 KB)  TX bytes:10416 (10.4 KB)

tap0      Link encap:Ethernet  HWaddr 92:d4:14:a0:31:8e
          inet addr:192.168.200.1  Bcast:192.168.200.255  Mask:255.255.255.0
          inet6 addr: fe80::90d4:14ff:fea0:318e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1619 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1340 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:183439 (183.4 KB)  TX bytes:1003594 (1.0 MB)

/etc/network/interfaces

auto lo
iface lo inet loopback
auto br0
iface br0 inet static
pre-up /usr/sbin/openvpn --mktun --dev tap0
pre-up /sbin/ifconfig eth0 0.0.0.0 promisc up
pre-up /sbin/ifconfig tap0 0.0.0.0 promisc up
pre-up /sbin/brctl addbr br0
pre-up /sbin/brctl stp br0 off
pre-up /sbin/brctl setfd br0 0
pre-up /sbin/brctl addif br0 eth0
pre-up /sbin/brctl addif br0 tap0
address 192.168.10.10
netmask 255.255.0.0
network 192.168.0.0
broadcast 192.168.255.255
gateway 192.168.10.1

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Ovpn into an ESX virtual lab

Post by maikcat » Fri Aug 10, 2012 9:18 am

hi there,

your config is for OpenVPN to work in routed mode, but the
contents of interfaces (bridging tap with eth) show bridging.

what mode do you want to implement?

Michael.
Amiga 500, ZX +2 owner
Long live Dino Dini (Kick Off 2 creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

konigstein
OpenVpn Newbie
Posts: 3
Joined: Fri Aug 10, 2012 8:54 am

Re: Ovpn into an ESX virtual lab

Post by konigstein » Fri Aug 10, 2012 11:20 pm

Alrighty, so I looked through the documentation and updated the config to the following, however I'm still not seeing traffic getting through. It looks like openvpn is still not properly bridging traffic. Is there anywhere else I'm missing something?

port 443
proto tcp-server
dev tap
ca /etc/openvpn/ca.crt
cert /etc/openvpn/ec2-vpn-server.crt
key /etc/openvpn/ec2-vpn-server.key  # This file should be kept secret
dh /etc/openvpn/dh2048.pem
server-bridge 192.168.10.10 255.255.0.0 192.168.200.2 192.168.200.254
push "route 192.168.10.0 255.255.255.0"
push "route 192.168.100.0 255.255.255.0"
push "route 192.168.0.0 255.255.0.0"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
keepalive 10 60
tls-server
tls-auth /etc/openvpn/ta.key 0 # This file is secret
cipher AES-128-CBC   # AES
comp-lzo
max-clients 15
user nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Ovpn into an ESX virtual lab

Post by maikcat » Sat Aug 11, 2012 8:24 am

hello there,

some things to check:

ip forwarding must be enabled on your openvpn server
check your config that the dev directive is dev tap0 (the 0 MUST be there)
ifconfig must report PROMISC for both the eth & tap interfaces
brctl show must show tap & eth under the br0 interface

also you have to enable promiscuous mode on the physical interface concerned using the vmware client.

regards.

Michael.
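The checklist in the post above, turned into a script (an added example, not from the thread or the OpenVPN project). Each check reads the text it inspects from stdin, so it can be run against captured output or piped from the live commands; the config path in check_all is an assumption.

```shell
#!/bin/sh
# Added example: verify the four points for a bridged OpenVPN server.
# Every check_* function reads from stdin so it works on captured output
# (old net-tools ifconfig layout, as in the thread) or on live commands.

# 1. "dev tap0" (a numbered tap that is a member of br0), never bare "dev tap",
#    which makes OpenVPN allocate its own tapN device outside the bridge.
check_dev_directive() {                          # stdin: server config
    grep -Eq '^[[:space:]]*dev[[:space:]]+tap[0-9]+[[:space:]]*$'
}

# 2. IPv4 forwarding switched on.
check_ip_forward() {                             # stdin: /proc/sys/net/ipv4/ip_forward
    read -r v && [ "$v" = "1" ]
}

# 3. The named interface shows PROMISC in ifconfig output.
check_promisc() {                                # $1 = interface, stdin: ifconfig output
    awk -v ifc="$1" '
        $1 == ifc || $1 == (ifc ":") { inside = 1; next }  # block starts with the name
        /^[^ \t]/ { inside = 0 }                 # another interface name ends the block
        inside && /PROMISC/ { ok = 1 }
        END { exit !ok }'
}

# 4. brctl show lists both members under the bridge.
check_bridge_members() {                         # $1 = bridge, $2 $3 = members, stdin: brctl show
    awk -v br="$1" -v a="$2" -v b="$3" '
        NR == 1 { next }                         # header row
        NF >= 4 { cur = $1; seen[cur, $4] = 1; next }   # bridge row carries the first member
        NF == 3 { cur = $1; next }               # bridge with no members yet
        NF == 1 { seen[cur, $1] = 1 }            # further members, one per row
        END { exit !(seen[br, a] && seen[br, b]) }'
}

# Run everything on the VPN box. The config path is an assumption; adjust it.
check_all() {
    check_dev_directive < /etc/openvpn/server.conf || { echo "FAIL: dev must be dev tapN"; return 1; }
    check_ip_forward < /proc/sys/net/ipv4/ip_forward || { echo "FAIL: ip_forward is 0"; return 1; }
    for i in eth0 tap0; do
        ifconfig | check_promisc "$i" || { echo "FAIL: $i is not PROMISC"; return 1; }
    done
    brctl show | check_bridge_members br0 eth0 tap0 || { echo "FAIL: br0 lacks eth0/tap0"; return 1; }
    echo "all bridge checks passed"
}
```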

konigstein
OpenVpn Newbie
Posts: 3
Joined: Fri Aug 10, 2012 8:54 am

Re: Ovpn into an ESX virtual lab

Post by konigstein » Mon Aug 13, 2012 4:19 am

After changing the configuration to the options above, I can no longer interact with ANY hosts on the network (no ICMP or otherwise). Monitoring the traffic on the VPN box, I see ARP Requests and never see any response.

Here are the points you mentioned:

IP Forwarding is on...

root@ubuntu:/# cat /proc/sys/net/ipv4/ip_forward 
1
and

root@ubuntu:/# cat /etc/sysctl.conf | grep "forward"
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
#net.ipv6.conf.all.forwarding=1
It is tap0 with the zero...

root@ubuntu:/# ifconfig tap0
tap0      Link encap:Ethernet  HWaddr 5e:52:0f:8f:52:89  
          inet6 addr: fe80::5c52:fff:fe8f:5289/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3888 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:233370 (233.3 KB)
tap0 and eth0 are both in promiscuous mode

root@ubuntu:/# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0c:29:eb:66:18  
          inet6 addr: fe80::20c:29ff:feeb:6618/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:21512 errors:3 dropped:3 overruns:0 frame:0
          TX packets:274 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:10568912 (10.5 MB)  TX bytes:30900 (30.9 KB)
          Interrupt:16 Base address:0x2400 
The bridge seems to be set up right, with both tap0 and eth0

root@ubuntu:/# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.000c29eb6618       no              eth0
                                                        tap0

> also you have to enable promiscuous mode on the concerning physical interface using the vmware client.

I'm not sure what you mean by this; if you mean having promiscuous mode on the ESX server (Network Security) then that has been done.

Anything I'm missing?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Ovpn into an ESX virtual lab

Post by maikcat » Mon Aug 13, 2012 7:11 am

hi there,

the tap0 thing I mentioned is for the openvpn config,

are you sure that inside server config the dev directive is

dev tap0

instead of

dev tap

?

Michael.
