Can't reach any of the other machines on the remote subnet

This forum is for all inquiries relating to the installation of OpenVPN from source and with binaries.

Moderators: TinCanTech

Forum rules
Please visit (and READ) the OpenVPN HowTo http://openvpn.net/howto prior to asking any questions in here!
laboshinl
OpenVpn Newbie
Posts: 3
Joined: Tue May 21, 2013 8:42 am


Post by laboshinl » Tue May 21, 2013 9:19 am

Hello,

I am running Ubuntu 12.04 x86_64 and trying to configure openvpn (v2.2.1). Everything seems to be working; the connection is established. But I cannot access a machine which is in the internal network of the VPN tunnel. Using tcpdump I see that packets from the tap0 interface are forwarded to the internal network, and the internal machine sends an ARP reply to the ARP request. This packet comes to the bridge, but doesn't come to the tap0 interface.

Can someone help with this problem?

Here is my config and diagnostics output:
1) IP forwarding is turned on.
2) Firewall config
server:~# iptables-save
-A INPUT -i tap0 -j ACCEPT
-A INPUT -i br1 -j ACCEPT
-A FORWARD -i br1 -j ACCEPT

3) Server configuration
server:~# cat /etc/openvpn/server.conf


port 1194
proto udp

dev tap

up '/etc/openvpn/up.sh br1'
down '/etc/openvpn/down.sh br1'

persist-key
persist-tun

ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

server-bridge 10.0.10.2 255.255.255.0 10.0.10.254 10.0.10.254
client-to-client
keepalive 10 120
comp-lzo
max-clients 1
user nobody
group nogroup
persist-key
persist-tun
script-security 3 system
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3
lladdr FA:17:3E:d3:ce:f8
mute 20
4) General network information
server:~# ifconfig
br1 Link encap:Ethernet HWaddr fa:16:3e:1f:07:71
inet addr:10.0.10.2 Bcast:10.0.10.255 Mask:255.255.255.0
inet6 addr: fe80::f816:3eff:fe1f:771/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:23137 errors:0 dropped:0 overruns:0 frame:0
TX packets:4707 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1844123 (1.8 MB) TX bytes:776970 (776.9 KB)

eth0 Link encap:Ethernet HWaddr fa:16:3e:aa:0b:3d
inet addr:172.16.10.2 Bcast:172.16.10.255 Mask:255.255.255.0
inet6 addr: fe80::f816:3eff:feaa:b3d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:150752 errors:0 dropped:0 overruns:0 frame:0
TX packets:98154 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:15332034 (15.3 MB) TX bytes:15391479 (15.3 MB)

eth1 Link encap:Ethernet HWaddr fa:16:3e:1f:07:71
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:10665 errors:0 dropped:0 overruns:0 frame:0
TX packets:8291 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1163669 (1.1 MB) TX bytes:1041285 (1.0 MB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

tap0 Link encap:Ethernet HWaddr fa:17:3e:d3:ce:f8
inet6 addr: fe80::f817:3eff:fed3:cef8/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:857 errors:0 dropped:0 overruns:0 frame:0
TX packets:747 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:53295 (53.2 KB) TX bytes:31590 (31.5 KB)

5) Bridge config
server:~# brctl show
bridge name bridge id STP enabled interfaces
br1 8000.fa163e1f0771 no eth1
tap0

server:~# route -n
0.0.0.0 172.16.10.1 0.0.0.0 UG 0 0 0 eth0
10.0.10.0 0.0.0.0 255.255.255.0 U 0 0 0 br1
172.16.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

6) Client configuration
client:~# cat client.conf


cert client.crt
key client.key
ca ca.crt

client
dev tap
proto udp

remote 172.16.10.2 1194
resolv-retry infinite
nobind
comp-lzo

verb 2
keepalive 10 120
ping-timer-rem
persist-tun
persist-key
7) Client network configuration
client:~# ifconfig
<...>
tap2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.10.254 netmask 255.255.255.0 broadcast 10.0.10.255
inet6 fe80::80d9:6aff:fe76:26a6 prefixlen 64 scopeid 0x20<link>
ether 82:d9:6a:76:26:a6 txqueuelen 100 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 25 bytes 4111 (4.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


client:~# route -n

0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 p4p1
10.0.10.0 0.0.0.0 255.255.255.0 U 0 0 0 tap2
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 p4p1

8) Diagnostics ping to machine in internal network of VPN server
client:~# ping 10.0.10.5
PING 10.0.10.5 (10.0.10.5) 56(84) bytes of data.
From 10.0.10.254 icmp_seq=1 Destination Host Unreachable
From 10.0.10.254 icmp_seq=2 Destination Host Unreachable
From 10.0.10.254 icmp_seq=3 Destination Host Unreachable

9) tcpdump output on the bridge - ARP reply packets are coming from the server to the OpenVPN bridge
server:~# tcpdump -i br1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br1, link-type EN10MB (Ethernet), capture size 65535 bytes
08:50:34.578836 IP 10.0.10.254.17500 > 10.0.10.255.17500: UDP, length 123
08:50:34.578897 IP 10.0.10.254.17500 > 10.0.10.255.17500: UDP, length 123
08:50:35.059538 ARP, Request who-has 10.0.10.5 tell 10.0.10.254, length 28
08:50:35.059854 ARP, Request who-has 10.0.10.5 tell 10.0.10.254, length 28
08:50:35.060177 ARP, Reply 10.0.10.5 is-at fa:16:3e:47:f8:bf (oui Unknown), length 28
08:50:36.061340 ARP, Request who-has 10.0.10.5 tell 10.0.10.254, length 28
08:50:36.061500 ARP, Request who-has 10.0.10.5 tell 10.0.10.254, length 28
08:50:36.061742 ARP, Reply 10.0.10.5 is-at fa:16:3e:47:f8:bf (oui Unknown), length 28
08:50:37.063273 ARP, Request who-has 10.0.10.5 tell 10.0.10.254, length 28
08:50:37.063440 ARP, Request who-has 10.0.10.5 tell 10.0.10.254, length 28
08:50:37.063753 ARP, Reply 10.0.10.5 is-at fa:16:3e:47:f8:bf (oui Unknown), length 28

10) ARP reply packets are not forwarded to the tap interface!
server:~# tcpdump -i tap0
tcpdump: WARNING: tap0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap0, link-type EN10MB (Ethernet), capture size 65535 bytes
08:52:11.081610 ARP, Request who-has 10.0.10.5 tell 10.0.10.254, length 28
08:52:11.081752 ARP, Request who-has 10.0.10.5 tell 10.0.10.254, length 28
08:52:12.083301 ARP, Request who-has 10.0.10.5 tell 10.0.10.254, length 28
08:52:12.083464 ARP, Request who-has 10.0.10.5 tell 10.0.10.254, length 28
08:52:13.085283 ARP, Request who-has 10.0.10.5 tell 10.0.10.254, length 28
08:52:13.085449 ARP, Request who-has 10.0.10.5 tell 10.0.10.254, length 28

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Can't reach any of the other machines on the remote subn

Post by janjust » Tue May 21, 2013 3:03 pm

change
dev tap
server-bridge 10.0.10.2 255.255.255.0 10.0.10.254 10.0.10.254
to


dev tap0
server-bridge 10.0.10.2 255.255.255.0 10.0.10.254 10.0.10.254

laboshinl
OpenVpn Newbie
Posts: 3
Joined: Tue May 21, 2013 8:42 am

Re: Can't reach any of the other machines on the remote subn

Post by laboshinl » Tue May 21, 2013 4:22 pm

Janjust, thank you for the reply, but nothing has changed :cry:

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Can't reach any of the other machines on the remote subn

Post by janjust » Tue May 21, 2013 11:59 pm

When reading the config statements more carefully, I see that you've bridged tap0 to eth1; however, it's eth0 that is up ....

laboshinl
OpenVpn Newbie
Posts: 3
Joined: Tue May 21, 2013 8:42 am

Re: Can't reach any of the other machines on the remote subn

Post by laboshinl » Wed May 22, 2013 8:09 am

Thank you again!

But does it matter? I have br1 with an eth1 port and an up.sh script


#!/bin/sh
# Called by OpenVPN as: up.sh <bridge> <tap device> <tun-mtu> ...
# (the bridge name comes from the 'up' line in server.conf; OpenVPN appends
# the device name, the MTU and the remaining standard up-script arguments)
BR=$1
DEV=$2
MTU=$3
/sbin/ifconfig $DEV mtu $MTU promisc up
/sbin/brctl addif $BR $DEV
so OpenVPN adds the tap0 port to br1. IMO OpenVPN needn't know anything about eth0/eth1, only about the bridge.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Can't reach any of the other machines on the remote subn

Post by janjust » Wed May 22, 2013 8:59 am

OpenVPN does not care, but Linux does - that's how a bridge works!
A Linux bridge is a special device where all packets sent to the bridge are copied out to all devices that form the bridge; similarly, all packets sent to either device of the bridge (eth0, tap0) are copied to all other devices that make part of that bridge.

What is happening now is that openvpn sends into the bridge, the kernel picks it up and forwards it out eth1 (thus, into oblivion).

Either change to a routed setup or use 'eth0'.
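The failure mode janjust describes (tap0 correctly enslaved to br1, but br1's only physical port being one that is not connected) can be checked from sysfs before touching the OpenVPN config. The script below is an added example written for this thread; it is not from the thread, from OpenVPN or from any of the posters. It assumes the standard sysfs layout (`/sys/class/net/<bridge>/brif/` listing the bridge ports and `/sys/class/net/<iface>/carrier` holding the link state), reads the `dev` line from server.conf, and reports whether that tap device is a bridge port and whether the bridge has at least one non-tap port with link. The sysfs root is a parameter so the check can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added diagnostic for the situation in this thread; not part of the thread
# or of OpenVPN. It reads bridge membership and link state from sysfs and
# checks three things: that server.conf names an explicit tapN device, that
# this device is a port of the bridge, and that the bridge has at least one
# non-tap port with carrier (otherwise frames are copied out to a dead port).
# SYSROOT is normally /sys; it is a parameter so the check can be run against
# a constructed tree.

# Print the ports enslaved to bridge $2 under sysfs root $1, one per line.
bridge_ports() {
    _brif="$1/class/net/$2/brif"
    [ -d "$_brif" ] || return 1
    for _p in "$_brif"/*; do
        [ -e "$_p" ] && basename "$_p"
    done
    return 0
}

# Print the carrier state (1 = link up) of interface $2 under sysfs root $1.
# Reading carrier on an administratively down interface fails, so any
# error is treated as "no link".
carrier_of() {
    cat "$1/class/net/$2/carrier" 2>/dev/null || echo 0
}

# Print the device name given to "dev" in OpenVPN config file $1.
config_dev() {
    awk '$1 == "dev" { print $2; exit }' "$1"
}

# bridge_check SYSROOT BRIDGE SERVER_CONF
# Returns 0 when the setup looks sound, 1 otherwise; each finding is printed.
bridge_check() {
    _root=$1; _br=$2; _conf=$3; _rc=0
    _dev=$(config_dev "$_conf")
    case "$_dev" in
        tap[0-9]*) ;;
        *) echo "$_conf: 'dev $_dev' should name the bridged device explicitly (e.g. dev tap0)"; _rc=1 ;;
    esac
    if ! bridge_ports "$_root" "$_br" | grep -qx -- "$_dev"; then
        echo "$_dev is not a port of bridge $_br"; _rc=1
    fi
    _uplink=0
    for _p in $(bridge_ports "$_root" "$_br"); do
        case "$_p" in tap*) continue ;; esac
        if [ "$(carrier_of "$_root" "$_p")" = "1" ]; then
            echo "$_br: port $_p has link"; _uplink=1
        else
            echo "$_br: port $_p has no link"
        fi
    done
    if [ "$_uplink" != 1 ]; then
        echo "$_br has no physical port with link: frames from $_dev are copied out to nowhere"
        _rc=1
    fi
    return $_rc
}

# Usage: sh bridge_check.sh br1 /etc/openvpn/server.conf
if [ "$#" -ge 2 ]; then
    bridge_check /sys "$1" "$2"
fi
```

Run it on the server as `sh bridge_check.sh br1 /etc/openvpn/server.conf`. For the configuration in this thread it would report that eth1 has no link while tap0 is a member of br1, which is the combination that turns ARP replies into frames forwarded "into oblivion"; a non-zero exit status means one of the three conditions failed.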
