OpenVPN Bridge - Can connect, cannot ping

[supeer]

Hey Guys


I'm having quite a problem with my new openvpn setup.
As a start, here are my config files:

server.conf

Code: Select all

port 1195
proto udp
dev tap0
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.69.9 255.255.255.0 192.168.69.61 192.168.69.100
push "route 192.168.69.1 255.255.255.0"

push "dhcp-option DNS 192.168.69.10"
push "dhcp-option DNS 8.8.8.8"
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
script-security 3

Code: Select all

Client.conf
client
dev tap0
proto udp
remote XXXX 1195
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\clientname.crt"
key "C:\\Program Files\\OpenVPN\\config\\clientname.key"
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3

The thing to note here is that my Server is running on a virtual machine.


My network looks like this:


There seems to be traffic on the bridge from the client, but it cant find the router:


I assume this is a routing issue.... Where can I start to find out how to solve the problem?

thanks alot for you help - if you need logs please tell me!

[maikcat]

which hypervisor are you using?
how did you configured your VMs network cards?

also post the output of the command:

brctl show

on your openvpn server AFTER vpn is up...

also this is wrong

Code: Select all

push "route 192.168.69.1 255.255.255.0"

if you want to push a route to host use 32bit mask.

Michael.

[supeer]

which hypervisor are you using?

Hyper-V 2012 R2

how did you configured your VMs network cards?

also post the output of the command:

brctl show

on your openvpn server AFTER vpn is up...

[/quote]



I've also changed the Route issue to use a /32 mask. Still not working though :/

[supeer]

Allright. Im quite sure the connection is built up and working and it seems to be a routing issue. My client can connect and gets an IP. I've run tcpdum -i tap0 on the server to get the traffic running over the interface. This is the output (filtered for just the client 192.168.69.61):

Code: Select all

root@xxxx:/etc/openvpn# tcpdump -i tap0 -v
tcpdump: WARNING: tap0: no IPv4 address assigned
tcpdump: listening on tap0, link-type EN10MB (Ethernet), capture size 65535 bytes
08:42:26.291261 IP (tos 0x0, ttl 64, id 53922, offset 0, flags [DF], proto UDP (17), length 260)
    192.168.69.9.netbios-dgm > 192.168.69.255.netbios-dgm: NBT UDP PACKET(138)
08:42:46.349635 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.69.9 tell 192.168.69.61, length 28
08:42:46.349674 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.69.9 is-at 00:xx:5d:00:01:xx (oui Unknown), length 28
08:42:47.341384 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.69.9 tell 192.168.69.61, length 28
08:42:47.341425 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.69.9 is-at 00:xx:5d:00:01:xx (oui Unknown), length 28
08:42:48.355457 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.69.9 tell 192.168.69.61, length 28
08:42:48.355494 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.69.9 is-at 00:xx:5d:00:01:xx (oui Unknown), length 28
08:42:49.356289 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.69.1 tell 192.168.69.61, length 28
08:42:50.352020 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.69.1 tell 192.168.69.61, length 28
08:42:51.350366 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.69.1 tell 192.168.69.61, length 28
08:42:59.665922 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.69.10 tell 192.168.69.61, length 28
08:43:00.355562 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.69.10 tell 192.168.69.61, length 28
08:43:01.351596 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.69.10 tell 192.168.69.61, length 28
^C
13 packets captured
13 packets received by filter
0 packets dropped by kernel

The OpenVPN server @ 192.168.69.9 seems to be getting the traffic and even replys to the arp requests. The other clients in the network don't get any arp requests for some reason. The client on the VPN connection can't ping the server at all so I guess he doesn't get the ARP reply. I'm not totally sure here, could anyone correct me if I'm wrong? How can I get the routing to work?

Wireshark Output from the client - doesn't get an ARP response:

Code: Select all

No.     Time           Source                Destination           Protocol Length Info
    331 101.791820000  00:ff:90:37:c8:93     Broadcast             ARP      42     Who has 192.168.69.1?  Tell 192.168.69.61

Frame 331: 42 bytes on wire (336 bits), 42 bytes captured (336 bits)
Ethernet II, Src: 00:ff:90:37:c8:93 (00:ff:90:37:c8:93), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)

No.     Time           Source                Destination           Protocol Length Info
    335 102.218563000  00:ff:90:37:c8:93     Broadcast             ARP      42     Who has 192.168.69.9?  Tell 192.168.69.61

Frame 335: 42 bytes on wire (336 bits), 42 bytes captured (336 bits)
Ethernet II, Src: 00:ff:90:37:c8:93 (00:ff:90:37:c8:93), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)

No.     Time           Source                Destination           Protocol Length Info
    338 102.717758000  00:ff:90:37:c8:93     Broadcast             ARP      42     Who has 192.168.69.1?  Tell 192.168.69.61

Frame 338: 42 bytes on wire (336 bits), 42 bytes captured (336 bits)
Ethernet II, Src: 00:ff:90:37:c8:93 (00:ff:90:37:c8:93), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)

No.     Time           Source                Destination           Protocol Length Info
    342 103.716069000  00:ff:90:37:c8:93     Broadcast             ARP      42     Who has 192.168.69.1?  Tell 192.168.69.61

Frame 342: 42 bytes on wire (336 bits), 42 bytes captured (336 bits)
Ethernet II, Src: 00:ff:90:37:c8:93 (00:ff:90:37:c8:93), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)

[maikcat]

did you enabled ip forwarding on your openvpn server?

Michael.

[supeer]

Ran

Code: Select all

echo 1 > /proc/sys/net/ipv4/ip_forward

once again... --> Still no change

[maikcat]

change this

Code: Select all

server-bridge 192.168.69.9 255.255.255.0 192.168.69.61 192.168.69.100

to this

Code: Select all

server-bridge 192.168.69.1 255.255.255.0 192.168.69.61 192.168.69.100

Michael.

[supeer]

Changed, rebooted server and client - the issue still persists...

[maikcat]

i dont know if something in virtual switch needs to be enabled..

f.e in esxi you need to change something in order bridging to work correctly..

Michael.