Bridge Setup - Client cannot access LAN
Posted: Sun Sep 13, 2015 9:20 pm
Hi all,
I managed to install OpenVPN and got a Windows client to connect to it, but I am having a really tough time PINGING any other device on the internal LAN.
Here is my current set up:
Internal LAN: 10.70.0.0 (255.255.252.0)
10.70.0.1 = NetGear Gateway/Router SRX5308
10.70.0.2 - 10.70.0.254 = internal servers, 10.70.0.50 is the actual OpenVPN server
10.70.1.1 - 10.70.1.254 = internal workstations (DHCP controlled by NetGear)
10.70.2.1 - 10.70.2.254 = reserved for VPN clients
OpenVPN: /etc/network/interfaces
auto lo
iface lo inet loopback
auto br0
iface br0 inet static
address 10.70.0.50
netmask 255.255.252.0
gateway 10.70.0.1
bridge_ports eth0 tap0
bridge_fd 9 ## from the libvirt docs (forward delay time)
bridge_hello 2 ## from the libvirt docs (hello time)
bridge_maxage 12 ## from the libvirt docs (maximum message age)
bridge_stp off ## from the libvirt docs (spanning tree protocol)
iface eth0 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE up promisc on
down ip link set $IFACE down promisc off
down ifconfig $IFACE down
OpenVPN /etc/openvpn/server.conf
mode server
tls-server
local 10.70.0.50 ## ip/hostname of server
port 1194 ## default openvpn port
proto udp
#bridging directive
dev tap0
script-security 2
up "/etc/openvpn/up.sh br0 tap0 1500"
down "/etc/openvpn/down.sh br0 tap0"
persist-key
persist-tun
#certificates and encryption
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
cipher BF-CBC
comp-lzo
#DHCP Information
ifconfig-pool-persist ipp.txt
server-bridge 10.70.0.50 255.255.252.0 10.70.2.1 10.70.2.254
push "dhcp-option DNS 10.70.0.10"
push "dhcp-option DNS 10.70.0.11"
max-clients 254
#log and security
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 5
Client config
client
dev tap
remote [REMOVED] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
cipher BF-CBC
comp-lzo
verb 5
And the results of the client connection log...
Sun Sep 13 21:31:59 2015 pkcs11_protected_authentication = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_protected_authentication = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_protected_authentication = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_protected_authentication = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_pin_cache_period = -1
Sun Sep 13 21:31:59 2015 pkcs11_id = '[UNDEF]'
Sun Sep 13 21:31:59 2015 pkcs11_id_management = DISABLED
Sun Sep 13 21:31:59 2015 server_network = 0.0.0.0
Sun Sep 13 21:31:59 2015 server_netmask = 0.0.0.0
Sun Sep 13 21:31:59 2015 server_network_ipv6 = ::
Sun Sep 13 21:31:59 2015 server_netbits_ipv6 = 0
Sun Sep 13 21:31:59 2015 server_bridge_ip = 0.0.0.0
Sun Sep 13 21:31:59 2015 server_bridge_netmask = 0.0.0.0
Sun Sep 13 21:31:59 2015 server_bridge_pool_start = 0.0.0.0
Sun Sep 13 21:31:59 2015 server_bridge_pool_end = 0.0.0.0
Sun Sep 13 21:31:59 2015 ifconfig_pool_defined = DISABLED
Sun Sep 13 21:31:59 2015 ifconfig_pool_start = 0.0.0.0
Sun Sep 13 21:31:59 2015 ifconfig_pool_end = 0.0.0.0
Sun Sep 13 21:31:59 2015 ifconfig_pool_netmask = 0.0.0.0
Sun Sep 13 21:31:59 2015 ifconfig_pool_persist_filename = '[UNDEF]'
Sun Sep 13 21:31:59 2015 ifconfig_pool_persist_refresh_freq = 600
Sun Sep 13 21:31:59 2015 ifconfig_ipv6_pool_defined = DISABLED
Sun Sep 13 21:31:59 2015 ifconfig_ipv6_pool_base = ::
Sun Sep 13 21:31:59 2015 ifconfig_ipv6_pool_netbits = 0
Sun Sep 13 21:31:59 2015 n_bcast_buf = 256
Sun Sep 13 21:31:59 2015 tcp_queue_limit = 64
Sun Sep 13 21:31:59 2015 real_hash_size = 256
Sun Sep 13 21:31:59 2015 virtual_hash_size = 256
Sun Sep 13 21:31:59 2015 client_connect_script = '[UNDEF]'
Sun Sep 13 21:31:59 2015 learn_address_script = '[UNDEF]'
Sun Sep 13 21:31:59 2015 client_disconnect_script = '[UNDEF]'
Sun Sep 13 21:31:59 2015 client_config_dir = '[UNDEF]'
Sun Sep 13 21:31:59 2015 ccd_exclusive = DISABLED
Sun Sep 13 21:31:59 2015 tmp_dir = 'C:\Users\ASLIVI~1.UNI\AppData\Local\Temp\'
Sun Sep 13 21:31:59 2015 push_ifconfig_defined = DISABLED
Sun Sep 13 21:31:59 2015 push_ifconfig_local = 0.0.0.0
Sun Sep 13 21:31:59 2015 push_ifconfig_remote_netmask = 0.0.0.0
Sun Sep 13 21:31:59 2015 push_ifconfig_ipv6_defined = DISABLED
Sun Sep 13 21:31:59 2015 push_ifconfig_ipv6_local = ::/0
Sun Sep 13 21:31:59 2015 push_ifconfig_ipv6_remote = ::
Sun Sep 13 21:31:59 2015 enable_c2c = DISABLED
Sun Sep 13 21:31:59 2015 duplicate_cn = DISABLED
Sun Sep 13 21:31:59 2015 cf_max = 0
Sun Sep 13 21:31:59 2015 cf_per = 0
Sun Sep 13 21:31:59 2015 max_clients = 1024
Sun Sep 13 21:31:59 2015 max_routes_per_client = 256
Sun Sep 13 21:31:59 2015 auth_user_pass_verify_script = '[UNDEF]'
Sun Sep 13 21:31:59 2015 auth_user_pass_verify_script_via_file = DISABLED
Sun Sep 13 21:31:59 2015 client = ENABLED
Sun Sep 13 21:31:59 2015 pull = ENABLED
Sun Sep 13 21:31:59 2015 auth_user_pass_file = '[UNDEF]'
Sun Sep 13 21:31:59 2015 show_net_up = DISABLED
Sun Sep 13 21:31:59 2015 route_method = 0
Sun Sep 13 21:31:59 2015 ip_win32_defined = DISABLED
Sun Sep 13 21:31:59 2015 ip_win32_type = 3
Sun Sep 13 21:31:59 2015 dhcp_masq_offset = 0
Sun Sep 13 21:31:59 2015 dhcp_lease_time = 31536000
Sun Sep 13 21:31:59 2015 tap_sleep = 0
Sun Sep 13 21:31:59 2015 dhcp_options = DISABLED
Sun Sep 13 21:31:59 2015 dhcp_renew = DISABLED
Sun Sep 13 21:31:59 2015 dhcp_pre_release = DISABLED
Sun Sep 13 21:31:59 2015 dhcp_release = DISABLED
Sun Sep 13 21:31:59 2015 domain = '[UNDEF]'
Sun Sep 13 21:31:59 2015 netbios_scope = '[UNDEF]'
Sun Sep 13 21:31:59 2015 netbios_node_type = 0
Sun Sep 13 21:31:59 2015 disable_nbt = DISABLED
Sun Sep 13 21:31:59 2015 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 4 2015
Sun Sep 13 21:31:59 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
Sun Sep 13 21:31:59 2015 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Sep 13 21:31:59 2015 Need hold release from management interface, waiting...
Sun Sep 13 21:32:00 2015 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun Sep 13 21:32:00 2015 MANAGEMENT: CMD 'state on'
Sun Sep 13 21:32:00 2015 MANAGEMENT: CMD 'log all on'
Sun Sep 13 21:32:01 2015 MANAGEMENT: CMD 'hold off'
Sun Sep 13 21:32:01 2015 MANAGEMENT: CMD 'hold release'
Sun Sep 13 21:32:01 2015 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Sep 13 21:32:01 2015 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Sun Sep 13 21:32:01 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 13 21:32:01 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 13 21:32:01 2015 LZO compression initialized
Sun Sep 13 21:32:01 2015 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:3 ]
Sun Sep 13 21:32:01 2015 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Sep 13 21:32:01 2015 MANAGEMENT: >STATE:1442176321,RESOLVE,,,
Sun Sep 13 21:32:02 2015 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:143 ET:32 EL:3 AF:3/1 ]
Sun Sep 13 21:32:02 2015 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Sun Sep 13 21:32:02 2015 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Sun Sep 13 21:32:02 2015 Local Options hash (VER=V4): '13a273ba'
Sun Sep 13 21:32:02 2015 Expected Remote Options hash (VER=V4): '360696c5'
Sun Sep 13 21:32:02 2015 UDPv4 link local: [undef]
Sun Sep 13 21:32:02 2015 UDPv4 link remote: [AF_INET][REMOVED]:1194
Sun Sep 13 21:32:02 2015 MANAGEMENT: >STATE:1442176322,WAIT,,,
Sun Sep 13 21:32:02 2015 MANAGEMENT: >STATE:1442176322,AUTH,,,
Sun Sep 13 21:32:02 2015 TLS: Initial packet from [AF_INET][REMOVED], sid=b6d47657 fd2e7180
Sun Sep 13 21:32:07 2015 VERIFY OK: depth=1, C=GB, ST=LON, L=London, O=[REMOVED], OU=MyOrganizationalUnit, CN=[REMOVED], name=server, emailAddress=[REMOVED]
Sun Sep 13 21:32:07 2015 VERIFY OK: depth=0, C=GB, ST=LON, L=London, O=[REMOVED], OU=MyOrganizationalUnit, CN=server, name=server, emailAddress=[REMOVED]
Sun Sep 13 21:32:11 2015 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Sep 13 21:32:11 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 13 21:32:11 2015 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Sep 13 21:32:11 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 13 21:32:12 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Sep 13 21:32:12 2015 [server] Peer Connection Initiated with [AF_INET][REMOVED]:1194
Sun Sep 13 21:32:13 2015 MANAGEMENT: >STATE:1442176333,GET_CONFIG,,,
Sun Sep 13 21:32:14 2015 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Sep 13 21:32:14 2015 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.70.0.10,dhcp-option DNS 10.70.0.11,route-gateway 10.70.0.50,ping 10,ping-restart 120,ifconfig 10.70.2.10 255.255.252.0'
Sun Sep 13 21:32:14 2015 OPTIONS IMPORT: timers and/or timeouts modified
Sun Sep 13 21:32:14 2015 OPTIONS IMPORT: --ifconfig/up options modified
Sun Sep 13 21:32:14 2015 OPTIONS IMPORT: route-related options modified
Sun Sep 13 21:32:14 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Sep 13 21:32:14 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Sep 13 21:32:14 2015 MANAGEMENT: >STATE:1442176334,ASSIGN_IP,,10.70.2.10,
Sun Sep 13 21:32:14 2015 open_tun, tt->ipv6=0
Sun Sep 13 21:32:14 2015 TAP-WIN32 device [Local Area Connection 10] opened: \\.\Global\{8FA599A6-8994-4B0F-9072-F25BC5A8DAC1}.tap
Sun Sep 13 21:32:14 2015 TAP-Windows Driver Version 9.21
Sun Sep 13 21:32:14 2015 TAP-Windows MTU=1500
Sun Sep 13 21:32:14 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.70.2.10/255.255.252.0 on interface {8FA599A6-8994-4B0F-9072-F25BC5A8DAC1} [DHCP-serv: 10.70.0.0, lease-time: 31536000]
Sun Sep 13 21:32:14 2015 DHCP option string: 0f15636f 72702e75 6e696669 65646c6f 6769632e 636f6d06 080a4600 0a0a4600 0c
Sun Sep 13 21:32:14 2015 NOTE: FlushIpNetTable failed on interface [40] {8FA599A6-8994-4B0F-9072-F25BC5A8DAC1} (status=5) : Access is denied.
Sun Sep 13 21:32:19 2015 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
Sun Sep 13 21:32:19 2015 Initialization Sequence Completed
Sun Sep 13 21:32:19 2015 MANAGEMENT: >STATE:1442176339,CONNECTED,SUCCESS,10.70.2.10,[REMOVED]
It's worth mentioning that the client connects OK and it can ping the VPN server; however, it cannot ping anything else on the internal network:
C:\>ping 10.70.0.50
Pinging 10.70.0.50 with 32 bytes of data:
Reply from 10.70.0.50: bytes=32 time=118ms TTL=64
Reply from 10.70.0.50: bytes=32 time=32ms TTL=64
Reply from 10.70.0.50: bytes=32 time=60ms TTL=64
Reply from 10.70.0.50: bytes=32 time=82ms TTL=64
Ping statistics for 10.70.0.50:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 32ms, Maximum = 118ms, Average = 73ms
C:\>ping 10.70.0.10
Pinging 10.70.0.10 with 32 bytes of data:
Request timed out.
Request timed out.
Reply from 10.70.2.10: Destination host unreachable.
Request timed out.
Ping statistics for 10.70.0.10:
Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
I have tried everything I can think of on the server, even added a static route on the NetGear with no luck:
http://postimg.org/image/o65dazbw5/
Can you please advise what I should do?
Many thanks!
Andy
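Added example (not part of the original post, and not OpenVPN project code): a script that checks the addressing rules a tap bridge has to satisfy, run over excerpts of the posted server.conf, client config and the PUSH_REPLY line from the client log. The LAN layout, the NetGear DHCP scope and the config excerpts are taken from the post; the checks, the finding texts and the list of 64-bit block ciphers are the editor's own. It also flags two things the posted material shows: `cipher BF-CBC` on both ends, and the client log's "No server certificate verification method has been enabled" warning, which means the client will accept any certificate issued by the same CA (including another client's) as the server.

```python
"""Added example, not from the post: sanity-check a bridged (tap) OpenVPN setup
against the LAN layout, using excerpts of the posted configs and PUSH_REPLY."""
import ipaddress
import re
import shlex

# Constructed from the post: config excerpts, the pushed options, the LAN layout.
SERVER_CONF = """
mode server
local 10.70.0.50 ## ip/hostname of server
dev tap0
cipher BF-CBC
server-bridge 10.70.0.50 255.255.252.0 10.70.2.1 10.70.2.254
push "dhcp-option DNS 10.70.0.10"
"""
CLIENT_CONF = "client\ndev tap\ntls-auth ta.key 1\ncipher BF-CBC\n"
PUSH_REPLY = ("PUSH_REPLY,dhcp-option DNS 10.70.0.10,dhcp-option DNS 10.70.0.11,"
              "route-gateway 10.70.0.50,ping 10,ping-restart 120,"
              "ifconfig 10.70.2.10 255.255.252.0")
LAN = ipaddress.ip_network("10.70.0.0/22")
LAN_GATEWAY = ipaddress.ip_address("10.70.0.1")
# Other DHCP scopes on the same L2 segment: the NetGear's workstation range.
LAN_DHCP_SCOPES = [(ipaddress.ip_address("10.70.1.1"), ipaddress.ip_address("10.70.1.254"))]
# 64-bit block ciphers; BF-CBC is also what OpenVPN 2.3 uses when 'cipher' is absent.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}


def parse_conf(text):
    """{directive: [args]} for an OpenVPN config. '#'/';' start comments, quoted
    arguments are honoured, and every 'push' line is collected under conf['push']."""
    conf = {"push": []}
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)[#;].*$", "", raw).strip()
        if not line:
            continue
        words = shlex.split(line)
        if words[0] == "push":
            conf["push"].append(" ".join(words[1:]))
        else:
            conf[words[0]] = words[1:]
    return conf


def check_bridge_pool(conf, lan, gateway, dhcp_scopes):
    """'server-bridge IP NETMASK POOL_START POOL_END' must describe the real LAN, and
    the pool must avoid the gateway, the server itself and every other DHCP scope."""
    args = conf.get("server-bridge", [])
    if len(args) != 4:
        return ["server-bridge needs IP NETMASK POOL_START POOL_END in bridge mode"]
    br_ip = ipaddress.ip_address(args[0])
    bridged = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
    start, end = ipaddress.ip_address(args[2]), ipaddress.ip_address(args[3])
    findings = []
    if bridged != lan:
        findings.append(f"server-bridge netmask gives {bridged}, but the LAN is {lan}")
    if start > end:
        findings.append(f"pool start {start} is after pool end {end}")
    if start not in lan or end not in lan:
        findings.append(f"pool {start}-{end} is not inside {lan}; bridged clients need LAN addresses")
    for addr in (gateway, br_ip):  # these must never be handed to a client
        if start <= addr <= end:
            findings.append(f"pool {start}-{end} contains {addr}")
    for lo, hi in dhcp_scopes:  # two DHCP servers on one segment must not share a range
        if start <= hi and lo <= end:
            findings.append(f"pool {start}-{end} overlaps another DHCP scope {lo}-{hi}")
    return findings


def check_client_assignment(push_reply, lan, server_conf):
    """Cross-check what the server actually pushed (taken from the client log)."""
    opts = dict(o.split(" ", 1) for o in push_reply.split(",")[1:] if " " in o)
    findings = []
    ip_s, mask_s = opts["ifconfig"].split()
    client = ipaddress.ip_interface(f"{ip_s}/{mask_s}")
    if client.network != lan:
        findings.append(f"client was given {client}, which is not on {lan}")
    bridge_ip = server_conf.get("server-bridge", [""])[0]
    if opts.get("route-gateway") != bridge_ip:
        findings.append(f"route-gateway {opts.get('route-gateway')} differs from bridge IP {bridge_ip}")
    return findings


def check_security(server_conf, client_conf):
    """Two issues visible in the post: a 64-bit block cipher on both sides, and a
    client that never checks the server certificate is a *server* certificate."""
    findings = []
    for side, conf in (("server", server_conf), ("client", client_conf)):
        cipher = conf.get("cipher", ["BF-CBC"])[0].upper()
        if cipher in WEAK_CIPHERS:
            findings.append(f"{side}: cipher {cipher} has a 64-bit block; use AES-256-GCM or AES-256-CBC")
    if not any(k in client_conf for k in ("remote-cert-tls", "ns-cert-type", "verify-x509-name")):
        findings.append("client: add 'remote-cert-tls server' so another client's certificate "
                        "from the same CA cannot be used to pose as the server")
    return findings


def audit(server_text, client_text, push_reply):
    server, client = parse_conf(server_text), parse_conf(client_text)
    return (check_bridge_pool(server, LAN, LAN_GATEWAY, LAN_DHCP_SCOPES)
            + check_client_assignment(push_reply, LAN, server)
            + check_security(server, client))


if __name__ == "__main__":
    for finding in audit(SERVER_CONF, CLIENT_CONF, PUSH_REPLY):
        print("-", finding)
```

Run as-is it reports three findings, all on the security side: the pool, the netmask and the pushed 10.70.2.10/22 all agree with the layout in the post. When the addressing checks pass, the fault is below IP, so the next things to confirm on the server are that tap0 is actually enslaved in br0 (`brctl show br0` or `bridge link`), that nothing in the iptables FORWARD chain or br_netfilter is dropping bridged frames, and that the client's ARP requests show up on the LAN side (`tcpdump -ni br0 arp`). The "Reply from 10.70.2.10: Destination host unreachable" line in the ping output is the Windows client reporting on its own behalf that it got no ARP answer for 10.70.0.10, which points the same way. `remote-cert-tls server` requires the server certificate to carry the TLS server extended key usage, which easy-rsa's build-key-server sets.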