OpenVPN linux client unable to acquire IP from DHCP server

Posted: Tue Oct 27, 2015 4:52 pm
by webanck
Hello there!
I decided to post here about an issue I was not the only one to encounter (https://bugs.launchpad.net/ubuntu/+sour ... ug/1193614).
Indeed, with an OpenVPN bridged Linux server, a Linux OpenVPN client doesn't manage to acquire an IP address for the tap interface from the DHCP server located on the VPN server.
However, it is working on Windows?!
Furthermore, trying to make the DHCP request manually in an up script launched by OpenVPN doesn't work, whereas the same script, launched after "Initialization Sequence Completed", manages to acquire the address lease.

The server is deployed on Debian with OpenVPN 2.3.8, with a bridged configuration to allow clients to send their traffic through the VPN.

Code:

#Server configuration.
local 192.168.50.2
dev tap0
proto udp
port 1194
persist-key
persist-tun
keepalive 10 120

#Cryptographic & compression information.
ca ca.crt
cert OpenVPN-Server.crt
key OpenVPN-Server.key
dh dh1024.pem
tls-auth ta.key 0
cipher AES-128-CBC
comp-lzo

#Bridge, dhcp & gateway.
server-bridge nogw
push "route-gateway 192.168.50.1"
script-security 3 system
up ./scripts/bridge-start2
down-pre ip link set tap0 nomaster
down ./scripts/bridge-stop2

#Logs.
status /etc/openvpn/openvpn-status_server-bridge2.log
log /etc/openvpn/openvpn_server-bridge2.log
verb 1

Code:

#The bridge-start2 script
ip address flush dev eth0

ip link set dev eth0 promisc on
ip link set dev tap0 promisc on

ip link add name br0 type bridge
ip link set dev br0 up

ip link set dev eth0 master br0
ip link set dev tap0 master br0

ip addr add dev br0 192.168.50.2/24
ip route add default via 192.168.50.1

Code:

#The bridge-stop2 script
ip link set dev eth0 nomaster
ip link delete br0
ip link set dev eth0 promisc off
ifdown eth0
ifup eth0

Code:

#The /etc/network/interfaces file
auto lo eth0
iface lo inet loopback
iface eth0 inet static
        address 192.168.50.2
        network 192.168.50.0
        netmask 255.255.255.0
        broadcast 192.168.50.255
        gateway 192.168.50.1

My client is running Ubuntu 14.04 with OpenVPN 2.3.8.

Code:

client
dev tap0
proto udp
remote webanck.no-ip.biz 1194
resolv-retry infinite
nobind
redirect-gateway def1

persist-key
persist-tun
#mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 3
mute 20
<ca>
-----BEGIN CERTIFICATE-----
#[...]

This configuration yields errors because the interface doesn't get its IP:

Code:

#[...]
Tue Oct 27 16:31:44 2015 [OpenVPN-Server] Peer Connection Initiated with [AF_INET]<remote_IP>:1194
Tue Oct 27 16:31:46 2015 SENT CONTROL [OpenVPN-Server]: 'PUSH_REQUEST' (status=1)
Tue Oct 27 16:31:46 2015 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.50.1,ping 10,ping-restart 120'
Tue Oct 27 16:31:46 2015 OPTIONS IMPORT: timers and/or timeouts modified
Tue Oct 27 16:31:46 2015 OPTIONS IMPORT: route-related options modified
Tue Oct 27 16:31:46 2015 ROUTE_GATEWAY <client_gateway_IP>/255.255.254.0 IFACE=eth0 HWADDR=00:23:55:7c:73:92
Tue Oct 27 16:31:46 2015 TUN/TAP device tap0 opened
Tue Oct 27 16:31:46 2015 TUN/TAP TX queue length set to 100
Tue Oct 27 16:31:46 2015 /sbin/ip route add <remote_IP>/32 via <client_gateway_IP>
Tue Oct 27 16:31:46 2015 /sbin/ip route add 0.0.0.0/1 via 192.168.50.1
RTNETLINK answers: Network is unreachable
Tue Oct 27 16:31:46 2015 ERROR: Linux route add command failed: external program exited with error status: 2
Tue Oct 27 16:31:46 2015 /sbin/ip route add 128.0.0.0/1 via 192.168.50.1
RTNETLINK answers: Network is unreachable
Tue Oct 27 16:31:46 2015 ERROR: Linux route add command failed: external program exited with error status: 2
Tue Oct 27 16:31:46 2015 Initialization Sequence Completed

But running the DHCP lease request by hand and manually adding the aforementioned routes works:

Code:

#!/bin/sh
sudo /sbin/ip address add 192.168.50.2/24 dev tap0
sudo /sbin/dhclient -v tap0
sudo /sbin/ip route add 0.0.0.0/1 via 192.168.50.1
sudo /sbin/ip route add 128.0.0.0/1 via 192.168.50.1

It prints the following:

Code:

Internet Systems Consortium DHCP Client 4.2.4
Copyright 2004-2012 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/tap0/fa:3c:d7:73:ed:e4
Sending on   LPF/tap0/fa:3c:d7:73:ed:e4
Sending on   Socket/fallback
DHCPREQUEST of 192.168.50.123 on tap0 to 255.255.255.255 port 67 (xid=0x1c735ddf)
DHCPNAK from 192.168.50.2 (xid=0xdf5d731c)
DHCPDISCOVER on tap0 to 255.255.255.255 port 67 interval 3 (xid=0xd1c83119)
DHCPREQUEST of 192.168.50.143 on tap0 to 255.255.255.255 port 67 (xid=0x1931c8d1)
DHCPOFFER of 192.168.50.143 from 192.168.50.2
DHCPACK of 192.168.50.143 from 192.168.50.2
bound to 192.168.50.143 -- renewal in 16613 seconds.

Finally, using this same script as an up script means it never gets the IP:

Code:

Tue Oct 27 17:47:22 2015 [OpenVPN-Server] Peer Connection Initiated with [AF_INET]<remote_IP>:1194
Tue Oct 27 17:47:24 2015 SENT CONTROL [OpenVPN-Server]: 'PUSH_REQUEST' (status=1)
Tue Oct 27 17:47:24 2015 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.50.1,ping 10,ping-restart 120'
Tue Oct 27 17:47:24 2015 OPTIONS IMPORT: timers and/or timeouts modified
Tue Oct 27 17:47:24 2015 OPTIONS IMPORT: route-related options modified
Tue Oct 27 17:47:24 2015 ROUTE_GATEWAY <client_gateway_IP>/255.255.254.0 IFACE=eth0 HWADDR=00:23:55:7c:73:92
Tue Oct 27 17:47:24 2015 TUN/TAP device tap0 opened
Tue Oct 27 17:47:24 2015 TUN/TAP TX queue length set to 100
Tue Oct 27 17:47:24 2015 /tmp/up.sh tap0 1500 1590   init
Internet Systems Consortium DHCP Client 4.2.4
Copyright 2004-2012 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/tap0/32:6b:1b:d7:6e:95
Sending on   LPF/tap0/32:6b:1b:d7:6e:95
Sending on   Socket/fallback
DHCPREQUEST of 192.168.50.143 on tap0 to 255.255.255.255 port 67 (xid=0x31537b)
DHCPREQUEST of 192.168.50.143 on tap0 to 255.255.255.255 port 67 (xid=0x31537b)
DHCPREQUEST of 192.168.50.143 on tap0 to 255.255.255.255 port 67 (xid=0x31537b)
DHCPDISCOVER on tap0 to 255.255.255.255 port 67 interval 3 (xid=0xc3073427)
DHCPDISCOVER on tap0 to 255.255.255.255 port 67 interval 5 (xid=0xc3073427)
DHCPDISCOVER on tap0 to 255.255.255.255 port 67 interval 14 (xid=0xc3073427)
DHCPDISCOVER on tap0 to 255.255.255.255 port 67 interval 11 (xid=0xc3073427)

Please help me fix this!
I can post more details if you wish, just let me know.

Re: OpenVPN linux client unable to acquire IP from DHCP serv

Posted: Thu Oct 29, 2015 2:10 pm
by Traffic
webanck wrote: trying to make the DHCP request manually as an up script launched by OpenVPN doesn't work
This is due to security measures: the tunnel is not available to the --up script.

DHCP on Linux:
The Manual wrote: Note that only clients that support the binding of a DHCP client with the TAP adapter (such as Windows) can support this mode
See --server-bridge in The Manual v23x
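As an added example (the editor's, not code from the original posts or from the OpenVPN project), here is a client-side up/down script that does on Linux what the quoted manual text says Windows does natively: it binds a DHCP client to the tap device. Two details matter. OpenVPN runs the --up script synchronously and forwards no tunnel traffic until it returns, so a foreground dhclient in --up broadcasts into a tunnel that is not yet passing packets (the endless DHCPDISCOVER in the last log above); the script therefore detaches the DHCP work. And the def1 routes that failed with "Network is unreachable" are installed only after a lease is bound, so "redirect-gateway def1" is dropped from the client config. Assumed: the client config lines in the header comment, the pid and lease file paths under /run and /var/lib/dhcp, and the documentation addresses 203.0.113.5 and 192.0.2.1 in the test calls, none of which appear in the thread.

```shell
#!/bin/sh
# Added example (not from the original post): OpenVPN client up/down script for
# a bridged TAP client on Linux. Obtains the tap address with dhclient without
# blocking OpenVPN, then installs def1-style routes once the lease is bound.
#
# Assumed client config (replacing "redirect-gateway def1"):
#   script-security 2
#   up   /etc/openvpn/tap-dhcp.sh
#   down /etc/openvpn/tap-dhcp.sh
#
# OpenVPN passes the device name as $1 and exports script_type (up|down),
# trusted_ip (VPN server address), route_net_gateway (pre-existing default
# gateway) and route_vpn_gateway (the pushed route-gateway).
set -eu

# Per-device pid and lease files so several taps do not collide.
pidfile_for()   { printf '/run/dhclient-%s.pid\n' "$1"; }
leasefile_for() { printf '/var/lib/dhcp/dhclient-%s.leases\n' "$1"; }

# Print the "up" commands, one per line, in execution order.
# $1 dev, $2 VPN server IP, $3 current default gateway, $4 VPN gateway.
plan_up() {
    dev=$1; server=$2; netgw=$3; vpngw=$4
    # 1. Pin the VPN server to the old gateway before the default route is
    #    overridden (the same host route redirect-gateway adds first).
    printf 'ip route replace %s/32 via %s\n' "$server" "$netgw"
    printf 'ip link set dev %s up\n' "$dev"
    # 2. Obtain a lease. dhclient blocks until bound, then daemonizes; -1 makes
    #    it give up after its timeout instead of retrying forever.
    printf 'dhclient -1 -pf %s -lf %s %s\n' \
        "$(pidfile_for "$dev")" "$(leasefile_for "$dev")" "$dev"
    # 3. def1-style override: two /1 routes beat the /0 default without
    #    deleting it, so nothing has to be restored on "down".
    printf 'ip route replace 0.0.0.0/1 via %s\n' "$vpngw"
    printf 'ip route replace 128.0.0.0/1 via %s\n' "$vpngw"
}

# Print the "down" commands. $1 dev, $2 VPN server IP.
plan_down() {
    dev=$1; server=$2
    printf 'dhclient -r -pf %s %s\n' "$(pidfile_for "$dev")" "$dev"
    printf 'ip route del %s/32\n' "$server"
}

# Execute a plan line by line; with DRY_RUN=1 only print it.
run_plan() {
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else $cmd; fi
    done
}

main() {
    dev=$1
    case "${script_type:-}" in
        up)
            # Detach: OpenVPN waits for this script and passes no tunnel
            # traffic until it returns, so DHCP must run in the background.
            ( plan_up "$dev" "$trusted_ip" "$route_net_gateway" "$route_vpn_gateway" \
                | run_plan ) >/dev/null 2>&1 &
            ;;
        down)
            plan_down "$dev" "$trusted_ip" | run_plan || true
            ;;
    esac
}

# Only act when invoked by OpenVPN, which exports script_type.
if [ -n "${script_type:-}" ]; then main "$@"; fi
```

Running the file by hand with DRY_RUN=1 and the four OpenVPN variables exported prints the plan instead of executing it, which is the quickest way to check the generated commands before pointing the client config at the script. dhclient-script may additionally install a default route from the DHCP routers option; the two /1 routes take precedence either way, and the host route to trusted_ip keeps the tunnel's own packets off the new default.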