No DHCP passing through tap bridge

martin525
OpenVpn Newbie
Posts: 1
Joined: Thu Jul 11, 2019 11:02 pm

No DHCP passing through tap bridge

Post by martin525 » Fri Jul 12, 2019 6:18 pm

Hello,
I want to achieve a topology like this:


           +-----------+       +-------------------------+        +--------------------+ remote network
           |dhcp-server+---+   +vpn-server               |        |client(rpi 3b)      | (hostapd)
           |192.168.1.1|   |   |                         |        |                    |  \ | /
internet   +-----------+   |   |            br0          |        |        br0         |   \|/
    +                      |   |        192.168.1.10     |        |  (ip from dhcp)    |    |
    |    +-------------+   |   |          +     +        |        |      +     +       |    |
    +----+gateway      +-------+ens192+---+     +---+tap0|........|tap0+-+     +-+wlan0+----+
         |192.168.1.254|   |   |                         |        |                    |      internet(lte)
         +-------------+   |   +-------------------------+        |                    |         +
                           |                                      |                eth1+---------+
                           |                                      |                    |
          local network+---+                                      +--------------------+

The remote client is a Raspberry Pi 3B with an LTE dongle, which should create a wifi network that is the same as my home network.
It's working (local network and internet access from the remote network) when I assign a static IP to the clients on the remote network.

Why is the DHCP on the local network not serving the clients on the remote network?
Should this even work?

How I want it to work is that the DHCP on the local network also serves clients on the remote network. I don't want to use a second DHCP server.

The server is an ESXi VM running Debian 10, and the client a Raspberry Pi 3B running Raspbian.

Thanks in advance,
Martin


Here are my configs and bridge scripts

Server config:

port 1195
proto udp
dev tap0

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh2048.pem

auth SHA512

mode server
tls-server

keepalive 10 120
tls-auth /etc/openvpn/ta.key 0 # This file is secret
cipher AES-256-CBC

compress lz4-v2
push "compress lz4-v2"

user nobody
group nogroup

persist-key
persist-tun

status openvpn-status.log

verb 3
explicit-exit-notify 1

Server bridge script:


#!/bin/bash

eth="ens192"
eth_ip="192.168.1.10"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"
eth_gateway="192.168.1.254"
eth_mac="00:0c:29:76:1b:6e"

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged together
tap="tap0"

for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br
brctl setageing $br 0
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
    iptables -A INPUT -i $t -j ACCEPT
done

iptables -A INPUT -i $br -j ACCEPT
iptables -A FORWARD -i $br -j ACCEPT

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
ip link set $br address $eth_mac
route add default gw $eth_gateway $br

Client config:

client

dev tap0
proto udp
remote ramaschaf.de
port 1195
resolv-retry infinite
nobind

persist-tun
persist-key

auth SHA512
tls-client
ca ca.crt
cert wlan_pi.crt
key wlan_pi.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
redirect-gateway autolocal

script-security 2

client bridge (in /etc/network/interfaces):


iface br0 inet dhcp
bridge_ports tap0 wlan0 # build bridge
bridge_fd 0             # no forwarding delay
bridge_stp off          # disable Spanning Tree Protocol

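The setup above extends the home LAN's layer-2 broadcast domain across the tunnel, so the home DHCP server is expected to answer the remote wifi clients directly, and a failed lease means a DISCOVER or the returning OFFER is being dropped on one leg (client wlan0/br0, tap0, the tunnel, or the server's br0). The helper below is an added example, not part of the original post or of OpenVPN: it decodes raw DHCP messages (the UDP payloads you would extract from a capture taken on each side, e.g. `tcpdump -i br0 -w side.pcap port 67 or port 68`) and correlates transaction ids between the two capture points, so you can see on which leg the exchange stops. The sample packets, the client MAC and the offered address are constructed for the example, not captured traffic.

```python
"""Decode DHCP messages and correlate them across two capture points."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie that starts the options field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_dhcp(payload: bytes) -> dict:
    """Decode the BOOTP fixed header and the DHCP options of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    ciaddr, yiaddr, siaddr, giaddr = struct.unpack("!4s4s4s4s", payload[12:28])
    chaddr = payload[28:28 + hlen]
    opts = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # end of options
            break
        if code == 0:            # pad byte
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = opts[53][0] if 53 in opts else 0
    return {
        "op": "BOOTREQUEST" if op == 1 else "BOOTREPLY",
        "xid": xid,
        "broadcast": bool(flags & 0x8000),   # client asks for a broadcast reply
        "client_mac": ":".join(f"{x:02x}" for x in chaddr),
        "yiaddr": _ip(yiaddr),               # address offered/assigned to the client
        "giaddr": _ip(giaddr),               # non-zero only when a relay agent is involved
        "type": MSG_TYPES.get(msg_type, f"unknown({msg_type})"),
        "requested_ip": _ip(opts[50]) if 50 in opts else None,
    }


def build_dhcp(op, xid, mac, msg_type, flags=0x8000, yiaddr=b"\0\0\0\0", extra=b""):
    """Build a minimal DHCP message. Used here only to construct sample data."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, flags)
    hdr += b"\0" * 4 + yiaddr + b"\0" * 8       # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac + b"\0" * 10                      # chaddr, padded to 16 bytes
    hdr += b"\0" * 192                           # sname (64) + file (128)
    return hdr + DHCP_MAGIC + b"\x35\x01" + bytes([msg_type]) + extra + b"\xff"


def compare_sides(client_payloads, server_payloads):
    """Correlate (xid, message type) pairs seen at two capture points.

    A DISCOVER present only on the client side never crossed the tunnel;
    an OFFER present only on the server side never made it back."""
    seen_client = {(p["xid"], p["type"]) for p in map(parse_dhcp, client_payloads)}
    seen_server = {(p["xid"], p["type"]) for p in map(parse_dhcp, server_payloads)}
    return {
        "both": sorted(seen_client & seen_server),
        "only_client": sorted(seen_client - seen_server),
        "only_server": sorted(seen_server - seen_client),
    }


# Constructed sample traffic (not a real capture): a wifi client with the
# hypothetical MAC b8:27:eb:00:00:01 sends a DISCOVER that reaches the server's
# br0; the server's OFFER of 192.168.1.50 is seen on the server side only.
CLIENT_MAC = bytes.fromhex("b827eb000001")
DISCOVER = build_dhcp(1, 0x1234, CLIENT_MAC, 1)
OFFER = build_dhcp(2, 0x1234, CLIENT_MAC, 2, yiaddr=bytes([192, 168, 1, 50]))
SAMPLE_CLIENT_SIDE = [DISCOVER]
SAMPLE_SERVER_SIDE = [DISCOVER, OFFER]

if __name__ == "__main__":
    for p in SAMPLE_SERVER_SIDE:
        print(parse_dhcp(p))
    print(compare_sides(SAMPLE_CLIENT_SIDE, SAMPLE_SERVER_SIDE))
```

With the constructed sample the report shows the DISCOVER on both sides and the OFFER only on the server side, i.e. the return leg is where to look. On a real capture, also check `giaddr` and `broadcast`: a DISCOVER arriving with a non-zero `giaddr` or with the broadcast flag cleared would point at something rewriting the request before it reaches the server.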