Bridge mode on client side

[josel2047]

Hi, this is my problem:

https://imgur.com/a/pjemGaj

• I need a bridge on client1(ubuntu server) side to get DHCP from R2 on client2 using openvpn vps server

server.conf

Code: Select all

[oconf=Server Config]
mode server
verb 3
key /etc/openvpn/pki/private/key.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/crt.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
client-to-client
key-direction 0
persist-key
persist-tun
proto udp
port 1194
dev tap0
status /tmp/openvpn-status.log
tls-server
user nobody
group nogroup
comp-lzo
float
client-config-dir ccd
ping-timer-rem
ping-restart 60
ping 10

client1 config

Code: Select all

client
nobind
dev tap
remote-cert-tls server
remote [openvpn public ip] udp
script-security 2
up script/up.sh
resolv-retry infinite
persist-key
persist-tun
verify-x509-name server_H1DlsGlwFlG7k4OE name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
remote-cert-tls server
verb 3

#certificates
...

script up

Code: Select all

#!/bin/sh
# the tap interface name is passed as first argument
bridge=br0
brctl addif "$bridge" "$1"
ip link set tap0 up 

client 1 bridge config on netplan:

Code: Select all

network:
  version: 2
  renderer: networkd
  ethernets:
      enp0s3:
          dhcp4: no
  bridges:
      br0:
          dhcp4: yes
          interfaces:
              - enp0s3

client1 iptables

Code: Select all

iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT

when client1 and client2 connects to openvpn server nothing happens, tap interface always is down without an ip

when add in server.conf

Code: Select all

server-bridge 192.168.10.10 255.255.255.0 192.168.10.128 192.168.10.254

client1 and client2 never communicate

Please help me with these configurations to get dhcp on client2

[openvpn_inc]

Hi Josel,

First thing, why do you need this? What is wrong with having a DHCP service at each location? If it's for DNS, there are lots of ways to deal with that. I even wrote a little howto about DNS sharing in openvpn with dnsmasq:
http://rob0.nodns4.us/dnsmasq.html

Second thing, bridging is not necessary for remote DHCP sharing. In ISC dhcpd(8), simply declare each subnet in your dhcpd.conf(5) file, then configure the very simple dhcrelay(8) helper utility.

You can relay DHCP traffic through the Internet directly, or more safely and securely, through an OpenVPN tun connection.

I'm not interested in commenting on your tap/bridging ideas; my suggestions are far easier and cleaner to manage. They will also be more resilient in handling outages and network issues.

Bridging is almost never the best choice. In general you should only consider it when non-IP and/or broadcast traffic must be carried through the tunnel. With dhcrelay broadcast traffic can remain local, as it should.

Note, I am sure this can work with ISC Kea as well. I think this is the documentation:
https://kea.readthedocs.io/en/kea-2.0.2 ... 4-srv.html
I only suggest dhcpd because I am more familiar with it. Kea is the way of the future, so I'd recommend Kea.

hth, regards, rob0

[josel2047]

Thanks openvpn_inc I need this configuration because I build my remote pentest lab and y need to simulate to be in the same LAN via DHCP to get gateway for the internal network. But thanks for your reply, you had me good ideas