
bridge issue - no route to host

Posted: Tue Mar 08, 2011 8:05 pm
by wolfric
I've replaced the first three numbers of the IP addresses with 6.7.8 for privacy purposes, but they are public IP addresses (the VPN server range has no private IP range). I have the use of the /24 (6.7.8.1 is the network gateway).

I basically want to let clients have an IP in that range. This setup works fine with a tun and private IPs, but unfortunately I don't have control over the gateway machine and I don't want to put routes on every machine in the range to route a private range to the VPN server.

I'm pretty sure I saw this being done at 27c3 (events.ccc.de/congress/2010/wiki/Welcome) when they had VPN access to a /16 of public addresses they hired out for the conference, so I'm holding out hope that it can be done despite this message I got on the client:
WARNING: --remote address [6.7.8.16] conflicts with --ifconfig subnet [6.7.8.140, 255.255.255.0] -- local and remote addresses cannot be inside of the --ifconfig subnet. (silence this warning with --ifconfig-nowarn)

I run bridge-start (from the example, slightly modified) on the server:

#!/bin/sh
# bridge-start: enslave the physical NIC and the OpenVPN tap device into one
# bridge, then move the host's public address from eth0 onto the bridge.
br="br1"
tap="tap1"
eth="eth0"
eth_ip="6.7.8.16"
eth_netmask="255.255.255.0"
eth_broadcast="6.7.8.255"
# Create the persistent tap device(s) that OpenVPN will attach to.
for t in $tap; do
    openvpn --mktun --dev $t
done
# Build the bridge and add the NIC and the tap device(s) as ports.
brctl addbr $br
brctl addif $br $eth
for t in $tap; do
    brctl addif $br $t
done
# Bridge ports carry no address of their own; bring them up promiscuous.
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done
ifconfig $eth 0.0.0.0 promisc up
# The bridge interface itself gets the address that used to be on eth0.
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

I then did this, as it had no routes:

route add default gw 6.7.8.1

This is route -n:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
6.7.8.0         0.0.0.0         255.255.255.0   U     0      0        0 br1
0.0.0.0         6.7.8.1         0.0.0.0         UG    0      0        0 br1

This is my ifconfig -a:

br1       Link encap:Ethernet  HWaddr <snip>:b5  
          inet addr: 6.7.8.16  Bcast:6.7.8.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8209 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8968 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:8476297 (8.0 MiB)  TX bytes:947762 (925.5 KiB)

eth0      Link encap:Ethernet  HWaddr <snip>:b5          
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:8270 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9007 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:8636659 (8.2 MiB)  TX bytes:998260 (974.8 KiB)
          Interrupt:25 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:359 (359.0 B)  TX bytes:359 (359.0 B)

tap0      Link encap:Ethernet  HWaddr <snip>:c5  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:46 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:2364 (2.3 KiB)  TX bytes:0 (0.0 B)

tap1      Link encap:Ethernet  HWaddr <snip>:94  
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:186 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


Then on the client I run:

ip route add 6.7.8.16 via my.default.gateway dev eth0
so it will connect to the server through my gateway and not create a routing loop.

Client route -n:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
6.7.8.16  my.default.gateway    255.255.255.255 UGH   0      0        0 eth0
my.local.network.0    0.0.0.0         255.255.255.0   U     1      0        0 eth0
6.7.8.0   0.0.0.0         255.255.255.0   U     0      0        0 tap0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
0.0.0.0         my.default.gateway    0.0.0.0         UG    0      0        0 eth0

The connection runs fine and prints Ws and Rs (which I assume is an indication of reads and writes to the line?).

Client ifconfig -a:

eth0      Link encap:Ethernet  HWaddr <snip>:20  
          inet addr:my.local.address  Bcast:mylocal.network.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13538 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11979 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:5803418 (5.8 MB)  TX bytes:1557108 (1.5 MB)
          Interrupt:16 Memory:ff9e0000-ffa00000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:7131 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7131 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:4154742 (4.1 MB)  TX bytes:4154742 (4.1 MB)

tap0      Link encap:Ethernet  HWaddr <snip>:1b  
          inet addr:6.7.8.140  Bcast:6.7.8.255  Mask:255.255.255.0
          inet6 addr: fe80::c4a0:61ff:fe6f:1c1b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:846 (846.0 B)

I get "no route to host" when I try any address on 6.7.8/24 other than .16, which is the server I'm connected to.

Here are the client and server conf files.

client.conf:

client
# Layer-2 tunnel, required for bridging (tun would only carry IP).
dev tap
proto tcp
# The server's public address on the bridged /24.
remote 6.7.8.16 80
nobind
# Drop privileges after initialisation; persist-key/persist-tun keep the
# key material and the tap device usable across restarts after the drop.
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client_mark.crt
key client_mark.key
# Only accept a server certificate whose nsCertType is "server".
ns-cert-type server
comp-lzo
verb 5

server.conf:

port 80
proto tcp
# Tap device OpenVPN opens for the bridged clients.
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
# Remember which client got which address across restarts.
ifconfig-pool-persist ipp.txt
# server-bridge gateway netmask pool-start pool-end
server-bridge 6.7.8.0 255.255.255.0 6.7.8.140 6.7.8.150
# Ping every 10 s, declare the peer dead after 120 s.
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 5

Re: bridge issue - no route to host

Posted: Tue Mar 08, 2011 8:17 pm
by ecrist
To your server config, try adding:

push "route 6.7.8.16 net_gateway"

Re: bridge issue - no route to host

Posted: Wed Mar 09, 2011 12:29 am
by wolfric
Push is only used for tun, isn't it? server-bridge puts the routes on the client. I've fixed a few errors I've spotted myself.

In server.conf,
server-bridge 6.7.8.0 255.255.255.0 6.7.8.140 6.7.8.150
I think should be
server-bridge 6.7.8.16 255.255.255.0 6.7.8.140 6.7.8.150

I ran Wireshark on the client and sniffed tap0. It just sends out six ARPs looking for the host and then times out.

I then ran Wireshark, still on the client, but on my connection to the internet, and monitored the VPN port (in this case 80). I saw that it sent traffic through when I continuously pinged, so at least the client is sending information to the server through tap.

Perhaps the issue is in the bridge-start script or in the firewall rules?

# Accept anything arriving on the tap port and on the bridge itself.
iptables -A INPUT -i tap1 -j ACCEPT
iptables -A INPUT -i br1 -j ACCEPT
# Allow frames to be forwarded through the bridge.
iptables -A FORWARD -i br1 -j ACCEPT

Just for reference, I'm following this: http://openvpn.net/index.php/open-sourc ... dging.html

Edit: Just found my final problem: dev tap1, not dev tap.

Problem solved.
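As an added example that is not part of the thread and not OpenVPN's own code: a small Python check that reads a server.conf, the variables from bridge-start and a client.conf, and reports the inconsistencies this thread worked through: a dev directive naming a tap that bridge-start never enslaved (the final fix), a server-bridge gateway that is the network number rather than a host address (wolfric's self-correction), a client pool outside the bridged subnet or containing the server's own address, and a client --remote inside the bridged subnet with no host route pushed (the warning in the first post; ecrist's push "route ... net_gateway" is the fix applied in the "fixed" config). The embedded configs are constructed from the posts above; the function names and the list of checks are my own. The gateway check follows the OpenVPN manual, which accepts either the bridge interface's address or the subnet router's address as the first server-bridge argument.

```python
# Added example, not code from the thread: consistency checks for an OpenVPN
# tap bridge deployment, covering the mistakes discussed in the posts above.
import ipaddress
import re

# Constructed inputs, taken from the first post (server.conf as originally posted).
BRIDGE_START = '''
br="br1"
tap="tap1"
eth="eth0"
eth_ip="6.7.8.16"
eth_netmask="255.255.255.0"
'''

SERVER_CONF_BROKEN = '''
port 80
proto tcp
dev tap
server-bridge 6.7.8.0 255.255.255.0 6.7.8.140 6.7.8.150
'''

# Same deployment after the thread's fixes: the tap name matches bridge-start,
# the gateway is the bridge address, and the server pushes the host route so
# clients reach 6.7.8.16 through their own default gateway.
SERVER_CONF_FIXED = '''
port 80
proto tcp
dev tap1
server-bridge 6.7.8.16 255.255.255.0 6.7.8.140 6.7.8.150
push "route 6.7.8.16 net_gateway"
'''

CLIENT_CONF = '''
client
dev tap
proto tcp
remote 6.7.8.16 80
'''


def parse_openvpn_conf(text):
    """Map each directive to the list of argument lists it was given.
    Quoted arguments such as push "route ..." are kept as one token."""
    conf = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', line)]
        conf.setdefault(tokens[0], []).append(tokens[1:])
    return conf


def parse_shell_vars(text):
    """Pull the simple name="value" assignments out of a bridge-start script."""
    return dict(re.findall(r'^\s*(\w+)="([^"]*)"', text, flags=re.M))


def check_bridge_setup(server_conf, bridge_start, client_conf=None):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    conf = parse_openvpn_conf(server_conf)
    env = parse_shell_vars(bridge_start)
    net = ipaddress.IPv4Network((env['eth_ip'], env['eth_netmask']), strict=False)
    bridge_ip = ipaddress.IPv4Address(env['eth_ip'])

    # 1. OpenVPN must open exactly the tap device bridge-start enslaved; a bare
    #    "dev tap" makes it allocate a fresh, unbridged device instead.
    dev = conf.get('dev', [['']])[0][0]
    if dev not in env.get('tap', '').split():
        problems.append(f'dev {dev!r} is not a bridged tap device ({env.get("tap")})')

    sb = conf.get('server-bridge', [[]])[0]
    if len(sb) != 4:
        problems.append('server-bridge needs: gateway netmask pool-start pool-end')
        return problems
    gw = ipaddress.IPv4Address(sb[0])
    mask = sb[1]
    pool_start, pool_end = ipaddress.IPv4Address(sb[2]), ipaddress.IPv4Address(sb[3])

    # 2. The gateway argument is a host on the bridged subnet (the bridge's own
    #    address or the subnet's router), never the network or broadcast address.
    if gw not in net or gw in (net.network_address, net.broadcast_address):
        problems.append(f'server-bridge gateway {gw} is not a host address in {net}')
    if mask != env['eth_netmask']:
        problems.append(f'server-bridge netmask {mask} != bridge netmask {env["eth_netmask"]}')

    # 3. The client pool must lie inside the subnet and must not hand out the
    #    server's own address.
    if pool_start not in net or pool_end not in net or pool_start > pool_end:
        problems.append(f'pool {pool_start}-{pool_end} is not inside {net}')
    elif pool_start <= bridge_ip <= pool_end:
        problems.append(f'pool {pool_start}-{pool_end} contains the bridge address {bridge_ip}')

    # 4. A client whose --remote lies inside the bridged subnet needs a host route
    #    to it via its real gateway, otherwise the tunnel's own packets are routed
    #    into the tunnel; the server can push that route with net_gateway.
    if client_conf:
        remote = parse_openvpn_conf(client_conf).get('remote', [['']])[0][0]
        try:
            remote_ip = ipaddress.IPv4Address(remote)
        except ValueError:
            remote_ip = None
        pushed = [p[0].split() for p in conf.get('push', []) if p]
        if remote_ip is not None and remote_ip in net \
                and ['route', remote, 'net_gateway'] not in pushed:
            problems.append(f'client remote {remote} is inside {net}; push '
                            f'"route {remote} net_gateway" or add a host route on the client')
    return problems


if __name__ == '__main__':
    for name, cfg in (('as posted', SERVER_CONF_BROKEN), ('fixed', SERVER_CONF_FIXED)):
        found = check_bridge_setup(cfg, BRIDGE_START, CLIENT_CONF)
        print(f'{name}: {len(found)} problem(s)')
        for p in found:
            print('  -', p)
```

Run against the configuration as first posted it reports three problems (the unbridged dev name, the network-number gateway, and the un-routed remote); against the fixed configuration it reports none. The pool check is the one case the thread did not hit, but it is the next thing that silently breaks a bridge: a pool that overlaps the server's own address hands that address to a client and the server's ARP entry flaps.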