OpenVPN Support Forum

Hi Folks.
I'm setting up a test/demonstration network for OpenVPN in VirtualBox and I've run into a problem setting up a bridged connection. OpenVPN connects, and the client gets an appropriate address from the openVPN server but I am unable to ping from the client to the server or from the server to the client.

Network details.
I created two host-only adapters in virtualbox,
vboxnet0:
192.168.56.0 netmask 255.255.255.0
dhcp address range 192.168.56.3 - 192.168.56.254
vboxnet1
192.168.57.0 netmask 255.255.255.0
dhcp address range 192.168.57.3 - 192.168.57.254
On each vboxnet interface I have a linux server vm acting as a router with 2 NIC's, one external, one internal.
Router0
eth0 static 192.168.15.10
eth1 static 192.168.56.2
Router1
eth0 static 192.168.15.20
eth1 static 192.168.57.2
On the internal side of router0 I have a windowsXP VM
eth0 static 192.168.56.3
To be the VPN Server in Bridged mode.
On the internal side of router1 I have a windowsXP vm
eth0 static 192.168.57.3
To be the VPN Client in Bridged mode.

Before configuring vpn I am able to ping from 192.168.57.3 to 192.168.56.3 and vice versa.
I originally configured this network in routed mode using instructions from http://openvpn.net/index.php/open-sourc ... howto.html and everything seemed to work just fine.
Using the same how-to, along with http://www.pavelec.net/adam/openvpn/bridge/ I attempted to convert the network to use Bridged mode.
SERVER:
Initial Settings:
Local Area Connection: 192.168.56.3, netmask 255.255.255.0, gateway 192.168.56.2, dns 192.186.15.1
Tap-32 adapter renamed to OpenVPN: DHCP
I bridged these two adapters to and renamed the bridge to “Bridge”, then set it's network settings to 192.168.56.3, netmask 255.255.255.0, gateway 192.168.56.2, dns 192.168.15.1
In Server.ovpn I have the following settings. (all settings not commented out are listed here)

port 1194
proto udp
dev tap
dev-node OpenVPN
ca "c:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "c:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.crt"
key "c:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.key" # This file should be kept secret
dh "c:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh1024.pem"
server-bridge 192.168.56.3 255.255.255.0 192.168.56.128 192.168.56.254
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 6
On the Client I have the following settings.
Local area network: 192.168.57.3, netmask 255.255.255.0, gateway 192.168.57.2 dns 192.168.15.1
Tap-32 adapter, renamed to “OpenVPN”: DHCP
In client.ovpn I have:
client
dev tap
dev-node "OpenVPN"
proto udp
remote 192.168.56.3 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 6
When I start the server, I get:
...
Wed Aug 10 08:58:04 2011 us=1000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Aug 10 08:58:04 2011 us=91000 Diffie-Hellman initialized with 1024 bit key
Wed Aug 10 08:58:04 2011 us=91000 TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Aug 10 08:58:04 2011 us=91000 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Aug 10 08:58:04 2011 us=101000 TAP-WIN32 device [OpenVPN] opened: \\.\Global\{5CAD83AE-E049-4A07-A6BF-11958B7ED6EC}.tap
Wed Aug 10 08:58:04 2011 us=101000 NOTE: could not get adapter index for {5CAD83AE-E049-4A07-A6BF-11958B7ED6EC}
Wed Aug 10 08:58:04 2011 us=101000 TAP-Win32 Driver Version 9.8
Wed Aug 10 08:58:04 2011 us=101000 TAP-Win32 MTU=1500
Wed Aug 10 08:58:04 2011 us=101000 Sleeping for 10 seconds...
Wed Aug 10 08:58:14 2011 us=105000 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Aug 10 08:58:14 2011 us=105000 UDPv4 link local (bound): [undef]:1194
Wed Aug 10 08:58:14 2011 us=105000 UDPv4 link remote: [undef]
Wed Aug 10 08:58:14 2011 us=105000 MULTI: multi_init called, r=256 v=256
Wed Aug 10 08:58:14 2011 us=105000 IFCONFIG POOL: base=192.168.56.128 size=127
Wed Aug 10 08:58:14 2011 us=105000 IFCONFIG POOL LIST
Wed Aug 10 08:58:14 2011 us=105000 client1,192.168.56.128
Wed Aug 10 08:58:14 2011 us=105000 server,192.168.56.129
Wed Aug 10 08:58:14 2011 us=105000 Initialization Sequence Completed
When I start the client, I get:
...

Wed Aug 10 08:59:34 2011 us=495000 WARNING: --remote address [192.168.56.3] conflicts with --ifconfig subnet [192.168.56.129, 255.255.255.0] -- local and remote addresses cannot be inside of the --ifconfig subnet. (silence this warning with --ifconfig-nowarn)
Wed Aug 10 08:59:34 2011 us=515000 TAP-WIN32 device [OpenVPN] opened: \\.\Global\{C97938FB-C1A4-4CF1-9978-3E384D9C6065}.tap
Wed Aug 10 08:59:34 2011 us=515000 TAP-Win32 Driver Version 9.8
Wed Aug 10 08:59:34 2011 us=515000 TAP-Win32 MTU=1500
Wed Aug 10 08:59:34 2011 us=515000 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.56.129/255.255.255.0 on interface {C97938FB-C1A4-4CF1-9978-3E384D9C6065} [DHCP-serv: 192.168.56.0, lease-time: 31536000]
Wed Aug 10 08:59:34 2011 us=525000 Successful ARP Flush on interface [3] {C97938FB-C1A4-4CF1-9978-3E384D9C6065}
Wed Aug 10 08:59:34 2011 us=525000 UDPv4 WRITE [22] to 192.168.56.3:1194: P_ACK_V1 kid=0 [ 45 ]
Wed Aug 10 08:59:35 2011 us=387000 UDPv4 READ [93] from 192.168.56.3:1194: P_DATA_V1 kid=0 DATA len=92
Wed Aug 10 08:59:35 2011 us=397000 TUN WRITE [52]
...

Client and server appear to be connected, and the client has received an IP address of 192.168.56.129 but I am unable to ping from the client to any address on the 192.168.56.0/24 range, and I am unable to ping from the server to 192.168.56.129

Can anyone tell me where I went wrong in this setup? Any help would be greatly appreciated.
Thanks. DJ

In server's config change to:

server-bridge 192.168.58.3 255.255.255.0 192.168.58.128 192.168.58.254

for example.
In client's config change to:

remote 192.168.58.3 1194

.

Also, both LAN have to have same IP pool, for example 192.168.56.0/24. Otherwise it will not work and ping. With you want to leave IP pool as is, only linux can transparently masquarade IP.

Can you explain what you mean by making sure the client and server have the same address pool? In the config settings?

I made the indicated changes to server-bridge and remote. Now the client is unable to connect to the server.

On the client I get:

Wed Aug 10 18:48:53 2011 us=591000 LZO compression initialized
Wed Aug 10 18:48:53 2011 us=591000 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Aug 10 18:48:53 2011 us=591000 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Aug 10 18:48:53 2011 us=591000 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Aug 10 18:48:53 2011 us=591000 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Wed Aug 10 18:48:53 2011 us=591000 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Wed Aug 10 18:48:53 2011 us=591000 Local Options hash (VER=V4): 'd79ca330'
Wed Aug 10 18:48:53 2011 us=591000 Expected Remote Options hash (VER=V4): 'f7df56b8'
Wed Aug 10 18:48:53 2011 us=591000 UDPv4 link local: [undef]
Wed Aug 10 18:48:53 2011 us=591000 UDPv4 link remote: 192.168.58.3:1194
Wed Aug 10 18:48:53 2011 us=601000 UDPv4 WRITE [14] to 192.168.58.3:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Wed Aug 10 18:48:53 2011 us=671000 UDPv4 READ [0] from [undef]: DATA UNDEF len=-1
Wed Aug 10 18:48:55 2011 us=935000 UDPv4 WRITE [14] to 192.168.58.3:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Wed Aug 10 18:48:59 2011 us=329000 UDPv4 WRITE [14] to 192.168.58.3:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Wed Aug 10 18:49:07 2011 us=982000 UDPv4 WRITE [14] to 192.168.58.3:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Wed Aug 10 18:49:23 2011 us=234000 UDPv4 WRITE [14] to 192.168.58.3:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0

Also:
I'm seeing unanswered arp requests for 192.168.58.3. on the clients local area network.

Did you add routes to Router 0 and 1 for 192.168.58.0 IP pool?

Bridged method is mainly used to link remote LANs as if they where phisical connected to a switch. Like you will plug the remote LAN cable into the local LAN switch. And as for any local computer, in order to interract with other computers on LAN, it must have same LAN mask, like 192.168.56.0/24. The OpenVPN in bridge mode also will transfer or broadcast messages thru tunnel, allowing legacy programs to work.

The routing method on other hand, allows to connect different LANs with different LAN mask, but will lose transferring thru tunnel broadcast packets. Although there are methos to do this with 3rd programs.

Mimiko: Thanks, I really appreciate your help.

Mimiko wrote:Did you add routes to Router 0 and 1 for 192.168.58.0 IP pool?

Most likely this is the problem. Where/how do I add routes to router0 and 1 for the 192.168.58.0 IP pool?

Mimiko wrote: Bridged method is mainly used to link remote LANs as if they where phisical connected to a switch. Like you will plug the remote LAN cable into the local LAN switch. And as for any local computer, in order to interract with other computers on LAN, it must have same LAN mask, like 192.168.56.0/24. The OpenVPN in bridge mode also will transfer or broadcast messages thru tunnel, allowing legacy programs to work.

The scenario I am ultimately trying to simulate in this particular experiment is for a remote computer to be able to join a domain and participate fully as if it were a local machine, a home user logging into a work domain for example. RE your statement about having the same lan mask: The domain I want the client to interact with is on the 192.168.56.0/24 subnet. Am I not defeating the purpose by sending the client an address on the 192.168.58.0/24 net? -- and yet, my attempt to give it an address of 192.168.65.128 resulted in that address conflict warning?

Mimiko wrote: The routing method on other hand, allows to connect different LANs with different LAN mask, but will lose transferring thru tunnel broadcast packets. Although there are methos to do this with 3rd programs.

Yeah. I had this up and running fairly quickly. As I understand it, this will allow simple file sharing with the openVPN server via an encrypted tunnel but not much else, Is that correct?

DJ

Where/how do I add routes to router0 and 1 for the 192.168.58.0 IP pool?

I'm not quite the expert to show you how to do this in Linux. May be something: And set interfaces in promiscuous mode. Better see help about using routes on internet.

As I understand it, this will allow simple file sharing with the openVPN server via an encrypted tunnel but not much else, Is that correct?

No, with routing you can do all the same things you'll do in local LAN, except for some legacy communications, that are rarely used. So for connecting two LAN's the routing method is enough.

Mimiko wrote:

Where/how do I add routes to router0 and 1 for the 192.168.58.0 IP pool?

I'm not quite the expert to show you how to do this in Linux. May be something:

Code: Select all

iptables -A FORWARDING -i eth0 -o eth1 -j ACCEPT

And set interfaces in promiscuous mode. Better see help about using routes on internet.

Hmm. anything I can get TO the linux routers I can route through them, no problem there. I think where I'm unsure is that I was seeing unanswered arp requests from the client for 192.168.58.0 addresses. Do I need to tell the client how to find the server in the clients config file? vice versa for the server? the client is getting a 192.168.58.x address just fine, so it's talking, but I can't ping back and forth once the connection is made.

As I understand it, this will allow simple file sharing with the openVPN server via an encrypted tunnel but not much else, Is that correct?

No, with routing you can do all the same things you'll do in local LAN, except for some legacy communications, that are rarely used. So for connecting two LAN's the routing method is enough.[/quote]

Hm. I will definitely have to try that to join a domain. Something about the addressing is bugging me. oh, the client will have a ip address that no one else, not even the domain controller can route to, unless the openVPN server IS the domain controller as well.
<?>

So, the client is connecting to the OpenVPN server. Show routes from both, client and server.

Mimiko wrote:So, the client is connecting to the OpenVPN server. Show routes from both, client and server.

Sorry, I misspoke. The client and server are not connecting. With the server setting: and client setting: The client will not connect to the server. if I use
on the server, it will connect, but won't ping in either direction and nothing on the 192.168.56.0 network is visible to the client. (same if server-bridge is set to 192.168.56.0 addresses)

Routes on the server via windows command route print: VPN server not started. routes on the client via windows command line: route print. I'm not setting (or pushing) any routes in the server config file.

http://openvpn.net/index.php/open-sourc ... dging.html
For OpenVPN server on Windows box do following:
When OpenVPN is installed on Windows, it automatically creates a single TAP-Win32 adapter which will be assigned a name like "Local Area Connection 2". Go to the Network Connections control panel and rename it to "tap-bridge".

Next select tap-bridge and your ethernet adapter with the mouse, right click, and select Bridge Connections. This will create a new bridge adapter icon in the control panel.

Set the TCP/IP properties on the bridge adapter to an IP of 192.168.58.3 and a subnet mask of 255.255.255.0 with gateway of 192.168.58.2.

Next, edit the OpenVPN server configuration file to enable a bridging configuration.

Comment out the line which says dev tun and replace it instead with: Comment out the line that begins with server and replace it with: If you are running XP SP2, go to the firewall control panel, and disable firewall filtering on the bridge and TAP adapters.

Router0 set: Add route to Router0 to route (and masquarade) all traffic, except for 192.168.58.0/24 to IP 192.168.15.20 (Router1).

Router1 set: Add route to Router1 to route (and masquarade) all traffic, except for 192.168.58.0/24 to IP 192.168.15.10 (Router0).

For OpenVPN client on Windows box do following:
When OpenVPN is installed on Windows, it automatically creates a single TAP-Win32 adapter which will be assigned a name like "Local Area Connection 2". Go to the Network Connections control panel and rename it to "tap-bridge".

Next select tap-bridge and your ethernet adapter with the mouse, right click, and select Bridge Connections. This will create a new bridge adapter icon in the control panel.

Set the TCP/IP properties on the bridge adapter to an IP of 192.168.58.103 and a subnet mask of 255.255.255.0 with gateway of 192.168.58.102.

Next, edit the OpenVPN server configuration file.

Comment out the line which says dev tun and replace it instead with: Comment out the line that begins with server and replace it with: Modify remote address to connect: If you are running XP SP2, go to the firewall control panel, and disable firewall filtering on the bridge and TAP adapters.


Now on Router0 (that is on OpenVPN server side) add an incomming port forwarding:

Map incomming requests to 192.168.15.10 on port UDP 1194 to forward to 192.168.58.3