
[Openvpn-users] Bridging, more information


  • Subject: [Openvpn-users] Bridging, more information
  • From: Doug Hubbard <doug@xxxxxxxxxxxxxxx>
  • Date: Mon, 01 Aug 2005 13:42:31 -0700

More data on my issue (I can get routing to work like a charm, but when I try to switch to bridging, I connect but cannot even ping between the server and client). Original message and follow-ups are below.

My tcpdump and Ethereal dumps (I will be happy to provide them to anyone interested, but would rather not waste the bandwidth to post them if not needed) show that for some reason I am not getting traffic to the tap0 interface on the Linux server. (I cannot find anywhere that is blocking traffic, and the br0 interface seems to see the traffic across the VPN, but it doesn't appear to get from br0 to the tap0 interface.)

Is my bridging set up incorrectly?

Here again is the output from ifconfig on the server side:
br0       Link encap:Ethernet  HWaddr 00:0C:F1:AA:23:65
          inet addr:299.99.99.63  Bcast:299.99.99.127  Mask:255.255.255.128
          inet6 addr: fe80::20c:f1ff:feaa:2365/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3481095 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6113141 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:224537344 (214.1 Mb)  TX bytes:407742293 (388.8 Mb)

eth0      Link encap:Ethernet  HWaddr 00:0C:F1:AA:23:65
          inet6 addr: fe80::20c:f1ff:feaa:2365/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:3831588 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6113113 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:473669033 (451.7 Mb)  TX bytes:432225082 (412.2 Mb)
          Base address:0xcc00 Memory:fe9e0000-fea00000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:23969 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23969 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1751928 (1.6 Mb)  TX bytes:1751928 (1.6 Mb)

tap0      Link encap:Ethernet  HWaddr FE:FD:00:00:00:00
          inet6 addr: fe80::fcfd:ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:880984 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:240513371 (229.3 Mb)

and the script that is building the bridge:

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
#exit

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="299.99.99.63"
eth_netmask="255.255.255.128"
eth_broadcast="299.99.99.127"

for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br
brctl stp $br on
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast


(Is it possible to have the client set up incorrectly on this, since everything is pushed out from the server?)


I have shut off iptables on the Linux box completely to eliminate it as an issue (since the FAQ mentions that firewalls are the most common cause of my problem). I have also completely disabled the firewalls on my client machine as well as all filtering at my server router, which made no difference.
Any and all pointers to how I might correct this would be greatly appreciated.



The client is a Windows XP machine (at least for now; I will be adding others once I get this working). On the client side I get assigned an IP of 299.99.99.55 (the first IP in the range I allocated), and my route table looks as follows:

===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask         Gateway      Interface Metric
          0.0.0.0          0.0.0.0   192.168.0.250   192.168.0.12     40
        127.0.0.0        255.0.0.0       127.0.0.1      127.0.0.1      1
      192.168.0.0    255.255.255.0    192.168.0.12   192.168.0.12     40
     192.168.0.12  255.255.255.255       127.0.0.1      127.0.0.1     40
    192.168.0.255  255.255.255.255    192.168.0.12   192.168.0.12     40
      299.99.99.0  255.255.255.128    299.99.99.55   299.99.99.55     30
      299.99.99.0  255.255.255.128    299.99.99.63   299.99.99.55      1
      299.99.99.2  255.255.255.255    299.99.99.63   299.99.99.55      1
     299.99.99.55  255.255.255.255       127.0.0.1      127.0.0.1     30
    299.99.99.255  255.255.255.255    299.99.99.55   299.99.99.55     30
        224.0.0.0        240.0.0.0    192.168.0.12   192.168.0.12     40
        224.0.0.0        240.0.0.0    299.99.99.55   299.99.99.55     30
  255.255.255.255  255.255.255.255    192.168.0.12   192.168.0.12      1
  255.255.255.255  255.255.255.255    192.168.0.12          20005      1
  255.255.255.255  255.255.255.255    299.99.99.55   299.99.99.55      1
Default Gateway:     192.168.0.250
===========================================================================
Persistent Routes:
  None



Michael Hieb wrote:

When you connect what do you see on the client for ip(s) and routing. I.e. on linux what do 'ifconfig' and 'route' return?

Doug Hubbard wrote:

Hello all,
Apologies for the duplicated message, but I realized that the Rich Text version I sent may not be the most legible.
Here is the same message again, in plain text.


Please bear with me as I am new at this VPN stuff (and understand just enough about networking to be really dangerous).
I am sure this has been covered before, but I can't seem to find the right answer.
I am running Suse 9.1 as the server with a public IP address (our LAN is all public IP addresses).
Running XP Pro SP2 as the client.
I am able to connect to the server using routing; however, I need to be able to browse the LAN (and don't want to set up that many routes), so bridging looks like the right answer, but I cannot get it to work for me.
If I change from tap to tun and bridged to routed, I can get in without issue (and if I set up the routes on the internal LAN, all traffic passes fine).
When I go to bridged I can't even ping the server.
I have disabled the SuSE firewall completely (to eliminate that issue) and tried it with all firewalls between the server and myself turned off; still no joy.


Any more info I can provide, please let me know.

TIA for any help you can provide.

Some info that may help find where I am messed up (with IPs munged for security).

the script that is creating the bridged interface:

br="br0"

tap="tap0"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="299.99.99.63"
eth_netmask="255.255.255.128"
eth_broadcast="299.99.99.127"

for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br
brctl stp $br on
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast



And the server's conf file (comments removed):


# listen on? (optional) local 299.99.99.63

port 1194

proto udp

dev tap0
;dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/doug2000.crt
key /etc/openvpn/certs/doug2000.key  # This file should be kept secret

dh /etc/openvpn/certs/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 299.99.99.63 255.255.255.128 299.99.99.55 299.99.99.62
push "route 299.99.99.0 255.255.255.128"
client-to-client
keepalive 10 120
comp-lzo
max-clients 5
user nobody
group nobody

persist-key
persist-tun

status openvpn-status.log

log         openvpn.log
;log-append  openvpn.log

verb 9

mute 20



And finally the client .conf (comments removed):

client

dev tap0
;dev tun

dev-node OpenVPN

proto udp

remote 299.99.99.63 1194


resolv-retry infinite

nobind

persist-key
persist-tun

mute-replay-warnings

ca ..\\easy-rsa\\keys\\ca.crt
cert ..\\easy-rsa\\keys\\doug-laptop.crt
key ..\\easy-rsa\\keys\\doug-laptop.key # This file should be kept secret


ns-cert-type server

comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
mute 20


--

*********************
Doug Hubbard - IT Manager
TrackMaster, an Equibase Company
email doug@xxxxxxxxxxxxxxx
Website www.trackmaster.com
*********************
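An added diagnostic for the symptom described in the post above (editor's example; not code from this thread or from the OpenVPN project). On a Linux tun/tap device the ifconfig counters are taken from the kernel's side of the device: RX packets are frames the attached process, here OpenVPN, has written into the kernel, and TX packets are frames the kernel has handed to that process. A bridge member tap0 showing RX 0 and TX 880984 with no TX drops therefore means OpenVPN is attached and is being fed the LAN's broadcast and flooded traffic, but has never injected a single frame on behalf of a VPN client; a persistent tap that no process holds open instead accumulates TX drops. The script parses a net-tools-style ifconfig dump and prints one verdict word per interface. The sample dump is constructed: br0, eth0 and tap0 carry the counters quoted in the post, while tap1 and tap2 are invented to show the other two failure modes. The interface names tap1/tap2, their counters and the verdict words are the editor's assumptions.

```shell
#!/bin/sh
# Editor's added example: read tap-device counters the way the kernel means them.
# For a Linux tun/tap device (from the kernel's point of view):
#   RX packets  = frames the attached process (OpenVPN) wrote into the kernel
#   TX packets  = frames the kernel handed to the attached process
#   TX dropped  = frames the kernel could not hand over because nothing holds
#                 the device open (a persistent tap with no OpenVPN attached)
# Nothing here touches the network; it only parses a net-tools ifconfig dump.

# Constructed sample. br0/eth0/tap0 carry the counters quoted in the post;
# tap1 and tap2 are invented (editor's assumption) to show other failure modes.
SAMPLE_IFCONFIG='br0       Link encap:Ethernet  HWaddr 00:0C:F1:AA:23:65
          inet addr:299.99.99.63  Bcast:299.99.99.127  Mask:255.255.255.128
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3481095 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6113141 errors:0 dropped:0 overruns:0 carrier:0

eth0      Link encap:Ethernet  HWaddr 00:0C:F1:AA:23:65
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:3831588 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6113113 errors:0 dropped:0 overruns:0 carrier:0

tap0      Link encap:Ethernet  HWaddr FE:FD:00:00:00:00
          UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:880984 errors:0 dropped:0 overruns:0 carrier:0

tap1      Link encap:Ethernet  HWaddr FE:FD:00:00:00:01
          inet addr:299.99.99.64  Bcast:299.99.99.127  Mask:255.255.255.128
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

tap2      Link encap:Ethernet  HWaddr FE:FD:00:00:00:02
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:512 overruns:0 carrier:0'

# counters IFACE   (ifconfig text on stdin)
# Prints "rx tx txdropped inet" for IFACE; inet is "-" when no IPv4 address
# is configured. Exits 1 when IFACE is not in the dump.
counters() {
    awk -v want="$1" '
        /^[A-Za-z0-9]/ { cur = $1 }           # a new interface block starts
        cur != want    { next }
        /inet addr:/   { split($2, a, ":"); inet = a[2] }
        /RX packets:/  { split($2, a, ":"); rx = a[2] }
        /TX packets:/  { split($2, a, ":"); tx = a[2]
                         split($4, d, ":"); txdrop = d[2] }
        END {
            if (rx == "") exit 1
            if (txdrop == "") txdrop = 0
            if (inet == "")   inet = "-"
            print rx, tx, txdrop, inet
        }'
}

# diagnose_tap IFACE   (ifconfig text on stdin)
# One verdict word for a tap that is supposed to be a bridge member:
#   MISSING             no such interface in the dump
#   HAS_ADDRESS         members must carry 0.0.0.0; only the bridge gets the IP
#   NO_READER           kernel drops what it sends: no process holds the tap open
#   NO_FRAMES_FROM_VPN  OpenVPN reads LAN frames but never wrote one (the post's tap0)
#   NO_FRAMES_TO_VPN    OpenVPN injects frames but the bridge never floods any to it
#   OK                  frames flow both ways
diagnose_tap() {
    iface=$1
    line=$(counters "$iface") || { echo MISSING; return 0; }
    set -- $line
    rx=$1; tx=$2; txdrop=$3; inet=$4
    if   [ "$inet" != "-" ];                     then echo HAS_ADDRESS
    elif [ "$txdrop" -gt 0 ] && [ "$rx" -eq 0 ]; then echo NO_READER
    elif [ "$rx" -eq 0 ] && [ "$tx" -gt 0 ];     then echo NO_FRAMES_FROM_VPN
    elif [ "$tx" -eq 0 ] && [ "$rx" -gt 0 ];     then echo NO_FRAMES_TO_VPN
    else                                              echo OK
    fi
}

# Run against the constructed sample. On a live server:  ifconfig | diagnose_tap tap0
for i in tap0 tap1 tap2; do
    printf '%s: %s\n' "$i" "$(printf '%s\n' "$SAMPLE_IFCONFIG" | diagnose_tap "$i")"
done
```

With the counters quoted in the post the verdict for tap0 is NO_FRAMES_FROM_VPN. That verdict points away from the bridge, iptables and bridge membership (all of which sit on the kernel side of tap0, which is clearly receiving frames) and toward the path from the client into OpenVPN: the server-side log at verb 9 records every packet read from a client and written to the tap, and `tcpdump -ni tap0 arp` run while the client pings shows whether the client's ARP requests ever arrive. Re-run the check after the client has tried to ping; a tap0 RX count that stays at zero means no frame from the client has been decrypted and written out.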




