
[Openvpn-users] Bridging and multicast traffic


  • Subject: [Openvpn-users] Bridging and multicast traffic
  • From: Jamie Kirkpatrick <jkp@xxxxxxxxxxxxxxxxxxxx>
  • Date: Fri, 3 Feb 2006 11:27:39 +0000

Hi there.

I've been using OpenVPN for quite a while now in one way or another, but recently I moved over to a TAP-based config in the hope that I could get more transparent access to my network, as I need to be able to receive multicast packets from a couple of services. I develop some software that uses multicasting to announce updates to clients and I want to be able to do my development work in a roadwarrior scenario.

In terms of the VPN everything is up and running and I have no trouble connecting at all. I've bridged my en0 device with the tap device and I get an IP on the destination network when I connect. The trouble is that I still cannot see multicasts from the client.

I have used tcpdump to confirm that they are arriving at the bridge interface as follows:

[jkp@saltandvinegar ~]$ sudo /usr/sbin/tcpdump -i br0 dst host 239.6.8.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 96 bytes
11:03:58.249084 IP 192.168.1.7.2141 > 239.6.8.1.6801: UDP, length 8
11:03:58.249666 IP 192.168.1.7.2141 > 239.6.8.1.6801: UDP, length 84
11:04:41.816646 IP 192.168.1.7.2141 > 239.6.8.1.6801: UDP, length 8
11:04:41.817278 IP 192.168.1.7.2141 > 239.6.8.1.6801: UDP, length 84
11:06:57.036686 IP 192.168.1.7.2141 > 239.6.8.1.6801: UDP, length 8
11:06:57.037360 IP 192.168.1.7.2141 > 239.6.8.1.6801: UDP, length 84


So there are no troubles there. I then do the same on the client end, but I don't see any multicast packets. Something in my OpenVPN config is not right or else OpenVPN doesn't support this properly. I have read various things that seem to conflict on the mailing list - the website makes out that bridging is totally transparent, but I'm not seeing this as being the case. I can get multicasts to traverse the tunnel if I create a separate multicast tunnel using mTunnel, but I'd rather not have to go down this route - ideally I want to be able to connect to the VPN and have everything Just Work... I understand that I might be expecting too much though.

My server config is as follows....

port 1194
dev tap0
proto udp
ca /etc/openvpn/ca.crt
cert /etc/openvpn/xxx.crt
key /etc/openvpn/xxx.key
dh /etc/openvpn/dh1024.pem
server-bridge 192.168.1.1 255.255.255.0 192.168.1.20 192.168.1.25
keepalive 10 120
cipher BF-CBC
comp-lzo
persist-key
persist-tun
log /var/log/openvpn.log
verb 4
mute 20
status /var/log/ovp-status.log 30
status-version 2

And my client config looks like this....

client
dev tap
proto udp
remote xxx.xxx.xxx.xxx
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert xxx.crt
key xxx.key
cipher BF-CBC
comp-lzo
log /var/log/openvpn.log
verb 3
mute 20

On the server I've used the stock bridging script and I run it when I start OpenVPN....

#!/bin/bash

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.1.1"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"

# Bring up the bridge
for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

----

So, as far as I can tell I've done everything I should. Is there anything I've forgotten to do in order to make this work? I've seen reference to allowing fragmentation of packets, but this was related to multicast streams (I'm assuming things like real player streams)... the packets I'm transmitting will be fairly small I would have thought...

Any thoughts, ideas would be more than welcome as I'd love to crack this one.

Cheers

Jamie

ps - I'm not subscribed to the list (it wouldn't let me!) so please keep me copied in on replies...
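
A client-side check that complements the tcpdump capture in the message above: it joins 239.6.8.1 on the TAP interface's address and waits for a datagram on port 6801. This is an added example, not part of the original post or of OpenVPN; the default interface address 192.168.1.20 (first address of the server-bridge pool) and the 150-second timeout are assumptions.

```python
import socket
import sys

GROUP = "239.6.8.1"  # multicast group seen in the server-side capture
PORT = 6801          # UDP destination port seen in the capture


def build_mreq(group, iface_ip):
    """Pack a struct ip_mreq: group address, then the local interface address."""
    packed_group = socket.inet_aton(group)
    if packed_group[0] & 0xF0 != 0xE0:  # IPv4 multicast is 224.0.0.0/4
        raise ValueError(f"{group} is not an IPv4 multicast address")
    return packed_group + socket.inet_aton(iface_ip)


def wait_for_datagram(iface_ip, group=GROUP, port=PORT, timeout=150.0):
    """Join group on the interface that owns iface_ip.

    Returns (sender_ip, payload_length) for the first datagram received on
    the port, or None if nothing arrives before the timeout.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    try:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind(("", port))
        # Naming the interface here makes the kernel send its IGMP membership
        # report out of the TAP device rather than the default-route interface.
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP,
                        build_mreq(group, iface_ip))
        sock.settimeout(timeout)
        try:
            data, sender = sock.recvfrom(2048)
        except socket.timeout:
            return None
        return sender[0], len(data)
    finally:
        sock.close()


if __name__ == "__main__":
    # Assumed address: replace with the IP the TAP interface actually received.
    tap_ip = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.20"
    result = wait_for_datagram(tap_ip)
    if result is None:
        print(f"no datagram for {GROUP}:{PORT} via {tap_ip} before timeout")
    else:
        print(f"received {result[1]} bytes from {result[0]}")
```

Running tcpdump on the client's tap device while this script holds the membership shows whether the announcements reach the interface once a listener has joined the group.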

