[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] Bridge problem

  • Subject: Re: [Openvpn-users] Bridge problem
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Sat, 19 Nov 2005 12:20:04 +0100 (CET)

On Thu, 17 Nov 2005, luk4sz wrote:

so it means that we are both doing the same stupid mistake or that this howto on openvpn.net page is just crap But how one could publish it when it doesn't work?

Well, I think the documentation is very good and points you in the right direction, but as always with complex tools like VPNs you need a good knowledgle about IP networking and be able to troubleshot and draw your own conclutions about a perticular problem. If you don't have this basic knowledge I'd recommend you pay someone todo it for you. After all, it's a security application you're working with here so if you don't understand it fully you risk exposing your complete network...

Please don't complain about the documentation. If you buy a commersial product, complain as much as you want. With an opensource product, use the documentation as it is, then use your own brain, and when you have found something that could have been documented better supply a patch with your enhanced version.

There is one thing that I don't understand, and maybe You could explain it to me. In Ethernet Bridging Notes on this page: http://openvpn.net/bridge.html they wrote:

The addresses used for local and remote should not be part of the bridged subnet -- otherwise you will end up with a routing loop.

What does it exactly mean? Could someone send an example please?

Draw a picture of what you're trying to acomplish and you will probably understand what it means. In short words, don't tell your OpenVPN client to connect to an OpenVPN server on an IP address that belongs to the local network that you will be bridging across the network.

And for Daniel, in you orignal post you wrote:

At the moment, I've setup the bridge-start/stop scripts from the Howto page, referencing "br0", "tap1" (because tap0 is currently used by a working VPN), and "eth1", with IP So I'm bridging with the external interface and IP - is that correct?

No, this is not correct, you should bridge tap1 with your LOCAL interface.

Just try to think logical. You have made your OpenVPN client use an IP address directly out of your local network. When he tries to ping a machine on the local network, this ping will be encrypted by OpenVPN and sent to the OpenVPN server over the public internet. Then when it arrives on your server, it will be decrypted and sent out on tap1 (as that's the interface you have specified in your openvpn server config).

Now what do you want to happend with this packet?? Do you want it briged with your external interface so it will be forwarded back out there un-encrypted? No, ofcource not, you want it forwarded to your local physical interface (eth0?) so it can reach the machine you were trying to ping. So, bridge it with your local interface.

Here's how I bring my interfaces up before starting OpenVPN on my servers:

openvpn --mktun --dev tap0

brctl addbr br0
brctl addif br0 tap0
brctl addif br0 eth0
brctl stp br0 off

ifconfig tap0 promisc up
ifconfig eth0 promisc up
ifconfig br0 netmask broadcast

ifconfig eth1 my.public.ip netmask broadcast x.x.x.x
route add default gw x.x.x.x

Then I start OpenVPN with a config like this:

port 443
proto tcp-server
dev tap0

pkcs12 server.p12
dh dh1024.pem
mode server
crl-verify crl.pem

client-config-dir /etc/openvpn/clients-config

ifconfig-pool-persist openvpn.ipp 30

ping 10
ping-restart 120
mssfix 1400

user nobody
group nobody

log /var/log/openvpn-tcp.log
status /var/log/openvpn-tcp.status 10
status-version 2
verb 3
mute 10

-- _____________________________________________________________ Mathias Sundman (^) ASCII Ribbon Campaign OpenVPN GUI for Windows X NO HTML/RTF in e-mail http://openvpn.se/ / \ NO Word docs in e-mail

Openvpn-users mailing list