Tim Freedom wrote:
> Hi - I'm new to openVPN and I tried to get ethernet bridging running
> to no avail (this is on Debian etch/stable). I picked bridging so
> that I don't have to worry about the warrior (ie. roaming) laptops
> and what IP addresses they get assigned in hotels, net cafes, etc.
> So here is the situation (and your help is greatly appreciated).
> I have a gateway machine with 2 NICs on it,
> eth0 connects to the Internet (assume IP is 22.214.171.124)
> --> inet addr:126.96.36.199 Bcast:188.8.131.52 Mask:255.255.255.248
> eth1 connects to the LAN (IP is 10.0.0.1)
> --> inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0
> I'm looking to create a VPN bridge using 172.20.0.1 or similar
> (again to avoid IP collisions and from what I've seen 172.x.x.x
> is rarely used) to connect those external traveling laptops back
> to our LAN.
If you're bridging, you don't create a separate subnet for VPN clients,
and this is why your LAN fails. I can't say I'm familiar with Debian's
method of setting up bridges below, but seems that you are creating br0
out of tap0 and eth1, and giving the bridge the IP of 172.20.0.1. This
means that when eth1 talks to your LAN, it is doing so with this IP
address; considering you specified 10.0.0.0/24 as your LAN network, this
is why you can't reach your router.
Instead, remember that a bridged setup is going to give the VPN client
an IP address as if that client had a really long Ethernet cable that
could stretch to the location of the VPN server. This means that if you
want your router on 10.0.0.1, this is the address you must used in the
server-bridge directive in OpenVPN and your bridge setup. When creating
a bridge, both tap0 and eth1 loose their individual identity and act as
a single logical network interface so that both VPN clients and LAN
clients see it as a local computer.
Now, if instead you really did want VPN clients to be given an address
in the 172.16.0.0/12 network range, you either need to set up a routing
configuration, or re-number your LAN to match the network you want.
Unless you need VPN clients to send Ethernet frames (Layer2) to other
LAN clients, routing is probably a bit easier anyway since you don't
need to worry about bridging the tap adapter with eth1. However, that
choice is of course up to you. Routing is usually also slightly faster
because there's a minor amount less overhead and subnet broadcasts on
your LAN won't be forwarded to the client, saving on bandwidth.
> Could someone please let me know what values I should set in the
> bridge-start script, et al ? In other words, what should these
> values be (cause what I have below doesn't work and when the bridge
> is brought up I lose my connection to the LAN entirely) ?
> Here are the entries in question in bridge-start,
> # Define Bridge Interface
> # Define list of TAP interfaces to be bridged,
> # for example tap="tap0 tap1 tap2".
> # Define physical ethernet interface to be bridged
> # with TAP interface(s) above.
> In my server.conf I have the following relevant statements,
> dev tap
> server-bridge 172.20.0.1 255.255.255.0 172.20.0.10 172.20.0.110
> and I have this in my iptables file,
> # OpenVPN: allow external accesses to openvpn
> iptables -A INPUT -p udp -i eth0 --dport 1194 -j ACCEPT
> # OpenVPN: Allow interface connections to OpenVPN server
> iptables -A INPUT -i tap+ -j ACCEPT
> iptables -A INPUT -i br0 -j ACCEPT
> # OpenVPN: Allow interface connections be forwarded through other interfaces
> iptables -A FORWARD -i tap+ -j ACCEPT
> iptables -A FORWARD -i br0 -j ACCEPT
> and I do the following to see if things work,
> % bridge-start
> % openvpn /etc/openvpn/server.conf
> I try to ssh from gateway to LAN machines (no go)
> I try to ssh from LAN machines back to gateway (no go)
> I didn't even try to see if I can access the VPN from the outside
> since I seem to have more pressing issues (not that it would matter
> if I can't access the LAN). So what am I doing wrong ? I must have
> read the docs 10 times and searched the net endlessly, I just can't
> seem to get it right and whenever I run that sample bridge-start
> script my LAN connection vanishes and I have to remove the bridge
> and ifdown/ifup eth1 to go back to normal.
> Thanks in advance.
Description: OpenPGP digital signature