
Re: [Openvpn-users] openvpn on Debian setup

  • Subject: Re: [Openvpn-users] openvpn on Debian setup
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Thu, 21 Jun 2007 21:24:26 -0500
  • Openpgp: id=2E5A5127

Tim Freedom wrote:
> Hi - I'm new to openVPN and I tried to get ethernet bridging running
> to no avail (this is on Debian etch/stable).  I picked bridging so
> that I don't have to worry about the warrior (i.e. roaming) laptops
> and what IP addresses they get assigned in hotels, net cafes, etc.
> So here is the situation (and your help is greatly appreciated).
> I have a gateway machine with 2 NICs on it,
>  eth0 connects to the Internet (assume IP is
>  --> inet addr:   Bcast:     Mask:
>  eth1 connects to the LAN      (IP is
>  --> inet addr:  Bcast:  Mask:
> I'm looking to create a VPN bridge using or similar
> (again to avoid IP collisions and from what I've seen 172.x.x.x
> is rarely used) to connect those external traveling laptops back
> to our LAN.

If you're bridging, you don't create a separate subnet for VPN clients,
and this is why your LAN fails.  I can't say I'm familiar with Debian's
method of setting up bridges below, but it seems that you are creating br0
out of tap0 and eth1, and giving the bridge the IP of  This
means that when eth1 talks to your LAN, it is doing so with this IP
address; considering you specified as your LAN network, this
is why you can't reach your router.

Instead, remember that a bridged setup is going to give the VPN client
an IP address as if that client had a really long Ethernet cable that
could stretch to the location of the VPN server.  This means that if you
want your router on, this is the address you must use in the
server-bridge directive in OpenVPN and your bridge setup.  When creating
a bridge, both tap0 and eth1 lose their individual identity and act as
a single logical network interface so that both VPN clients and LAN
clients see it as a local computer.

Now, if instead you really did want VPN clients to be given an address
in the network range, you either need to set up a routing
configuration, or re-number your LAN to match the network you want.
Unless you need VPN clients to send Ethernet frames (Layer2) to other
LAN clients, routing is probably a bit easier anyway since you don't
need to worry about bridging the tap adapter with eth1.  However, that
choice is of course up to you.  Routing is usually also slightly faster
because there's a minor amount less overhead and subnet broadcasts on
your LAN won't be forwarded to the client, saving on bandwidth.

> Could someone please let me know what values I should set in the
> bridge-start script, et al ?  In other words, what should these
> values be (cause what I have below doesn't work and when the bridge
> is brought up I lose my connection to the LAN entirely) ?
> Here are the entries in question in bridge-start,
>   # Define Bridge Interface
>   br="br0"
>   # Define list of TAP interfaces to be bridged,
>   # for example tap="tap0 tap1 tap2".
>   tap="tap0"
>   # Define physical ethernet interface to be bridged
>   # with TAP interface(s) above.
>   eth="eth1"
>   eth_ip=""
>   eth_netmask=""
>   eth_broadcast=""
> In my server.conf I have the following relevant statements,
>   dev tap
>   server-bridge
> and I have this in my iptables file,
>   # OpenVPN: allow external accesses to openvpn
>   iptables -A INPUT -p udp -i eth0 --dport 1194 -j ACCEPT
>   # OpenVPN: Allow interface connections to OpenVPN server
>   iptables -A INPUT   -i tap+ -j ACCEPT
>   iptables -A INPUT   -i br0  -j ACCEPT
>   # OpenVPN: Allow interface connections be forwarded through other interfaces
>   iptables -A FORWARD -i tap+ -j ACCEPT
>   iptables -A FORWARD -i br0  -j ACCEPT
> and I do the following to see if things work,
>   % bridge-start
>   % openvpn /etc/openvpn/server.conf
>   I try to ssh from gateway to LAN machines (no go)
>   I try to ssh from LAN machines back to gateway (no go)
> I didn't even try to see if I can access the VPN from the outside
> since I seem to have more pressing issues (not that it would matter
> if I can't access the LAN).  So what am I doing wrong ? I must have
> read the docs 10 times and searched the net endlessly, I just can't
> seem to get it right and whenever I run that sample bridge-start
> script my LAN connection vanishes and I have to remove the bridge
> and ifdown/ifup eth1 to go back to normal.
> Thanks in advance.
>  .tf


Attachment: signature.asc
Description: OpenPGP digital signature
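The point of the reply above is that in a bridged setup the bridge IP, the router address given in server-bridge, and the client pool must all be in the LAN's own network. The script below is an added example written for this page, not code from the thread or from the OpenVPN project. It checks that rule arithmetically before any interface is touched, then prints the bridge-start steps as a dry run (DRY_RUN=1 is the default, so it runs offline). All addresses are constructed placeholders: LAN 192.168.1.0/24, router 192.168.1.1, the gateway box on 192.168.1.10, clients in 192.168.1.200-220. The poster's real addresses were stripped from the archive and are not reproduced here.

```shell
#!/bin/sh
# Added example: validate bridged-OpenVPN addressing, then dry-run bridge-start.
# Addresses are constructed placeholders; substitute your own LAN values.

# Dotted quad -> integer (POSIX arithmetic, works in dash and bash).
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# broadcast_of IP NETMASK -> directed broadcast of that network (for eth_broadcast).
broadcast_of() {
    n=$(ip2int "$1"); m=$(ip2int "$2")
    int2ip $(( (n & m) | (~m & 4294967295) ))
}

# same_subnet IP1 IP2 NETMASK -> true if both addresses are in one network.
same_subnet() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# check_bridge_plan ETH_IP NETMASK GATEWAY POOL_START POOL_END
# A bridged tap client sits "on the LAN cable", so there is no separate VPN
# subnet: the bridge IP, the router pushed to clients and the client pool must
# all be in the LAN network, and the pool must not overlap the bridge or router.
check_bridge_plan() {
    eth_ip=$1; mask=$2; gw=$3; pool_lo=$4; pool_hi=$5
    for a in "$gw" "$pool_lo" "$pool_hi"; do
        same_subnet "$eth_ip" "$a" "$mask" || {
            echo "error: $a is not in the LAN network of $eth_ip/$mask" >&2
            return 1
        }
    done
    lo=$(ip2int "$pool_lo"); hi=$(ip2int "$pool_hi")
    [ "$lo" -le "$hi" ] || { echo "error: empty pool $pool_lo-$pool_hi" >&2; return 1; }
    for a in "$eth_ip" "$gw"; do
        n=$(ip2int "$a")
        if [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]; then
            echo "error: $a lies inside the client pool" >&2
            return 1
        fi
    done
    return 0
}

# server_bridge_line GATEWAY NETMASK POOL_START POOL_END -> the server.conf directive.
server_bridge_line() {
    echo "server-bridge $1 $2 $3 $4"
}

# run CMD... : print the command when DRY_RUN=1 (default), execute it otherwise.
: "${DRY_RUN:=1}"
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# bridge_start BR TAP ETH ETH_IP NETMASK : the steps of the sample bridge-start,
# with the LAN address moved from the physical NIC onto the bridge.
bridge_start() {
    br=$1; tap=$2; eth=$3; ip=$4; mask=$5
    bcast=$(broadcast_of "$ip" "$mask")
    run openvpn --mktun --dev "$tap"
    run brctl addbr "$br"
    run brctl addif "$br" "$eth"
    run brctl addif "$br" "$tap"
    run ifconfig "$tap" 0.0.0.0 promisc up
    run ifconfig "$eth" 0.0.0.0 promisc up
    run ifconfig "$br" "$ip" netmask "$mask" broadcast "$bcast"
}

# Worked run with the constructed values.
if check_bridge_plan 192.168.1.10 255.255.255.0 192.168.1.1 192.168.1.200 192.168.1.220; then
    echo "# server.conf:"; echo "dev tap"
    server_bridge_line 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.220
    echo "# bridge-start (dry run):"
    bridge_start br0 tap0 eth1 192.168.1.10 255.255.255.0
fi
# The mistake diagnosed in the reply: bridge IP in 172.16.0.0/24 while the LAN is 192.168.1.0/24.
check_bridge_plan 172.16.0.1 255.255.255.0 192.168.1.1 192.168.1.200 192.168.1.220 || echo "rejected as expected"
```

Run it as root with DRY_RUN=0 only after the dry run shows the commands you expect; the check functions need no privileges and can be kept in bridge-start as a guard so the script refuses to run with a bridge IP outside the LAN network.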