Re: [Openvpn-users] Bridging Setup on Linux w/ Windows Clients

  • Subject: Re: [Openvpn-users] Bridging Setup on Linux w/ Windows Clients
  • From: "Daniel L. Miller" <dmiller@xxxxxxxxx>
  • Date: Thu, 30 Aug 2007 13:09:59 -0700

Pasada Khumprakob wrote:
> Hello all -
> I have been unsuccessful so far at my bridging attempts, with just 
> plain weird stuff going on. I was actually able to stay connected 
> today for about 10 min, then I manually disconnected, and then I could 
> get a good connection back.... So I want to start from scratch with 
> the hopes that someone can point out my mistake.
> On the server right now, I have disabled IPTABLES totally. The 
> external IP of the server is eg: I create 
> the virtual TAP adapter on the linux server and bridge it together 
> with the ETH0 (I have only one physical NIC). I then assign the BR0 
> the IP of ETH0.
> In my server.conf file I start by assigning the virtual adapter an 
> address of, and set the local directive to 
> that of the bridge's IP I do my certificate stuff, and 
> aside from that the only other important thing I have is 'push "route 
>"' the default gateway on that 
> network.  I also have fragment 1500, mssfix 1500, and some other 
> settings that I believe are unrelated.
> On the client side I do NOT set up a bridge. I have an adapter created, 
> and in my client.conf file I assign it an IP with ifconfig 
> and the appropriate netmask. I also have route-method exe, and 
> route-delay 2 in the file. The rest is standard.
> What I'm trying to accomplish is having my laptop from a wireless 
> connection be able to connect to my private network (201.0.0.xxx). So 
> my laptop has the IP assigned from the wireless, it assigns the TAP 
> device an address on my private network, the server has two addresses, 
> both on the network (which I realize could be a security problem). The 
> one address is for the VPN connections, and the other is the virtual 
> TAP device
> On my Vista machine, I can connect and stay connected for about 30sec 
> before it starts sending out tons and tons of UDP junk packets 
> (10K/s), loses the connection, and then gets it back. On XP machines, 
> they cannot ping or do anything, and the arp table has an invalid 
> entry for the VPN server's address.
> Am I doing this setup wrong? I need to do bridging so we can have 
> access to windows shares and other broadcast-network items. Any 
> thoughts on how to better architect this? What's weird is that it works 
> only once out of a hundred times without this UDP flood issue. I 
> originally thought it was a bad driver or something along the lines 
> with Vista, but now I am completely lost.
Don't know if Vista is making life difficult - haven't heard anything 
GOOD about it yet - but here are some configs that have worked well for me 
with a Linux server and Windows XP clients:

You didn't mention which distro you're using, but you probably have 
something for configuring the network interfaces.  I'm using Debian 
and/or Ubuntu, so I adjust "/etc/network/interfaces".  If you're not 
using something Debian-based, you'll need to adjust accordingly.

Keep in mind how bridging works - you are joining the external NIC (the 
TAP) with your INTERNAL NIC - NOT the Internet NIC!!  The server-side 
addresses in the bridge config and openvpn should be LAN IPs.  Only the 
client-side config needs to know the public Internet IP of the server to 
reach it.

# Even though eth0 will be brought back down by the bridge setup
# bring it up for a moment to ensure the driver module loads.
auto eth0
iface eth0 inet static
    hwaddress ether <your MAC address goes here>

# br0 takes over the LAN address that eth0 used to have; the TAP
# device name here (tap0) must match "dev" in server.conf.
auto br0
iface br0 inet static
    address <LAN IP of the server goes here>
    netmask <LAN netmask goes here>
    bridge_ports eth0 tap0
    bridge_bridgeprio 32767
    bridge_fd 5
    bridge_stp on
    bridge_maxwait 90
    pre-up /usr/sbin/openvpn --mktun --dev tap0
    pre-up ifconfig eth0 up
    pre-up ifconfig tap0 up
    pre-up brctl addbr br0
    pre-up brctl addif br0 eth0
    pre-up brctl addif br0 tap0
    post-down ifconfig eth0 down
    post-down ifconfig tap0 down
    post-down brctl delif br0 eth0
    post-down brctl delif br0 tap0
    post-down brctl delbr br0
    post-down /usr/sbin/openvpn --rmtun --dev tap0
Then in openvpn - a server.conf.  I have configured my internal DHCP 
server to support the VPN clients, so all client config is performed by 
the DHCP server:

mode server
tls-server                 # mode server requires the TLS server role
port 1194
proto udp
dev tap0                   # the TAP that the bridge config enslaves to br0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
keepalive 10 120
status server.log
verb 3
replay-window 72 30

Client configs are real simple.  client.ovpn:
client                     # TLS client role; pulls any pushed options
dev tap
dev-node VPNTAP
proto udp
remote <whatever your public IP is>
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1          # key direction 1 complements the server's 0
ns-cert-type server        # refuse to connect to anything but a server cert
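As an added example (not code from this thread), the script below mechanically cross-checks the three pieces of a bridged setup like the one above: the br0 stanza from /etc/network/interfaces, server.conf and client.ovpn. It flags the mismatches that typically make bridging fail or quietly weaken it: a server "dev" that is not one of the bridge ports, hook commands that touch a TAP device outside the bridge, a missing TLS role on either side, tls-auth key directions that are not 0 on the server and 1 on the client, and a client that never checks the server certificate's role. The sample configs embedded in it are constructed to mirror the post's (the host name vpn.example.invalid is a placeholder).

```python
"""Consistency checks for a bridged OpenVPN setup (added example)."""
import re

# Constructed samples modelled on the post; vpn.example.invalid is a placeholder.
INTERFACES = """\
auto br0
iface br0 inet static
    bridge_ports eth0 tap0
    pre-up /usr/sbin/openvpn --mktun --dev tap0
    post-down ifconfig tap1 down
    post-down /usr/sbin/openvpn --rmtun --dev tap0
"""

SERVER_CONF = """\
mode server
port 1194
proto udp
dev tap1
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
keepalive 10 120
"""

CLIENT_OVPN = """\
dev tap
dev-node VPNTAP
proto udp
remote vpn.example.invalid
tls-auth ta.key 1
nls-cert-type server
"""

# The same three files with the problems corrected.
INTERFACES_FIXED = INTERFACES.replace("tap1 down", "tap0 down")
SERVER_CONF_FIXED = SERVER_CONF.replace("dev tap1", "dev tap0") + "tls-server\n"
CLIENT_OVPN_FIXED = CLIENT_OVPN.replace("nls-cert-type", "ns-cert-type") + "client\n"


def parse_openvpn(text):
    """Map each OpenVPN directive to its argument list (first occurrence wins)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts.setdefault(name, args)
    return opts


def parse_stanza(text, iface):
    """Collect the options of one 'iface <name>' stanza; repeated options accumulate."""
    opts, inside = {}, False
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] in ("iface", "auto", "allow-hotplug", "mapping"):
            inside = parts[0] == "iface" and parts[1] == iface
            continue
        if inside:
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def check_bridge(interfaces, server_conf, client_ovpn):
    """Return the list of findings; an empty list means the three configs agree."""
    br, srv, cli = parse_stanza(interfaces, "br0"), parse_openvpn(server_conf), parse_openvpn(client_ovpn)
    out = []

    # The server's TAP must be a member of the bridge, and no hook may touch another TAP.
    ports = {p for args in br.get("bridge_ports", []) for p in args}
    dev = srv.get("dev", [""])[0]
    if not dev.startswith("tap"):
        out.append("server: bridging needs 'dev tapN'")
    elif dev not in ports:
        out.append(f"server: dev {dev} is not in bridge_ports {sorted(ports)}")
    for hook in ("pre-up", "post-down"):
        for args in br.get(hook, []):
            for tok in args:
                if re.fullmatch(r"tap\d+", tok) and tok not in ports:
                    out.append(f"br0: {hook} touches {tok}, which is not a bridge port")

    # Both ends need an explicit TLS role.
    if srv.get("mode") == ["server"] and "tls-server" not in srv:
        out.append("server: 'mode server' needs 'tls-server'")
    if not (cli.keys() & {"client", "tls-client"}):
        out.append("client: needs 'client' (or 'tls-client') to start the TLS handshake")

    # tls-auth key directions must be complementary: 0 on the server, 1 on the client.
    s_ta, c_ta = srv.get("tls-auth", []), cli.get("tls-auth", [])
    if len(s_ta) < 2 or len(c_ta) < 2 or (s_ta[1], c_ta[1]) != ("0", "1"):
        out.append("tls-auth: key direction must be 0 on the server and 1 on the client")

    # Without this the client accepts any certificate signed by the CA, including another client's.
    if not (cli.keys() & {"ns-cert-type", "remote-cert-tls"}):
        out.append("client: server certificate role is not verified "
                   "(add 'ns-cert-type server' or 'remote-cert-tls server')")

    # Transport parameters must match; OpenVPN's default port is 1194.
    if srv.get("proto", ["udp"]) != cli.get("proto", ["udp"]):
        out.append("proto differs between server and client")
    s_port = srv.get("port", ["1194"])[0]
    c_port = cli.get("port", cli.get("remote", ["", "1194"])[1:2] or ["1194"])[0]
    if s_port != c_port:
        out.append(f"port mismatch: server {s_port}, client {c_port}")
    return out


if __name__ == "__main__":
    for finding in check_bridge(INTERFACES, SERVER_CONF, CLIENT_OVPN):
        print("FINDING:", finding)
    print("fixed configs:", check_bridge(INTERFACES_FIXED, SERVER_CONF_FIXED, CLIENT_OVPN_FIXED) or "clean")
```

Run against the constructed samples it reports five findings (the tap1/tap0 mismatch twice, the missing TLS roles on both sides, and the unverified server certificate role caused by the misspelled directive); against the corrected copies it reports nothing.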