[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] Bridging Setup on Linux w/ Windows Clients

In message <BAY128-W396B698672589C9A540748A6CD0@xxxxxxx>, Pasada Khumprakob
<khumprp@xxxxxxxxxxx> wrote:

> Hello all -
> I have been unsuccessful so far at my bridging attempts, with just plain
> weird stuff going on. I was accually able to stay connected today for
> about 10 min, then I manually disconnected, and then I could get a good
> connection back.... So I want to start from scratch with the hopes that
> someone can point out my mistake.
> On the server right now, I have disabled IPTABLES totally. The external IP
> of the server is eg: I create the virtual TAP
> adapter on the linux server and bridge it together with the ETH0 (I have
> only one physical NIC). I then assign the BR0 the IP of ETH0.
> In my server.conf file I start by assigning the virtual adapter an address
> of, and set the local directive to that of the
> bridge's IP

The TAP device on the server should not have an IP address if you bridging
it. The general rule on Linux and Windows XP is that IP addresses should be
assigned to devices which are part of a bridge, but instead to the bride

> I do my certificate stuff, and aside from that
> the only other important thing I have is 'push "route
>"' the default gateway on that network.

Thar route command specifies a route to the subnet the client is on, which
should not be done.  Furthermore it specifies a gateway address on the
subnet it is specifying a route to, which must never be done.

> I also 
> have fragment 1500, mssfix 1500, and some other settings that I believe
> are unrelated.
> On the client side I do NOT setup a bridge. I have an adapter created, and
> in my client.conf file I assign it an IP with ifconfig and the
> appropriate netmask.

That netmask should be the same as as the other machines in your network,
which I understand to be

> I also have route-method exe, and route-delay 2 in 
> the file. The rest is standard.

What address have you have you specified in the remote directive? It should
not be in the subnet you are trying to connect to using the VPN, therefore
it should not be It MUST NOT be routed over the VPN. 

This is probally the cause of your problem, the VPN traffic is being 

If there is a router beetwen  the client and server which supports NAT you
could configure port-forwarding and use the client-side address of the
router in the client's configuration file.

Alternatively give the server another address which is outside the subnet(s)
which are routed/bridged to over the VPN, and is reachable from the client.
You would need to give the routers on the LAN a route to this address via
the LAN address ( of the server, but the client must not find
out about this route, eg via RIP.

> What I'm trying to accomplish is having my laptop from a wireless
> connection be able to connect to my private network (201.0.0.xxx).

If there is no router between the client and server you can setup a separate
subnet for use by OpenVPN, this will result in the server having IP
addresses for both subnets on it's software bridge (or ethernet) interface.

> Whats weird is that it work only once out of a
> hundred times without this UDP flood issue. 

Maybe Vista is caching routing information, then it forgets the cached data
and sends the VPN traffic though itself. Then when OpenVPN disconnects the
queued traffic is sent to the server.

OpenPGP key fingerprint: D0A6 F403 9745 CED4 6B3B  94CC 8D74 8FC9 9F7F CFE4

Openvpn-users mailing list