Re: [Openvpn-users] Routing problems with bridged VPN


  • Subject: Re: [Openvpn-users] Routing problems with bridged VPN
  • From: "Avi Shevin" <avi@xxxxxxxxxxx>
  • Date: Mon, 19 Nov 2007 09:57:46 -0500 (EST)
  • Importance: Normal

I tried both with and without the push "route..." and there was no change
at all in behavior.  I didn't think I would need it, but I figure it's
best to try all suggestions at least once :)

bridge info
-----------
bridge name     bridge id               STP enabled     interfaces
br0             8000.00146c81e551       no              eth1
                                                        tap0

In addition, here are the relevant bits from iptables
-----------------------------------------------------
Chain INPUT (policy ACCEPT 41M packets, 18G bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   504 ACCEPT     0    --  tun+   any     anywhere             anywhere
    0     0 ACCEPT     0    --  tap+   any     anywhere             anywhere
    0     0 ACCEPT     0    --  tap0   any     anywhere             anywhere
21268 2220K ACCEPT     0    --  br0    any     anywhere             anywhere
    0     0 ACCEPT     0    --  tap0   any     anywhere             anywhere
    0     0 ACCEPT     0    --  br0    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 118M packets, 42G bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   600 ACCEPT     0    --  tun+   any     anywhere             anywhere
    0     0 ACCEPT     0    --  tap+   any     anywhere             anywhere
 972K  123M ACCEPT     0    --  br0    any     anywhere             anywhere
    0     0 ACCEPT     0    --  br0    any     anywhere             anywhere


On Mon, November 19, 2007 9:35 am, David Balazic wrote:
> Remove the Push "route 10.0.0.0 255.255.255.0"
> you don't need a route to the LAN, because you are already bridged to it.
>
> What is in the br0 bridge ? (brctl br0 or similar command)
>
> Regards,
> David
>
>
> ________________________________
>
> From: openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx on behalf of Avi Shevin
> Sent: Mon 19-Nov-07 15:07
> To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: [Openvpn-users] Routing problems with bridged VPN
>
>
>
> I've switched to a WinXP client for this test, as changing network
> settings is a pain under Vista with UAC.  Anyway, I tried your suggestion,
> but there's no change in behavior.  Also, please note that the server
> can't ping the client either, and a route on the client won't change that.
>
> Here's the routing table from the client.
> The x's are the real IP address components.
> -------------------------------------------
> Active Routes:
> Network Destination        Netmask          Gateway       Interface  Metric
>           0.0.0.0          0.0.0.0       xx.xx.xx.1    xx.xx.xx.xx1      10
>          10.0.0.0    255.255.255.0       10.0.0.202      10.0.0.202      30
>          10.0.0.0    255.255.255.0         10.0.0.1      10.0.0.202       1
>        10.0.0.202  255.255.255.255        127.0.0.1       127.0.0.1      30
>    10.255.255.255  255.255.255.255       10.0.0.202      10.0.0.202      30
>        xx.xx.xx.0    255.255.254.0     xx.xx.xx.xx1    xx.xx.xx.xx1      10
>      xx.xx.xx.xx1  255.255.255.255        127.0.0.1       127.0.0.1      10
>    xx.255.255.255  255.255.255.255     xx.xx.xx.xx1    xx.xx.xx.xx1      10
>         127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
>         224.0.0.0        240.0.0.0       10.0.0.202      10.0.0.202      30
>         224.0.0.0        240.0.0.0     xx.xx.xx.xx1    xx.xx.xx.xx1      10
>   255.255.255.255  255.255.255.255       10.0.0.202      10.0.0.202       1
>   255.255.255.255  255.255.255.255     xx.xx.xx.xx1    xx.xx.xx.xx1       1
> Default Gateway:        xx.xx.xx.1
> ===========================================================================
> Persistent Routes:
>   None
>
> ipconfig from the client
> ------------------------
> Ethernet adapter Local Area Connection 4:
>
>         Connection-specific DNS Suffix  . :
>         IP Address. . . . . . . . . . . . : 10.0.0.202
>         Subnet Mask . . . . . . . . . . . : 255.255.255.0
>         Default Gateway . . . . . . . . . :
>
>
> On Sun, November 18, 2007 4:26 pm, Jon Spriggs wrote:
>> Hi Avi,
>> It's a fairly common mistake (and one I've made too)
>>
>> On your server config, you need to include the following line
>>
>> Push "route 10.0.0.0 255.255.255.0"
>>
>> This assumes your subnet is a /24.
>>
>> Alternatively, you can include it in your client configs, but each time
>> you grow your network, you'll have to change your client config.
>> Ultimately it's cleaner to do it in the server.
>>
>> Jon
>>
>> -----Original Message-----
>> From: Avi Shevin <avi@xxxxxxxxxxx>
>> Sent: 18 November 2007 21:18
>> To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
>> Subject: [Openvpn-users] Routing problems with bridged VPN
>>
>>
>> Hello all!
>>
>> I have the following problem:
>>
>> I have a Linux server that I use as a gateway from my home LAN to the
>> 'net.  The internal NIC is eth1, serving a 10.0.0.0 network.  I have an
>> ADSL connection that sits over eth0, and I use iptables for NAT.  I have
>> installed openvpn on this box, and I would like to bridge the internal
>> network (eth1) with the VPN clients.  The bridge appears to be setup
>> correctly (br0 has an ip address of 10.0.0.1, and everything except the
>> vpn still works correctly.)  I have a Vista laptop that I'm using as a
>> test client.  It's connected to a public wireless network, so it's not
>> sitting on my home LAN at the moment.  I want to bridge it with my home
>> network (10.0.0.0), but it doesn't work correctly.  It connects just fine
>> without any warnings or errors, but routing is completely broken.
>>
>>
>> openvpn config (server)
>> -----------------------
>> ca /etc/openvpn/keys/ca.crt
>> cert /etc/openvpn/keys/server.crt
>> client-to-client
>> comp-lzo
>> dev tap
>> dh /etc/openvpn/keys/dh1024.pem
>> group nogroup
>> ifconfig-pool-persist ipp.txt
>> keepalive 10 120
>> local 75.42.96.214
>> persist-key
>> persist-tun
>> port 1196
>> proto udp
>> server-bridge 10.0.0.1 255.255.255.0 10.0.0.201 10.0.0.224
>> status openvpn-status.log
>> user nobody
>> verb 3
>>
>> routing table (server)
>> ----------------------
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> adsl-75-42-97-2 *               255.255.255.255 UH    0      0        0 ppp0
>> 10.0.0.0        *               255.255.255.0   U     0      0        0 br0
>> default         *               0.0.0.0         U     0      0        0 ppp0
>>
>>
>> openvpn config (client)
>> -----------------------
>> client
>> dev tap
>> proto udp
>> remote <my server> 1196
>> resolv-retry infinite
>> nobind
>> persist-key
>> persist-tun
>> ca "c:\\program files\\openvpn\\keys\\ca.crt"
>> cert "c:\\program files\\openvpn\\keys\\vista.crt"
>> key "c:\\program files\\openvpn\\keys\\vista.key"
>> comp-lzo
>> verb 3
>>
>> routing table (client)
>> ----------------------
>> IPv4 Route Table
>> ===========================================================================
>> Active Routes:
>> Network Destination        Netmask          Gateway       Interface  Metric
>>           0.0.0.0          0.0.0.0     64.250.128.1   64.250.157.167     25
>>          10.0.0.0    255.255.255.0         On-link        10.0.0.201    286
>>        10.0.0.201  255.255.255.255         On-link        10.0.0.201    286
>>        10.0.0.255  255.255.255.255         On-link        10.0.0.201    286
>>      64.250.128.0    255.255.224.0         On-link    64.250.157.167    281
>>    64.250.157.167  255.255.255.255         On-link    64.250.157.167    281
>>    64.250.159.255  255.255.255.255         On-link    64.250.157.167    281
>>         127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
>>         127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
>>   127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
>>         224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
>>         224.0.0.0        240.0.0.0         On-link    64.250.157.167    281
>>         224.0.0.0        240.0.0.0         On-link        10.0.0.201    286
>>   255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
>>   255.255.255.255  255.255.255.255         On-link    64.250.157.167    281
>>   255.255.255.255  255.255.255.255         On-link        10.0.0.201    286
>> ===========================================================================
>> Persistent Routes:
>>   None
>>
>>
>> ping results (client to server)
>> -------------------------------
>> C:\Users\Avi>ping 10.0.0.1
>>
>> Pinging 10.0.0.1 with 32 bytes of data:
>>
>> Request timed out.
>> Request timed out.
>> Request timed out.
>> Request timed out.
>>
>> Ping statistics for 10.0.0.1:
>>     Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
>>
>>
>> ping results (server to client)
>> -------------------------------
>> home:/etc/openvpn# ping -c 4 10.0.0.201
>> PING 10.0.0.201 (10.0.0.201) 56(84) bytes of data.
>> From 10.0.0.1 icmp_seq=1 Destination Host Unreachable
>> From 10.0.0.1 icmp_seq=2 Destination Host Unreachable
>> From 10.0.0.1 icmp_seq=3 Destination Host Unreachable
>> From 10.0.0.1 icmp_seq=4 Destination Host Unreachable
>>
>> --- 10.0.0.201 ping statistics ---
>> 4 packets transmitted, 0 received, +4 errors, 100% packet loss, time
>> 3008ms , pipe 3
>>
>>
>> --
>> - Avi Shevin
>> - avi@xxxxxxxxxxx
>>
>>
>>
>>
>>
>
>
> --
> - Avi Shevin
> - avi@xxxxxxxxxxx
>
>
>
>
>


-- 
- Avi Shevin
- avi@xxxxxxxxxxx
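The thread above compares the server-bridge pool, the bridge membership and the iptables counters by eye. The script below is an added example, not code from the thread or from the OpenVPN project: it re-reads that same evidence (the posted `server-bridge` line, the `brctl show` table and the `iptables -vnL` listing, all embedded here as constructed input copied from the messages) and reports the mismatches a bridged tap setup usually fails on: pool addresses outside the bridge subnet, a gateway that lies inside the client pool, a tap interface that is not actually a bridge port, and filter rules that an earlier terminating rule already covers. The function names, the helper `_covers` and the `check_bridge_setup`/`shadowed_rules` interfaces are this example's own.

```python
"""Consistency checks for a bridged OpenVPN (dev tap) server.

Added example; inputs below are constructed from the thread's own output.
"""
import ipaddress
import re

SERVER_CONF = """\
dev tap
server-bridge 10.0.0.1 255.255.255.0 10.0.0.201 10.0.0.224
"""

BRCTL_SHOW = """\
bridge name     bridge id               STP enabled     interfaces
br0             8000.00146c81e551       no              eth1
                                                        tap0
"""

IPTABLES = """\
Chain INPUT (policy ACCEPT 41M packets, 18G bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   504 ACCEPT     0    --  tun+   any     anywhere             anywhere
    0     0 ACCEPT     0    --  tap+   any     anywhere             anywhere
    0     0 ACCEPT     0    --  tap0   any     anywhere             anywhere
21268 2220K ACCEPT     0    --  br0    any     anywhere             anywhere
    0     0 ACCEPT     0    --  tap0   any     anywhere             anywhere
    0     0 ACCEPT     0    --  br0    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 118M packets, 42G bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   600 ACCEPT     0    --  tun+   any     anywhere             anywhere
    0     0 ACCEPT     0    --  tap+   any     anywhere             anywhere
 972K  123M ACCEPT     0    --  br0    any     anywhere             anywhere
    0     0 ACCEPT     0    --  br0    any     anywhere             anywhere
"""


def parse_server_bridge(conf):
    """Return (gateway, network, pool_start, pool_end) from the server-bridge line."""
    m = re.search(r"^\s*server-bridge\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", conf, re.M)
    if not m:
        raise ValueError("no server-bridge line in config")
    gw, mask, start, end = m.groups()
    net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
    return (ipaddress.ip_address(gw), net,
            ipaddress.ip_address(start), ipaddress.ip_address(end))


def parse_brctl(output):
    """Map bridge name -> set of enslaved ports; extra ports sit on indented rows."""
    bridges, current = {}, None
    for line in output.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if not fields:
            continue
        if not line[0].isspace():                  # name, id, stp, [first port]
            current = fields[0]
            bridges[current] = set(fields[3:4])
        elif current:                              # continuation row: one more port
            bridges[current].add(fields[0])
    return bridges


def check_bridge_setup(conf, brctl_output, bridge="br0", tap="tap0"):
    """Return a list of problems; an empty list means pool and bridge agree."""
    problems = []
    gw, net, start, end = parse_server_bridge(conf)
    if gw in (net.network_address, net.broadcast_address):
        problems.append(f"gateway {gw} is the network or broadcast address of {net}")
    for label, addr in (("pool start", start), ("pool end", end)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
    if start > end:
        problems.append(f"pool start {start} is after pool end {end}")
    if start <= gw <= end:
        problems.append(f"gateway {gw} lies inside the client pool {start}-{end}")
    members = parse_brctl(brctl_output).get(bridge, set())
    if tap not in members:
        problems.append(f"{tap} is not enslaved to {bridge} (members: {sorted(members)})")
    if not (members - {tap}):
        problems.append(f"{bridge} has no LAN port besides {tap}")
    return problems


TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}


def _covers(prev, rule):
    """True if an earlier terminating rule matches everything this rule would."""
    if prev[0] not in TERMINATING or prev[:3] != rule[:3] or prev[4:] != rule[4:]:
        return False
    pin, rin = prev[3], rule[3]                    # the 'in' interface column
    return pin == rin or (pin.endswith("+") and rin.startswith(pin[:-1]))


def shadowed_rules(listing):
    """Rules in an 'iptables -vnL' listing that can never match because an
    identical or wildcard ('tap+') rule with the same target precedes them.
    Note that once tap0 is a bridge port, frames it carries reach the filter
    table with br0 as the in-interface, so tap+/tap0 rules only matter for
    traffic entering before the bridge (physdev matches are needed per port)."""
    earlier, result, chain = [], [], None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain, earlier = line.split()[1], []
            continue
        f = line.split()
        if len(f) < 9 or f[0] == "pkts":           # blank line or column header
            continue
        rule = tuple(f[2:9])                       # target prot opt in out src dst
        if any(_covers(prev, rule) for prev in earlier):
            result.append((chain, rule))
        earlier.append(rule)
    return result


if __name__ == "__main__":
    for p in check_bridge_setup(SERVER_CONF, BRCTL_SHOW) or ["pool and bridge are consistent"]:
        print(p)
    for chain, rule in shadowed_rules(IPTABLES):
        print(f"{chain}: '{' '.join(rule)}' is dead, an earlier rule already covers it")
```

Run against the thread's own data the layout check comes back clean, while the rule check flags both tap0 lines (already covered by tap+) and the second br0 line in INPUT and FORWARD as dead; trimming them does not change behaviour but makes the counters that remain meaningful when you next compare them.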

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users