Hi all,
I am trying to deploy a cross platform bridged VPN solution, so I chose openvpn. I need to be able to broadcast which is why I have the bridged requirement. I have a Debian Lenny Server running as the openvpn server and it is configured it appears properly, and my client is a windows machine also apparently configured properly. because I can connect and be authenticated and the connection is up and running. However, I cannot ping the server or anything on the LAN of the remote side. As a matter of fact no data whatsoever, makes it from the client back to the remote LAN side.
I will note I am not testing from external to the company. But I am on a different subnet. This is better explained by the setup so here it is.
Code:
T1---Router-|---LAN1 192.168.100.x----switches---servers+clients
|---LAN2(DMZ) 192.168.50.x----switch---servers
|---LAN3(Specialized equipment) 192.168.1.x----switch-devs
The Router is a Juniper SSG140, and the switches are all linksys. Connectivity and firewall rules on the Router are appropriate to allow traffic between the different LANs currently LAN1 and LAN3 have an allow all policy as LAN 3 is the one where I need the VPN and I want to make sure that rules are not an issue in connectivity.
The openvpn server is running in a VirtualBox VM that has its virtual adapter connected to the physical ethernet port of the host, it is assigned an address statically and is accessible on LAN3 as a host. Bringing up bridging for the openvpn bridge works perfectly with connectivity after that. Connecting from LAN1 to the server in LAN3 works fine with the windows client in so far as it can find the server, and establish a connection, once connected everything appears appropriate in the logs, but I cannot ping anything not the server, not computers on the remote LAN3 and I can likewise not ping the ip of the client that is connected, I can still ping from LAN3 to LAN1 host IP. After looking at route and arp I determined it appeared that the clients arp was not being proxied by the server, the arp command showed that devices on LAN 3 were requesting the clients IP adddress but not receiving any response, the same was noted on the client arp entry for an IP with no MAC address. Running Wireshark revealed that this was true arp requests were being sent out but no response received. I could not see anything coming from the TAP interface on the client coming across wireshark on LAN3. I did see the tunnel between the LAN1 IP address and the LAN3 host IP in other words 192.168.100.109---192.168.1.3 but nothing from the virtual tap interface 192.168.1.243. Running Wireshark on the client revealed something I found interesting though. The client once connected to the VPN was receiving every broadcast on LAN3 and responding to them, the responses were not being forwarded over the VPN connection though. SO I could see every arp request wanting the MAC address for the client and the responses sent from the client when running wireshark on the client and monitoring the tap interface. This would indicate that the VPN is connected fine but that there is an issue sending data upstream. If I set the arp manually on the machines I still have no connectivity though I still cannot ping, so this is not an issue I think with arp so much but with pushing data through the link.
The only thing I can speculate is that since my remote server ip address is on LAN3 and the remote LAN I am trying to connect to is LAN3 is that when the arp cache is cleared by the openvpn connection sequence this is screwing with the traffic in that the client no longer knows where to send the encrytped tunnel traffic and that is causing everything else to fail this also explains why data is seen on the client but not on the LAN itself because the server still has a valid arp entry for the client, but the client no longer has a valid entry for the server.
Anyone have any ideas or suggestions. Do you think I am on the right track in my thinking or way off base? Any ideas how to test my theory and or a way around it if my theory is correct. maybe a script hardcoding the remote server ip on the client or perhaps having to go outside the network, or something else.
Thank you for all your help in advance.
Alex
