I am trying to set up tap interfaces on a bridge. This is my first attempt at this level of networking. The hardware is a small router box with an Atom processor. The relevant software installed:
Debian stretch 9.4
OpenVPN 2.4.4
Hostapd 2.4
DNSmasq 2.76
The router is set up to connect with NordVPN with a tunnel on the wan port. I initially created two bridges, one for hard-wired clients and one for wifi. The intention was to supplement the weak encryption methods for wifi. I have everything working fine with regards to the lan/wifi access between clients and tunnel Internet access. DNSmasq is properly providing leases and DNS requests. However, since I added a tap on 'br1', I have had a lot of trouble. I used all of the examples I could find on the Internet, and tried using a tunnel as well. I tried adding the bridge at boot and dynamically too. I am using the lan port on the bridge so wifi isn't involved. No luck... Here are the configurations:
Relevant portions of 'interfaces':
Code:
# WLAN bridge
auto br1
iface br1 inet static
bridge_ports wlan0 lan2
address 192.168.253.211
broadcast 192.168.253.255
netmask 255.255.255.0
up route add -host 255.255.255.255 br1
post-up ip link set br1 address c2:cc:cc:cc:cc:cc
# 4 on router
allow-hotplug lan2
iface lan2 inet manual
pre-up ip link set dev lan2 up
pre-down ip link set dev lan2 down
# Wifi Card
allow-hotplug wlan0
iface wlan0 inet manual
pre-up ip link set dev wlan0 up
post-up iw dev wlan0 set 4addr on
pre-down ip link set dev wlan0 down
Relevant portions of ifconfig:
Code:
gatekeeper@gate:~$ sudo ifconfig
br1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.253.211 netmask 255.255.255.0 broadcast 192.168.253.255
ether c2:cc:cc:cc:cc:cc txqueuelen 1000 (Ethernet)
RX packets 141596 bytes 11487500 (10.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 186096 bytes 212279100 (202.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1 (Local Loopback)
RX packets 16442 bytes 1201113 (1.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 16442 bytes 1201113 (1.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tapl0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
ether d2:dd:dd:dd:dd:dd txqueuelen 100 (Ethernet)
RX packets 151 bytes 18558 (18.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 440 bytes 84387 (82.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 74:f0:6d:62:19:e4 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2378 bytes 460305 (449.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
The DNSmasq configuration:
Code:
log-dhcp
cache-size=400
interface=br0
dhcp-range=br0,192.168.252.231,192.168.252.239,60m
dhcp-option=br0,option:router,192.168.252.201
dhcp-option=br0,option:ntp-server,192.168.252.201
dhcp-host=br0,xx:xx:xx:xx:xx:xx,user1,192.168.252.231
dhcp-host=br0,xx:xx:xx:xx:xx:xx,user2,192.168.252.232
dhcp-host=br0,xx:xx:xx:xx:xx:xx,user3,192.168.252.233
dhcp-host=br0,xx:xx:xx:xx:xx:xx,user4,192.168.252.234
dhcp-host=br0,xx:xx:xx:xx:xx:xx,user5,192.168.252.235
dhcp-ignore=br0:!known
interface=br1
listen-address=192.168.253.211
dhcp-range=br1,192.168.253.230,192.168.253.239,60m
dhcp-option=br1,option:router,192.168.253.211
dhcp-option=br1,option:ntp-server,192.168.253.211
dhcp-host=br1,xx:xx:xx:xx:xx:xx,user1,192.168.253.230
dhcp-host=br1,xx:xx:xx:xx:xx:xx,user2,192.168.253.231
dhcp-host=br1,xx:xx:xx:xx:xx:xx,user3,192.168.253.232
dhcp-host=br1,xx:xx:xx:xx:xx:xx,user4,192.168.253.233
dhcp-host=br1,xx:xx:xx:xx:xx:xx,user5,192.168.253.234
dhcp-host=br1,xx:xx:xx:xx:xx:xx,user6,192.168.253.235
dhcp-lease-max=20
The OpenVPN server conf:
Code:
dev tapl0
port 1194
proto udp
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
tls-auth /etc/openvpn/keys/ta.key 0
#server-bridge
server-bridge 192.168.253.211 255.255.255.0 192.168.253.242 192.168.253.249
push "redirect-gateway"
#push "redirect-gateway local"
#push "redirect-gateway def1 autolocal"
#push "redirect-gateway def1"
#push "redirect-gateway def1 bypass-dhcp bypass-dns"
#push "dhcp-option DHCP 192.168.253.211"
#push "route 192.168.253.0 255.255.255.0"
#client-to-client
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
status /var/log/openvpn-status.log
verb 9
log /var/log/openvpn
verb 9
explicit-exit-notify 1
OpenVPN client conf:
Code:
client
dev tapl0
proto udp
remote 192.168.253.211 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/me.crt
key /etc/openvpn/keys/me.key
remote-cert-tls server
tls-auth /etc/openvpn/keys/ta.key 1
cipher AES-256-CBC
verb 9
Test version of the firewall script
Code:
*mangle
# Flush previous mangle table
-F PREROUTING
-F POSTROUTING
-F INPUT
-F FORWARD
-F OUTPUT
# Accept everything
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
COMMIT
*nat
# Flush previous NAT table
-F PREROUTING
-F POSTROUTING
-F INPUT
-F OUTPUT
# Accept everything
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-A POSTROUTING -o tunv0 -m iprange --src-range 192.168.252.231-192.168.252.239 -j MASQUERADE
-A POSTROUTING -o tunv0 -m iprange --src-range 192.168.253.231-192.168.253.249 -j MASQUERADE
COMMIT
*filter
# Flush previous filter table
-F INPUT
-F OUTPUT
-F FORWARD
# Accept everything
-P OUTPUT ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
# Log everything
-A INPUT -j LOG --log-level info --log-prefix "FILTER I/P :"
-A OUTPUT -j LOG --log-level info --log-prefix "FILTER O/P :"
-A FORWARD -j LOG --log-level info --log-prefix "FILTER FWD :"
# Allow dynamic rules for NordVPN connection
-N in_good_vpn_accept
-N out_good_vpn_accept
-A in_good_vpn_accept -j ACCEPT
-A out_good_vpn_accept -j ACCEPT
# Allow router to renew ISP lease
-A INPUT -i wan0 -p udp --sport 67 --dport 68 -s xxx.xxx.xxx.xxx -j ACCEPT
-A OUTPUT -o wan0 -p udp --sport 68 --dport 67 -d xxx.xxx.xxx.xxx -j ACCEPT
# Drop everything but NordVPN and DHCP lease on wan0
-A INPUT -i wan0 -j DROP
-A OUTPUT -o wan0 -j DROP
COMMIT
Script to open tunnel before running openvpn --conf server.conf:
Code:
openvpn --mktun --dev tapl0
brctl addif br1 tapl0
ip link set dev tapl0 address d2:dd:dd:dd:dd:dd
ifconfig tapl0 0.0.0.0 promisc up
Script to close tunnel after running openvpn --conf server.conf:
Code:
openvpn --rmtun --dev tapl0
Output of brctl:
Code:
gatekeeper@gate:~$ sudo brctl show br1
bridge name bridge id STP enabled interfaces
br1 8000.c2cccccccccc no lan2
tapl0
wlan0
Output of route:
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.7.7.1 128.0.0.0 UG 0 0 0 tunv0
default 192.168.0.1 0.0.0.0 UG 0 0 0 wan0
10.7.7.0 0.0.0.0 255.255.255.0 U 0 0 0 tunv0
128.0.0.0 10.7.7.1 128.0.0.0 UG 0 0 0 tunv0
184.75.212.11 192.168.0.1 255.255.255.255 UGH 0 0 0 wan0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 wan0
192.168.252.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.253.0 0.0.0.0 255.255.255.0 U 0 0 0 br1
255.255.255.255 0.0.0.0 255.255.255.255 UH 0 0 0 br0
255.255.255.255 0.0.0.0 255.255.255.255 UH 0 0 0 br1
Output of netstat -ng:
Code:
gatekeeper@gate:~$ sudo netstat -ng
IPv6/IPv4 Group Memberships
Interface RefCnt Group
--------------- ------ ---------------------
lo 1 224.0.0.1
wan0 2 224.0.0.251
wan0 1 224.0.0.1
lan0 1 224.0.0.1
lan1 1 224.0.0.1
lan2 1 224.0.0.1
br1 2 224.0.0.251
br1 1 224.0.0.1
wlan0 1 224.0.0.1
br0 1 224.0.0.251
br0 1 224.0.0.1
tapl0 1 224.0.0.1
tunv0 1 224.0.0.251
tunv0 1 224.0.0.1
lo 1 ff02::1
lo 1 ff01::1
wan0 1 ff02::1
wan0 1 ff01::1
lan0 1 ff02::1
lan0 1 ff01::1
lan1 1 ff02::1
lan1 1 ff01::1
lan2 1 ff02::1
lan2 1 ff01::1
br1 1 ff02::1
br1 1 ff01::1
wlan0 1 ff02::1
wlan0 1 ff01::1
br0 1 ff02::1
br0 1 ff01::1
tapl0 1 ff02::1
tapl0 1 ff01::1
tunv0 1 ff02::1
tunv0 1 ff01::1
The OpenVPN Status log:
Code:
OpenVPN CLIENT LIST
Updated,Wed Jun 13 19:11:13 2018
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
david,192.168.253.234:45945,11093,12156,Wed Jun 13 19:01:34 2018
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
82:91:6b:4a:88:34,david,192.168.253.234:45945,Wed Jun 13 19:01:36 2018
GLOBAL STATS
Max bcast/mcast queue length,1
END
I have attached two jpgs from Wireshark.
It seems that the connection is made and assigned 192.168.253.242 by OpenVPN, but there is no response to packets sent through the tap. I can ping this IP from the router. I think this is a routing problem, as the client shows a route for the tap, and the router shows routing for the NordVPN tunnel. The client can access the Internet, but it is all between the router and the DHCP lease IP, nothing through the tap. However, when I try to add a route:
Code:
gatekeeper@gate:~$ sudo ip route add 192.168.253.0/24 via 0.0.0.0 dev tapl0
RTNETLINK answers: File exists
gatekeeper@gate:~$ sudo ip route show dev tapl0
gatekeeper@gate:~$
I have attached two snapshots from Wireshark.
Can anyone tell me how to remedy this? It would be greatly appreciated!
Dave
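A bridged-tap setup like the one in the post has several places where the configuration files and the live interface state have to agree: the tap must be a bridge member with no address of its own, the server-bridge gateway must be the bridge's own address, the server-bridge pool must sit inside the bridge subnet and outside the dnsmasq range, and the MASQUERADE rules on the tunnel interface must cover every source address that is supposed to leave through it. The script below is an added example, not code from the original post or from OpenVPN/dnsmasq; it parses the kinds of input shown in the post (server.conf, dnsmasq.conf, iptables-restore rules, the v1 status log) plus a small dict describing the live state, and reports mismatches. The sample inputs are constructed from the values in the post, so running it shows what those values yield: the MASQUERADE range 192.168.253.231-.249 does not cover the dnsmasq range starting at .230, the client "david" connects from 192.168.253.234, an address inside the very subnet the tap is bridged into, and the dh1024.pem file name suggests 1024-bit DH parameters. The check names (check_tap_bridge, run_example) and the state dict layout are assumptions of this example.

```python
"""Offline sanity checks for an OpenVPN tap bridged into a Linux bridge (added example,
not code from the original post). It parses the kinds of input the post shows and a
dict of live interface state; the sample inputs at the bottom are constructed from the post."""
import ipaddress
import re

def parse_server_bridge(conf):
    """(gateway, netmask, pool_start, pool_end) from the server-bridge line, or None."""
    m = re.search(r"^server-bridge\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", conf, re.M)
    return m.groups() if m else None

def parse_dhcp_ranges(conf):
    """{iface: (start, end)} from dnsmasq 'dhcp-range=iface,start,end,...' lines."""
    return {m[1]: (m[2], m[3]) for m in
            re.finditer(r"^dhcp-range=(\w+),([\d.]+),([\d.]+)", conf, re.M)}

def parse_masq_ranges(rules):
    """[(out_iface, start, end)] from 'iprange --src-range' MASQUERADE rules."""
    pat = r"^-A POSTROUTING -o (\S+) -m iprange --src-range ([\d.]+)-([\d.]+) -j MASQUERADE"
    return [m.groups() for m in re.finditer(pat, rules, re.M)]

def parse_status_clients(log):
    """[(common_name, real_ip)] from the CLIENT LIST section of a v1 status log."""
    clients, in_list = [], False
    for line in log.splitlines():
        if line.startswith("Common Name,Real Address"):
            in_list = True
        elif line.startswith("ROUTING TABLE"):
            break
        elif in_list and "," in line:
            cn, real = line.split(",")[:2]
            clients.append((cn, real.rsplit(":", 1)[0]))  # drop the source port
    return clients

def _ints(pair):
    return tuple(int(ipaddress.IPv4Address(a)) for a in pair)

def covers(outer, inner):
    """True if the inclusive address range outer contains the range inner."""
    (lo, hi), (s, e) = _ints(outer), _ints(inner)
    return lo <= s and e <= hi

def check_tap_bridge(state, bridge, tap, tun, server_conf, dnsmasq_conf, nat_rules, status_log):
    """Return 'LEVEL: message' findings; an empty list means nothing obvious is wrong."""
    f = []
    if tap not in state["bridge_members"].get(bridge, []):
        f.append(f"ERROR: {tap} is not a member of {bridge}")
    if state["addrs"].get(tap):
        f.append(f"WARN: {tap} has an IP address; in a bridge the address belongs on {bridge}")
    sb = parse_server_bridge(server_conf)
    if sb is None:
        return f + ["ERROR: no server-bridge line in server.conf"]
    gw, mask, pool = sb[0], sb[1], sb[2:]
    net = ipaddress.IPv4Network(f"{gw}/{mask}", strict=False)
    if f"{gw}/{net.prefixlen}" not in state["addrs"].get(bridge, []):
        f.append(f"ERROR: server-bridge gateway {gw}/{net.prefixlen} is not configured on {bridge}")
    if not all(ipaddress.IPv4Address(a) in net for a in pool):
        f.append(f"ERROR: server-bridge pool {pool[0]}-{pool[1]} lies outside {net}")
    dhcp = parse_dhcp_ranges(dnsmasq_conf).get(bridge)
    if dhcp and _ints(dhcp)[0] <= _ints(pool)[1] and _ints(pool)[0] <= _ints(dhcp)[1]:
        f.append(f"ERROR: dnsmasq range {dhcp[0]}-{dhcp[1]} overlaps the server-bridge pool")
    masq = [(s, e) for o, s, e in parse_masq_ranges(nat_rules) if o == tun]
    for name, rng in (("dnsmasq range", dhcp), ("server-bridge pool", pool)):
        if rng and not any(covers(m, rng) for m in masq):
            f.append(f"WARN: no MASQUERADE rule on {tun} covers the whole {name} {rng[0]}-{rng[1]}")
    for cn, real in parse_status_clients(status_log):
        if ipaddress.IPv4Address(real) in net:
            f.append(f"WARN: client {cn} connects from {real}, inside {net}: it is bridged into a segment it is already on")
    m = re.search(r"^dh\s+\S*?(\d+)\.pem", server_conf, re.M)  # file-name heuristic only
    if m and int(m[1]) < 2048:
        f.append(f"WARN: dh file name suggests {m[1]}-bit DH parameters; use 2048 bits or more")
    return f

# Constructed from the post's configuration and status output (not the full files).
SERVER_CONF = """dh /etc/openvpn/keys/dh1024.pem
server-bridge 192.168.253.211 255.255.255.0 192.168.253.242 192.168.253.249
"""
DNSMASQ_CONF = "interface=br1\ndhcp-range=br1,192.168.253.230,192.168.253.239,60m\n"
NAT_RULES = """-A POSTROUTING -o tunv0 -m iprange --src-range 192.168.252.231-192.168.252.239 -j MASQUERADE
-A POSTROUTING -o tunv0 -m iprange --src-range 192.168.253.231-192.168.253.249 -j MASQUERADE
"""
STATUS_LOG = """OpenVPN CLIENT LIST
Updated,Wed Jun 13 19:11:13 2018
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
david,192.168.253.234:45945,11093,12156,Wed Jun 13 19:01:34 2018
ROUTING TABLE
END
"""
# Live state as the post's 'brctl show br1' and 'ifconfig' output report it.
STATE = {"bridge_members": {"br1": ["lan2", "tapl0", "wlan0"]},
         "addrs": {"br1": ["192.168.253.211/24"], "tapl0": []}}

def run_example():
    return check_tap_bridge(STATE, "br1", "tapl0", "tunv0", SERVER_CONF, DNSMASQ_CONF, NAT_RULES, STATUS_LOG)

if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

On a real router the STATE dict would be filled from /sys/class/net/br1/brif/ and `ip -o addr`; two live checks the script cannot do offline are `cat /proc/sys/net/bridge/bridge-nf-call-iptables` (when it is 1, bridged frames also traverse the iptables FORWARD chain, so filter rules apply to tap-to-lan2 traffic as well) and `tcpdump -ni tapl0` while the client pings, which shows directly whether frames arrive on the tap and whether replies leave through it or through the client's physical LAN port instead. The last finding matters for the setup in the post: a client that is already a DHCP lease holder on 192.168.253.0/24 and then gets bridged into the same segment has two interfaces with an on-link route for that subnet, so its replies are not guaranteed to go back through the tap.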