LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 06-13-2018, 09:55 PM   #1
CrazyDavy
LQ Newbie
 
Registered: May 2018
Posts: 2

Rep: Reputation: Disabled
OpenVPN bridge-server - routing


I am trying to setup tap interfaces on a bridge. This is my first attempt at this level of networking. The hardware is a small router box with a atom processor. The relevant software installed:
Debian stretch 9.4
OpenVPN 2.4.4
Hostapd 2.4
DNSmasq 2.76

The router is set up to connect with NordVPN with a tunnel on the wan port. I initially created two bridges, one for hard wired clients and one for wifi. The intention was to supplement the weak encryption methods for wifi. I have everything working fine with regards to the lan/wifi access between clients and tunnel Internet access. DNSmasq is properly providing leases and DNS requests. However when I added a tap on 'br1', I have a lot of trouble since. I used all of the examples I could find on the Internet, tried using a tunnel as well. I tried adding the bridge at boot and dynamically too. I am using the lan port on the bridge so wifi isn't involved. No luck... Here are the configurations:

Relevant portions of 'interfaces':
Code:
# WLAN bridge
auto br1
iface br1 inet static
  bridge_ports wlan0 lan2
  address   192.168.253.211
  broadcast 192.168.253.255
  netmask   255.255.255.0
  up route add -host 255.255.255.255 br1
  post-up ip link set br1 address c2:cc:cc:cc:cc:cc

# 4 on router
allow-hotplug lan2
iface lan2 inet manual
  pre-up    ip link set dev lan2 up
  pre-down  ip link set dev lan2 down

# Wifi Card
allow-hotplug wlan0
iface wlan0 inet manual
   pre-up    ip link set dev wlan0 up
   post-up   iw dev wlan0 set 4addr on
   pre-down  ip link set dev wlan0 down
Reliant portions of ifconfig:
Code:
gatekeeper@gate:~$ sudo ifconfig
br1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.253.211  netmask 255.255.255.0  broadcast 192.168.253.255
        ether c2:cc:cc:cc:cc:cc  txqueuelen 1000  (Ethernet)
        RX packets 141596  bytes 11487500 (10.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 186096  bytes 212279100 (202.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1  (Local Loopback)
        RX packets 16442  bytes 1201113 (1.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16442  bytes 1201113 (1.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tapl0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        ether d2:dd:dd:dd:dd:dd  txqueuelen 100  (Ethernet)
        RX packets 151  bytes 18558 (18.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 440  bytes 84387 (82.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 74:f0:6d:62:19:e4  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2378  bytes 460305 (449.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
The DNSmasq configuration:
Code:
log-dhcp
cache-size=400

interface=br0
dhcp-range=br0,192.168.252.231,192.168.252.239,60m
dhcp-option=br0,option:router,192.168.252.201
dhcp-option=br0,option:ntp-server,192.168.252.201
dhcp-host=br0,xx:xx:xx:xx:xx:xx,user1,192.168.252.231
dhcp-host=br0,xx:xx:xx:xx:xx:xx,user2,192.168.252.232
dhcp-host=br0,xx:xx:xx:xx:xx:xx,user3,192.168.252.233
dhcp-host=br0,xx:xx:xx:xx:xx:xx,user4,192.168.252.234
dhcp-host=br0,xx:xx:xx:xx:xx:xx,user5,192.168.252.235
dhcp-ignore=br0:!known

interface=br1
listen-address=192.168.253.211
dhcp-range=br1,192.168.253.230,192.168.253.239,60m
dhcp-option=br1,option:router,192.168.253.211
dhcp-option=br1,option:ntp-server,192.168.253.211
dhcp-host=br1,xx:xx:xx:xx:xx:xx,user1,192.168.253.230
dhcp-host=br1,xx:xx:xx:xx:xx:xx,user2,192.168.253.231
dhcp-host=br1,xx:xx:xx:xx:xx:xx,user3,192.168.253.232
dhcp-host=br1,xx:xx:xx:xx:xx:xx,user4,192.168.253.233
dhcp-host=br1,xx:xx:xx:xx:xx:xx,user5,192.168.253.234
dhcp-host=br1,xx:xx:xx:xx:xx:xx,user6,192.168.253.235
dhcp-lease-max=20
The OpenVPN server conf:
Code:
dev tapl0
port 1194
proto udp

ca       /etc/openvpn/keys/ca.crt
cert     /etc/openvpn/keys/server.crt
key      /etc/openvpn/keys/server.key
dh       /etc/openvpn/keys/dh1024.pem
tls-auth /etc/openvpn/keys/ta.key 0

#server-bridge
server-bridge 192.168.253.211 255.255.255.0 192.168.253.242 192.168.253.249
push "redirect-gateway"
#push "redirect-gateway local"
#push "redirect-gateway def1 autolocal"
#push "redirect-gateway def1"
#push "redirect-gateway def1 bypass-dhcp bypass-dns"
#push "dhcp-option DHCP 192.168.253.211"
#push "route 192.168.253.0 255.255.255.0"

#client-to-client
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
status /var/log/openvpn-status.log
verb 9
log /var/log/openvpn
verb 9
explicit-exit-notify 1
OpenVPN client conf:
Code:
client
dev tapl0
proto udp
remote 192.168.253.211 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca       /etc/openvpn/keys/ca.crt
cert     /etc/openvpn/keys/me.crt
key      /etc/openvpn/keys/me.key
remote-cert-tls server
tls-auth /etc/openvpn/keys/ta.key 1
cipher AES-256-CBC
verb 9
Test version of the firewall script
Code:
*mangle
# Flush previous MAG table
-F PREROUTING
-F POSTROUTING
-F INPUT
-F FORWARD
-F OUTPUT
# Accept everything
-P PREROUTING   ACCEPT
-P POSTROUTING  ACCEPT
-P INPUT        ACCEPT 
-P FORWARD      ACCEPT
-P OUTPUT       ACCEPT
COMMIT

*nat
# Flush previous NAT table
-F PREROUTING
-F POSTROUTING
-F INPUT
-F OUTPUT
# Accept everything
-P PREROUTING   ACCEPT
-P POSTROUTING  ACCEPT
-P INPUT        ACCEPT 
-P OUTPUT       ACCEPT
-A POSTROUTING -o tunv0  -m iprange --src-range 192.168.252.231-192.168.252.239 -j MASQUERADE
-A POSTROUTING -o tunv0  -m iprange --src-range 192.168.253.231-192.168.253.249 -j MASQUERADE
COMMIT

*filter
# Flush previous filter table
-F INPUT
-F OUTPUT
-F FORWARD
# Accept everything
-P OUTPUT ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
# Log everything
-A INPUT -j LOG --log-level info --log-prefix "FILTER I/P :"
-A OUTPUT -j LOG --log-level info --log-prefix "FILTER O/P :"
-A FORWARD -j LOG --log-level info --log-prefix "FILTER FWD :"
# Allow dynamic rules for NordVPN connection
-N in_good_vpn_accept
-N out_good_vpn_accept
-A in_good_vpn_accept -j ACCEPT
-A out_good_vpn_accept -j ACCEPT
# Allow router to renew ISP lease
-A INPUT -i wan0 -p udp --sport 67 --dport 68 -s xxx.xxx.xxx.xxx -j ACCEPT
-A OUTPUT -o wan0 -p udp --sport 68 --dport 67 -d xxx.xxx.xxx.xxx -j ACCEPT
# Drop everything but NordVPN and DHCP lease on wan0
-A INPUT -i wan0 -j DROP
-A OUTPUT -o wan0 -j DROP
COMMIT
Script to open tunnel before running openvpn --conf server.conf:
Code:
openvpn --mktun --dev tapl0
brctl addif br1 tapl0
ip link set dev tapl0 address d2:dd:dd:dd:dd:dd
ifconfig tapl0 0.0.0.0 promisc up
Script to close tunnel after running openvpn --conf server.conf:
Code:
openvpn --rmtun --dev tapl0
Output of brctl:
Code:
gatekeeper@gate:~$ sudo brctl show br1
bridge name	bridge id		STP enabled	interfaces
br1		8000.c2cccccccccc	no		lan2
							tapl0
							wlan0
Output of route:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.7.7.1        128.0.0.0       UG    0      0        0 tunv0
default         192.168.0.1     0.0.0.0         UG    0      0        0 wan0
10.7.7.0        0.0.0.0         255.255.255.0   U     0      0        0 tunv0
128.0.0.0       10.7.7.1        128.0.0.0       UG    0      0        0 tunv0
184.75.212.11   192.168.0.1     255.255.255.255 UGH   0      0        0 wan0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 wan0
192.168.252.0   0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.253.0   0.0.0.0         255.255.255.0   U     0      0        0 br1
255.255.255.255 0.0.0.0         255.255.255.255 UH    0      0        0 br0
255.255.255.255 0.0.0.0         255.255.255.255 UH    0      0        0 br1
Output of netstat -ng
Code:
gatekeeper@gate:~$ sudo netstat -ng
IPv6/IPv4 Group Memberships
Interface       RefCnt Group
--------------- ------ ---------------------
lo              1      224.0.0.1
wan0            2      224.0.0.251
wan0            1      224.0.0.1
lan0            1      224.0.0.1
lan1            1      224.0.0.1
lan2            1      224.0.0.1
br1             2      224.0.0.251
br1             1      224.0.0.1
wlan0           1      224.0.0.1
br0             1      224.0.0.251
br0             1      224.0.0.1
tapl0           1      224.0.0.1
tunv0           1      224.0.0.251
tunv0           1      224.0.0.1
lo              1      ff02::1
lo              1      ff01::1
wan0            1      ff02::1
wan0            1      ff01::1
lan0            1      ff02::1
lan0            1      ff01::1
lan1            1      ff02::1
lan1            1      ff01::1
lan2            1      ff02::1
lan2            1      ff01::1
br1             1      ff02::1
br1             1      ff01::1
wlan0           1      ff02::1
wlan0           1      ff01::1
br0             1      ff02::1
br0             1      ff01::1
tapl0           1      ff02::1
tapl0           1      ff01::1
tunv0           1      ff02::1
tunv0           1      ff01::1
The OpenVPN Status log:

Code:
OpenVPN CLIENT LIST
Updated,Wed Jun 13 19:11:13 2018
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
david,192.168.253.234:45945,11093,12156,Wed Jun 13 19:01:34 2018
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
82:91:6b:4a:88:34,david,192.168.253.234:45945,Wed Jun 13 19:01:36 2018
GLOBAL STATS
Max bcast/mcast queue length,1
END
I have attached two jpgs from wireshark

It seems that the connection is made and assigned 192.168.253.242 by OpenVPN, but there is no response to packets sent through the tap. I can ping this ip from the router. I think this is a routing problem, as the client shows a route for the tap, and the router shows routing for the NordVPN tunnel. The client can access the internet, but it is all between the router and the lDHCP lease ip, nothing through the tap. However when I try to add a route:

Code:
gatekeeper@gate:~$ sudo ip route add 192.168.253.0/24 via 0.0.0.0 dev tapl0
RTNETLINK answers: File exists
gatekeeper@gate:~$ sudo ip route show dev tapl0
gatekeeper@gate:~$
I have attached two snap-shots from wireshark.

Can anyone tell me how to remedy this? It would be greatly appreciated!

Dave
Attached Thumbnails
Click image for larger version

Name:	br1-noinet.jpg
Views:	6
Size:	270.6 KB
ID:	27893   Click image for larger version

Name:	tapl0.jpg
Views:	6
Size:	270.9 KB
ID:	27894  

Last edited by CrazyDavy; 06-13-2018 at 09:58 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] OpenVPN in bridge mode cutting access to web (Server with 3 NICs acting as router) Joaquim Almeida Linux - Networking 1 09-10-2012 12:12 AM
Error When converting Routing OpenVPN to bridge mode openvpn danmartinj Linux - Software 0 11-06-2009 09:23 AM
OpenVPN Bridge... Clients cant ping server or network ligerous Linux - Networking 1 05-24-2008 06:59 PM
Routing from OpenVPN server jjge Linux - Networking 1 08-29-2006 09:34 AM
[openvpn] routing at server side Zym0tiC Linux - Networking 2 10-06-2005 03:40 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 01:40 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration