Topic: Need HELP - OpenVPN in bridge mode

[smenard]

I am trying to setup a vpn bridge between 1 servers and 5 clients.  They are all in different subnets 192.168.10.0, 192.168.11.0... 192.168.15.0 I need to be able to see (ping or access) the machine from any of the subnets but I am unable to.  I think all I am missing are the routings and the firewall rules. Any help would be appreciated

This is the configuration I have:

Server
--------
port 1194
proto udp
dev tap0

# Drop down privileges
user nobody
group nobody
chroot /etc/openvpn

persist-key
persist-tun

# Certificates config
dh easy-rsa/keys/bridge/dh.pem
ca easy-rsa/keys/bridge/ca.crt
cert easy-rsa/keys/bridge/server.crt
key easy-rsa/keys/bridge/server.key

tls-server
tls-auth easy-rsa/keys/bridge/ta.key 0

# CRL file for certificates verification
crl-verify easy-rsa/keys/bridge/crl.pem

# Auth method options
# Plugin for user-auth as replacement of the script

# Server mode
server-bridge   192.168.101.3   255.255.255.0   192.168.101.95  192.168.101.96 192.168.101.97 192.168.101.98 192.168.101.99
192.168.101.100

# Options
keepalive 10 120
push "ping 10"
push "ping-restart 120"
push "dhcp-option DOMAIN mydomain.on.ca"
push "dhcp-option DNS 192.168.101.3"
push "dhcp-option WINS 192.168.101.3"
mtu-test
reneg-sec 3600
nice 0

# Clients options
client-config-dir ccd-bridge
ccd-exclusive
max-clients 20
comp-lzo

# Log
status-version 2
log-append /var/log/openvpn/server-bridge.log
status bridge-status.log
verb 3

Client 1
-------
client
rport 1194
proto udp
dev tap
nobind
remote 72.1.xxx.xxx
tls-client
tls-auth ta.key 1
tls-remote server
ns-cert-type server
ca ca.crt
cert csense.crt
key csense.key
mtu-test
pull
comp-lzo
verb 4

[smenard]

I can ping vpn server from client pc's that are connected to a remote server and also other pc's that are tied off the vpn server.  I can ping the remote server from the clients that are on the vpn server but cannot ping any of the workstations tied off the client server.

[Daniel B.]

I don't really understand your config file. Have you modified it manually?

the line

Code: [Select]

server-bridge 192.168.101.3 255.255.255.0 192.168.101.95 192.168.101.96 192.168.101.97 192.168.101.98 192.168.101.99
192.168.101.100 is totally wrong, it should be something like this:

Code: [Select]

server-bridge 192.168.101.3 255.255.255.0 192.168.101.95 192.168.101.100

an in this case 192.168.101.95 and 192.168.101.100 are the start and stop address you can configure in the panel, it defines an range of ip address

[smenard]

Sorry about that, yes I modified it manually.

route on the server
----------------------
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
216.x.x.x         0.0.0.0         255.255.255.192  U     0      0        0 eth1
192.168.50.0    0.0.0.0         255.255.255.0     U     0      0        0 br0
192.168.101.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         216.221.65.129  0.0.0.0              UG    0      0        0 eth1

route on the client
---------------------
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.50.0  *               255.255.255.0         U    0      0        0 tap0
192.168.101.0    *               255.255.255.0     U     0      0        0 tap0
192.168.10.0    *               255.255.255.0       U     0      0        0 eth1
default         192.168.10.254  0.0.0.0              UG    0      0        0 eth1

iptable rules on the server
------------------------------
iptables --insert OUTPUT 1 --source 0.0.0.0/0.0.0.0 --destination 192.168.50.0/24 --jump ACCEPT --out-interface 'br0'
iptables --insert INPUT 1 --source 192.168.50.0/24 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface 'br0'
iptables --insert FORWARD 1 --source 0.0.0.0/0.0.0.0 --destination 192.168.50.0/24 --jump ACCEPT --out-interface 'br0'
iptables --insert FORWARD 1 --source 192.168.50.0/24 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT
iptables --table nat --append POSTROUTING --out-interface 'br0' --jump MASQUERADE

iptable rules on the client
------------------------------
iptables --insert OUTPUT 1 --source 0.0.0.0/0.0.0.0 --destination 192.168.101.0/24 --jump ACCEPT --out-interface 'tap0'
iptables --insert INPUT 1 --source 192.168.101.0/24 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface 'tap0'
iptables --insert FORWARD 1 --source 0.0.0.0/0.0.0.0 --destination 192.168.101.0/24 --jump ACCEPT --out-interface 'tap0'
iptables --insert FORWARD 1 --source 192.168.101.0/24 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT
iptables --table nat --append POSTROUTING --out-interface 'tap0' --jump MASQUERADE

From the client I can ping all the machine on the servers subnet.

From the server I can't ping any machine on the clients except the one connected to the tunnel (192.168.50.1)

[Daniel B.]

It's absolutly normal:

- first, you shouldn't change the server-bridge.conf file manually (exept if you want to push additionnal routes, but I don't think you need to)
- second, you don't have to change the firewall configuration on the server, everything will be set correctly
- Third, the network behind the client is nated, so it's totally normal that the server cannot ping them. The server need to know the gateway for this network. So choose a fixed IP for your client, and add a local network (in the server-manager), setting the network ip and netmask, and the gateway will be the IP you've choosed for your client.

[smenard]

Thanks VIP-ire for all your help. Do you have a paypal account? I would be glad to pay you to solve my problem and to help on the dev. of this contrib.

While I was trying to get this working I fould this error in
/etc/e-smith/templates/etc/openvpn/server-bridge.conf/80clients

 if ($clientToClient eq '1') {

should be

 if ($clientToClient eq 'enabled'){

[Daniel B.]

Thanks VIP-ire for all your help. Do you have a paypal account? I would be glad to pay you to solve my problem and to help on the dev. of this contrib.

While I was trying to get this working I fould this error in
/etc/e-smith/templates/etc/openvpn/server-bridge.conf/80clients

 if ($clientToClient eq '1') {

should be

 if ($clientToClient eq 'enabled'){

Hi, thanks for the repport, I'll correct this in the next release. For a donatation, please, contact me by email daniel AT firewall-services DOT com.
Have you fixed your installation now?

[smenard]

Do you have any documentation that you can point me too. It's still not working for me. I am not sure what I am missing.

[TrevorB]

Do you have any documentation that you can point me too. It's still not working for me. I am not sure what I am missing.

Documentation: smeserver-openvpn-bridge-fws