Bridged OpenVPN not working on FreeBSD 9.1

Hi all,

We are having problems getting bridged OpenVPN to work on FreeBSD 9.1. We used to run bridged mode OpenVPN on a FreeBSD 5.4 machine and everything was fine, but the machine died recently, and now we are trying to install bridged OpenVPN on FreeBSD 9.1 (32 bit).

OpenVPN was able to start, and the client was able to connect to the server. But the client cannot ping anything in the server network, including the OpenVPN server itself. We suspect it is the bridging in FreeBSD that is causing the problem. Here is how we installed OpenVPN bridged mode on the FreeBSD 9.1 machine.

  1. We rebuilt and reinstalled the kernel to include these:
    Code:
    device          if_bridge
    device          tap
    (options BRIDGE - which we used on the FreeBSD 5.4 machine - seems to have been deprecated in FreeBSD 9)
  2. In /etc/rc.conf
    Code:
    gateway_enable="YES"
    openvpn_enable="YES"
    openvpn_configfile="/usr/local/etc/openvpn/bridgedvpn/bridgedserver.conf"
    openvpn_dir="/usr/local/etc/openvpn"
    Later, we added these as well:
    Code:
    cloned_interfaces="bridge0"
    ifconfig_bridge0="addm bge0 addm tap0 up"
    but still it didn't work
  3. In /etc/sysctl.conf
    Code:
    net.link.ether.bridge.enable=1
     (probably redundant since we have gateway_enable in rc.conf)
    net.link.ether.bridge.config=bge0,tap0
  4. We copied the openvpn folder containing the keys, certifications, and configuration files from the old server. When we copied them to a FreeBSD 6.2 machine with OpenVPN 2.2.0, we were able to get bridged OpenVPN working. But it didn't work on the FreeBSD 9.1 machine with OpenVPN 2.3.2. I don't think there is any problem with the OpenVPN configuration files.

Is this a FreeBSD 9.2 bridging issue? Is there something we had missed in our setup? Or is it an OpenVPN 2.3.2 problem?

These are the last few lines of a client connection to the server in the log file (IP changed):
Code:
Jul 30 13:49:24 fxtemp03 openvpn[1467]: 74.102.175.251:51069 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jul 30 13:49:24 fxtemp03 openvpn[1467]: 74.102.175.251:51069 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 30 13:49:25 fxtemp03 openvpn[1467]: 74.102.175.251:51069 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Jul 30 13:49:25 fxtemp03 openvpn[1467]: 74.102.175.251:51069 [brdgedclient80] Peer Connection Initiated with [AF_INET]74.102.175.251:51069
Jul 30 13:49:25 fxtemp03 openvpn[1467]: MULTI: new connection by client 'brdgedclient80' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Jul 30 13:49:25 fxtemp03 openvpn[1467]: MULTI_sva: pool returned IPv4=192.168.5.166, IPv6=(Not enabled)
Jul 30 13:49:26 fxtemp03 openvpn[1467]: brdgedclient80/74.102.175.251:51069 PUSH: Received control message: 'PUSH_REQUEST'
Jul 30 13:49:26 fxtemp03 openvpn[1467]: brdgedclient80/74.102.175.251:51069 send_push_reply(): safe_cap=940
Jul 30 13:49:26 fxtemp03 openvpn[1467]: brdgedclient80/74.102.175.251:51069 SENT CONTROL [brdgedclient80]: 'PUSH_REPLY,route 192.168.6.0 255.255.255.0,route 192.168.11.0 255.255.255.0,route 192.168.3.0 255.255.255.0,route 192.168.21.0 255.255.255.0,route 192.168.7.0 255.255.255.0,route 192.168.9.0 255.255.255.0,route-gateway 192.168.5.46,ping 10,ping-restart 120,ifconfig 192.168.5.166 255.255.255.0' (status=1)
Jul 30 13:49:27 fxtemp03 openvpn[1467]: brdgedclient80/74.102.175.251:51069 MULTI: Learn: 00:ff:6e:ed:10:cd -> brdgedclient80/74.102.175.251:51069

In /etc/rc.conf, we also added
Code:
openvpn_if = "tap"
(and later we tried openvpn_if = "tap bridge")

Note that on our old FreeBSD 5.4 machine and FreeBSD 6.2 machine, we didn't have to add

Code:
cloned_interfaces="bridge0"
ifconfig_bridge0="addm bge0 addm tap0 up"
to /etc/rc.conf - and bridged Openvpn worked fine.

Thank you.
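An added diagnostic that is not part of the original post: a small sh script that parses `ifconfig bridgeN` output and reports which expected members (for the setup above, bge0 and tap0) are not actually enrolled in the bridge. It is worth running after a client has connected, because `ifconfig_bridge0="addm bge0 addm tap0 up"` is applied by netif at boot, and `addm tap0` fails silently from the user's point of view if OpenVPN has not yet created tap0 at that moment. The sample ifconfig text is constructed, not captured from the poster's machine.

```shell
#!/bin/sh
# Added example: check which expected interfaces are actually members of a
# FreeBSD if_bridge by parsing `ifconfig bridgeN` output.

# Constructed sample of `ifconfig bridge0` output: only bge0 was enrolled,
# tap0 is absent (the symptom to look for in the setup above).
SAMPLE_BRIDGE='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:ab:cd:ef:00:00
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: bge0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000'

# bridge_members: read ifconfig output on stdin, print one member name per line
bridge_members() {
    awk '/^[[:space:]]*member: / { print $2 }'
}

# is_member NAME: succeed if NAME is listed as a member in the ifconfig text on stdin
is_member() {
    awk -v want="$1" '/^[[:space:]]*member: / && $2 == want { found = 1 } END { exit !found }'
}

# missing_members NAME...: read ifconfig text on stdin, print each expected
# member that is not enrolled; succeed only if nothing is missing
missing_members() {
    text=$(cat)
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$text" | is_member "$want"; then
            echo "$want"
            rc=1
        fi
    done
    return $rc
}

# check_sample: run the check against the constructed sample; prints the
# missing member list, which for this sample is just "tap0"
check_sample() {
    printf '%s\n' "$SAMPLE_BRIDGE" | missing_members bge0 tap0
}
```

On a live machine, source the script and run `ifconfig bridge0 | missing_members bge0 tap0`; a non-empty result names the member that never made it into the bridge.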
 
Hi,

I came across exactly the same issue. I didn't understand what the Chinese blog was talking about, though I found some mistakes in my configuration. Can you please point out where exactly your mistake was? What have you changed to make it work?
 
Keep in mind the original post is from July last year and the poster hasn't posted anything since. You may not get a reply.
 
I have a working configuration to forward several Cisco VoIP phones from branches to the central office.

Server part:

openvpn.conf:
Code:
float
daemon
dev tap
proto udp
mode server

port 61194
local 172.25.111.126

server-bridge nogw

comp-lzo
persist-key
persist-tun
reneg-sec 0
duplicate-cn
tls-timeout 90
hand-window 120
keepalive 30 300
client-to-client
script-security 2

username-as-common-name
client-cert-not-required
plugin /opt/openvpn/lib/openvpn-auth-pam.so login

tls-server
ca /etc/opt/openvpn/bridge/server/ca-crt.pem
key /etc/opt/openvpn/bridge/server/server-key.pem
cert /etc/opt/openvpn/bridge/server/server-crt.pem

dh /etc/opt/openvpn/bridge/server/dh-key.pem
tls-auth /etc/opt/openvpn/bridge/server/ta-key.pem 0


up /etc/opt/openvpn/bridge/server/openvpn.sh
down /etc/opt/openvpn/bridge/server/openvpn.sh
client-connect /etc/opt/openvpn/bridge/server/openvpn.sh
client-disconnect /etc/opt/openvpn/bridge/server/openvpn.sh
 
verb 1
mute 10
status-version 2 
log /var/opt/openvpn/bridge-server.log
writepid /var/opt/openvpn/bridge-server.pid
status /var/opt/openvpn/bridge-server.stat 60
log-append /var/opt/openvpn/bridge-server.log

tmp-dir /var/opt/openvpn

auth-pam:
Code:
username-as-common-name
client-cert-not-required
plugin /opt/openvpn/lib/openvpn/plugins/openvpn-plugin-auth-pam.so login

openvpn.sh:
Code:
#!/bin/sh
# OpenVPN up/down hook (server side): enrol the LAN-facing VLAN interface in
# the bridge when the tap comes up, remove it and destroy the bridge on down.
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin"

# hooks have no useful stdout/stderr; silence them
exec 1>/dev/null 2>&1

# $dev and $script_type are exported to the hook by OpenVPN
TAP=$dev
NIC=vlan21
BIF=bridge0

case "$script_type" in
	up)
		# create the bridge only if it does not exist yet
		ifconfig "$BIF" || ifconfig "$BIF" create
		# add the NIC as a member unless it already is one
		# (note: as posted, the tap device $TAP itself is not enrolled here)
		ifconfig "$BIF" | awk '/member: / { print $2 }' | grep -w "$NIC" || ifconfig "$BIF" addm "$NIC" up
	;;
	down)
		# remove the NIC if it is a member, then tear the bridge down
		ifconfig "$BIF" | awk '/member: / { print $2 }' | grep -w "$NIC" && ifconfig "$BIF" deletem "$NIC"
		ifconfig "$BIF" && ifconfig "$BIF" destroy
	;;
esac

Client side part:

openvpn.conf:
Code:
float
client
daemon
dev tap
proto udp

nobind
comp-lzo
persist-key
persist-tun
reneg-sec 0
tls-timeout 90
hand-window 120
keepalive 30 300
script-security 2
mute-replay-warnings

remote-random
resolv-retry infinite

remote 111.222.333.444 61194

up /etc/opt/openvpn/bridge/client/openvpn.sh
down /etc/opt/openvpn/bridge/client/openvpn.sh

ca /etc/opt/openvpn/bridge/client/ca-crt.pem
tls-auth /etc/opt/openvpn/bridge/client/ta-key.pem 1
auth-user-pass /etc/opt/openvpn/bridge/client/openvpn.pwd

verb 3
mute 10
status-version 2 
log /var/opt/openvpn/bridge-client.log
writepid /var/opt/openvpn/bridge-client.pid
status /var/opt/openvpn/bridge-client.stat 60
log-append /var/opt/openvpn/bridge-client.log

openvpn.sh:
Code:
#!/bin/sh
# OpenVPN up/down hook (client side): bring the tap up and bridge it with the
# local NIC so the branch LAN is switched onto the tunnel; undo on down.
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin"

# hooks have no useful stdout/stderr; silence them
exec 1>/dev/null 2>&1

# $dev and $script_type are exported to the hook by OpenVPN
TAP=$dev
NIC=ext1
BIF=bridge0

case "$script_type" in
	up)
		ifconfig "$TAP" up
		# create the bridge only if it does not exist yet
		ifconfig "$BIF" || ifconfig "$BIF" create
		# add the NIC and the tap as members unless they already are
		ifconfig "$BIF" | awk '/member: / { print $2 }' | grep -w "$NIC" || ifconfig "$BIF" addm "$NIC" up
		ifconfig "$BIF" | awk '/member: / { print $2 }' | grep -w "$TAP" || ifconfig "$BIF" addm "$TAP" up
	;;
	down)
		# remove both members if present, then destroy bridge and tap
		ifconfig "$BIF" | awk '/member: / { print $2 }' | grep -w "$TAP" && ifconfig "$BIF" deletem "$TAP"
		ifconfig "$BIF" | awk '/member: / { print $2 }' | grep -w "$NIC" && ifconfig "$BIF" deletem "$NIC"
		ifconfig "$BIF" && ifconfig "$BIF" destroy
		ifconfig "$TAP" destroy
	;;
esac

openvpn.pwd:
Code:
ClientName
ClientPassword
 
Varda, thanks a lot, but I'm talking about bridge for users, not between offices.

You have
Code:
dev tap
while I'm supposed to have
Code:
dev tap0
in my configuration and this is not the only one difference. But your willingness to help is highly appreciated.
 
Sorry, I do not understand you exactly, but just for explanation: I think there is no difference in how many clients/users will connect to the server. In the mentioned configuration the TAP device is allocated automatically, and users are authorized against the passwd database by the plugin. The script running at interface up adds the new member to the bridge automatically. So there is a kind of ethernet switch for users. I can see broadcasts, DHCP address assignment performed, pings passed. Just populate the client config to 2-3 points with different names/passwords and try how it will work.
 