OpenVPN Bridged

Hi all
I have installed OpenVPN as follows:

LAN --> VPNClient (1 NIC) --> Router (NAT) --> Internet --> VPNServer (2 NICs) --> LAN

The LAN is 192.168.40.0/24
The VPN server has x.x.x.x (public IP) and 192.168.40.60 (LAN IP)
The VPN client has 192.168.40.2 (LAN interface)
The router NATs to the address y.y.y.y

When I connect the client to the server I get the following logs on the server:
Code:
Jul 13 18:16:28 fortknox1 openvpn[1671]: OpenVPN 2.2.2 amd64-portbld-freebsd8.3 [SSL] [LZO2] [eurephia] built on Jul 13 2012
Jul 13 18:16:28 fortknox1 openvpn[1671]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Jul 13 18:16:28 fortknox1 openvpn[1671]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 13 18:16:28 fortknox1 openvpn[1671]: Diffie-Hellman initialized with 2048 bit key
Jul 13 18:16:28 fortknox1 openvpn[1671]: Control Channel Authentication: using '/usr/local/etc/openvpn/x.509/ta.key' as a OpenVPN static key file
Jul 13 18:16:28 fortknox1 openvpn[1671]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 13 18:16:28 fortknox1 openvpn[1671]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 13 18:16:28 fortknox1 openvpn[1671]: TLS-Auth MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Jul 13 18:16:28 fortknox1 openvpn[1671]: Socket Buffers: R=[42080->65536] S=[9216->65536]
Jul 13 18:16:28 fortknox1 openvpn[1671]: TUN/TAP device /dev/tap0 opened
Jul 13 18:16:28 fortknox1 openvpn[1671]: Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Jul 13 18:16:28 fortknox1 openvpn[1672]: GID set to nobody
Jul 13 18:16:28 fortknox1 openvpn[1672]: UID set to nobody
Jul 13 18:16:28 fortknox1 openvpn[1672]: UDPv4 link local (bound): [undef]:1194
Jul 13 18:16:28 fortknox1 openvpn[1672]: UDPv4 link remote: [undef]
Jul 13 18:16:28 fortknox1 openvpn[1672]: MULTI: multi_init called, r=256 v=256
Jul 13 18:16:28 fortknox1 openvpn[1672]: IFCONFIG POOL: base=192.168.40.2 size=8
Jul 13 18:16:28 fortknox1 openvpn[1672]: Initialization Sequence Completed
Jul 13 18:17:36 fortknox1 openvpn[1672]: MULTI: multi_create_instance called
Jul 13 18:17:36 fortknox1 openvpn[1672]: y.y.y.y:35907 Re-using SSL/TLS context
Jul 13 18:17:36 fortknox1 openvpn[1672]: y.y.y.y:35907 LZO compression initialized
Jul 13 18:17:36 fortknox1 openvpn[1672]: y.y.y.y:35907 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Jul 13 18:17:36 fortknox1 openvpn[1672]: y.y.y.y:35907 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Jul 13 18:17:36 fortknox1 openvpn[1672]: y.y.y.y:35907 Local Options hash (VER=V4): '360696c5'
Jul 13 18:17:36 fortknox1 openvpn[1672]: y.y.y.y:35907 Expected Remote Options hash (VER=V4): '13a273ba'
Jul 13 18:17:36 fortknox1 openvpn[1672]: y.y.y.y:35907 TLS: Initial packet from y.y.y.y:35907, sid=8684c990 215e9047
Jul 13 18:17:36 fortknox1 openvpn[1672]: y.y.y.y:35907 VERIFY OK: depth=1, /C=CH/ST=Switzerland/L=Location/O=Daniel/OU=Daniel/CN=Daniel-CA/name=Name/emailAddress=daniel@domain.com
Jul 13 18:17:36 fortknox1 openvpn[1672]: y.y.y.y:35907 VERIFY OK: depth=0, /C=CH/ST=Switzerland/L=Location/O=Daniel/OU=Daniel/CN=fortknox2.domain.com/name=Name/emailAddress=daniel@domain.com
Jul 13 18:17:36 fortknox1 openvpn[1672]: y.y.y.y:35907 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jul 13 18:17:36 fortknox1 openvpn[1672]: y.y.y.y:35907 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 13 18:17:36 fortknox1 openvpn[1672]: y.y.y.y:35907 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jul 13 18:17:36 fortknox1 openvpn[1672]: y.y.y.y:35907 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 13 18:17:36 fortknox1 openvpn[1672]: y.y.y.y:35907 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Jul 13 18:17:36 fortknox1 openvpn[1672]: y.y.y.y:35907 [fortknox2.domain.com] Peer Connection Initiated with y.y.y.y:35907
Jul 13 18:17:36 fortknox1 openvpn[1672]: fortknox2.domain.com/y.y.y.y:35907 OPTIONS IMPORT: reading client specific options from: ccd/fortknox2.domain.com
Jul 13 18:17:36 fortknox1 openvpn[1672]: fortknox2.domain.com/y.y.y.y:35907 Options error: Unrecognized option or missing parameter(s) in ccd/fortknox2.domain.com:1: 192.168.40.4 (2.2.2)
Jul 13 18:17:38 fortknox1 openvpn[1672]: fortknox2.domain.com/y.y.y.y:35907 PUSH: Received control message: 'PUSH_REQUEST'
Jul 13 18:17:38 fortknox1 openvpn[1672]: fortknox2.domain.com/y.y.y.y:35907 SENT CONTROL [fortknox2.domain.com]: 'PUSH_REPLY,dhcp-option DNS 192.168.40.10,dhcp-option DNS 192.168.40.40,route-gateway 192.168.40.60,ping 10,ping-restart 120,ifconfig 192.168.40.2 255.255.255.0' (status=1)
Jul 13 18:17:38 fortknox1 openvpn[1672]: fortknox2.domain.com/y.y.y.y:35907 MULTI: Learn: 00:bd:15:61:02:00 -> fortknox2.domain.com/y.y.y.y:35907

The Client gives the following logs:
Code:
Jul 13 18:18:06 fortknox2 openvpn[1148]: OpenVPN 2.2.2 amd64-portbld-freebsd8.3 [SSL] [LZO2] [eurephia] built on Jul 13 2012
Jul 13 18:18:06 fortknox2 openvpn[1148]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 13 18:18:07 fortknox2 openvpn[1148]: Control Channel Authentication: using '/usr/local/etc/openvpn/x.509/ta.key' as a OpenVPN static key file
Jul 13 18:18:07 fortknox2 openvpn[1148]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 13 18:18:07 fortknox2 openvpn[1148]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 13 18:18:07 fortknox2 openvpn[1148]: LZO compression initialized
Jul 13 18:18:07 fortknox2 openvpn[1148]: Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Jul 13 18:18:07 fortknox2 openvpn[1148]: Socket Buffers: R=[42080->65536] S=[9216->65536]
Jul 13 18:18:07 fortknox2 openvpn[1148]: Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Jul 13 18:18:07 fortknox2 openvpn[1148]: Local Options hash (VER=V4): '13a273ba'
Jul 13 18:18:07 fortknox2 openvpn[1148]: Expected Remote Options hash (VER=V4): '360696c5'
Jul 13 18:18:07 fortknox2 openvpn[1149]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Jul 13 18:18:07 fortknox2 openvpn[1149]: UDPv4 link local: [undef]
Jul 13 18:18:07 fortknox2 openvpn[1149]: UDPv4 link remote: x.x.x.x:1194
Jul 13 18:18:07 fortknox2 openvpn[1149]: TLS: Initial packet from x.x.x.x:1194, sid=3034f37f 85f99a5a
Jul 13 18:18:07 fortknox2 openvpn[1149]: VERIFY OK: depth=1, /C=CH/ST=Switzerland/L=Location/O=Daniel/OU=Daniel/CN=Daniel-CA/name=Name/emailAddress=daniel@domain.com
Jul 13 18:18:07 fortknox2 openvpn[1149]: VERIFY OK: nsCertType=SERVER
Jul 13 18:18:07 fortknox2 openvpn[1149]: VERIFY OK: depth=0, /C=CH/ST=Switzerland/L=Location/O=Daniel/OU=Daniel/CN=fortknox1.domain.com/name=Name/emailAddress=daniel@domain.com
Jul 13 18:18:08 fortknox2 openvpn[1149]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jul 13 18:18:08 fortknox2 openvpn[1149]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 13 18:18:08 fortknox2 openvpn[1149]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jul 13 18:18:08 fortknox2 openvpn[1149]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 13 18:18:08 fortknox2 openvpn[1149]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Jul 13 18:18:08 fortknox2 openvpn[1149]: [fortknox1.domain.com] Peer Connection Initiated with x.x.x.x:1194
Jul 13 18:18:10 fortknox2 openvpn[1149]: SENT CONTROL [fortknox1.domain.com]: 'PUSH_REQUEST' (status=1)
Jul 13 18:18:10 fortknox2 openvpn[1149]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.40.10,dhcp-option DNS 192.168.40.40,route-gateway 192.168.40.60,ping 10,ping-restart 120,ifconfig 192.168.40.2 255.255.255.0'
Jul 13 18:18:10 fortknox2 openvpn[1149]: OPTIONS IMPORT: timers and/or timeouts modified
Jul 13 18:18:10 fortknox2 openvpn[1149]: OPTIONS IMPORT: --ifconfig/up options modified
Jul 13 18:18:10 fortknox2 openvpn[1149]: OPTIONS IMPORT: route-related options modified
Jul 13 18:18:10 fortknox2 openvpn[1149]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jul 13 18:18:10 fortknox2 openvpn[1149]: WARNING: potential TUN/TAP adapter subnet conflict between local LAN [192.168.40.0/255.255.255.0] and remote VPN [192.168.40.0/255.255.255.0]
Jul 13 18:18:10 fortknox2 openvpn[1149]: TUN/TAP device /dev/tap0 opened
Jul 13 18:18:10 fortknox2 openvpn[1149]: /sbin/ifconfig tap0 192.168.40.2 netmask 255.255.255.0 mtu 1500 up
Jul 13 18:18:10 fortknox2 openvpn[1149]: GID set to nobody
Jul 13 18:18:10 fortknox2 openvpn[1149]: UID set to nobody
Jul 13 18:18:10 fortknox2 openvpn[1149]: Initialization Sequence Completed

I can't see any error, but I can't ping any device on the remote site. It doesn't work in either direction.
Thanks for any help.
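As an added example (not code from the original post), the Python script below runs the triage checks an engineer would apply to the logs above before touching the bridge: it flags the "Options error" for the ccd file (a bare address on line 1 where OpenVPN expects a directive such as ifconfig-push), the client-side subnet-conflict warning, the address pool and what the server pushed, and the crypto parameters this 2.2.2 build negotiated (BF-CBC, HMAC-SHA1, TLS 1.0 were defaults of that era; a current deployment would not use them). The sample log is a constructed subset of the lines quoted above with the same placeholder addresses; the rule names and severities are the example's own.

```python
"""Triage checks over OpenVPN 2.x log lines.
Added example, not code from the original post: strips the syslog prefix and
applies a small rule set to lines like the ones posted above."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    check: str
    severity: str  # "error", "warning" or "info"
    detail: str


# Constructed sample: a subset of the server and client log lines from the
# post, with the same placeholder addresses (x.x.x.x / y.y.y.y) as the post.
SAMPLE_LOG = """\
Jul 13 18:16:28 fortknox1 openvpn[1672]: IFCONFIG POOL: base=192.168.40.2 size=8
Jul 13 18:17:36 fortknox1 openvpn[1672]: y.y.y.y:35907 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jul 13 18:17:36 fortknox1 openvpn[1672]: y.y.y.y:35907 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 13 18:17:36 fortknox1 openvpn[1672]: y.y.y.y:35907 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jul 13 18:17:36 fortknox1 openvpn[1672]: y.y.y.y:35907 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Jul 13 18:17:36 fortknox1 openvpn[1672]: fortknox2.domain.com/y.y.y.y:35907 Options error: Unrecognized option or missing parameter(s) in ccd/fortknox2.domain.com:1: 192.168.40.4 (2.2.2)
Jul 13 18:17:38 fortknox1 openvpn[1672]: fortknox2.domain.com/y.y.y.y:35907 SENT CONTROL [fortknox2.domain.com]: 'PUSH_REPLY,dhcp-option DNS 192.168.40.10,route-gateway 192.168.40.60,ifconfig 192.168.40.2 255.255.255.0' (status=1)
Jul 13 18:18:10 fortknox2 openvpn[1149]: WARNING: potential TUN/TAP adapter subnet conflict between local LAN [192.168.40.0/255.255.255.0] and remote VPN [192.168.40.0/255.255.255.0]
"""

# "Jul 13 18:16:28 fortknox1 openvpn[1671]: " -> removed before matching
SYSLOG_PREFIX = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ openvpn\[\d+\]: ")

# (check, severity, pattern, detail formatter). The ccd error and the subnet
# warning patterns are taken from the wording in the posted logs.
RULES = [
    ("ccd-parse-error", "error",
     re.compile(r"Options error: .* in (ccd/[^:\s]+):(\d+): (\S+)"),
     lambda m: (f"{m.group(1)} line {m.group(2)}: {m.group(3)!r} is not an OpenVPN "
                f"directive; a fixed client address is assigned with 'ifconfig-push'")),
    ("subnet-conflict", "warning",
     re.compile(r"subnet conflict between local LAN \[([^\]]+)\] and remote VPN \[([^\]]+)\]"),
     lambda m: f"client LAN {m.group(1)} overlaps the pushed VPN subnet {m.group(2)}"),
    ("small-block-cipher", "warning",
     re.compile(r"Cipher '(BF-CBC|DES-CBC|DES-EDE3-CBC|CAST5-CBC)' initialized with (\d+) bit key"),
     lambda m: (f"data channel uses {m.group(1)} ({m.group(2)}-bit key): a 64-bit block "
                f"cipher, exposed to birthday-bound attacks on long-lived tunnels (SWEET32)")),
    ("legacy-hmac", "info",
     re.compile(r"message hash 'SHA1' for HMAC"),
     lambda m: "HMAC uses SHA1; 'auth SHA256' is the stronger choice"),
    ("legacy-tls", "info",
     re.compile(r"Control Channel: TLSv1,"),
     lambda m: "control channel negotiated TLS 1.0"),
    ("address-pool", "info",
     re.compile(r"IFCONFIG POOL: base=(\S+) size=(\d+)"),
     lambda m: f"server hands out {m.group(2)} addresses starting at {m.group(1)}"),
    ("pushed-ifconfig", "info",
     re.compile(r"PUSH_REPLY,[^']*?ifconfig (\d[\d.]*) (\d[\d.]*)"),
     lambda m: f"server pushes ifconfig {m.group(1)} {m.group(2)} to the client"),
]


def triage(log_text: str) -> List[Finding]:
    """Return deduplicated findings, errors first, then in order of first appearance."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        msg = SYSLOG_PREFIX.sub("", line)
        for check, severity, pattern, fmt in RULES:
            m = pattern.search(msg)
            if m:
                f = Finding(check, severity, fmt(m))
                if f not in findings:  # Encrypt and Decrypt both log the cipher
                    findings.append(f)
    rank = {"error": 0, "warning": 1, "info": 2}
    return sorted(findings, key=lambda f: rank[f.severity])  # stable sort


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:7}] {f.check}: {f.detail}")
```

Pipe a real server log through triage() and the single "error" finding is the first thing printed; the cipher findings are informational for a 2012 build but would be the first thing to fix on anything still running this way.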
 
What does your /etc/rc.conf look like and what is the output of `ifconfig`?

That said, if you've properly bridged the tap0 interface with your NIC, do you see any difference if you issue the following command once the OpenVPN server has started?
Code:
# ifconfig tap0 up

I remember reading a post a while back stating that OpenVPN does not bring UP the tap interface after it creates it. So setting:
Code:
net.link.tap.up_on_open=1
net.link.tap.user_open=1

can get around the issue.

-jmj
 
On the server:
rc.conf:
Code:
defaultrouter="a.a.a.a"
hostname="fortknox1.domain.com"
ifconfig_em0="inet x.x.x.x netmask 255.255.255.240"
ifconfig_em1="up"
cloned_interfaces="bridge0"
autobridge_interfaces="bridge0"
autobridge_bridge0="em1"
ifconfig_bridge0="inet 192.168.40.60 netmask 255.255.255.0 up"
keymap="swissgerman.iso.acc"

# Deny startup
syslogd_flags="-ss"

# Allow startup
sshd_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
gateway_enable="YES"
natd_enable="YES"
natd_interface="em0"
natd_flags="-f /etc/natd.conf"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
openvpn_if="tap bridge"
openvpn_flags="--script-security 2"

Code:
# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:0c:29:55:aa:56
inet a.a.a.a netmask 0xfffffff0 broadcast b.b.b.b
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:0c:29:55:aa:60
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 02:bf:50:47:3a:00
inet 192.168.40.60 netmask 0xffffff00 broadcast 192.168.40.255
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 2 priority 128 path cost 20000
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
ether 00:bd:e6:03:00:00
Opened by PID 1003

On the client:
rc.conf:
Code:
defaultrouter="192.168.40.1"
hostname="fortknox2.domain.com"
ifconfig_em0="inet 192.168.40.22 netmask 255.255.255.0"
ifconfig_em1="up"
autobridge_interfaces="bridge0"
autobridge_bridge0="em1"
keymap="swissgerman.iso.acc"

# Deny startup
syslogd_flags="-ss"

# Allow startup
sshd_enable="YES"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
openvpn_if="tap bridge"
openvpn_flags="--script-security 2"

Code:
# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:0c:29:d1:64:0e
inet 192.168.40.22 netmask 0xffffff00 broadcast 192.168.40.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:0c:29:d1:64:18
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
ether 00:bd:b2:0d:00:00
inet 192.168.40.2 netmask 0xffffff00 broadcast 192.168.40.255
Opened by PID 683
 
Maybe the following change to your server rc.conf might help:
Code:
autobridge_bridge0="tap* em1"

I'm not sure it will solve your problem, but you'll probably want that anyway. If you have a firewall, you might need the following in your sysctl.conf to prevent filtering on bridge members:
Code:
net.link.bridge.pfil_member=0
 
I changed it, but it's still the same: I can't ping the other side.
I have tried autobridge_bridge0="tap* em1" on the server, on the client and on both, with no luck.
Shouldn't the tap interface on the server have an IP address?
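Added example, not code posted in the thread: a Python check that parses ifconfig(8) dumps like the ones above and reports what breaks a bridged tap setup. Run over the posted server dump it shows bridge0 with em1 as its only member and tap0 outside the bridge, which is what the autobridge_bridge0="tap* em1" suggestion addresses. Run over the posted client dump it shows no bridge interface at all (the client rc.conf does not list bridge0 in cloned_interfaces, and the client ifconfig shows no bridge0) and two interfaces, em0 and tap0, holding addresses in 192.168.40.0/24. In a bridged setup the LAN address belongs on the bridge interface and a member tap carries none, so the check also flags members that have their own address, and a tap that is not UP (the case the net.link.tap.up_on_open sysctl above covers). The sample dumps are constructed subsets of the posted output; the third dump is a hypothetical corrected server state made up for the example.

```python
"""Bridge sanity check over FreeBSD ifconfig(8) output for an OpenVPN tap setup.
Added example, not code from the thread: parses dumps like the ones posted
above and reports what breaks a bridged tap configuration."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed subsets of the server and client dumps posted above (ether,
# media and lo0 lines dropped). FIXED_SERVER is a hypothetical corrected
# server state, not something posted in the thread.
SERVER_IFCONFIG = """\
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
inet 192.168.40.60 netmask 0xffffff00 broadcast 192.168.40.255
member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
"""
CLIENT_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
inet 192.168.40.22 netmask 0xffffff00 broadcast 192.168.40.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
inet 192.168.40.2 netmask 0xffffff00 broadcast 192.168.40.255
"""
FIXED_SERVER = """\
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
inet 192.168.40.60 netmask 0xffffff00 broadcast 192.168.40.255
member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
"""

HEADER = re.compile(r"^([A-Za-z]+\d+): flags=[0-9a-f]+<([^>]*)>")  # column 0 only
INET = re.compile(r"^\s*inet (\d+\.\d+\.\d+\.\d+) netmask (0x[0-9a-fA-F]+)")
MEMBER = re.compile(r"^\s*member: (\S+) flags=")


@dataclass
class Iface:
    flags: List[str] = field(default_factory=list)
    inet: List[ipaddress.IPv4Interface] = field(default_factory=list)
    members: List[str] = field(default_factory=list)  # only set on bridges


def parse_ifconfig(text: str) -> Dict[str, Iface]:
    """Group each detail line under the interface header that precedes it."""
    ifaces: Dict[str, Iface] = {}
    cur = None
    for line in text.splitlines():
        if (m := HEADER.match(line)):
            cur = ifaces.setdefault(m.group(1), Iface(flags=m.group(2).split(",")))
        elif cur is None:
            continue
        elif (m := INET.match(line)):
            mask = ipaddress.IPv4Address(int(m.group(2), 16))  # 0xffffff00 -> 255.255.255.0
            cur.inet.append(ipaddress.IPv4Interface(f"{m.group(1)}/{mask}"))
        elif (m := MEMBER.match(line)):
            cur.members.append(m.group(1))
    return ifaces


def bridge_issues(ifaces: Dict[str, Iface]) -> List[str]:
    """Return human-readable problems; an empty list means the bridge looks sane."""
    issues: List[str] = []
    bridges = {n: i for n, i in ifaces.items() if n.startswith("bridge")}
    member_of = {m: b for b, i in bridges.items() for m in i.members}
    for name, iface in ifaces.items():
        if not name.startswith("tap"):
            continue
        if name not in member_of:
            issues.append(f"{name} is not a member of any bridge "
                          f"(bridges present: {sorted(bridges) or 'none'})")
        if "UP" not in iface.flags:
            issues.append(f"{name} is not UP (see net.link.tap.up_on_open)")
    for name, br in bridges.items():
        if not br.inet:
            issues.append(f"{name} carries no address; in a bridged setup the LAN "
                          f"address belongs on the bridge, not on its members")
        for m in br.members:
            if m in ifaces and ifaces[m].inet:
                issues.append(f"{m} is a member of {name} but has its own address {ifaces[m].inet[0]}")
    # Two interfaces with addresses in one subnet: replies leave via only one of them.
    by_net: Dict[ipaddress.IPv4Network, set] = {}
    for name, iface in ifaces.items():
        for addr in iface.inet:
            by_net.setdefault(addr.network, set()).add(name)
    for net, names in by_net.items():
        if len(names) > 1:
            issues.append(f"{', '.join(sorted(names))} all hold addresses in {net}")
    return issues


if __name__ == "__main__":
    for label, dump in (("server", SERVER_IFCONFIG), ("client", CLIENT_IFCONFIG), ("fixed", FIXED_SERVER)):
        print(label, bridge_issues(parse_ifconfig(dump)) or "OK")
```

On a live box, feed it `ifconfig` output via a pipe; the header regex only matches at column 0, which is where ifconfig(8) prints interface names, so indented detail lines such as "Opened by PID" are ignored.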
 