please help with OpenVPN

gnoma · Jan 16, 2011

Hi all, I have a problem with OpenVPN, this is the case:

Code:

workstation--------------------------------Openvpn--------------------private network
(somwhere in internet) (real IP in internet)-|-(NIC in the private network)

The OpenVPN Server is not the gateway, not a router, not a dhcp server. It just have IP in internet and another NIC in the private network.
What I need to do is when a client connect the private network it get IP from that private network (192.168.10.x) and can comunicate with all hosts in that network.
Goodle and openvpn manuals says that I need to do it with TAP device and bridge it with the
NIC witch is in the private network, do not assign IP to the NIC and to the TAP interface, assign IP only to the bridge.
That's basicly what I did:

sis0 is the IF in the private, re1 is the IF in internet.

Code:

vpn# ifconfig
sis0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80008<VLAN_MTU,LINKSTATE>
        ether 00:d0:09:c6:91:a3
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether e0:8f:ec:00:6e:1a
        inet 92.247.11.110 netmask 0xffffffe0 broadcast 92.247.11.127
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 66:f2:52:cc:cc:5c
        inet 192.168.10.8 netmask 0xffffff00 broadcast 192.168.10.255
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 7 priority 128 path cost 2000000
        member: sis0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 200000

tap0: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether 00:bd:b7:fa:04:00
        Opened by PID 1966
vpn#
vpn#

My openvpn conf is is:

Code:

vpn# cat /usr/local/etc/openvpn/openvpn.conf
port 1194

# TCP or UDP server?
proto tcp
;proto udp

dev tap
;dev tun

ca /usr/local/etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /usr/local/etc/openvpn/easy-rsa/2.0/keys/vpn.deltanews.bg.crt
key /usr/local/etc/openvpn/easy-rsa/2.0/keys/vpn.deltanews.bg.key  # This file should be kept secret

dh /usr/local/etc/openvpn/easy-rsa/2.0/keys/dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
;server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface.  Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0.  Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients.  Leave this line commented
# out unless you are ethernet bridging.
server-bridge 192.168.10.8  255.255.255.0 192.168.10.70 192.168.10.80

push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

;client-config-dir ccd

;route 192.168.40.128 255.255.255.248
;route 10.9.0.0 255.255.255.252

;learn-address ./script


;push "redirect-gateway"

;push "dhcp-option DNS 92.247.11.105"
;push "dhcp-option WINS 10.8.0.1"

client-to-client

;duplicate-cn

keepalive 10 120
;tls-auth ta.key 0 # This file is secret

;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

;max-clients 100

;user nobody
;group nobody

persist-key
persist-tun

status openvpn-status.log

;log         openvpn.log
;log-append  openvpn.log

verb 3

;mute 20

vpn#

And when I try to connect... here's the output from the client:

Code:

---------------cuted some stuff-----------------------------------------
Sun Jan 16 14:25:28 2011 TAP-Win32 Driver Version 8.4 
Sun Jan 16 14:25:28 2011 TAP-Win32 MTU=1500
Sun Jan 16 14:25:28 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.10.70/255.255.255.0 on interface {4EE5A079-951F-4580-
BA1B-27EEBF3455A7} [DHCP-serv: 192.168.10.0, lease-time: 31536000]
Sun Jan 16 14:25:28 2011 Successful ARP Flush on interface [131075] {4EE5A079-951F-4580-BA1B-27EEBF3455A7}
Sun Jan 16 14:25:28 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sun Jan 16 14:25:28 2011 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 16 14:25:29 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sun Jan 16 14:25:29 2011 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 16 14:25:30 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sun Jan 16 14:25:30 2011 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 16 14:25:31 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sun Jan 16 14:25:31 2011 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 16 14:25:32 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sun Jan 16 14:25:32 2011 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 16 14:25:33 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sun Jan 16 14:25:33 2011 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 16 14:25:34 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sun Jan 16 14:25:34 2011 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 16 14:25:35 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sun Jan 16 14:25:35 2011 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 16 14:25:36 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sun Jan 16 14:25:36 2011 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 16 14:25:38 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sun Jan 16 14:25:38 2011 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 16 14:25:39 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sun Jan 16 14:25:45 2011 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 16 14:25:46 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sun Jan 16 14:25:46 2011 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 16 14:25:47 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sun Jan 16 14:25:47 2011 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 16 14:25:48 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sun Jan 16 14:25:48 2011 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 16 14:25:49 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sun Jan 16 14:25:49 2011 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 16 14:25:50 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sun Jan 16 14:25:50 2011 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 16 14:25:51 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sun Jan 16 14:25:51 2011 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 16 14:25:52 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sun Jan 16 14:25:52 2011 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 16 14:25:53 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sun Jan 16 14:25:53 2011 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 16 14:25:54 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sun Jan 16 14:25:54 2011 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 16 14:25:55 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sun Jan 16 14:25:55 2011 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 16 14:25:56 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sun Jan 16 14:25:56 2011 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 16 14:25:57 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sun Jan 16 14:25:57 2011 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 16 14:25:57 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Sun Jan 16 14:25:57 2011 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )

Just for a second it blink the IP I shoud get on the local network - 192.168.10.70
and then it's gone.

When I try to do it without bridge with virtual network, it's working perfectly fine, the client gets IP 10.8.0.2 255.255.255.0 and it can ping the server at 10.8.0.01 255.255.255.0, but I need the client to can access all hosts in 192.168.10.x, not just the VPN server.

Any ideas, suggestions or any kind of help?
Thank you.

acleworth · Jan 17, 2011

Don't assign an IP to the bridge, assign it to your internal interface.

gnoma · Jan 18, 2011

Thank you acleworth, but it didn't solve the problem, it is still the same.

Server's ifconfig:

Code:

vpn# ifconfig
sis0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80008<VLAN_MTU,LINKSTATE>
        ether 00:d0:09:c6:91:a3
        inet 192.168.10.8 netmask 0xffffff00 broadcast 192.168.10.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether e0:8f:ec:00:6e:1a
        inet 92.247.11.110 netmask 0xffffffe0 broadcast 92.247.11.127
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
tap0: flags=8942<BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether 00:bd:d8:32:00:00
        Opened by PID 3641
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 4e:63:eb:78:ef:8a
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 7 priority 128 path cost 55
        member: sis0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 200000
vpn#

And the client trying to connect:

Code:

Tue Jan 18 10:23:51 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jan 18 10:23:51 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 18 10:23:51 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jan 18 10:23:51 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 18 10:23:51 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Jan 18 10:23:51 2011 [vpn.deltanews.bg] Peer Connection Initiated with 92.247.11.110:1194
Tue Jan 18 10:23:53 2011 SENT CONTROL [vpn.deltanews.bg]: 'PUSH_REQUEST' (status=1)
Tue Jan 18 10:23:53 2011 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 92.247.11.105,route-gateway 192.168.10.8,ping 10,ping-
restart 120,ifconfig 192.168.10.70 255.255.255.0'
Tue Jan 18 10:23:53 2011 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jan 18 10:23:53 2011 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jan 18 10:23:53 2011 OPTIONS IMPORT: route options modified
Tue Jan 18 10:23:53 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Jan 18 10:23:53 2011 TAP-Win32 Driver Version 8.4 
Tue Jan 18 10:23:53 2011 TAP-Win32 MTU=1500
Tue Jan 18 10:23:53 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.10.70/255.255.255.0 on interface {4EE5A079-951F-4580-
BA1B-27EEBF3455A7} [DHCP-serv: 192.168.10.0, lease-time: 31536000]
Tue Jan 18 10:23:53 2011 Successful ARP Flush on interface [131075] {4EE5A079-951F-4580-BA1B-27EEBF3455A7}
Tue Jan 18 10:23:53 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:23:53 2011 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 18 10:23:54 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:23:54 2011 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 18 10:23:55 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:23:55 2011 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 18 10:23:56 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:23:56 2011 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 18 10:23:57 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:23:57 2011 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 18 10:23:57 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:23:57 2011 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 18 10:23:59 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:23:59 2011 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 18 10:24:00 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:24:00 2011 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 18 10:24:00 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:24:00 2011 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 18 10:24:02 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:24:02 2011 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 18 10:24:03 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:24:03 2011 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 18 10:24:04 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:24:04 2011 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 18 10:24:04 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:24:04 2011 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 18 10:24:06 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:24:06 2011 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 18 10:24:07 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:24:07 2011 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 18 10:24:09 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:24:09 2011 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 18 10:24:10 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:24:10 2011 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 18 10:24:11 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:24:11 2011 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 18 10:24:12 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:24:12 2011 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 18 10:24:13 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:24:13 2011 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 18 10:24:14 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:24:14 2011 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 18 10:24:15 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:24:15 2011 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 18 10:24:16 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:24:16 2011 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 18 10:24:17 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:24:17 2011 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 18 10:24:19 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:24:19 2011 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 18 10:24:20 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:24:20 2011 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 18 10:24:22 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Jan 18 10:24:22 2011 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )

and the client still don't have IP and subnet mask from the ineternal network, when I try to set manualy static IP, I can't ping anything on the network and on the network nothing can't ping that IP 192.168.10.70

please help with OpenVPN

gnoma

acleworth

gnoma