OpenVPN bridge. Can't access machines on local network
Solution 1
Is the OpenVPN server a VMware virtual machine on an ESX/ESXi/vSphere server?
If yes, you may need to enable promiscuous mode on the vSwitch.
The problem is that the VMware ESX virtual switch will not "learn" new MAC addresses by default; it just accepts the VM's own MAC address and nothing more.
In bridge mode the client's TAP MAC address is used on the OpenVPN server's network, and if the vSwitch is not set up correctly it will never work (tcpdump will show the ARP request, but no ARP reply, for the VPN requests on the eth0 network). Until tcpdump shows the ARP replies arriving for the VPN requests, the VMware vSwitch is still not correctly set up (on some setups, promiscuous mode needs to be enabled in two places).
Switch promiscuous mode on by following this URL
Finally, OpenVPN bridge mode does NOT require ip_forward to be enabled. A correctly set up bridged OpenVPN requires a Linux bridge (say br0) with eth0 and tap0. BOTH are required to be in promiscuous mode (usually eth0 is set up in the machine's network configuration and tap0 in the up.sh script). If set up like this, the VPN packets are simply bridged and Linux ip_forward is never called.
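The bridge bring-up and the tcpdump check that this answer describes, as an added example (it is not part of the answer and not one of OpenVPN's own scripts). It assumes the names from the question (br0, eth0, tap0, the server address 192.168.2.201/24 and the LAN gateway 192.168.2.1) and uses iproute2 commands; the tcpdump lines at the bottom are a constructed sample, not a real capture.

```shell
#!/bin/sh
# Added example (not from the answer or the OpenVPN project): build the
# bridge Solution 1 describes and look for the ARP symptom it names.
# Assumed names: br0, eth0, tap0, 192.168.2.201/24 and gateway 192.168.2.1
# (taken from the question); override them in the environment if needed.
set -u

BR=${BR:-br0}
LAN_IF=${LAN_IF:-eth0}
TAP_IF=${TAP_IF:-tap0}
BR_ADDR=${BR_ADDR:-192.168.2.201/24}
LAN_GW=${LAN_GW:-192.168.2.1}

# Print the commands that build the bridge. Both members go into promiscuous
# mode, as the answer requires; ip_forward is deliberately left alone.
# tap0 is created as a persistent device so "dev tap0" in server.conf
# attaches to it. Run this from a console: flushing eth0 drops an ssh
# session that rides on it.
bridge_commands() {
    cat <<EOF
ip tuntap add dev $TAP_IF mode tap
ip link add name $BR type bridge
ip link set $LAN_IF promisc on up
ip link set $TAP_IF promisc on up
ip addr flush dev $LAN_IF
ip link set $LAN_IF master $BR
ip link set $TAP_IF master $BR
ip link set $BR up
ip addr add $BR_ADDR dev $BR
ip route replace default via $LAN_GW dev $BR
EOF
}

# Read "tcpdump -ni <if> arp" output on stdin and print every address that
# was asked for but never answered, with the number of requests seen.
# VPN clients' requests for the LAN gateway showing up here while LAN hosts'
# requests are answered is the vSwitch symptom the answer describes.
unanswered_arp() {
    awk '
        /ARP, Request who-has/ {
            for (i = 1; i <= NF; i++) if ($i == "who-has") asked[$(i + 1)]++
        }
        /ARP, Reply/ {
            for (i = 1; i <= NF; i++) if ($i == "Reply") answered[$(i + 1)]++
        }
        END {
            for (t in asked) if (!(t in answered)) print t, asked[t]
        }'
}

# Capture N ARP packets on an interface and report the unanswered targets.
check_arp() {
    tcpdump -ni "$1" -c "${2:-50}" arp 2>/dev/null | unanswered_arp | sort
}

# Constructed sample capture (not real traffic): LAN host .10 gets its reply
# from the server; the VPN client .205 asks for the gateway twice in vain.
SAMPLE_CAPTURE='12:00:01.000000 ARP, Request who-has 192.168.2.201 tell 192.168.2.10, length 28
12:00:01.000300 ARP, Reply 192.168.2.201 is-at 00:0c:29:aa:bb:cc, length 28
12:00:02.000000 ARP, Request who-has 192.168.2.1 tell 192.168.2.205, length 28
12:00:03.000000 ARP, Request who-has 192.168.2.1 tell 192.168.2.205, length 28'

# Run the parser over the constructed sample; no tcpdump or root needed.
sample_check() {
    printf '%s\n' "$SAMPLE_CAPTURE" | unanswered_arp | sort
}

case "${1:-sample}" in
    sample) sample_check ;;
    show)   bridge_commands ;;
    apply)  bridge_commands | sh -e ;;
    check)  check_arp "${2:-$LAN_IF}" "${3:-50}" ;;
    *)      echo "usage: $0 [sample|show|apply|check [ifname [count]]]" >&2; exit 2 ;;
esac
```

`show` prints the commands for review, `apply` runs them as root, and `check eth0 50` captures 50 ARP packets on eth0 and lists the targets that never got a reply; with no argument it runs the parser over the constructed sample and prints `192.168.2.1 2`. If the only unanswered entries are VPN clients asking for LAN addresses while LAN hosts' own requests are answered, the vSwitch is still dropping the clients' MACs; once it accepts them the list should come back empty. If you let OpenVPN create the TAP device itself instead of pre-creating it, the two `ip link set tap0 ...` lines belong in the `up` script, which is where the answer puts them.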
Solution 2
The server (the VPN endpoint) must act as a router to forward packets between the local and the VPN network, or rephrased: you have to enable IP forwarding on the server.
Either the server announces itself as a router to the local network (if any routing protocol is active), or all clients have to be configured so that the server is the gateway to the VPN network (best set up in the DHCP configuration if there is one).
laleshii
Updated on September 18, 2022

Comments

laleshii, over 1 year ago:
Followed this guide: https://wiki.archlinux.org/index.php/OpenVPN_Bridge
This is my setup: I have a wireless router (192.168.2.1) which connects to the Internet through a PPPoE connection and acts as a gateway and DHCP server for the local network. I'm trying to make a VPN on a machine (192.168.2.201).
I bridged the VPN tap0 with eth0 through br0 like in the guide. Connecting works OK and the client receives the proper IP, but I cannot access other machines on the local network (ping works only between the server and the client).
This is my server.conf:
port 1194
proto tcp
dev tap0
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem   # 1024-bit DH parameters; current OpenVPN samples use 2048-bit
ifconfig-pool-persist ipp.txt
server-bridge 192.168.2.1 255.255.255.0 192.168.2.202 192.168.2.210
push "route 192.168.2.0 255.255.255.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 6
This is my client.conf:
client
dev tap
proto tcp
remote hostname.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server  # deprecated; newer OpenVPN releases use "remote-cert-tls server"
comp-lzo
verb 6
If you need any more info just ask. Thank you.
laleshii, over 12 years ago:
Tried IP forwarding on a Debian machine with the same setup. Ran
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
and
iptables -A FORWARD -i br0 -j ACCEPT
with no luck. IP forwarding is enabled; sysctl net.ipv4.ip_forward returns 1.

laleshii, over 12 years ago:
Also, isn't the bridge I have created between eth0 and tap0 supposed to automatically forward the packets between those two networks?
ktf, over 12 years ago:
Before tampering with the server configuration (OpenVPN may have set things up correctly for you already), I'd check whether the other network clients know that, to reach your system, they have to use the server as gateway. A simple traceroute (from the other network client to your local VPN interface) would be the fastest way to get an idea of where things may need to be fixed. I suppose you can ssh to the server and from there ssh to another network client.