Bridging OpenVPN and LAN
Hello,

I am trying to set up an OpenVPN server on OpenBSD 6.9 that's bridged to my LAN. The topology looks like this:

10.70.0.1 (gateway) - 10.70.0.118 (server, on em1).

I've set up the em1 interface as DHCP and it gets the expected address. Next I created tap0 and bridge0 devices like this:

ifconfig tap0 create
ifconfig bridge0 create
ifconfig bridge0 add em1
ifconfig bridge0 add tap0

The ifconfig output looks like this now:

lo0: flags=8049 mtu 32768
        index 4 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff00
em0: flags=8843 mtu 1500
        lladdr 00:0c:29:0f:74:62
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet 10.20.0.108 netmask 0xff00 broadcast 10.20.0.255
em1: flags=8b43 mtu 1500
        lladdr 00:0c:29:0f:74:6c
        index 2 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet 10.70.0.118 netmask 0xff00 broadcast 10.70.0.255
enc0: flags=0<>
        index 3 priority 0 llprio 3
        groups: enc
        status: active
pflog0: flags=141 mtu 33136
        index 5 priority 0 llprio 3
        groups: pflog
tap0: flags=8902 mtu 1500
        lladdr fe:e1:ba:d0:6a:1c
        index 6 priority 0 llprio 3
        groups: tap
        status: no carrier
bridge0: flags=0<>
        index 7 llprio 3
        groups: bridge
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
        em1 flags=3
                port 2 ifpriority 0 ifcost 0
        tap0 flags=3
                port 6 ifpriority 0 ifcost 0

In my OpenVPN config I have:

port 1194
proto udp
dev tap0
dev-type tap
ca /etc/openvpn/ca.crt
cert /etc/openvpn/vpnserver.crt
key /etc/openvpn/vpnserver.key
dh /etc/openvpn/dh.pem
tls-server
tls-auth /etc/openvpn/vpn-ta.key 0
push "route 10.70.0.0 255.255.255.0 10.70.0.1"
cipher AES-256-CBC
comp-lzo
ping-timer-rem
keepalive 10 60
user _openvpn
group _openvpn
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1

And the client has:

client
dev tap
proto udp
remote example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3

The client connects OK, but it never gets a DHCP address from the router that's in charge of 10.70.0.0/24 and running the DHCP server. Is the issue in my OpenBSD configuration, OpenVPN, or on my router? I'm having trouble debugging this...

Thank you,
Andrei
Re: Bridging OpenVPN and LAN
05.09.2021 16:31, Andrei writes:
> Hello, I am trying to set up an OpenVPN server on OpenBSD 6.9 that's bridged to my LAN. The topology looks like this: 10.70.0.1 (gateway) - 10.70.0.118 (server, on em1). I've set up the em1 interface as DHCP and it gets the expected address.
>
> [...]
>
> The client connects OK, but it never gets a DHCP address from the router that's in charge of 10.70.0.0/24 and running the DHCP server. Is the issue in my OpenBSD configuration, OpenVPN, or on my router? I'm having trouble debugging this...
>
> Thank you,
> Andrei

I should correct myself in my last message. You actually may try to proxy DHCP answers to the VPN, adding the option

server-bridge

to the server config without a pool definition. Please respond if it works. I'm really curious about it.

I use a similar configuration, but with a manual pool definition in server-bridge.
Re: Bridging OpenVPN and LAN
05.09.2021 16:31, Andrei writes:
> Hello, I am trying to set up an OpenVPN server on OpenBSD 6.9 that's bridged to my LAN. The topology looks like this: 10.70.0.1 (gateway) - 10.70.0.118 (server, on em1). I've set up the em1 interface as DHCP and it gets the expected address. Next I created tap0 and bridge0 devices like this:
>
> ifconfig tap0 create
> ifconfig bridge0 create
> ifconfig bridge0 add em1
> ifconfig bridge0 add tap0
>
> The ifconfig output looks like this now:
>
> [...]
>
> In my OpenVPN config I have:
>
> port 1194
> proto udp
> dev tap0
> dev-type tap
> ca /etc/openvpn/ca.crt
> cert /etc/openvpn/vpnserver.crt
> key /etc/openvpn/vpnserver.key
> dh /etc/openvpn/dh.pem
> tls-server
> tls-auth /etc/openvpn/vpn-ta.key 0
> push "route 10.70.0.0 255.255.255.0 10.70.0.1"
> cipher AES-256-CBC
> comp-lzo
> ping-timer-rem
> keepalive 10 60
> user _openvpn
> group _openvpn
> persist-key
> persist-tun
> status openvpn-status.log
> verb 3
> explicit-exit-notify 1

You should add an IP pool for the bridge in the server config, like this:

server-bridge 10.70.0.1 255.225.255.0 10.70.0.100 10.70.0.110

Your dhcpd will not write IPs to the VPN even if it is on the bridge.

> And the client has:
>
> client
> dev tap
> proto udp
> remote example.com 1194
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> remote-cert-tls server
> cipher AES-256-CBC
> comp-lzo
> verb 3
>
> The client connects OK, but it never gets a DHCP address from the router that's in charge of 10.70.0.0/24 and running the DHCP server. Is the issue in my OpenBSD configuration, OpenVPN, or on my router? I'm having trouble debugging this...
>
> Thank you,
> Andrei
Re: Bridging OpenVPN and LAN
On 2021-09-05, Andrei wrote:
> tap0: flags=8902 mtu 1500
>         lladdr fe:e1:ba:d0:6a:1c
>         index 6 priority 0 llprio 3
>         groups: tap
>         status: no carrier
> bridge0: flags=0<>
>         index 7 llprio 3
>         groups: bridge
>         priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
>         em1 flags=3
>                 port 2 ifpriority 0 ifcost 0
>         tap0 flags=3
>                 port 6 ifpriority 0 ifcost 0

For starters your bridge is not configured "up". Neither is the tap, but I guess the VPN wasn't connected when you captured the ifconfig output?

-- 
Please keep replies on the mailing list.
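The observation above (bridge0 and tap0 show no UP flag) can be checked mechanically rather than by eye. The script below is an added example, not code from the thread: down_ifaces reads ifconfig(8) output and lists every interface whose IFF_UP bit (0x1, the lowest bit of the hex flags value) is clear, and bridge_hostname_conf prints a hostname.if(5) file that adds the members and brings the bridge up at boot. The sample output is constructed to mirror the poster's (OpenBSD prints the flag names in angle brackets, which the archive stripped); the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): spot bridge/tap interfaces that are not
# "up" in ifconfig(8) output, and print the hostname.if(5) files that fix it.

# Constructed sample, modelled on the poster's output. OpenBSD prints the flag
# names in <...>; the UP bit is the lowest bit of the hex value before it.
SAMPLE_IFCONFIG='em1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:0f:74:6c
        inet 10.70.0.118 netmask 0xffffff00 broadcast 10.70.0.255
tap0: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr fe:e1:ba:d0:6a:1c
        groups: tap
        status: no carrier
bridge0: flags=0<>
        index 7 llprio 3
        groups: bridge
        em1 flags=3<LEARNING,DISCOVER>
        tap0 flags=3<LEARNING,DISCOVER>'

# Read ifconfig output on stdin; print the names of interfaces whose IFF_UP
# bit (0x1) is clear, space separated on one line (empty line if all are up).
# Bridge member lines are indented, so only real interface headers match.
down_ifaces() {
	awk '
	/^[a-z]+[0-9]+: flags=/ {
		name = $1; sub(/:$/, "", name)
		hex = $2; sub(/^flags=/, "", hex); sub(/<.*/, "", hex)
		last = substr(hex, length(hex), 1)
		# IFF_UP is bit 0, so the interface is up exactly when the low hex digit is odd
		if (index("13579bdfBDF", last) == 0)
			out = (out == "") ? name : out " " name
	}
	END { print out }'
}

# Emit a /etc/hostname.bridge0 that adds each member and brings the bridge up.
# Each line of a hostname.if file is handed to ifconfig(8) as its arguments.
bridge_hostname_conf() {
	for member in "$@"; do
		echo "add $member"
	done
	echo "up"
}

# Usage: pipe the live output in ("ifconfig | down_ifaces") or use the sample.
down=$(printf '%s\n' "$SAMPLE_IFCONFIG" | down_ifaces)
[ -n "$down" ] && echo "not up: $down"
echo "--- /etc/hostname.tap0 ---"
echo "up"
echo "--- /etc/hostname.bridge0 ---"
bridge_hostname_conf em1 tap0
# Apply without rebooting:  sh /etc/netstart tap0 bridge0
```

Putting "up" in both hostname files means the bridge forwards regardless of whether OpenVPN has already opened tap0; the "status: no carrier" on tap0 is separate and only goes away once the tun device is open.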
Re: Bridging OpenVPN and LAN
> 5 Sept. 2021, at 21:53, Andrei wrote:
>
>> On 05.09.2021, at 15:58, kasak wrote:
>> I should correct myself in my last message. You actually may try to proxy
>> DHCP answers to the VPN, adding the option
>>
>> server-bridge
>>
>> to the server config without a pool definition. Please respond if it works. I'm
>> really curious about it.
>>
>> I use a similar configuration, but with a manual pool definition in server-bridge
>
> This results in the same behaviour - the client gets no IP. When I do however
> make it say:
>
> server-bridge 10.70.0.1 255.225.255.0 10.70.0.100 10.70.0.110

I made a typo. Mask should be 255.255.255.0.
I highly recommend not just copying what I say but correcting it to match your configuration.

> as you said this works but the DHCP is not issuing that IP (+ I'm having some
> weird errors saying
>
> 2021-09-05 20:44:45 /sbin/ifconfig tap0 10.70.0.100 netmask 255.225.255.0 mtu 1500
> ifconfig: 255.225.255.0: non-contiguous mask
>
> but that's another topic :).
Re: Bridging OpenVPN and LAN
> On 05.09.2021, at 15:58, kasak wrote:
> I should correct myself in my last message. You actually may try to proxy
> DHCP answers to the VPN, adding the option
>
> server-bridge
>
> to the server config without a pool definition. Please respond if it works. I'm
> really curious about it.
>
> I use a similar configuration, but with a manual pool definition in server-bridge

This results in the same behaviour - the client gets no IP. When I do however make it say:

server-bridge 10.70.0.1 255.225.255.0 10.70.0.100 10.70.0.110

as you said this works but the DHCP is not issuing that IP (+ I'm having some weird errors saying

2021-09-05 20:44:45 /sbin/ifconfig tap0 10.70.0.100 netmask 255.225.255.0 mtu 1500
ifconfig: 255.225.255.0: non-contiguous mask

but that's another topic :).
Re: Bridging OpenVPN and LAN
> On 05.09.2021, at 21:11, Kasak wrote:
> I made a typo. Mask should be 255.255.255.0
> I highly recommend not just copying what I say but correcting it to match your
> configuration

Agreed! Fix'd the typo and the config works but yeah - I still can't get the router to do DHCP. Bummer.

Thanks for the help!
Re: Bridging OpenVPN and LAN
On Sun, 5 Sep 2021 16:52:58 +0300
kasak wrote:
> You should add ip pool for bridge in server config.
>
> like this:
>
> server-bridge 10.70.0.1 255.225.255.0 10.70.0.100 10.70.0.110

You should *only* do this if you have configured your DHCP server to _not_ hand out IP addresses in that range.

The DHCP server can't actually tell what a "VPN client" is and what a local Ethernet client is, so it should work. Likely, it's a lack of a `server-bridge` statement (*without* IP address ranges given) that is likely confusing matters.

-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.
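Two things went wrong in this thread that a pre-flight check would have caught: the non-contiguous mask 255.225.255.0 that ifconfig rejected, and a server-bridge pool that the LAN's dhcpd might also hand out, which is exactly the overlap Stuart warns about. The script below is an added example, not from the thread, from OpenBSD or from OpenVPN: it validates a server-bridge line against the router's dhcpd range before OpenVPN is restarted. ip2int, mask_is_contiguous, ranges_overlap and check_server_bridge are names I chose, and the dhcpd range 10.70.0.50-10.70.0.150 is a constructed value standing in for whatever the router's dhcpd.conf "range" statement actually says.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check an OpenVPN "server-bridge"
# line against the LAN DHCP server's range before deploying it.

# Dotted quad -> 32-bit integer on stdout; returns 1 (prints nothing) on a
# malformed address such as 10.70.0.300 or 10..1.
ip2int() {
	case "$1" in
	*[!0-9.]*|*..*|.*|*.) return 1 ;;
	esac
	oIFS=$IFS; IFS=.
	set -- $1
	IFS=$oIFS
	[ $# -eq 4 ] || return 1
	for o in "$1" "$2" "$3" "$4"; do
		[ "$o" -le 255 ] || return 1
	done
	echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# A netmask is usable only if its binary form is all ones followed by all
# zeros (what ifconfig calls "contiguous"): the inverted mask plus one must
# then be a power of two, i.e. have no bit in common with the inverted mask.
mask_is_contiguous() {
	m=$(ip2int "$1") || return 1
	inv=$(( ~m & 0xffffffff ))
	[ $(( inv & (inv + 1) )) -eq 0 ]
}

# Exit 0 if the inclusive ranges [a1,a2] and [b1,b2] share any address.
ranges_overlap() {
	a1=$(ip2int "$1") && a2=$(ip2int "$2") &&
	b1=$(ip2int "$3") && b2=$(ip2int "$4") || return 2
	[ "$a1" -le "$b2" ] && [ "$b1" -le "$a2" ]
}

# Validate "server-bridge GW MASK START END" against dhcpd's "range START END;".
# Prints each problem found; exit status 0 means the pool is safe to use.
check_server_bridge() {
	line=$1 dhcp_start=$2 dhcp_end=$3
	set -- $line
	[ "$1" = "server-bridge" ] && [ $# -eq 5 ] || {
		echo "unexpected line: $line"; return 1; }
	rc=0
	if ! mask_is_contiguous "$3"; then
		echo "non-contiguous mask $3"; rc=1
	fi
	if ranges_overlap "$4" "$5" "$dhcp_start" "$dhcp_end"; then
		echo "pool $4-$5 overlaps dhcpd range $dhcp_start-$dhcp_end"; rc=1
	fi
	return $rc
}

# The line from the thread (mask typo included) against a constructed dhcpd
# range that overlaps the pool: both problems are reported.
if check_server_bridge "server-bridge 10.70.0.1 255.225.255.0 10.70.0.100 10.70.0.110" \
		10.70.0.50 10.70.0.150; then
	echo "ok to deploy"
else
	echo "fix the config before restarting openvpn"
fi
```

Feed it the real "range" bounds from the router's dhcpd.conf; if the pool overlaps, either move the server-bridge pool outside the DHCP range or shrink the range, since the DHCP server cannot tell a bridged VPN client from a wired one and will happily lease the same address twice.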