chairmanmao
Posts: 19
Joined: Fri Dec 04, 2015 9:32 pm

OpenVPN in bridge mode: internet connectivity lost

Tue May 21, 2019 5:03 pm

Apologies in advance for the length of this. As I'm not sure what's causing the problem I've included info on things I think may be playing a role.

I am trying to set up a Pi3 as an OpenVPN server on my home LAN, in bridge mode so that I can access network resources and devices remotely over the internet. I've been following various directions I've found online to do this, but so far when I am running the openvpn server I lose internet connectivity from the Pi. I haven't tried accessing the system remotely as I presume the lack of internet connectivity would prevent that.

My Pi runs the latest version of Stretch. It has a fixed but not static IP address. Instead, it is always assigned the same IP address by way of how I've set up dnsmasq, /etc/hosts, /etc/ethers and dhcpcd.conf:

dnsmasq.conf:

Code:

# make sure we read /etc/ethers so that fixed IPs get assigned correctly
read-ethers
# don't forward anything other than FQDNs
domain-needed
# don't forward addresses outside the routed address space
bogus-priv
# use the upstream DNS servers in strict order
strict-order
# we are localnet!
local=/localnet/
# only listen on the eth0 interface
interface=eth0
# append domain to simple names read from /etc/hosts
expand-hosts
# append our domain name to simple names
domain=localnet
# tell Windows to release the DHCP lease when it shuts down
dhcp-option=vendor:MSFT,2,1i
# store a boatload of name resolutions to speed up process
cache-size=10000

# set the range of addresses we manage via DHCP
dhcp-range=192.168.1.21,192.168.1.200,12h

# note that the range 192.168.1.230 - 192.168.1.240 is reserved for VPN clients
# and is administered by OpenVPN

# set the parameters we want clients to use to access gateway, etc.
dhcp-option=option:netmask,255.255.255.0
dhcp-option=option:router,192.168.1.254
dhcp-option=option:domain-name,localnet

hosts:

Code:

127.0.0.1	localhost
::1		localhost ip6-localhost ip6-loopback
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters

192.168.1.1	arris
192.168.1.2	portal
192.168.1.3	wireheadkitchen
192.168.1.4	raspberrypi
192.168.1.5	mycroft
192.168.1.6	wireheadupstairs
192.168.1.8	colossus
192.168.1.10	sungod

ethers:

Code:

# mapping of MAC addresses to fixed/static IP addresses
bc:67:1c:f7:9e:6c	portal.localnet
F8:F5:32:F6:BC:F1	arris.localnet
44:94:FC:5D:56:2C	wireheadkitchen.localnet
40:16:7e:f4:04:38	wireheadupstairs.localnet
1C:6F:65:39:09:8D	colossus.localnet
00:40:ad:96:96:6d	sungod.localnet
b8:27:eb:44:ea:65	raspberrypi.localnet
b8:27:eb:c2:85:7f	mycroft.localnet

dhcpcd.conf:

Code:

interface eth0
static ip_address=192.168.1.5/24
static routers=192.168.1.254
static domain_name_servers=8.8.8.8 8.8.4.4

I installed OpenVPN using PiVPN and then tweaked the resulting config file, server.conf:

Code:

port **non-default port, firewall is set to forward to it on the Pi**
proto udp
dev tap0
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_X4O6Por7FYITsLun.crt
key /etc/openvpn/easy-rsa/pki/private/server_X4O6Por7FYITsLun.key
dh none
remote-cert-tls client
server-bridge 192.168.1.5 255.255.255.0 192.168.1.230 192.168.1.240
client-to-client
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-GCM
push "dhcp-option DNS 192.168.1.5"
push "block-outside-dns"
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3

Based on directions I found online I set up the following script to run before the openvpn server starts and stops (it's called openvpn-bridge on my system):

Code:

#!/bin/sh

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip_netmask="192.168.1.5/24"
eth_broadcast="192.168.1.255"
eth_gateway="192.168.1.254"

case "$1" in
start)
    for t in $tap; do
        openvpn --mktun --dev $t
    done

    brctl addbr $br
    brctl addif $br $eth

    for t in $tap; do
        brctl addif $br $t
    done

    for t in $tap; do
        ip addr flush dev $t
        ip link set $t promisc on up
    done

    ip addr flush dev $eth
    ip link set $eth promisc on up

    ip addr add $eth_ip_netmask broadcast $eth_broadcast dev $br
    ip link set $br up

    ip route add default via $eth_gateway
    ;;

stop)
    ip link set $br down
    brctl delbr $br

    for t in $tap; do
        openvpn --rmtun --dev $t
    done

    ip link set $eth promisc off up
    ip addr add $eth_ip_netmask broadcast $eth_broadcast dev $eth

    ip route add default via $eth_gateway
    ;;

*)
    echo "Usage:  openvpn-bridge {start|stop}"
    exit 1
    ;;

esac

exit 0

Here's how the script is called from openvpn@.service:

Code:

[Unit]
Description=OpenVPN connection to %i
PartOf=openvpn.service
ReloadPropagatedFrom=openvpn.service
Before=systemd-user-sessions.service
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
PrivateTmp=true
KillMode=mixed
Type=forking
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn$
PIDFile=/run/openvpn/%i.pid
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
ProtectSystem=yes
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT $
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ExecStartPre=/etc/openvpn/openvpn-bridge start
ExecStopPost=/etc/openvpn/openvpn-bridge stop

[Install]
WantedBy=multi-user.target

When I enable the openvpn service and reboot the system it seems to start okay. I can resolve hosts on the LAN via nslookup, which interacts with dnsmasq via 127.0.0.1. But attempting to resolve any internet address results in a timeout error (which is why I've concluded I've lost internet access).

Here is the output of running "ip a" when the openvpn server is not running, and I have internet access:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether b8:27:eb:c2:85:7f brd ff:ff:ff:ff:ff:ff
inet 192.168.1.5/24 brd 192.168.1.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::6f2:d94d:673e:cf8e/64 scope link
valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether b8:27:eb:97:d0:2a brd ff:ff:ff:ff:ff:ff
Here's what I get when I run "route" when openvpn server isn't running:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.254 0.0.0.0 UG 202 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 202 0 0 eth0
I'll post comparable results from "ip a" and "route" when openvpn is running in a moment.

- Mark

chairmanmao
Posts: 19
Joined: Fri Dec 04, 2015 9:32 pm

Re: OpenVPN in bridge mode: internet connectivity lost

Tue May 21, 2019 5:10 pm

Back again... :)

Here's the output from "ip a" when the openvpn service is running and I don't have internet connectivity:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
link/ether b8:27:eb:c2:85:7f brd ff:ff:ff:ff:ff:ff
inet 192.168.1.5/24 brd 192.168.1.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::6f2:d94d:673e:cf8e/64 scope link
valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether b8:27:eb:97:d0:2a brd ff:ff:ff:ff:ff:ff
4: tap0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 100
link/ether 4a:f2:c2:33:73:dc brd ff:ff:ff:ff:ff:ff
inet 169.254.10.120/16 brd 169.254.255.255 scope global tap0
valid_lft forever preferred_lft forever
inet6 fe80::16bb:91f5:88c6:a53b/64 scope link
valid_lft forever preferred_lft forever
5: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 4a:f2:c2:33:73:dc brd ff:ff:ff:ff:ff:ff
inet 169.254.10.120/16 brd 169.254.255.255 scope global br0
valid_lft forever preferred_lft forever
and here's the output from "route" in the same condition:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.254 0.0.0.0 UG 202 0 0 eth0
link-local 0.0.0.0 255.255.0.0 U 204 0 0 tap0
link-local 0.0.0.0 255.255.0.0 U 205 0 0 br0
192.168.1.0 0.0.0.0 255.255.255.0 U 202 0 0 eth0
Even to someone with little grasp of routing that looks...wrong.

epoch1970
Posts: 2809
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: OpenVPN in bridge mode: internet connectivity lost

Tue May 21, 2019 6:09 pm

I suggest the following:
  1. remove the script openvpn-bridge
  2. set "denyinterfaces eth0 tap0" in dhcpcd.conf
  3. define a bridge in /etc/network/interfaces, "auto br0" etc. with tap0 and eth0 as bridge members.
    - See examples in the bridge AP howto for points 2. and 3. above
    - Note "br0 inet manual" in interfaces, not "inet dhcp": with "manual" dhcpcd.conf actually takes over to give an IP to br0, that's what you want.
  4. change ethers to match the MAC address of the bridge since it subsumes eth0.
    - The MAC of a bridge is the smallest MAC among its member interfaces (or a random one if no members). E.g. tap0 address 02:ff:be:..., eth0 addr. b8:27:eb:... => br0 MAC address will be 02:ff:be:...
    - The address of tap0 is likely to change at each boot. If you want to control the MAC of the bridge the easiest is to specify the MAC of tap0 within the interfaces file to a high value, e.g. "hwaddress ether fe:00:01:0a:0b:0c". This will make br0 prefer using eth0's MAC address.
    - Use a non null even value for the most significant byte of the MAC, e.g. "02" or "fe". (why, oh why)
With this the bridge is always up and replaces eth0. tap0 is always in the system, openvpn just sets it up or down. Less moving parts, more robust.
"S'il n'y a pas de solution, c'est qu'il n'y a pas de problème." Les Shadoks, J. Rouxel

chairmanmao
Posts: 19
Joined: Fri Dec 04, 2015 9:32 pm

Re: OpenVPN in bridge mode: internet connectivity lost

Tue May 21, 2019 10:35 pm

I tried to delete this post but found I was unable to do so, so I've just deleted the content (I made a dumb mistake in applying your instructions).

chairmanmao
Posts: 19
Joined: Fri Dec 04, 2015 9:32 pm

Re: OpenVPN in bridge mode: internet connectivity lost

Tue May 21, 2019 11:30 pm

I'm posting this as a separate entry just to keep things clear (to me :)).

I'm having trouble getting the right IP addresses assigned to the right interfaces.

tap0 ends up coming up with a 169.x.x.x address, which I recognize as "no IP address assigned so you get a default one". tap0 is being created by the openvpn service when it starts, I think...but then again, if that was the case I would've assumed it'd be given 192.168.1.5 based on /etc/openvpn/server.conf:

Code:

port **nonstandard port**
proto udp
dev tap0
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_X4O6Por7FYITsLun.crt
key /etc/openvpn/easy-rsa/pki/private/server_X4O6Por7FYITsLun.key
dh none
remote-cert-tls client
server-bridge 192.168.1.5 255.255.255.0 192.168.1.230 192.168.1.240
client-to-client
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-GCM
#compress lz4-v2
#push "compress lz4-v2"
push "dhcp-option DNS 192.168.1.5"
push "block-outside-dns"
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
Then again, now I wonder if what I'm setting in /etc/network/interfaces and dhcpcd.conf means I have to remove some of the bridge stuff from /etc/openvpn/server.conf.

I'm also unclear about where to put that "hwaddress ether..." entry. If it goes into /etc/network/interfaces, do I do that under an entry defining a tap0 interface?

Sorry about all the questions. I really appreciate the help, and feel like I'm close now...just not quite there :).

chairmanmao
Posts: 19
Joined: Fri Dec 04, 2015 9:32 pm

Re: OpenVPN in bridge mode: internet connectivity lost

Wed May 22, 2019 4:30 am

Can't say I understand what's going on yet, but at least I've been learning stuff about configuring network interfaces that I never understood :)

I have a configuration that appears to be working "locally", meaning that devices on my LAN have internet access, and DNS resolution via dnsmasq is working. But it's more than a bit kludgy, and I haven't been able to assign an artificially high MAC address to the tap0 interface (i.e., I try to, but it gets ignored).

/etc/network/interfaces:

Code:

# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d

# added for openvpn config
auto br0

iface br0 inet manual
    bridge_ports eth0 tap0

iface tap0 inet manual
    hwaddress ether fe:00:01:0a:0b:0c

/etc/dhcpcd.conf:

Code:

# A sample configuration for dhcpcd.
# See dhcpcd.conf(5) for details.

# Allow users of this group to interact with dhcpcd via the control socket.
#controlgroup wheel

# Inform the DHCP server of our hostname for DDNS.
hostname

# Use the hardware address of the interface for the Client ID.
clientid
# or
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as per RFC4361.
# Some non-RFC compliant DHCP servers do not reply with this set.
# In this case, comment out duid and enable clientid above.
#duid

# Persist interface configuration when dhcpcd exits.
persistent

# Rapid commit support.
# Safe to enable by default because it requires the equivalent option set
# on the server to actually work.
option rapid_commit

# A list of options to request from the DHCP server.
option domain_name_servers, domain_name, domain_search, host_name
option classless_static_routes
# Most distributions have NTP support.
option ntp_servers
# Respect the network MTU. This is applied to DHCP routes.
option interface_mtu

# A ServerID is required by RFC2131.
require dhcp_server_identifier

# Generate Stable Private IPv6 Addresses instead of hardware based ones
slaac private

# for openvpn config
denyinterfaces eth0 tap0

interface br0
    static ip_address=192.168.1.5/24
    static routers=192.168.1.254
    static domain_name_servers=8.8.8.8 8.8.4.4

To get dnsmasq to resolve addresses for other devices on my network I had to change the interface it was listening on from eth0 to br0. This makes sense to me, sort of, in that with the bridge set up eth0 is slaved to br0? Besides, hopefully that also means that by listening on br0 it'll pick up stuff that comes thru tap0 from openvpn?

The kludgiest part is where I assign the br0 interface parameters statically in dhcpcd.conf. That works around my failure to get the tap0 hwaddress set to an arbitrarily large value so br0 always ends up with the eth0 MAC address. But I'd still like to clean this up/simplify it.

Thoughts?

epoch1970
Posts: 2809
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: OpenVPN in bridge mode: internet connectivity lost

Wed May 22, 2019 9:15 am

I overlooked dnsmasq.conf “listen/interfaces” lines, sorry for that. Dnsmasq should listen on the br0 indeed so that it “hears” traffic from every bridged interface.
I'm writing this without actually testing on a Stretch machine. Please excuse and correct further inaccuracies as you find them in the "instructions".

Overall almost there I believe.
- In dhcpcd.conf, move the denyinterfaces line up to the top of the file, just to be sure it is taken into account first, e.g.

Code:

# A sample configuration for dhcpcd.
# See dhcpcd.conf(5) for details.

# Allow users of this group to interact with dhcpcd via the control socket.
#controlgroup wheel

# for openvpn bridge config
denyinterfaces eth0 tap0
... etc ...

- In interfaces, move the tap0 block before the br0 block, so that tap0 is defined and active when ifupdown processes the br0 block that refers to tap0:

Code:

# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d

# br0 member interface (we need this, I think)
# ifupdown only treats whole lines starting with "#" as comments, so keep
# remarks off the "auto" line
auto tap0
iface tap0 inet manual
    hwaddress ether fe:00:01:0a:0b:0c

# added for openvpn bridged config
auto br0
iface br0 inet manual
    bridge_ports eth0 tap0

That should allow tap0 to get properly bridged to br0 and stop tap0 from getting an ipv4ll address (169.254.x.x) it doesn’t need.
“brctl show” will say if br0 has the interface members it should have.

If “hwaddress” still doesn’t give the expected result, I assume ifupdown in Stretch may be lacking the script needed to process the hwaddress keyword.
But we can replace it with the actual command the script would perform.
Here are the manual operations basically equivalent to what the ifupdown block is expected to do:

Code:

$ sudo ip tuntap add tap0 mode tap
$ ip link show tap0
7: tap0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether c6:aa:40:9b:6b:88 brd ff:ff:ff:ff:ff:ff
$ sudo ip link set tap0 address fe:01:02:0a:0b:0c
$ ip link show tap0
7: tap0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether fe:01:02:0a:0b:0c brd ff:ff:ff:ff:ff:ff

So the following variant on interfaces should work, I think:

Code:

auto tap0
iface tap0 inet manual
     up ip link set tap0 address fe:00:01:0a:0b:0c  

auto br0
iface br0 inet manual
    bridge_ports eth0 tap0

If that doesn't do the trick, this quite heavy-handed version of interfaces with only the br0 block and no tap0 block at all should put the issue to rest, hopefully:

Code:

# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d

# added for openvpn bridged config
# the tap must exist before the bridge_ports hook adds it; the first pre-up
# is guarded so an already-present tap0 (e.g. created by openvpn) does not
# make ifup abort
auto br0
iface br0 inet manual
    pre-up ip link show tap0 >/dev/null 2>&1 || ip tuntap add dev tap0 mode tap
    pre-up ip link set tap0 address fe:01:02:0a:0b:0c
    pre-up ip link set tap0 up
    bridge_ports eth0 tap0
    post-down ip link set tap0 down
    post-down ip link del tap0

HTH
(In openvpn.conf I see you already have "persist-tun" so ovpn should be using tap0 as is and never try deleting/creating it upon tunnel restarts.)
"S'il n'y a pas de solution, c'est qu'il n'y a pas de problème." Les Shadoks, J. Rouxel

chairmanmao
Posts: 19
Joined: Fri Dec 04, 2015 9:32 pm

Re: OpenVPN in bridge mode: internet connectivity lost

Wed May 22, 2019 4:31 pm

Thanx for the continued help.

Sadly, not even the heavy-handed approach worked -- tap0 insists on setting its own random MAC address. I've worked around that by explicitly configuring br0 in dhcpcd.conf, which appears to work, so it's not that big a deal.

But it would be nice to be able to rely on the system configuring itself, so to speak. OTOH, there are a bunch of moving parts (e.g., /etc/network/interfaces, /etc/dhcpcd.conf, /etc/hosts, /etc/ethers) that appear to have to play well together for this to work, so maybe the kludge is the best that can be done.

If you have other suggestions for me to try, or diagnostic tools to run, or other software whose configuration I should check, I'm happy to follow them.

epoch1970
Posts: 2809
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: OpenVPN in bridge mode: internet connectivity lost

Wed May 22, 2019 5:41 pm

Mhh. I don't see how the "heavy handed" version can fail. Did you reboot between attempts?
If you run the commands manually, can you get a tapX with the MAC address of your choice?

There are not many moving parts now, that is, no dynamic configuration, but I agree files are a bit scattered all over the place.
- openvpn.conf, dnsmasq.conf, you can't do without
- interfaces and dhcpcd.conf, unfortunately you cannot combine because dhcpcd doesn't know how to handle a bridge. So for br0 you need the interfaces file
- hosts and ethers: I salute your appropriate use of those sanctified unix files, however you could configure dnsmasq to not use either, and lookup information within its own config directory. Mild progress at best; here is how I organize my stuff usually:

Code:

$ tree /etc/dnsmasq.d/
/etc/dnsmasq.d/
├── dhcp_leases.conf
├── dnsmasq.conf
├── hosts
│   └── static_hosts.lan
└── README

1 directory, 4 files

$ grep -- -hosts /etc/dnsmasq.d/dnsmasq.conf
expand-hosts
no-hosts
addn-hosts=/etc/dnsmasq.d/hosts/static_hosts.lan

$ head -5 /etc/dnsmasq.d/dhcp_leases.conf
#SPEC: dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m

# These are in LAN zone
# odessa 2011 mac mini
dhcp-host=3c:07:54:01:02:03,odessa,172.18.255.15,1h

$ head -8 /etc/dnsmasq.d/hosts/static_hosts.lan
# Jan 2016 - This is local data like /etc/hosts
# This file MUST be in a subdir of CONF_DIR otherwise
# it will be parsed as a dnsmasq config file, which it aint.
#
# Elsewhere
172.31.0.10	refclock.some.zone.
# Local net
172.18.0.1	gw.lan.zone.

no-hosts disables reading /etc/hosts, and addn-hosts allows reading another file instead.
Due to the way dnsmasq is launched, every file in /etc/dnsmasq.d/ is parsed (merged) as a dnsmasq config file fragment.

This works to our advantage in that file dhcp_leases.conf, containing only static DHCP lease specifications, is automagically added to the main config file dnsmasq.conf.
It works at our detriment for files that are not dnsmasq config fragments: static_hosts.lan is not in dnsmasq config format, having it in /etc/dnsmasq.d/ would make dnsmasq fail to start. A way to keep the file in there and be able to start is to move it to a subdirectory; thankfully the launcher does not recurse into subdirs of /etc/dnsmasq.d/ looking for config file fragments.
"S'il n'y a pas de solution, c'est qu'il n'y a pas de problème." Les Shadoks, J. Rouxel

chairmanmao
Posts: 19
Joined: Fri Dec 04, 2015 9:32 pm

Re: OpenVPN in bridge mode: internet connectivity lost

Wed May 22, 2019 7:12 pm

Interesting directory structure, I may switch to that.

Yes, I did reboot between attempts (thank goodness the Pi3 is so much faster than the Pi1 :)).

I am able to change the tap0 MAC address from the command line by running the commands manually.

For fun, I tried changing the line which sets the MAC address for tap0 in the interfaces file to "post-up" from "pre-up", thinking maybe the interface had to come up first. No joy; same result (i.e., random MAC address).

But - LOL! - since the kludged approach worked I was able to try accessing openvpn from a remote device...during the course of which I learned that iOS devices do not currently support tap endpoints, only tun ones. And since I have to support iOS devices, I'm going to have to figure out how to get the tun approach to work.

Do you mind if I pick your brains on that? And do you think I should open that discussion on a separate thread?

I have several sets of instructions for configuring openvpn to offer tun connections. In fact, that's where I started. My problem was that I couldn't figure out how to get the tun subnet to "interact" with the LAN. For example, I had openvpn providing remote access, but it was assigning addresses in the 192.168.5.x space, while my LAN is 192.168.1.x space. I presume there's a way to route traffic back and forth between those subnets...but I don't know how to do it. So any advice or tips or reading material references would be most appreciated.

epoch1970
Posts: 2809
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: OpenVPN in bridge mode: internet connectivity lost

Wed May 22, 2019 7:41 pm

chairmanmao wrote:
Wed May 22, 2019 7:12 pm
iOS devices do not currently support tap endpoints, only tun ones.
And it's been like that since the beginning of iOS. Don't hold your breath...
I'm going to have to figure out how to get the tun approach to work.
Do you mind if I pick your brains on that? And do you think I should open that discussion on a separate thread?
I don't configure ovpn often these days, and usually I stick with a config even simpler than the one you had above, just peer-to-peer and everything else is handled at kernel or OS level. I never liked "server mode" and the avalanche of options that came with ovpn v2.0
So I'm not going to be your customer, but since routed mode is more common I expect others within the community will be able to help.

If you're interested in routed VPN, perhaps you want to check out Wireguard. One day, one day, linux will handle wg0 network devices natively. Linus said so.
There is a client app for iOS (never tested it myself). I've used wireguard on linux, install is easy, configuration is breathtakingly terse.
L3 (routed) tunnelling only, peer-to-peer or star topology.
Some on the wg mailing-list want to handle automatic mesh setup (any peer to any peer), won't happen immediately I guess but it looks possible. That would be more or less L2 without the broadcast chatter.
I've known OpenVPN almost since it started, it made a tremendous contribution to networking and security; I feel Wireguard is the next.
"S'il n'y a pas de solution, c'est qu'il n'y a pas de problème." Les Shadoks, J. Rouxel
