OpenVpn bridge interface does not respond to incoming packets from outer network !

Question

We are trying to set up a roadwarrior vpn setup with openvpn. We want the people to be able to connect to our network via openvpn. And we want them to be able to see and connect to the machines in our network. So the solution is bridged vpn as we see.

I don't have much experience with network environments. I'm going through both the ubuntu (on which we've built openvpn server) and openvpn manuals. Both of them lack in many aspects.

https://help.ubuntu.com/10.10/serverguide/C/openvpn.html

http://openvpn.net/howto.html

When i install a bridge interface through bridge-start script which is part of the openvpn, my network goes down, just letting me ping inside my network. i set up the port forwarding to my openvpn server's port 1194 which is working until i set the bridging interface. After enabling bridge my machine lost contact to the outer network. I'm sure i'm missing something to do.

I put my ifconfig and netstat -rn outputs before and after setting bridge. And my server configuration file and scripts below.

#ifconfig before

eth1      Link encap:Ethernet  HWaddr 52:54:00:57:63:6e  
          inet addr:192.168.22.230  Bcast:192.168.22.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:ff:fe57:636e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4857 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3199 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:518272 (518.2 KB)  TX bytes:430178 (430.1 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:21 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1804 (1.8 KB)  TX bytes:1804 (1.8 KB)

#netstat before

192.168.22.0  /  0.0.0.0     /    255.255.255.0 /  U         0 0    0  /  eth1

0.0.0.0       /  192.168.22.1 /   0.0.0.0       /  UG        0 0    0  /  eth1

#ifconfig after

br0       Link encap:Ethernet  HWaddr 52:54:00:57:63:6e  
          inet addr:192.168.22.230  Bcast:192.168.22.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:ff:fe57:636e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:256 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:43790 (43.7 KB)  TX bytes:2328 (2.3 KB)

eth1      Link encap:Ethernet  HWaddr 52:54:00:57:63:6e  
          inet6 addr: fe80::5054:ff:fe57:636e/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:5691 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3508 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:622570 (622.5 KB)  TX bytes:470324 (470.3 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:36 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:3980 (3.9 KB)  TX bytes:3980 (3.9 KB)

tap0      Link encap:Ethernet  HWaddr 7e:3a:03:48:ad:29  
          inet6 addr: fe80::7c3a:3ff:fe48:ad29/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:243 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

#netstat after

192.168.22.0  /  0.0.0.0  /  255.255.255.0  /  U    0 0     0  /  br0

(This table is bad i know. But i couldn't been able to overcome this table, or make it functional by adding routes.)

bridge-start script

br="br0"
tap="tap0"

eth="eth1"
eth_ip="192.168.22.230"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.22.255"

for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

I have this same exact problem it seems. Once I enable the bridge as per the OpenVPN instructions, my server becomes unreachable from an outside network, although I can still see it if I'm on another host on its internal network. — Mr. Shickadance, Dec 06 '11 at 16:15

score 4 · Answer 1 · answered Feb 03 '12 at 18:38

4

The problem is that when the start script takes eth0 down, it destroys your default gateway route. When the script brings the interfaces up, you aren't using DHCP, you're setting the IPs and subnets manually. Normally you would get the route from DHCP without the bridge. You can either comment out parts of the script so that br0 gets eth0's IP (and thus the route as well) from DHCP, or you can add a line to manually add the route at the end of the script:

route add default gw 192.168.22.1

answered Feb 03 '12 at 18:38

Michael

468
2
13

I am using the exact same bridge-start script, but adding the line didn't help. What more can I try? – Petr Peller Dec 15 '13 at 03:40
Can you provide the output of `route` and `ifconfig -a` like above, before and after you start openvpn? – Michael Dec 15 '13 at 03:45

score 0 · Answer 2 · answered Dec 30 '13 at 07:21

Why you don't use /etc/network/interfaces for archive this?

example:

   iface br0 inet static
    bridge_ports eth0 tap0
    address 192.168.1.2
    broadcast 192.168.1.255
    netmask 255.255.255.0
    gateway 192.168.1.1
    pre-up openvpn --mktun --dev tap0