
I have OpenVPN configured on three VirtualBox VMs running Ubuntu 16.04.

The network configuration is as follows: [network config picture]

Server config:

local 192.168.2.2
port 1194
proto udp
dev tap0

ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

ifconfig-pool-persist ipp.txt

server-bridge 192.168.0.2 255.255.255.0 192.168.0.50 192.168.0.100
client-to-client

keepalive 10 20
cipher AES-128-CBC
comp-lzo

persist-key
persist-tun
verb 3

Client config:

client
dev tap
proto udp

remote 192.168.2.2 1194
resolv-retry infinite

nobind
persist-key
persist-tun

ca ca.crt
cert client1.crt
key client1.key

cipher AES-128-CBC
comp-lzo
verb 3

I am using the bridge-start and bridge-stop scripts that come with OpenVPN to set up the bridge. The connection opens without any problems. I can ping the clients from the server and the server from the clients. The problem is that I cannot ping client-to-client, e.g. a ping from the remote client (lab3) to the other client (lab2) just gets From 192.168.0.50 icmp_seq=1 Destination Host Unreachable.

It seems that the problem has something to do with ARP, because when I run tcpdump on br0 on the server, I see an ARP request: ARP, Request who-has 192.168.0.1 tell 192.168.0.50, length 28. Then on the client (lab2) I see:

ARP, Request who-has 192.168.0.1 tell 192.168.0.50, length 46
ARP, Reply 192.168.0.1 is-at 08:00:27:c8:1c:c7, length 28

But the replies don't seem to reach any machine.

When the OpenVPN connection is open, the routing table seems to be correct:

Server:

default via 10.0.2.1 dev enp0s3 
10.0.2.0/24 dev enp0s3  proto kernel  scope link  src 10.0.2.4 
192.168.0.0/24 dev br0  proto kernel  scope link  src 192.168.0.2 
192.168.2.0/24 dev enp0s9  scope link 
192.168.2.0/24 dev enp0s9  proto kernel  scope link  src 192.168.2.2

Client:

default via 10.0.2.1 dev enp0s3 
10.0.2.0/24 dev enp0s3  proto kernel  scope link  src 10.0.2.7 
192.168.0.0/24 dev enp0s8  proto kernel  scope link  src 192.168.0.1 

Remote Client:

default via 10.0.2.1 dev enp0s3 
10.0.2.0/24 dev enp0s3  proto kernel  scope link  src 10.0.2.6 
192.168.0.0/24 dev tap0  proto kernel  scope link  src 192.168.0.50 
192.168.2.0/24 dev enp0s8  proto kernel  scope link  src 192.168.2.1 

Any ideas how to get the messages to flow between the two clients? Am I doing something wrong or missing something in the configurations?

jaine

2 Answers


This was solved by setting the GW's network adapter connected to the 192.168.0.0/24 network to promiscuous mode from the VirtualBox settings, so the interface that does the bridging is in promiscuous mode. All in all, it is nowhere clearly mentioned that VirtualBox needs promiscuous mode to be able to bridge correctly, but at least I can mention it here!

jaine
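A small diagnostic, added here as an example (not code from the question, the answer or OpenVPN), that parses tcpdump ARP lines in the format quoted in the question from two vantage points and flags replies that were captured on the client's segment but never arrived on the server's bridge. The vantage-point names and the CAPTURES dict are constructed from the two captures in the question; the result is exactly the symptom the accepted answer traces to the VirtualBox adapter not being in promiscuous mode: frames addressed to a MAC other than the VM's own are dropped before the guest's bridging interface sees them.

```python
import re
# tcpdump ARP lines in the format quoted in the question, e.g.
#   ARP, Request who-has 192.168.0.1 tell 192.168.0.50, length 28
#   ARP, Reply 192.168.0.1 is-at 08:00:27:c8:1c:c7, length 28
ARP_REQUEST = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")
ARP_REPLY = re.compile(r"ARP, Reply (\S+) is-at (\S+),")

def parse_arp(lines):
    """Return (requests, replies): a set of (target, asker) pairs and a
    dict mapping each answered target IP to the MAC address it claimed."""
    requests, replies = set(), {}
    for line in lines:
        m = ARP_REQUEST.search(line)
        if m:
            requests.add((m.group(1), m.group(2)))
            continue
        m = ARP_REPLY.search(line)
        if m:
            replies[m.group(1)] = m.group(2)
    return requests, replies

def diagnose(captures):
    """captures maps a vantage point (host/interface) to its tcpdump lines.
    Returns {target_ip: {vantage: 'answered' | 'unanswered' | 'absent'}}."""
    parsed = {name: parse_arp(lines) for name, lines in captures.items()}
    targets = {t for reqs, _ in parsed.values() for t, _ in reqs}
    report = {}
    for target in sorted(targets):
        row = {}
        for name, (reqs, reps) in parsed.items():
            if target in reps:
                row[name] = "answered"
            elif any(t == target for t, _ in reqs):
                row[name] = "unanswered"
            else:
                row[name] = "absent"
        report[target] = row
    return report

def lost_replies(report):
    """Targets answered on one segment but unanswered on another: the reply
    exists but is dropped before it reaches the bridging interface."""
    return sorted(t for t, row in report.items()
                  if "answered" in row.values() and "unanswered" in row.values())

# Constructed sample input: the two captures quoted in the question.
CAPTURES = {
    "server br0": ["ARP, Request who-has 192.168.0.1 tell 192.168.0.50, length 28"],
    "lab2 enp0s8": ["ARP, Request who-has 192.168.0.1 tell 192.168.0.50, length 46",
                    "ARP, Reply 192.168.0.1 is-at 08:00:27:c8:1c:c7, length 28"],
}
```

Feed `diagnose` the output of `tcpdump -ni <iface> arp` from each host; a target listed by `lost_replies` is one whose reply is generated but never forwarded onto the bridge.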

You should check to see that your VPN server has ipv4 forwarding enabled:

cat /proc/sys/net/ipv4/ip_forward

1=enabled, 0=disabled

Enable it with:

echo 1 > /proc/sys/net/ipv4/ip_forward

To make this setting survive a reboot ensure the following line is in /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Alex Berry
  • Yes, ipv4 forwarding is enabled. Also, I read somewhere that it only affects routing, but not the bridging mode? – jaine Mar 21 '17 at 17:07
  • Yes, but according to your diagram, the two bridges are on two different subnets, so that would require routing. Bridging them onto the same subnet would not require routing. Your first client in your list does not list a route to 192.168.2.0/24, so it would have no method to connect back. To be honest, your network layout is a little confusing to me; I'm not sure why you have two physical subnets and one VPN subnet, why not just one of each? – Alex Berry Mar 21 '17 at 17:26
  • The remote client is in a different subnet to emulate a situation where it connects to the network from "outside". When the VPN connection is open, the remote client has the IP address 192.168.0.50, so shouldn't it then be in the same subnet as the server and the other client? – jaine Mar 21 '17 at 17:38