Hey there,

I'm trying to connect two networks using a bridged OpenVPN (site to site) setup. The OpenVPN server is located within network A and the OpenVPN client in network B. Both networks are connected to the internet via a router. Network A and network B use different subnets. The goal is to "move" all clients of network B (which are connected to server 2's eth1) into network A. All clients of network B should think they are actually in network A. They should get their DHCP leases from the router of network A, be able to communicate with every client within network A, and their internet traffic should look like it has originated from network A.

The machine which is running the OpenVPN server has only one network interface. The OpenVPN client, on the other hand, has two, one connected to the router and the other one to all the clients.

Bridging the tap adapter and the network interface on the OpenVPN server machine works as expected. On the OpenVPN client's machine, I'm using the same up script as on the server with minor modifications to bridge the tap adapter with eth1. Everything seems to work. Clients of network B do get DHCP leases from the router of network A and can communicate with all clients located in network B. But there is one tiny problem: the clients of network B do not add any default routes. When I manually add a default route on the clients of network B through the router of network A (ip route add default via router-a-address-here), the setup works as it should. Clients of network B can then reach the internet through network A.


The OpenVPN guide for Ethernet bridging [1] mentions some iptables rules, which I do not think are necessary, because they did not make any difference.
The up and down scripts used by me originate from [2].

All machines run Debian Buster.

I do know the directive "redirect-gateway def1" can be used to add a default route to the OpenVPN client's machine, but this does not affect the remaining clients of network B.

Do you know why all clients of network B do get DHCP leases of network A but do not add any default routes? Shouldn't they automatically add default routes when getting DHCP leases?


Thank you for your help!


Best
Lorenz

[1] https://openvpn.net/community-resources/ethernet-bridging/#bridge-server-on-linux
[2] https://wiki.archlinux.org/index.php/OpenVPN_Bridge




                Network A                                                Network B

 ------------------      ----------                ----------       ------------------        ----------
 |    Server 1    |------| Router |---- INTERNET --| Router |--eth0 |    Server 2    | eth1---| Client |
 | OpenVPN Server |      ----------                ----------       | OpenVPN Client |     |  ----------
 ------------------          |                                      ------------------     |
                             |                                                            |  ----------
 ------------------          |                                                            |--| Client |
 |     Client     |----------|                                                            |  ----------
 ------------------          |                                                            |
                             |                                                            |  ----------
 ------------------          |                                                            |--| Client |
 |     Client     |----------|                                                               ----------
 ------------------

... ...

client
dev tap
proto udp
remote example.com 1194
resolv-retry infinite
nobind
#user nobody
#group nogroup
persist-key
persist-tun
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
auth SHA512
verb 3

script-security 2
up "client_up br0 eth1"
down "client_down br0 eth1"
down-pre

<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
<tls-auth>
...
</tls-auth>
#!/bin/bash
# client_down: OpenVPN runs this (down-pre) with the arguments given in the
# config, so $1 is the bridge and $2 is the LAN-side interface (eth1)
br=$1
eth=$2
cd /usr/bin/

# release the lease and stop the dhcpcd instance bound to the bridge
dhcpcd -k "$br"

ip link set "$br" down
brctl delbr "$br"

# needed if script is run independently
# but when run through openvpn
# openvpn will do this automatically
#  could also use 'ip tuntap ..'
#openvpn --rmtun --dev $dev

# only if you start dhcpcd and leave it
#  running for eth
#dhcpcd $eth
#!/bin/bash
# client_up: OpenVPN appends its own arguments after the ones in the config,
# so with  up "client_up br0 eth1"  the script receives
#   $1=br0  $2=eth1  $3=<tap device>  $4=<tun mtu>

# switched $2 and $3: here "eth" is the tap device and "dev" is eth1, so the
# tap is the only port in the bridge when dhcpcd runs (see comment below)
br=$1
eth=$3
dev=$2
mtu=$4
cd /usr/bin/

# only if you start dhcpcd and leave it
#  running for eth
#dhcpcd -k $eth

# needed if script is run independently
# but when run through openvpn
# openvpn will do this automatically
#  could also use 'ip tuntap ..'
#openvpn --mktun --dev $dev

brctl addbr "$br"
# set forwarding delay to 0
#  otherwise dhcp called below would timeout
brctl setfd "$br" 0
brctl addif "$br" "$eth"
# order matters here.. right now there is only
#  one mac in the bridge's table
# if there were two.. there is no guarantee
#  which would be passed to the dhcp server
dhcpcd "$br"
brctl addif "$br" "$dev"

ip link set "$eth" up promisc on mtu "$mtu"
ip link set "$dev" up promisc on mtu "$mtu"
port 1194
proto udp
dev tap0

topology subnet
server-bridge

client-to-client
keepalive 10 120
key-direction 0
cipher AES-256-CBC
auth SHA512
compress lz4-v2
push "compress lz4-v2"
max-clients 10
#user nobody
#group nogroup
persist-key
persist-tun
verb 6
mute 20
explicit-exit-notify 1


script-security 2
up "server_up br0 eth0"
down "server_down br0 eth0"
down-pre

<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
<tls-auth>
...
</tls-auth>
<dh>
...
</dh>
#!/bin/bash
# server_down: $1 is the bridge, $2 is the server's single physical interface (eth0)
br=$1
eth=$2
cd /usr/bin/

# release the lease and stop the dhcpcd instance bound to the bridge
dhcpcd -k "$br"

ip link set "$br" down
brctl delbr "$br"

# needed if script is run independently
# but when run through openvpn
# openvpn will do this automatically
#  could also use 'ip tuntap ..'
#openvpn --rmtun --dev $dev

# only if you start dhcpcd and leave it
#  running for eth
# give eth0 its own address back now that the bridge is gone
dhcpcd "$eth"
#!/bin/bash
# server_up: with  up "server_up br0 eth0"  OpenVPN passes
#   $1=br0  $2=eth0  $3=<tap device>  $4=<tun mtu>
br=$1
eth=$2
dev=$3
mtu=$4
cd /usr/bin/

# only if you start dhcpcd and leave it
#  running for eth
# eth0 has to give up its address before it becomes a bridge port
dhcpcd -k "$eth"

# needed if script is run independently
# but when run through openvpn
# openvpn will do this automatically
#  could also use 'ip tuntap ..'
#openvpn --mktun --dev $dev

brctl addbr "$br"
# set forwarding delay to 0
#  otherwise dhcp called below would timeout
brctl setfd "$br" 0
brctl addif "$br" "$eth"
# order matters here.. right now there is only
#  one mac in the bridge's table
# if there were two.. there is no guarantee
#  which would be passed to the dhcp server
dhcpcd "$br"
brctl addif "$br" "$dev"

ip link set "$eth" up promisc on mtu "$mtu"
ip link set "$dev" up promisc on mtu "$mtu"
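Whether a DHCP client installs a default route depends on the options in the server's reply: option 3 (Router) is what carries the default gateway, and a client that receives an ACK without it configures an address but no default route. The following Python script is an added example (not from Lorenz's post, the Arch wiki scripts or OpenVPN) that parses any DHCP message (not only an ACK) and reports which options are present. The two replies it decodes are constructed inline with RFC 5737 documentation addresses; in practice you would feed it the UDP payload of a DHCPACK captured on br0, and compare what the network A router actually sends with what the clients behind eth1 receive.

```python
import struct

# DHCP message layout (RFC 2131): 236-byte BOOTP header, magic cookie, then TLV options
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID = 51, 53, 54
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: value_bytes} for a raw DHCP message (UDP payload).

    Repeated options are concatenated as RFC 3396 requires; PAD is skipped and
    END stops parsing. Truncated TLVs raise instead of being silently ignored.
    """
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or missing magic cookie)")
    opts: dict = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def ipv4_list(raw: bytes) -> list:
    """Decode a run of 4-byte IPv4 addresses (trailing partial bytes are ignored)."""
    return [".".join(str(b) for b in raw[j:j + 4]) for j in range(0, len(raw) - len(raw) % 4, 4)]


def lease_summary(payload: bytes) -> dict:
    """Summarise what a client would configure from this reply."""
    opts = parse_dhcp_options(payload)
    routers = ipv4_list(opts.get(OPT_ROUTER, b""))
    lease = opts.get(OPT_LEASE_TIME)
    return {
        "message_type": MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\x00")[0], "UNKNOWN"),
        "yiaddr": ".".join(str(b) for b in payload[16:20]),  # 'your' IP address field
        "subnet_mask": (ipv4_list(opts.get(OPT_SUBNET_MASK, b"")) or [None])[0],
        "routers": routers,
        "dns": ipv4_list(opts.get(OPT_DNS, b"")),
        "lease_seconds": struct.unpack("!I", lease)[0] if lease and len(lease) == 4 else None,
        # no option 3 means the client gets an address but installs no default route
        "has_default_route": bool(routers),
    }


def ip4(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def build_ack(yiaddr: str, options: list) -> bytes:
    """Build a constructed DHCPACK (BOOTP header + cookie + options) for testing."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6      # op=BOOTREPLY, htype=Ethernet, hlen=6
    hdr[4:8] = b"\x12\x34\x56\x78"        # xid, constructed value
    hdr[16:20] = ip4(yiaddr)
    body = bytearray(MAGIC_COOKIE)
    for code, value in options:
        body += bytes([code, len(value)]) + value
    body += bytes([OPT_END])
    return bytes(hdr + body)


# Two constructed replies using RFC 5737 documentation addresses (not real hosts):
# a complete lease, and one lacking option 3, which leaves the client without a default route.
ACK_WITH_ROUTER = build_ack("192.0.2.50", [
    (OPT_MSG_TYPE, b"\x05"),
    (OPT_SERVER_ID, ip4("192.0.2.1")),
    (OPT_LEASE_TIME, struct.pack("!I", 86400)),
    (OPT_SUBNET_MASK, ip4("255.255.255.0")),
    (OPT_ROUTER, ip4("192.0.2.1")),
    (OPT_DNS, ip4("192.0.2.1") + ip4("198.51.100.53")),
])
ACK_WITHOUT_ROUTER = build_ack("192.0.2.51", [
    (OPT_MSG_TYPE, b"\x05"),
    (OPT_SERVER_ID, ip4("192.0.2.1")),
    (OPT_LEASE_TIME, struct.pack("!I", 86400)),
    (OPT_SUBNET_MASK, ip4("255.255.255.0")),
])

if __name__ == "__main__":
    for label, pkt in (("complete lease", ACK_WITH_ROUTER), ("lease without option 3", ACK_WITHOUT_ROUTER)):
        s = lease_summary(pkt)
        print(f"{label}: {s['message_type']} {s['yiaddr']}/{s['subnet_mask']} "
              f"routers={s['routers']} default route: {s['has_default_route']}")
```

Running the script prints a one-line summary per reply; the second one shows `routers=[]` and `default route: False`, which is the shape of lease that would explain clients getting an address from network A but no default route. The parser deliberately rejects truncated options rather than skipping them, so a mangled capture is reported instead of producing a misleading "no router" result.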
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users