
My environment:

  • The host PC runs Windows 11 with VMware.
  • There is a virtual machine (Ubuntu 22.04.3 LTS) in VMware with a bridged virtual network card. Networking and Internet access work fine on that VM.
  • The VM has IP 192.168.0.101 on my internal network.
  • OpenVPN is running in the VM on port 1194.
  • Port forwarding for external port 1194 is set up on my router to IP 192.168.0.101 port 1194.
  • The OpenVPN config is:
;local a.b.c.d
port 1194

proto tcp
;proto udp

dev tap1
;dev tun

;dev-node MyTap

ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh.pem

topology subnet

;server 192.168.1.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
server-bridge 192.168.0.101 255.255.255.0 192.168.0.10 192.168.0.80
;server-bridge

;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

;client-config-dir ccd
;route 192.168.0.0 255.255.255.0

;client-config-dir ccd
;route 10.9.0.0 255.255.255.252

;learn-address ./script

;push "redirect-gateway def1 bypass-dhcp"

;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

;client-to-client

;duplicate-cn

keepalive 10 120

;tls-auth ta.key 0 # This file is secret

tls-crypt ta.key

cipher AES-256-CBC

;compress lz4-v2
;push "compress lz4-v2"
;comp-lzo
;max-clients 100
;user nobody
;group nobody

persist-key
persist-tun

status /var/log/openvpn/openvpn-status.log

log         /var/log/openvpn/openvpn.log
;log-append  /var/log/openvpn/openvpn.log

verb 3

;mute 20
;explicit-exit-notify 1

When I start OpenVPN without the bridge (bridge-start), the client (a Windows 10 notebook) can connect but can't ping internal IPs, for example 192.168.0.101 or 192.168.0.1. The server's ifconfig at that moment is

ens33: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.168.0.101  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::20c:29ff:feb0:e3db  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b0:e3:db  txqueuelen 1000  (Ethernet)
        RX packets 253076  bytes 31066696 (31.0 MB)
        RX errors 0  dropped 44  overruns 0  frame 0
        TX packets 36565  bytes 4552858 (4.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 9652  bytes 9347692 (9.3 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9652  bytes 9347692 (9.3 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The client connection log is

2023-08-30 00:11:46 NOTE: --user option is not implemented on Windows
2023-08-30 00:11:46 NOTE: --group option is not implemented on Windows
2023-08-30 00:11:46 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). OpenVPN ignores --cipher for cipher negotiations. 
2023-08-30 00:11:46 Note: dev-type not tun, disabling data channel offload.
2023-08-30 00:11:46 OpenVPN 2.6.6 [git:v2.6.6/c9540130121bfc21] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Aug 15 2023
2023-08-30 00:11:46 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-08-30 00:11:46 library versions: OpenSSL 3.1.2 1 Aug 2023, LZO 2.10
2023-08-30 00:11:46 DCO version: v0
2023-08-30 00:11:46 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2023-08-30 00:11:46 Need hold release from management interface, waiting...
2023-08-30 00:11:46 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:64082
2023-08-30 00:11:46 MANAGEMENT: CMD 'state on'
2023-08-30 00:11:46 MANAGEMENT: CMD 'log on all'
2023-08-30 00:11:46 MANAGEMENT: CMD 'echo on all'
2023-08-30 00:11:46 MANAGEMENT: CMD 'bytecount 5'
2023-08-30 00:11:46 MANAGEMENT: CMD 'state'
2023-08-30 00:11:46 MANAGEMENT: CMD 'hold off'
2023-08-30 00:11:46 MANAGEMENT: CMD 'hold release'
2023-08-30 00:11:46 MANAGEMENT: >STATE:1693343506,RESOLVE,,,,,,
2023-08-30 00:11:47 TCP/UDP: Preserving recently used remote address: [AF_INET]178.204.152.65:1194
2023-08-30 00:11:47 Socket Buffers: R=[65536->65536] S=[65536->65536]
2023-08-30 00:11:47 Attempting to establish TCP connection with [AF_INET]178.204.152.65:1194
2023-08-30 00:11:47 MANAGEMENT: >STATE:1693343507,TCP_CONNECT,,,,,,
2023-08-30 00:11:47 TCP connection established with [AF_INET]178.204.152.65:1194
2023-08-30 00:11:47 TCPv4_CLIENT link local: (not bound)
2023-08-30 00:11:47 TCPv4_CLIENT link remote: [AF_INET]178.204.152.65:1194
2023-08-30 00:11:47 MANAGEMENT: >STATE:1693343507,WAIT,,,,,,
2023-08-30 00:11:47 MANAGEMENT: >STATE:1693343507,AUTH,,,,,,
2023-08-30 00:11:47 TLS: Initial packet from [AF_INET]178.204.152.65:1194, sid=cbb3d817 e15dfba7
2023-08-30 00:11:47 VERIFY OK: depth=1, CN=Easy-RSA CA
2023-08-30 00:11:47 VERIFY KU OK
2023-08-30 00:11:47 Validating certificate extended key usage
2023-08-30 00:11:47 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-08-30 00:11:47 VERIFY EKU OK
2023-08-30 00:11:47 VERIFY OK: depth=0, CN=server
2023-08-30 00:11:47 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-08-30 00:11:47 [server] Peer Connection Initiated with [AF_INET]178.204.152.65:1194
2023-08-30 00:11:47 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-08-30 00:11:47 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-08-30 00:11:47 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.0.101,ping 10,ping-restart 120,ifconfig 192.168.0.10 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2023-08-30 00:11:47 OPTIONS IMPORT: --ifconfig/up options modified
2023-08-30 00:11:47 OPTIONS IMPORT: route-related options modified
2023-08-30 00:11:47 interactive service msg_channel=760
2023-08-30 00:11:47 open_tun
2023-08-30 00:11:47 tap-windows6 device [Local Area Connection] opened
2023-08-30 00:11:47 TAP-Windows Driver Version 9.26 
2023-08-30 00:11:47 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.0.10/255.255.255.0 on interface {4E7E51BA-DA46-4527-9AAB-37CD543B55E9} [DHCP-serv: 192.168.0.0, lease-time: 31536000]
2023-08-30 00:11:47 Successful ARP Flush on interface [12] {4E7E51BA-DA46-4527-9AAB-37CD543B55E9}
2023-08-30 00:11:47 MANAGEMENT: >STATE:1693343507,ASSIGN_IP,,192.168.0.10,,,,
2023-08-30 00:11:47 IPv4 MTU set to 1500 on interface 12 using service
2023-08-30 00:11:47 Data Channel: cipher 'AES-256-GCM', peer-id: 0
2023-08-30 00:11:47 Timers: ping 10, ping-restart 120
2023-08-30 00:11:52 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
2023-08-30 00:11:52 Initialization Sequence Completed
2023-08-30 00:11:52 MANAGEMENT: >STATE:1693343512,CONNECTED,SUCCESS,192.168.0.10,178.204.152.65,1194,192.168.8.102,64083

Routes on the client at that moment:

C:\Windows\system32>route print
===========================================================================
Interface List
 17...a0 48 1c 11 ee 19 ......Realtek PCIe FE Family Controller
 10...........................Wintun Userspace Tunnel
 12...00 ff 4e 7e 51 ba ......TAP-Windows Adapter V9
 24...........................OpenVPN Data Channel Offload
 15...ae 15 a2 5c 31 dc ......Microsoft Wi-Fi Direct Virtual Adapter
  7...ac 15 a2 5c 31 dc ......Microsoft Wi-Fi Direct Virtual Adapter #2
 20...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
  6...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
 23...ac 15 a2 5c 31 dc ......TP-Link Wireless MU-MIMO USB Adapter
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.8.1    192.168.8.102     55
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.0.0    255.255.255.0         On-link      192.168.0.10    281
     192.168.0.10  255.255.255.255         On-link      192.168.0.10    281
    192.168.0.255  255.255.255.255         On-link      192.168.0.10    281
      192.168.8.0    255.255.255.0         On-link     192.168.8.102    311
    192.168.8.102  255.255.255.255         On-link     192.168.8.102    311
    192.168.8.255  255.255.255.255         On-link     192.168.8.102    311
    192.168.137.0    255.255.255.0         On-link     192.168.137.1    291
    192.168.137.1  255.255.255.255         On-link     192.168.137.1    291
  192.168.137.255  255.255.255.255         On-link     192.168.137.1    291
    192.168.159.0    255.255.255.0         On-link     192.168.159.1    291
    192.168.159.1  255.255.255.255         On-link     192.168.159.1    291
  192.168.159.255  255.255.255.255         On-link     192.168.159.1    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.137.1    291
        224.0.0.0        240.0.0.0         On-link     192.168.159.1    291
        224.0.0.0        240.0.0.0         On-link      192.168.0.10    281
        224.0.0.0        240.0.0.0         On-link     192.168.8.102    311
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.137.1    291
  255.255.255.255  255.255.255.255         On-link     192.168.159.1    291
  255.255.255.255  255.255.255.255         On-link      192.168.0.10    281
  255.255.255.255  255.255.255.255         On-link     192.168.8.102    311
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 23     71 ::/0                     fe80::80fe:5cff:fe1a:6b7e
  1    331 ::1/128                  On-link
 20    291 fe80::/64                On-link
  6    291 fe80::/64                On-link
 12    281 fe80::/64                On-link
 23    311 fe80::/64                On-link
 20    291 fe80::4c1d:375c:cbea:5ad7/128
                                    On-link
 12    281 fe80::5544:4ad8:c313:3fa1/128
                                    On-link
 23    311 fe80::cd04:f255:5713:496b/128
                                    On-link
  6    291 fe80::e8d0:ed33:cc54:3fb0/128
                                    On-link
  1    331 ff00::/8                 On-link
 20    291 ff00::/8                 On-link
  6    291 ff00::/8                 On-link
 12    281 ff00::/8                 On-link
 23    311 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

C:\Windows\system32>

The bridge-start script in my case is

#!/bin/bash

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap1"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="ens33"
eth_ip="192.168.0.101"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"

for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

But when I enable the bridge with

sudo systemctl stop openvpn@server
sudo ./bridge-start
sudo systemctl start openvpn@server

my client is unable to connect to my OpenVPN server. The server's ifconfig at that moment is

br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.101  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::6063:77ff:fed1:c82c  prefixlen 64  scopeid 0x20<link>
        ether 62:63:77:d1:c8:2c  txqueuelen 1000  (Ethernet)
        RX packets 699  bytes 65111 (65.1 KB)
        RX errors 0  dropped 1  overruns 0  frame 0
        TX packets 264  bytes 26276 (26.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet6 fe80::20c:29ff:feb0:e3db  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b0:e3:db  txqueuelen 1000  (Ethernet)
        RX packets 266676  bytes 32685829 (32.6 MB)
        RX errors 0  dropped 47  overruns 0  frame 0
        TX packets 38148  bytes 4725224 (4.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 9652  bytes 9347692 (9.3 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9652  bytes 9347692 (9.3 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tap1: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet6 fe80::f064:fdff:fe0b:edde  prefixlen 64  scopeid 0x20<link>
        ether f2:64:fd:0b:ed:de  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 33  bytes 13177 (13.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

and the client is stuck at

2023-08-30 00:20:27 NOTE: --user option is not implemented on Windows
2023-08-30 00:20:27 NOTE: --group option is not implemented on Windows
2023-08-30 00:20:27 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). OpenVPN ignores --cipher for cipher negotiations. 
2023-08-30 00:20:27 Note: dev-type not tun, disabling data channel offload.
2023-08-30 00:20:27 OpenVPN 2.6.6 [git:v2.6.6/c9540130121bfc21] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Aug 15 2023
2023-08-30 00:20:27 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-08-30 00:20:27 library versions: OpenSSL 3.1.2 1 Aug 2023, LZO 2.10
2023-08-30 00:20:27 DCO version: v0
2023-08-30 00:20:27 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2023-08-30 00:20:27 Need hold release from management interface, waiting...
2023-08-30 00:20:27 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:49309
2023-08-30 00:20:27 MANAGEMENT: CMD 'state on'
2023-08-30 00:20:27 MANAGEMENT: CMD 'log on all'
2023-08-30 00:20:27 MANAGEMENT: CMD 'echo on all'
2023-08-30 00:20:27 MANAGEMENT: CMD 'bytecount 5'
2023-08-30 00:20:27 MANAGEMENT: CMD 'state'
2023-08-30 00:20:27 MANAGEMENT: CMD 'hold off'
2023-08-30 00:20:27 MANAGEMENT: CMD 'hold release'
2023-08-30 00:20:27 MANAGEMENT: >STATE:1693344027,RESOLVE,,,,,,
2023-08-30 00:20:28 TCP/UDP: Preserving recently used remote address: [AF_INET]178.204.152.65:1194
2023-08-30 00:20:28 Socket Buffers: R=[65536->65536] S=[65536->65536]
2023-08-30 00:20:28 Attempting to establish TCP connection with [AF_INET]178.204.152.65:1194
2023-08-30 00:20:28 MANAGEMENT: >STATE:1693344028,TCP_CONNECT,,,,,,

It looks like I set it up according to the documentation, but with the bridge enabled the client is unable to connect to OpenVPN. Please tell me what I am missing.
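The bridging-related directives of a server.conf can be sanity-checked before any bridge script is touched. The linter below is an added example for this page; it is not part of OpenVPN and not the asker's or answerer's code. It checks that `dev` is a tap device, that the `server-bridge` pool lies inside the LAN subnet, excludes the server's own address and does not overlap the router's DHCP range, and flags a CBC `cipher` with no `data-ciphers` line, which is the condition the `DEPRECATED OPTION` line in the client log above reports. The router's DHCP range (192.168.0.200 to 192.168.0.250) is an assumption, since the question does not state it; the two embedded configs are the relevant lines quoted from the question's config above and from the answer below.

```shell
#!/bin/sh
# server-bridge-lint: sanity-check the bridging-related directives of an OpenVPN server.conf.
# Added example for this page; not part of OpenVPN and not the asker's or answerer's code.
# POSIX sh (dash or bash), no external tools.
#
# Assumption, not stated on the page: the LAN router hands out DHCP leases from
# 192.168.0.200 to 192.168.0.250. The server-bridge pool must stay outside that range,
# otherwise the router and OpenVPN can hand the same address to two machines.
LAN_DHCP_START=${LAN_DHCP_START:-192.168.0.200}
LAN_DHCP_END=${LAN_DHCP_END:-192.168.0.250}

# ip2int 192.168.0.10 -> 3232235530: dotted quad as a 32-bit integer for range arithmetic
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# conf_value "<config text>" <directive>: arguments of the first active line for <directive>;
# lines commented out with ';' or '#' never match because their first word differs
conf_value() {
    printf '%s\n' "$1" | while read -r key rest; do
        if [ "$key" = "$2" ]; then printf '%s\n' "$rest"; break; fi
    done
}

# lint_server_bridge "<config text>": one finding per line on stdout, exit status = number of findings
lint_server_bridge() {
    conf=$1; n=0
    dev=$(conf_value "$conf" dev)
    case "$dev" in
        tap*) ;;
        *) echo "dev is '$dev': server-bridge needs a tap device, not tun"; n=$((n + 1)) ;;
    esac
    set -- $(conf_value "$conf" server-bridge)
    if [ "$#" -ne 4 ]; then
        echo "server-bridge needs 4 arguments (gateway netmask pool-start pool-end), found $#"
        return $((n + 1))
    fi
    gw=$(ip2int "$1"); mask=$(ip2int "$2"); lo=$(ip2int "$3"); hi=$(ip2int "$4")
    net=$(( gw & mask )); bcast=$(( net | (mask ^ 4294967295) ))
    if [ $(( lo > hi )) -ne 0 ]; then
        echo "pool start $3 is above pool end $4"; n=$((n + 1))
    fi
    if [ $(( lo <= net || hi >= bcast )) -ne 0 ]; then
        echo "pool $3-$4 is not inside $1/$2 (network and broadcast addresses excluded)"; n=$((n + 1))
    fi
    if [ $(( gw >= lo && gw <= hi )) -ne 0 ]; then
        echo "server address $1 lies inside its own pool"; n=$((n + 1))
    fi
    dlo=$(ip2int "$LAN_DHCP_START"); dhi=$(ip2int "$LAN_DHCP_END")
    if [ $(( lo <= dhi && hi >= dlo )) -ne 0 ]; then
        echo "pool $3-$4 overlaps the LAN DHCP range $LAN_DHCP_START-$LAN_DHCP_END"; n=$((n + 1))
    fi
    # Same condition the client log reports as DEPRECATED OPTION: a CBC cipher that is not
    # listed in data-ciphers is ignored by OpenVPN 2.5+ during cipher negotiation.
    cipher=$(conf_value "$conf" cipher)
    case "$cipher" in
        *-CBC) if [ -z "$(conf_value "$conf" data-ciphers)" ]; then
                   echo "cipher $cipher without data-ciphers: ignored for negotiation, use AES-256-GCM or add data-ciphers"
                   n=$((n + 1))
               fi ;;
    esac
    return $n
}

# Bridging-relevant lines quoted from the question's config (above) and the answer's (below).
QUESTION_CONF='port 1194
proto tcp
dev tap1
;dev tun
topology subnet
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
server-bridge 192.168.0.101 255.255.255.0 192.168.0.10 192.168.0.80
tls-crypt ta.key
cipher AES-256-CBC'
ANSWER_CONF='port 1194
proto tcp
dev tap0
server-bridge 192.168.0.101 255.255.255.0 192.168.0.151 192.168.0.170
client-to-client
tls-crypt ta.key
cipher AES-256-GCM'

# Usage: ./server-bridge-lint /etc/openvpn/server.conf ; with no argument it lints the two samples
if [ "$#" -eq 1 ]; then
    lint_server_bridge "$(cat "$1")"
else
    for c in "$QUESTION_CONF" "$ANSWER_CONF"; do
        lint_server_bridge "$c" && echo "OK"
        echo "---"
    done
fi
```

Run with no argument to lint the two embedded samples, or pass the path of a server.conf. Override LAN_DHCP_START and LAN_DHCP_END in the environment to match the router's actual lease range.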


Solved.

First, check that you have bridge-utils installed on your server.

After that, change /etc/openvpn/server.conf to

port 1194
proto tcp
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
remote-cert-tls client
server-bridge 192.168.0.101 255.255.255.0 192.168.0.151 192.168.0.170
client-to-client
keepalive 10 120
tls-crypt ta.key
cipher AES-256-GCM
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
verb 3 

For example:

  • Free IP address for the Linux VM: 192.168.5.100
  • Subnet mask (netmask): 255.255.255.0 (/24 following the free IP address in CIDR notation)
  • Broadcast address: 192.168.5.255
  • Router's IP address: 192.168.5.1
  • VM's MAC address: 08:00:27:e7:0e:0a (found in the VM's network settings)

Create file /etc/openvpn/openvpn-bridge with content

#!/bin/sh
# openvpn-bridge: enslave the physical NIC and the OpenVPN TAP device(s) to one Linux
# bridge (start), or tear the bridge down and hand the address back to the NIC (stop).
# Requires bridge-utils (brctl) and iproute2 (ip); run as root.

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="ens33"
eth_ip_netmask="192.168.5.100/24"
eth_broadcast="192.168.5.255"
eth_gateway="192.168.5.1"
eth_mac="08:00:27:e7:0e:0a"

case "$1" in
start)
    # Create persistent TAP devices for OpenVPN to attach to
    for t in $tap; do
        openvpn --mktun --dev "$t"
    done

    brctl addbr "$br"
    brctl addif "$br" "$eth"

    for t in $tap; do
        brctl addif "$br" "$t"
    done

    # Bridge ports carry no addresses of their own; promiscuous mode lets them forward every frame
    for t in $tap; do
        ip addr flush dev "$t"
        ip link set "$t" promisc on up
    done

    # Flushing the NIC also drops its routes, including the default route; it is re-added below
    ip addr flush dev "$eth"
    ip link set "$eth" promisc on up

    # The bridge takes over the NIC's address and MAC, so the LAN still sees the same host
    ip addr add "$eth_ip_netmask" broadcast "$eth_broadcast" dev "$br"
    ip link set "$br" address "$eth_mac"
    ip link set "$br" up

    # "replace" rather than "add" so a leftover default route does not make this step fail
    ip route replace default via "$eth_gateway"
    ;;
stop)
    ip link set "$br" down
    brctl delbr "$br"

    for t in $tap; do
        openvpn --rmtun --dev "$t"
    done

    # Give the address and the default route back to the bare NIC
    ip link set "$eth" promisc off up
    ip addr add "$eth_ip_netmask" broadcast "$eth_broadcast" dev "$eth"

    ip route replace default via "$eth_gateway"
    ;;
*)
    echo "Usage:  openvpn-bridge {start|stop}"
    exit 1
    ;;
esac
exit 0

Edit the four lines beginning with eth_ip_netmask, eth_broadcast, eth_gateway and eth_mac. Those four variables must be set equal to the free IP address for the Linux VM and its subnet mask, broadcast address, router's IP address, and VM's MAC address, respectively, in quotes as shown.

Make the script executable by entering

chmod 744 /etc/openvpn/openvpn-bridge

We need to tell OpenVPN to make use of our “openvpn-bridge” script. Enter

nano /lib/systemd/system/openvpn@.service

Copy these two lines:

ExecStartPre=/etc/openvpn/openvpn-bridge start
ExecStopPost=/etc/openvpn/openvpn-bridge stop

and paste them at the bottom of the [Service] section.

Exit and save. Reboot the VM by entering

reboot

The OpenVPN server will be running at boot, i.e., no user login is required.

Source: https://www.emaculation.com/doku.php/bridged_openvpn_server_setup
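The openvpn-bridge script above differs from the question's bridge-start in two places: it re-adds the default route after the NIC's addresses are flushed, and it pins the bridge's MAC address to the NIC's. The checker below is an added example, neither the answer's script nor OpenVPN tooling; it verifies those post-conditions from iproute2 output before openvpn@server is restarted: both ports enslaved to br0, the LAN address on br0 and no longer on ens33, a default route via the gateway through br0, and matching MACs on br0 and ens33. The check functions take command output as text so they can be exercised on captured samples; the embedded GOOD_* and BAD_* samples are constructed, not captured from the page's host, with the BAD set modelled on the question's post-bridge ifconfig output (bridge MAC 62:63:77:d1:c8:2c differing from ens33's, tap1) plus a route table with no default route. Interface names default to br0, ens33 and tap0 and can be overridden through the BR, ETH and TAP environment variables.

```shell
#!/bin/sh
# bridge-state-check: verify what the openvpn-bridge script must leave behind: NIC and TAP
# enslaved to the bridge, the LAN address on the bridge (none on the NIC), the default route
# restored through the bridge, and the bridge MAC pinned to the NIC's.
# Added example for this page; not OpenVPN tooling and not the answer's script.
# Every check takes iproute2 output as text; `live` feeds it the real `ip` output. POSIX sh.

BR=${BR:-br0}; ETH=${ETH:-ens33}; TAP=${TAP:-tap0}

# mac_of "<ip -o link output>" <ifname>: link-layer address of one interface
mac_of() {
    printf '%s\n' "$1" | sed -n "s/^[0-9]*: $2: .*link\/ether \([0-9a-f:]*\).*/\1/p"
}

# ports_ok "<ip -o link output>": the NIC and the TAP must both show "master $BR"
ports_ok() {
    for dev in "$ETH" "$TAP"; do
        printf '%s\n' "$1" | grep -q "^[0-9]*: $dev: .* master $BR " \
            || { echo "$dev is not enslaved to $BR"; return 1; }
    done
}

# addr_ok "<ip -o -4 addr output>" <ip/prefix>: LAN address on the bridge, none left on the NIC
addr_ok() {
    printf '%s\n' "$1" | grep -q "^[0-9]*: $BR  *inet $2 " \
        || { echo "$BR does not carry $2"; return 1; }
    printf '%s\n' "$1" | grep -q "^[0-9]*: $ETH  *inet " \
        && { echo "$ETH still has an IPv4 address; the bridge owns it now"; return 1; }
    return 0
}

# route_ok "<ip route output>" <gateway>: the default route is the reply path to remote clients
route_ok() {
    printf '%s\n' "$1" | grep -q "^default via $2 dev $BR" \
        || { echo "no default route via $2 through $BR (no reply path to remote clients)"; return 1; }
}

# mac_ok "<ip -o link output>": bridge MAC equals NIC MAC, so the VM keeps its LAN identity
mac_ok() {
    b=$(mac_of "$1" "$BR"); e=$(mac_of "$1" "$ETH")
    [ -n "$b" ] && [ "$b" = "$e" ] \
        || { echo "$BR MAC ($b) differs from $ETH MAC ($e)"; return 1; }
}

# check_all "<ip -o link>" "<ip -o -4 addr>" "<ip route>" <ip/prefix> <gateway>
# prints one line per finding; exit status 0 only when every check passes
check_all() {
    rc=0
    ports_ok "$1" || rc=1
    addr_ok "$2" "$4" || rc=1
    route_ok "$3" "$5" || rc=1
    mac_ok "$1" || rc=1
    return $rc
}

# live <ip/prefix> <gateway>: run the checks on this host
live() { check_all "$(ip -o link)" "$(ip -o -4 addr)" "$(ip route)" "$1" "$2"; }

# Constructed samples, not captured from the page's host. GOOD_* is the state the answer's
# script should produce; BAD_* mirrors the question's post-bridge ifconfig (bridge MAC
# 62:63:77:d1:c8:2c, NIC MAC 00:0c:29:b0:e3:db, tap1) with a route table lacking a default route.
GOOD_LINK='2: ens33: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP mode DEFAULT group default qlen 1000\    link/ether 00:0c:29:b0:e3:db brd ff:ff:ff:ff:ff:ff
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 00:0c:29:b0:e3:db brd ff:ff:ff:ff:ff:ff
4: tap0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UNKNOWN mode DEFAULT group default qlen 1000\    link/ether f2:64:fd:0b:ed:de brd ff:ff:ff:ff:ff:ff'
GOOD_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
3: br0    inet 192.168.0.101/24 brd 192.168.0.255 scope global br0\       valid_lft forever preferred_lft forever'
GOOD_ROUTE='default via 192.168.0.1 dev br0
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.101'
BAD_LINK='2: ens33: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP mode DEFAULT group default qlen 1000\    link/ether 00:0c:29:b0:e3:db brd ff:ff:ff:ff:ff:ff
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 62:63:77:d1:c8:2c brd ff:ff:ff:ff:ff:ff
4: tap1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UNKNOWN mode DEFAULT group default qlen 1000\    link/ether f2:64:fd:0b:ed:de brd ff:ff:ff:ff:ff:ff'
BAD_ADDR=$GOOD_ADDR
BAD_ROUTE='192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.101'

# Usage: ./bridge-state-check 192.168.0.101/24 192.168.0.1   (run after openvpn-bridge start)
if [ "$#" -eq 2 ]; then
    live "$1" "$2"
fi
```

Run it right after `openvpn-bridge start` and before `systemctl start openvpn@server`; a non-zero exit with a finding on the route line means the server has no path back to the Internet even though br0 carries the LAN address.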
