OpenVPN bridge: remote clients don’t see local

openvpn

Rough solution:

iptables -A FORWARD -i br200 -j ACCEPT
iptables -A FORWARD -o br200 -j ACCEPT

I still don't understand what's happening. Bridging is done at L2; iptables shouldn't touch those packets.


Configuration:

Debian 6.0 Squeeze

OpenVPN 2.2.1(from backports)

My task is to connect remote clients with the local network on the data link layer, so that they stay in one broadcast domain and have the same network/netmask as the local clients. I'm using TAP interfaces and bridging. All related interfaces (ethernet (local network), TAP (VPN) and bridge) are set to promiscuous mode. Network/netmask is 172.20.200.0/24. Server address is 172.20.200.2.

Both local and remote clients can ping the server, but there is no connection between local and remote clients. Using the packet capturing program tshark on the server (tshark -i br200 -f "icmp") I see ICMP echo requests from the remote client to the local one. On the local client I don't see those requests (using Wireshark). Moreover, the local client has the remote client's entry in its ARP cache, and the remote client has the local client's entry in its ARP cache. So they see each other at the data link layer. But they just can't ping each other! Firewall and antivirus are disabled on both clients. Where is the problem? I don't understand.

/etc/network/interfaces

# VLAN 200 on the bond; no IP address of its own, it is only a bridge port
auto bond0.200
iface bond0.200 inet manual
        vlan_raw_device bond0
        up ifconfig bond0.200 0.0.0.0 promisc up

# The bridge carries the server address; tap200 is added to it by bridge-start
auto br200
iface br200 inet static
        bridge_ports bond0.200
        bridge_stp off
        bridge_fd 1
        address 172.20.200.2
        netmask 255.255.255.0
        post-up ifconfig br200 promisc

/etc/openvpn/server.conf

mode server
tls-server
port *****
proto tcp-server
# TAP (layer 2) device; bridge-start adds it to br200
dev tap200

# required so that the up/down scripts below are allowed to run
script-security 2

up /etc/openvpn/bridge-start
down /etc/openvpn/bridge-stop

ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
#crl-verify crl.pem

auth sha1
cipher AES-256-CBC

; !!!
; comp-lzo

tun-mtu 1500
mssfix 1450

client-config-dir /etc/openvpn/ccd
ccd-exclusive

client-to-client
keepalive 10 120

persist-key
persist-tun

status /var/log/openvpn/server-arm.status
log-append  /var/log/openvpn/server-arm.log

/etc/openvpn/ccd/client-arm23

ifconfig-push 172.20.200.132 255.255.255.0

/etc/openvpn/bridge-start

#!/bin/bash
#set -x
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

br="br200"
tap="tap200"

openvpn --mktun --dev $tap
ifconfig $tap 0.0.0.0 promisc up

brctl addif $br $tap

exit 0

/etc/openvpn/bridge-stop

#!/bin/bash
#set -x
####################################
# Tear Down Ethernet bridge on Linux
####################################

br="br200"
tap="tap200"

brctl delif $br $tap

openvpn --rmtun --dev $tap

exit 0

MTU and MRU on all interfaces coincide.

bond0.200 is a VLAN device over a bond device. Maybe this causes errors in some strange way?
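What makes L2 bridged traffic subject to iptables is the Linux bridge-netfilter code: while net.bridge.bridge-nf-call-iptables is 1, IPv4 frames being bridged between tap200 and bond0.200 are handed to the iptables FORWARD chain, so a DROP policy or rule there stops them even though nothing is being routed. ARP is governed by a separate knob (bridge-nf-call-arptables), which is why the ARP caches fill while the pings vanish. The script below is an added example, not code from the question or the answer. It reads the relevant knobs and prints FORWARD rules scoped with the physdev match, which is narrower than the blanket "-i br200 -j ACCEPT" rules: those also accept packets routed from br200 to any other interface once ip_forward is on. The bridge and TAP names are the ones from the question; SYSCTL_ROOT is an assumed override so the checks can be pointed at a test directory, and the port 445 restriction is a hypothetical illustration of what keeping bridge-nf enabled buys you.

```shell
#!/bin/sh
# Added example (not code from the question or the answer): diagnose why
# frames bridged through br200 hit iptables, and print scoped FORWARD rules.
# Assumes the bridge br200 with ports bond0.200 and tap200 from the question.
# SYSCTL_ROOT is a hypothetical override for testing against a fake /proc/sys.

BR=${BR:-br200}
TAP=${TAP:-tap200}
SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}

# read_knob net.foo.bar -> value of $SYSCTL_ROOT/net/foo/bar, or "absent"
# when the knob does not exist (the bridge-nf knobs are absent when
# br_netfilter is not loaded, and then bridged frames never reach iptables).
read_knob() {
    f="$SYSCTL_ROOT/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo absent
    fi
}

# Exit 0 when bridged IPv4 frames are passed to the iptables FORWARD chain.
# ARP has its own knob (bridge-nf-call-arptables), so ARP caches can fill
# while IPv4 traffic between the same two hosts is dropped.
bridge_nf_filters_ipv4() {
    [ "$(read_knob net.bridge.bridge-nf-call-iptables)" = 1 ]
}

# One-line diagnosis of the current state.
explain() {
    if bridge_nf_filters_ipv4; then
        echo "bridge-nf-call-iptables=1: frames bridged through $BR traverse iptables FORWARD, so its policy and rules apply"
    else
        echo "bridged IPv4 frames bypass iptables; net.ipv4.ip_forward=$(read_knob net.ipv4.ip_forward) affects routed traffic only"
    fi
}

# Accept only frames actually bridged within $BR. For a bridged frame
# iptables sees the bridge as both -i and -o, and --physdev-is-bridged
# excludes packets routed off the bridge, which "-i br200 -j ACCEPT" alone
# would also have accepted.
forward_rules() {
    printf 'iptables -A FORWARD -i %s -o %s -m physdev --physdev-is-bridged -j ACCEPT\n' "$BR" "$BR"
}

# Example of a restriction that only works while bridge-nf is on: keep
# VPN clients (frames entering via the TAP port) away from SMB on the LAN.
# Port 445 is a hypothetical choice for illustration.
restrict_rules() {
    printf 'iptables -I FORWARD -m physdev --physdev-in %s --physdev-is-bridged -p tcp --dport 445 -j DROP\n' "$TAP"
}

# Alternative: keep bridged frames out of iptables entirely (use ebtables
# if remote clients must still be filtered at L2).
disable_bridge_nf() {
    printf 'sysctl -w net.bridge.bridge-nf-call-iptables=0\n'
    printf 'sysctl -w net.bridge.bridge-nf-call-ip6tables=0\n'
    printf 'sysctl -w net.bridge.bridge-nf-call-arptables=0\n'
}

# Print the diagnosis and suggested commands; "apply" installs the scoped
# ACCEPT rule (needs root). Nothing is changed without "apply".
main() {
    explain
    echo "# scoped accept rule:"
    forward_rules
    echo "# optional restriction on VPN clients:"
    restrict_rules
    echo "# or bypass iptables for bridged frames:"
    disable_bridge_nf
    if [ "${1:-}" = apply ]; then
        forward_rules | sh
    fi
}

main "$@"
```

Run it without arguments to see the diagnosis and the commands it would run; the ACCEPT rule it prints replaces the two lines in the rough solution above.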

Best Answer

Most likely you forgot to enable forwarding. Add net.ipv4.ip_forward=1 to /etc/sysctl.conf, then run sysctl -p or restart. Also try adding the following to the OpenVPN config:

server-bridge 172.20.200.2 255.255.255.0 172.20.200.100 172.20.200.200
push "route 172.20.200.0 255.255.255.0"

Note that adding an interface to a bridge sets the promisc flag appropriately. The bridge interface need not be in promisc mode.

I got the same setup running, but on OpenSUSE: TAP interfaces are created during startup and OpenVPN just opens them, with no start/stop script in OpenVPN.