I have an OpenVPN Server running on Ubuntu 16.04.1. I have set this up as a TAP/Bridging server and added bridging configuration to my /etc/network/interfaces file. My client is a Windows 10 laptop.
My client connects to the server without issue, and can access the router web interface on the remote network using its local IP address. I've also monitored the TAP interface on the client using Wireshark, and can see broadcast messages being routed through from other hosts on the remote network. I am however unable to ping or initiate any sort of network communication with these hosts, including the server itself. Additionally, the server is unable to ping the client using the allocated IP.
I'm totally stuck and have no idea why my client can talk to the router and use its internet connection, but I'm invisible to all other devices on the network. What have I missed?
Any help greatly appreciated.
Configurations:
Remote Network
subnet = 192.168.100.0/24
router ip = 192.168.100.1
router dhcp range = 192.168.100.100 - 192.168.100.199
OpenVPN server ip = 192.168.100.10
Server
/etc/network/interfaces
auto lo
iface lo inet loopback
auto br0
iface br0 inet static
address 192.168.100.10
netmask 255.255.255.0
gateway 192.168.100.1
network 192.168.100.0
dns-nameservers 8.8.8.8 8.8.4.4
bridge_ports enp3s0
iface enp3s0 inet manual
up ip link set $IFACE up promisc on
down ifconfig $IFACE down
/etc/openvpn/server.conf
port 1194
proto tcp
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
topology subnet
server-bridge 192.168.100.1 255.255.255.0 192.168.100.200 192.168.100.210
push "route 192.168.100.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 8.8.8.8"
client-to-client
keepalive 10 120
tls-auth ta.key 0
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
log-append openvpn.log
verb 6
up "/etc/openvpn/up.sh br0 enp3s0"
script-security 3
/etc/openvpn/up.sh
#!/bin/sh
# Invoked by OpenVPN as: up.sh <bridge> <ethdev> <tap dev> <tun_mtu> <link_mtu> ...
# The first two arguments come from the "up" line in server.conf; OpenVPN
# appends the TAP device name (followed by MTU and address details) after them.
BR=$1
ETHDEV=$2
TAPDEV=$3
# Bring the TAP device up, put the physical NIC in promiscuous mode so the
# bridge sees frames for the VPN clients, then attach the TAP device to the bridge.
/sbin/ip link set "$TAPDEV" up
/sbin/ip link set "$ETHDEV" promisc on
/sbin/brctl addif "$BR" "$TAPDEV"
/etc/sysctl.conf
net.ipv4.ip_forward=1
iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
ACCEPT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-sshd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Client
C:\Program Files\OpenVPN\config\client.ovpn
dev tap
proto tcp
remote my-public-ip-address 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
comp-lzo
verb 3
Ping results
# Remote router
ping 192.168.100.1
Pinging 192.168.100.1 with 32 bytes of data:
Reply from 192.168.100.1: bytes=32 time=108ms TTL=64
Reply from 192.168.100.1: bytes=32 time=32ms TTL=64
# OpenVPN Server
ping 192.168.100.10
Pinging 192.168.100.10 with 32 bytes of data:
Reply from 192.168.100.200: Destination host unreachable.
Best Answer
Well, I feel pretty silly. Turns out in server.conf the line
server-bridge 192.168.100.1 255.255.255.0 192.168.100.200 192.168.100.210
should read
server-bridge 192.168.100.10 255.255.255.0 192.168.100.200 192.168.100.210
i.e. the first argument is the server IP address, not the gateway address, which is what I had.
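A small check for the mistake described in the answer, added here as an example and not part of the question or the accepted answer: it reads the first argument of server-bridge from server.conf and compares it with the address configured on the bridge interface in /etc/network/interfaces, flagging the case where the router's address was used instead. The sample files are constructed inline to mirror the post; the file paths and the bridge name br0 are assumptions.

```shell
#!/bin/sh
# Added example: detect a server-bridge gateway argument that is not the
# bridge's own address (the bug from the question). Sample files are
# constructed inline to mirror the post; paths and "br0" are assumptions.

check_server_bridge() {
    # $1 = server.conf, $2 = /etc/network/interfaces. Prints a verdict.
    sb_ip=$(awk '$1 == "server-bridge" { print $2; exit }' "$1")
    # First "address" inside the "iface br0" stanza. On a live host
    # `ip -4 -o addr show dev br0` gives the same information.
    br_ip=$(awk '$1 == "iface" { inbr = ($2 == "br0") }
                 inbr && $1 == "address" { print $2; exit }' "$2")
    if [ -z "$sb_ip" ] || [ -z "$br_ip" ]; then
        echo "missing: no server-bridge line or no br0 address"
    elif [ "$sb_ip" = "$br_ip" ]; then
        echo "ok: server-bridge uses the bridge address $br_ip"
    else
        echo "mismatch: server-bridge gateway $sb_ip but br0 address is $br_ip"
    fi
}

tmp=$(mktemp -d)
cat > "$tmp/interfaces" <<'EOF'
auto br0
iface br0 inet static
    address 192.168.100.10
    netmask 255.255.255.0
    gateway 192.168.100.1
    bridge_ports enp3s0
EOF
# The line as posted in the question (router address, wrong)
cat > "$tmp/server-bad.conf" <<'EOF'
dev tap0
server-bridge 192.168.100.1 255.255.255.0 192.168.100.200 192.168.100.210
EOF
# The corrected line from the answer (bridge address, right)
cat > "$tmp/server-good.conf" <<'EOF'
dev tap0
server-bridge 192.168.100.10 255.255.255.0 192.168.100.200 192.168.100.210
EOF

check_server_bridge "$tmp/server-bad.conf" "$tmp/interfaces"
check_server_bridge "$tmp/server-good.conf" "$tmp/interfaces"
```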