OpenVPN cannot reach other clients, arp replies go to client instead of server

Tags: bridge, openvpn, vpn

I have OpenVPN configured on three VirtualBox VMs running Ubuntu 16.04.

The network configuration is as follows (network configuration diagram, not reproduced here).

Server config:

local 192.168.2.2
port 1194
proto udp
dev tap0

ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

ifconfig-pool-persist ipp.txt

server-bridge 192.168.0.2 255.255.255.0 192.168.0.50 192.168.0.100
client-to-client

keepalive 10 20
cipher AES-128-CBC
comp-lzo

persist-key
persist-tun
verb 3

Client config:

client
dev tap
proto udp

remote 192.168.2.2 1194
resolv-retry infinite

nobind
persist-key
persist-tun

ca ca.crt
cert client1.crt
key client1.key

cipher AES-128-CBC
comp-lzo
verb 3

I am using the bridge-start and bridge-stop scripts that come with OpenVPN to set up the bridge. The connection opens without any problems. I can ping the clients from the server and the server from the clients. The problem is that I cannot ping client-to-client, e.g. a ping from the remote client (lab3) to the other client (lab2) just gets From 192.168.0.50 icmp_seq=1 Destination Host Unreachable.

It seems that the problem has something to do with ARP, because when I tcpdump on br0 on the server, I see that there is a question:
ARP, Request who-has 192.168.0.1 tell 192.168.0.50, length 28
Then on the client (lab2) I see:

ARP, Request who-has 192.168.0.1 tell 192.168.0.50, length 46
ARP, Reply 192.168.0.1 is-at 08:00:27:c8:1c:c7, length 28

But the replies don't seem to reach any machine.

When the OpenVPN connection is open, the routing table seems to be correct:

Server:

default via 10.0.2.1 dev enp0s3 
10.0.2.0/24 dev enp0s3  proto kernel  scope link  src 10.0.2.4 
192.168.0.0/24 dev br0  proto kernel  scope link  src 192.168.0.2 
192.168.2.0/24 dev enp0s9  scope link 
192.168.2.0/24 dev enp0s9  proto kernel  scope link  src 192.168.2.2

Client:

default via 10.0.2.1 dev enp0s3 
10.0.2.0/24 dev enp0s3  proto kernel  scope link  src 10.0.2.7 
192.168.0.0/24 dev enp0s8  proto kernel  scope link  src 192.168.0.1 

Remote Client:

default via 10.0.2.1 dev enp0s3 
10.0.2.0/24 dev enp0s3  proto kernel  scope link  src 10.0.2.6 
192.168.0.0/24 dev tap0  proto kernel  scope link  src 192.168.0.50 
192.168.2.0/24 dev enp0s8  proto kernel  scope link  src 192.168.2.1 

Any ideas how to get the messages to flow between the two clients? Am I doing something wrong or missing something in the configurations?

Best Answer

This was solved by setting the GW's network adapter connected to the 192.168.0.0/24 network to promiscuous mode from the VirtualBox settings, so the interface that does the bridging is in promiscuous mode. All in all, it is nowhere clearly mentioned that VirtualBox needs promiscuous mode to be able to bridge correctly, but at least I can mention it here!
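The mechanism behind this fix: VirtualBox's virtual switch normally delivers to a VM's NIC only frames addressed to that NIC's own MAC, so with promiscuous mode on "Deny" the ARP replies lab2 sends to the OpenVPN client's MAC (which lives behind tap0/br0 inside the GW guest) are dropped before they ever reach br0. An added example, written for this page and not code from the question or the answer: a POSIX shell check that parses the machine-readable output of VBoxManage showvminfo, lists every NIC attached to a switched network (intnet, hostonly, bridged) whose promiscuous mode is still "deny", and prints the VBoxManage modifyvm command that would change it. The VM name "GW", the NIC numbering and the sample showvminfo text are constructed assumptions; the nic<N>= and nicpromisc<N>= fields are the ones VBoxManage prints, and "allow-all" is an assumption since the answer does not say which of the two "allow" settings was chosen.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: find VirtualBox NICs that sit on
# a switched virtual network but still have promiscuous mode "deny", which
# prevents a guest-side bridge (br0) from receiving frames for MACs it forwards.

# Constructed sample of `VBoxManage showvminfo GW --machinereadable` (trimmed
# to the relevant keys); VM name "GW" and NIC layout are assumptions.
SAMPLE_VMINFO='name="GW"
nic1="nat"
nicpromisc1="deny"
nic2="intnet"
intnet2="lan-192-168-0"
nicpromisc2="deny"
nic3="intnet"
intnet3="lan-192-168-2"
nicpromisc3="allow-all"
nic4="none"'

# nics_denying_promisc VMINFO_TEXT
#   Prints, one per line and sorted, the index of every NIC attached to a
#   switched network (intnet, hostonly, bridged) with nicpromisc<N>="deny".
#   Prints nothing when every switched NIC already allows promiscuous mode.
nics_denying_promisc() {
    printf '%s\n' "$1" | awk -F'"' '
        /^nic[0-9]+=/ {                       # nic2="intnet"  -> switched[2]
            n = substr($1, 4); sub(/=$/, "", n)
            if ($2 == "intnet" || $2 == "hostonly" || $2 == "bridged") switched[n] = 1
        }
        /^nicpromisc[0-9]+=/ {                # nicpromisc2="deny" -> deny[2]
            n = substr($1, 11); sub(/=$/, "", n)
            if ($2 == "deny") deny[n] = 1
        }
        END { for (n in switched) if (deny[n]) print n }' | sort -n
}

# promisc_fix_commands VMINFO_TEXT
#   Prints one `VBoxManage modifyvm` line per offending NIC. The commands are
#   printed, not executed; modifyvm only works while the VM is powered off.
promisc_fix_commands() {
    vm=$(printf '%s\n' "$1" | awk -F'"' '$1 == "name=" { print $2; exit }')
    for n in $(nics_denying_promisc "$1"); do
        printf 'VBoxManage modifyvm "%s" --nicpromisc%s allow-all\n' "$vm" "$n"
    done
}

# check_vm VMNAME
#   Live check against a real VM (needs VBoxManage on PATH). Exit 0 when no
#   switched NIC denies promiscuous mode, 1 when a fix is needed, 2 on error.
check_vm() {
    info=$(VBoxManage showvminfo "$1" --machinereadable) || return 2
    promisc_fix_commands "$info"
    [ -z "$(nics_denying_promisc "$info")" ]
}

# Offline demonstration on the constructed sample:
#   nics_denying_promisc "$SAMPLE_VMINFO"   -> 2
#   promisc_fix_commands "$SAMPLE_VMINFO"   -> VBoxManage modifyvm "GW" --nicpromisc2 allow-all
```

On the real host, run check_vm against the gateway VM; an empty output and exit status 0 means every switched adapter already allows promiscuous mode, which is the state the accepted answer describes. The guest-side PROMISC flag that `ip link` shows on a bridge port is a different setting and does not reveal this problem, so the check deliberately looks at the VirtualBox configuration rather than at the guest.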