Openvpn (tun0 + bridge) : Comunication bridge –> tun0 works but not the opposite direction

bridgeopenvpnpingroutetcpdump

My network is composed as follows:

Host A with ip 9.x.x.x and vpn ip 192.15.206.x (openvpn client)
Host B with ip 9.x.x.x and vpn ip 192.15.206.1 (openvpn server)
this host has a bridge br0 with ip 192.168.206.1
Host C with ip 192.168.206.2/192.168.206.255 who lives in the vnet0 of host B.
the vnet0 is bridged with br0

I want reach C from A.
This is what happens:

From host B I can ping both A (with 9.x.x.x or 192.15.206.x) and C
From host C I can ping both B and A (with 192.15.206.x)
From host A I can ping B either with IP 192.15.206.1 or 192.168.206.1 but not C who has IP 192.168.206.2

So the question is why ?
The route table is:

192.15.206.2    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
9.168.58.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.15.206.0    192.15.206.2    255.255.255.0   UG    0      0        0 tun0
192.168.206.0   0.0.0.0         255.255.255.0   U     0      0        0 br0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1004   0        0 br0
0.0.0.0         9.168.58.254    0.0.0.0         UG    0      0        0 eth0

the bridge configuration is:

bridge name     bridge id               STP enabled     interfaces
br0             8000.005056a67d62       no              eth1
                                                        vnet0

The command:

cat /proc/sys/net/ipv4/ip_forward

returns 1

With tcpdump -i tun0 if i run ping 192.168.206.1 on host A:

14:33:23.927126 IP 192.15.206.6 > 192.168.206.1: ICMP echo request, id 768, seq 513, length 40
14:33:23.927191 IP 192.168.206.1 > 192.15.206.6: ICMP echo reply, id 768, seq 513, length 40

the replay it's sent back. But if i run ping 192.168.206.2 on host A the replay it's not sent back.

14:36:33.262959 IP 192.15.206.6 > 192.168.206.2: ICMP echo request, id 768, seq 1281, length 40
14:36:38.749631 IP 192.15.206.6 > 192.168.206.2: ICMP echo request, id 768, seq 1537, length 40

Seems like the packets arrive from A to B with the tun0 device but these are not forwarded to br0 who should send then the packet to vnet0 that connects the C host.

The problem it's related to iptables, indeed by stopping the iptables service i can ping C from A. I tried this rules without success:

-A FORWARD -i br0 -j ACCEPT
-A FORWARD -o br0 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -o br0 -j ACCEPT
-A FORWARD -i vnet0 -j ACCEPT
-A FORWARD -o vnet0 -j ACCEPT
-A FORWARD -i vnet0 -j ACCEPT
-A FORWARD -o vnet0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -o tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -o tun0 -j ACCEPT

Any ideas ?

Best Answer

This can be

a firewall problem on B (counter intuitive Netfilter blocks packets over a bridge, too)
a firewall problem on C (not very probable)
a routing problem on C

So check iptables -L -nv on B for forwarding and ip route on C.

Edit 1

The firewall on B can be configured to let those packets through by e.g.

iptables -I FORWARD 2 -m physdev --physdev-in vnet0 -j ACCEPT
iptables -I FORWARD 2 -m physdev --physdev-out vnet0 -j ACCEPT

Of course, you may use source and destination addresses instead (or in addition).

Edit 2

Like:

iptables -I FORWARD 2 -s 192.15.206.2 -d 192.168.206.2 -j ACCEPT
iptables -I FORWARD 2 -d 192.15.206.2 -s 192.168.206.2 -j ACCEPT

Creating a new IP rule table

Begin by inspecting iproute2's table definition file. We want to make sure we don't use the name or number of any existing rule tables.

cat /etc/iproute2/rt_tables

You'll likely see something along these lines:

# reserved values
255      local 
254      main
253      default   
0        unspec
#
# local
#
#1      inr.ruhep

Pick an arbitrary number and name for your new rule table -- anything not used above. I will use number 201 and name novpn for the remainder of this answer.

Append a definition directly to the definition file or edit it in the text editor of your choice:

echo "201 novpn" >> /etc/iproute2/rt_tables

Add a new IP rule to lookup the no-VPN table

Check for any existing ip rules that deal with netfilter masks:

ip rule show | grep fwmark

If grep turns up nothing, you're in the clear. If it does print some lines, take note of the hexadecimal number to the right of the word fwmark in each line. You will need to pick a number that is not currently in use. Since I had no existing fwmark rules, I chose the number 65.

ip rule add fwmark 65 table novpn

What this does is cause any packets with netfilter mask 65 to lookup our new novpn table for instructions on how to route the packets.

Direct all traffic in our new table to use the Ethernet interface

ip route add default via YOUR.GATEWAY.IP.HERE dev eth0 table novpn

The important thing to note here is dev eth0. This forces all traffic that passes through the novpn table to only use the hardware Ethernet interface, instead of the virtual tunnel interface that your VPN creates.

Now would be a good time to flush your iproute cache, to make sure your new rules and routes take immediate effect:

ip route flush cache

Instruct firewall rule to mark all SSH traffic with the designated netfilter mask

iptables -t mangle -A OUTPUT -p tcp --sport 22 -j MARK --set-mark 65

There are too many options here for me to explain in any great depth. I strongly encourage you to read the manual page for iptables to get a sense of what's going on here:

man iptables

In a nutshell: we are appending an output rule to the firewall's mangle table (for specialized packet handling) that instructs it to mark any TCP packets originating from source port 22 with our designated netfilter mask 65.

What next?

At this point, you should be ready to test SSH. If all goes well, you should be met with the happy "login as" prompt.

For security's sake, I recommend you instruct your firewall to drop any incoming SSH requests from the tunnel interface:

iptables -A INPUT -i tun0 -p tcp -m tcp --dport 22 -j DROP

Note that the all of the instructions above are transient (except for the creation of the rule table ID) -- they will clear the next time you restart your computer. Making them permanent is an exercise I leave to you.

Iptables – Route traffic to some host in Internet via VPN server

You don't need to mark the packets, To do what are planing to you need the following

in the server config file add the following:

"push route q.q.q.q 255.255.255.255"

The above will push the route to the client side so all the traffic sent from the client to that ip will be sent through the openvpn tunnel.

Also at the server side you need to accept the incomming traffic from the client, you can accept all the traffic comming from the client subnet as following

iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT

you might also need this not sure:

iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT

You need to nat the comming traffic from client to server side [do this on the server side]

iptables -t nat -A POSTROUTING -d q.q.q.q -j SNAT --to-source PUBLIC_IP_OR_YOUR_VPN_SERVER

And you don't need iproute2 or mangle table.

The order of the rules matter, so please them before a matching drop rule