OpenVPN using TAP with a dummy interface

networking, openvpn

I have a DreamCompute instance that only has one network adapter and it has a public IP address. I am attempting to run OpenVPN with the TAP interface bridged to a dummy interface in order to access the instance from home/work/etc. securely. Also, as an added benefit, I want all connected clients to be able to talk to each other.

The client can ping the server and vice versa, as well as get to sites on the internet. However, I cannot access any of my services running on the instance (apache, pure-ftpd, samba, git, etc.). I have set 192.168.2.1 as a listening address on apache2 and restarted the server after the VPN connection is established, but still no luck.

What am I missing?

Here are my details:

eth0 is the interface with the public IP
Dummy interface: eth10:0
OpenVPN IP 192.168.2.1
OpenVPN DHCP IP's 192.168.2.200 - 192.168.2.254
208.xxx.xxx.1 in the openvpn config file is my public gateway on eth0

The Process:

I load my modules:

modprobe dummy          # dummy0: a virtual NIC with no hardware behind it
modprobe bridge         # Linux software bridge (br0)
modprobe br_netfilter   # lets iptables see bridged frames and provides -m physdev
modprobe tun            # /dev/net/tun, which OpenVPN uses for its tap device

Setup forwarding thru sysctl:

sysctl -w net.ipv4.conf.all.forwarding=1   # same effect as net.ipv4.ip_forward=1

On the server I create a dummy interface as follows:

ip link set name eth10 dev dummy0                           # rename dummy0 to eth10
ifconfig eth10 hw ether 00:22:22:ff:ff:ff                   # give it a fixed MAC address
ip addr add 192.168.2.1/24 brd + dev eth10 label eth10:0    # eth10:0 is an address label, not a separate device

Then I start the bridge:

 # start bridge
 brctl addbr br0
 brctl addif br0 eth10:0   # note: eth10:0 is only an address label; brctl can enslave a real device (eth10), not a label
 brctl setageing br0 0 # for vmware? (ageing 0 disables MAC learning, so every frame is flooded to all ports)

 # start OpenVPN
 /etc/init.d/openvpn start

 tap="tap0"

 # add tap to bridge
 for t in $tap; do
     brctl addif br0 $t
 done

 # bring taps up and allow access
 for t in $tap; do
     ifconfig $t 0.0.0.0 promisc up
     iptables -A INPUT -i $t -j ACCEPT   # note: once $t is a bridge port, locally delivered packets arrive with br0 as the in-interface, so "-i $t" does not match them
 done

 # bring bridge up and assign internal IP
 ifconfig br0 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255   # same address that eth10:0 already holds

 # allow NAT
 iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE   # clients reach the internet via eth0's public IP

OpenVPN has the following config:

port 1194
proto udp
dev tap                  # layer-2 (TAP) mode, required for bridging
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0        # HMAC on the control channel; the server uses key direction 0
topology subnet          # only meaningful for dev tun; ignored in tap mode
server-bridge 192.168.2.1 255.255.255.0 192.168.2.200 192.168.2.254   # gateway, netmask, client address pool
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"   # clients send all their traffic through the VPN
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client         # clients may talk to each other through the server
keepalive 10 120
cipher AES-256-CBC       # 2.4 peers negotiate AES-256-GCM anyway (see "cipher AES-256-GCM" in the log below)
comp-lzo                 # compressing encrypted traffic enables compression-oracle attacks (VORACLE); better left off
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
mssfix

#set the WINS server (SAMBA)
push "dhcp-option WINS 192.168.2.1"

#For windows, to make the network recognized
push "route 0.0.0.0 0.0.0.0 208.xxx.xxx.1"   # pushes a default route via the server's eth0 gateway, which is not on the clients' 192.168.2.0/24 segment
cipher AES-256-CBC       # duplicate of the line above
auth SHA512              # duplicate of the line above
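As an added example, not the original poster's script, here is the bridge and firewall setup rewritten so that the bridge itself carries 192.168.2.1 (the dummy interface is not needed), tap0 is created as a persistent device and enslaved as a bridge port, and the INPUT rule is written against br0, which is the in-interface the kernel reports for frames arriving from a bridge port. Interface names, the subnet and the /etc/init.d/openvpn service are taken from the question; DRY_RUN and the run helper are assumptions added here for illustration. With a pre-created tap the server config should name the device explicitly (dev tap0) so OpenVPN attaches to it instead of allocating a new one.

```shell
#!/bin/sh
# Added example: bridge + firewall setup for an OpenVPN TAP server whose only
# NIC is the public eth0. Not the original poster's script.
# Assumptions (not from the page): DRY_RUN=1 (default) prints the commands
# instead of running them; DRY_RUN=0 as root applies them.
DRY_RUN="${DRY_RUN:-1}"
BR="${BR:-br0}"
TAP="${TAP:-tap0}"
PUB_IF="${PUB_IF:-eth0}"
VPN_IP="${VPN_IP:-192.168.2.1}"
VPN_NET="${VPN_NET:-192.168.2.0/24}"

# run CMD...: print the command in dry-run mode, execute it otherwise
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_bridge() {
    run modprobe tun
    run modprobe bridge
    # The bridge carries the VPN gateway address itself; no dummy interface,
    # so 192.168.2.1 exists on exactly one interface.
    run ip link add name "$BR" type bridge
    run ip addr add "$VPN_IP/24" dev "$BR"
    run ip link set "$BR" up
    # Persistent tap created before OpenVPN starts; the server config must
    # say "dev tap0" so OpenVPN opens this device rather than a new tapN.
    run openvpn --mktun --dev "$TAP"
    # tap0 is a bridge *port*: it gets no address of its own.
    run ip link set "$TAP" master "$BR"
    run ip link set "$TAP" up
    run /etc/init.d/openvpn start
    run sysctl -w net.ipv4.ip_forward=1
}

setup_firewall() {
    # Frames from VPN clients that are delivered locally enter INPUT with
    # in-interface br0, not tap0. Insert at the top so an existing catch-all
    # REJECT/DROP further down the chain cannot shadow the rule.
    run iptables -I INPUT -i "$BR" -j ACCEPT
    # The VPN listener itself must be reachable on the public interface.
    run iptables -A INPUT -i "$PUB_IF" -p udp --dport 1194 -j ACCEPT
    # Routed client traffic towards the internet, and the replies to it.
    run iptables -A FORWARD -i "$BR" -o "$PUB_IF" -j ACCEPT
    run iptables -A FORWARD -i "$PUB_IF" -o "$BR" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$PUB_IF" -j MASQUERADE
}

# Dry run by default: prints the command sequence for review.
setup_bridge
setup_firewall
```

Review the printed sequence first; then `DRY_RUN=0 sh bridge-up.sh` as root applies it. The nat and FORWARD rules reproduce what already worked in the question (internet access through the VPN); the INPUT rule on br0 is the part that changes.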

OpenVPN log lines below:

Jun 30 09:37:47 pubby systemd[1]: Starting OpenVPN connection to server…
Jun 30 09:37:47 pubby systemd[1]: Starting OpenVPN service…
Jun 30 09:37:47 pubby systemd[1]: Started OpenVPN service.
Jun 30 09:37:47 pubby ovpn-server[25518]: OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
Jun 30 09:37:47 pubby ovpn-server[25518]: library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.08
Jun 30 09:37:47 pubby systemd[1]: Started OpenVPN connection to server.
Jun 30 09:37:48 pubby ovpn-server[25524]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Jun 30 09:37:48 pubby ovpn-server[25524]: Diffie-Hellman initialized with 2048 bit key
Jun 30 09:37:48 pubby ovpn-server[25524]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 30 09:37:48 pubby ovpn-server[25524]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 30 09:37:48 pubby ovpn-server[25524]: TUN/TAP device tap0 opened
Jun 30 09:37:48 pubby ovpn-server[25524]: TUN/TAP TX queue length set to 100
Jun 30 09:37:48 pubby ovpn-server[25524]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Jun 30 09:37:48 pubby ovpn-server[25524]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Jun 30 09:37:48 pubby ovpn-server[25524]: UDPv4 link local (bound): [AF_INET][undef]:1194
Jun 30 09:37:48 pubby ovpn-server[25524]: UDPv4 link remote: [AF_UNSPEC]
Jun 30 09:37:48 pubby ovpn-server[25524]: GID set to nogroup
Jun 30 09:37:48 pubby ovpn-server[25524]: UID set to nobody
Jun 30 09:37:48 pubby ovpn-server[25524]: MULTI: multi_init called, r=256 v=256
Jun 30 09:37:48 pubby ovpn-server[25524]: IFCONFIG POOL: base=192.168.2.200 size=55, ipv6=0
Jun 30 09:37:48 pubby ovpn-server[25524]: ifconfig_pool_read(), in='t430,192.168.2.200', TODO: IPv6
Jun 30 09:37:48 pubby ovpn-server[25524]: succeeded -> ifconfig_pool_set()
Jun 30 09:37:48 pubby ovpn-server[25524]: IFCONFIG POOL LIST
Jun 30 09:37:48 pubby ovpn-server[25524]: t430,192.168.2.200
Jun 30 09:37:48 pubby ovpn-server[25524]: Initialization Sequence Completed
Jun 30 09:37:56 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 VERIFY OK: depth=1, CN=ChangeMe
Jun 30 09:37:56 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 VERIFY OK: depth=0, CN=t430
Jun 30 09:37:56 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 peer info: IV_VER=2.4.0
Jun 30 09:37:56 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 peer info: IV_PLAT=linux
Jun 30 09:37:56 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 peer info: IV_PROTO=2
Jun 30 09:37:56 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 peer info: IV_NCP=2
Jun 30 09:37:56 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 peer info: IV_LZ4=1
Jun 30 09:37:56 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 peer info: IV_LZ4v2=1
Jun 30 09:37:56 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 peer info: IV_LZO=1
Jun 30 09:37:56 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 peer info: IV_COMP_STUB=1
Jun 30 09:37:56 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 peer info: IV_COMP_STUBv2=1
Jun 30 09:37:56 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 peer info: IV_TCPNL=1
Jun 30 09:37:57 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jun 30 09:37:57 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 [t430] Peer Connection Initiated with [AF_INET]73.81.xxx.xxx:43841
Jun 30 09:37:57 pubby ovpn-server[25524]: t430/73.81.xxx.xxx:43841 MULTI_sva: pool returned IPv4=192.168.2.200, IPv6=(Not enabled)
Jun 30 09:37:58 pubby ovpn-server[25524]: t430/73.81.xxx.xxx:43841 PUSH: Received control message: 'PUSH_REQUEST'
Jun 30 09:37:58 pubby ovpn-server[25524]: t430/73.81.xxx.xxx:43841 SENT CONTROL [t430]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,dhcp-option WINS 192.168.2.1,route 0.0.0.0 0.0.0.0 208.xxx.xxx.1,route-gateway 192.168.2.1,ping 10,ping-restart 120,ifconfig 192.168.2.200 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Jun 30 09:37:58 pubby ovpn-server[25524]: t430/73.81.xxx.xxx:43841 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Jun 30 09:37:58 pubby ovpn-server[25524]: t430/73.81.xxx.xxx:43841 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Jun 30 09:37:58 pubby ovpn-server[25524]: t430/73.81.xxx.xxx:43841 MULTI: Learn: 92:34:xx:xx:xx:xx -> t430/73.81.xxx.xxx:43841

Best Answer

When ICMP works but not TCP, it almost always comes down to a firewall issue. Verify that your server's iptables rules are in order.
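To make the answer's check concrete, here is an added audit script (not part of the answer or the original post) that reads iptables-save output and flags the two things that produce exactly the "ping works, TCP does not" symptom on a bridged TAP server: an INPUT rule written against a bridge port (such as -i tap0), which never matches because the kernel reports the bridge as the in-interface for frames that arrive through a port, and a DROP policy or catch-all REJECT with no ACCEPT for the bridge ahead of it. The sample ruleset is constructed for the example; the bridge and port names br0 and tap0 come from the question.

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables INPUT chain for
# the bridged-TAP firewall mistake. Input: iptables-save output on stdin.
# Arguments: bridge name, then its port names. Exit 0 = clean, 1 = problems.
audit_input_chain() {
    bridge="$1"; shift
    awk -v bridge="$bridge" -v ports="$*" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) port[p[i]] = 1; rc = 0 }
    /^:INPUT / { policy = $2 }   # default policy line, e.g. ":INPUT DROP [0:0]"
    /^-A INPUT / {
        dev = ""; target = ""; phys = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-i") dev = $(i + 1)
            if ($i == "-j") target = $(i + 1)
            if ($i == "--physdev-in") phys = $(i + 1)
        }
        # Frames from a bridge port reach INPUT with the bridge as in-interface,
        # so "-i <port>" never matches; -m physdev is how a port is named.
        if (dev in port) {
            print "never matches (" dev " is a port of " bridge "; use -i " bridge " or -m physdev --physdev-in " dev "): " $0
            rc = 1
        }
        if (!blocked && target == "ACCEPT" && (dev == bridge || (phys in port))) bridge_ok = 1
        # A catch-all DROP/REJECT shadows every rule appended after it.
        if ((target == "DROP" || target == "REJECT") && $0 !~ / -[ipsdm] /) blocked = 1
    }
    END {
        if ((policy == "DROP" || blocked) && !bridge_ok) {
            print "no ACCEPT for traffic arriving on " bridge " before INPUT blocks it: TCP from VPN clients to local services is dropped"
            rc = 1
        }
        exit rc
    }'
}

# Constructed sample (not from the page): a typical host firewall that allows
# SSH, ICMP and the VPN port, with the question's "-i tap0" rule appended.
# ICMP is accepted explicitly, which is why ping works while TCP does not.
BROKEN_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tap0 -j ACCEPT
COMMIT'
# The same ruleset with the ACCEPT written against the bridge, not the port.
FIXED_RULES="$(printf '%s\n' "$BROKEN_RULES" | sed 's/-i tap0 -j ACCEPT/-i br0 -j ACCEPT/')"

printf '%s\n' "$BROKEN_RULES" | audit_input_chain br0 tap0 || echo "broken ruleset: problems found"
printf '%s\n' "$FIXED_RULES" | audit_input_chain br0 tap0 && echo "fixed ruleset: OK"
```

On the live server, run it as root against the real chain with `iptables-save | audit_input_chain br0 tap0`; an empty report and exit status 0 mean the INPUT chain is not what blocks the TCP services, and the search should move on to what the services themselves bind to.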