OpenVPN – What are the proper routes to push for a bridged OpenVPN server

Tags: networking, openvpn

I've set up an OpenVPN server on a machine with a private IP address of 10.0.0.13. The gateway is at 10.0.0.2, and it hands out 10.0.0.* addresses to other machines on the network. The VPN is set up with bridging. My /etc/network/interfaces file looks like this:

# Bring these interfaces up automatically
auto lo br0

# The loopback network interface
iface lo inet loopback

# The bridge connection
iface br0 inet static
    address         10.0.0.13
    bridge_ports    eth0
    bridge_stp      on
    broadcast       10.0.0.255
    gateway         10.0.0.2
    netmask         255.255.255.0
    network         10.0.0.0

# The primary network interface
iface eth0 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    up ip link set $IFACE promisc on
    down ip link set $IFACE promisc off
    down ifconfig $IFACE down

The server config file (/etc/openvpn/server.conf) looks like this:

port 1194
proto udp
dev tap0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
ca ca.crt
cert VPNserver.crt
key VPNserver.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt

server-bridge 10.0.0.13 255.255.255.0 10.0.0.200 10.0.0.219
push "route 10.0.0.2 255.255.255.0"

push "redirect-gateway def1 bypass-dhcp"
client-to-client
keepalive 10 120
tls-auth ta.key 0
comp-lzo
max-clients 20
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append  /var/log/openvpn.log
verb 3
crl-verify crl.pem

I think server-bridge and the line below it might be in need of adjustment. Is OpenVPN supposed to be creating a subnet for itself and for connecting clients? At first I was under the impression I could just have OpenVPN assign IP addresses in the same subnet as long as they were outside the router's DHCP range; now I'm not so sure.

Anyway, here are the symptoms of the current config. The client machine (which lives in a 10.6.0.0 network — you'll see this in the output to follow) is able to connect, but only the IP of the OpenVPN server is pingable and I can't browse the web. I'm connecting from a Linux CLI; here's some of the output I get which leads me to believe that routing is the problem. I've bolded the output that seems relevant to me.

Fri Jun  3 12:54:51 2011 [VPNserver] Peer Connection Initiated with [AF_INET]SERVER.PUBLIC.IP.ADDRESS:1194  
Fri Jun  3 12:54:53 2011 SENT CONTROL [VPNserver]: 'PUSH_REQUEST' (status=1)  
Fri Jun  3 12:54:53 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.2 255.255.255.0,redirect-gateway def1 bypass-dhcp,route-gateway 10.0.0.13,ping 10,ping-restart 120,ifconfig 10.0.0.201 255.255.255.0'  
Fri Jun  3 12:54:53 2011 OPTIONS IMPORT: timers and/or timeouts modified  
Fri Jun  3 12:54:53 2011 OPTIONS IMPORT: --ifconfig/up options modified  
Fri Jun  3 12:54:53 2011 OPTIONS IMPORT: route options modified  
Fri Jun  3 12:54:53 2011 OPTIONS IMPORT: route-related options modified  
Fri Jun  3 12:54:53 2011 ROUTE default_gateway=10.6.0.1  
Fri Jun  3 12:54:53 2011 TUN/TAP device tap0 opened  
Fri Jun  3 12:54:53 2011 TUN/TAP TX queue length set to 100  
Fri Jun  3 12:54:53 2011 /sbin/ifconfig tap0 10.0.0.201 netmask 255.255.255.0 mtu 1500 broadcast 10.0.0.255  
Fri Jun  3 12:54:53 2011 /sbin/route add -net SERVER.PUBLIC.IP.ADDRESS netmask 255.255.255.255 gw 10.6.0.1  
**SIOCADDRT: File exists  
Fri Jun  3 12:54:53 2011 ERROR: Linux route add command failed: external program exited with error status: 7**  
Fri Jun  3 12:54:53 2011 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.0.0.13  
Fri Jun  3 12:54:53 2011 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.0.0.13  
**Fri Jun  3 12:54:53 2011 /sbin/route add -net 10.0.0.2 netmask 255.255.255.0 gw 10.0.0.13
route: netmask doesn't match route address**  
Usage: route [-nNvee] [-FC] [<AF>]           List kernel routing tables  
   route [-v] [-FC] {add|del|flush} ...  Modify routing table for AF.  

   route {-h|--help} [<AF>]              Detailed usage syntax for specified AF.  
   route {-V|--version}                  Display version/author and exit.  

  -v, --verbose            be verbose  
  -n, --numeric            don't resolve names  
  -e, --extend             display other/more information  
  -F, --fib                display Forwarding Information Base (default)  
  -C, --cache              display routing cache instead of FIB  

  <AF>=Use '-A <af>' or '--<af>'; default: inet  
  List of possible address families (which support routing):  
   inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)  
   netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP)  
   x25 (CCITT X.25)  
**Fri Jun  3 12:54:53 2011 ERROR: Linux route add command failed: external program exited with error status: 4**  
Fri Jun  3 12:54:53 2011 GID set to nogroup  
Fri Jun  3 12:54:53 2011 UID set to nobody  
Fri Jun  3 12:54:53 2011 Initialization Sequence Completed  

So I guess I'm looking to:

  1. Make these errors go away
  2. Be able to access machines other than the OpenVPN server on the 10.0.0.0 network
  3. Route all traffic (web browsing, etc) through the VPN

Best Answer

If you are bridging, then you probably shouldn't be pushing any routes.
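An added editorial example, not part of the question or the answer above and not OpenVPN's own code: a small lint that reads the push directives of a server.conf and checks each pushed route the same way the client's route command does. It reproduces the two things the log above shows. First, `route 10.0.0.2 255.255.255.0` is not a network address (host bits are set under that mask), which is what "netmask doesn't match route address" means. Second, on a bridged server the client's tap interface is configured directly into the server-bridge subnet, so a route for that same subnet adds nothing, and `redirect-gateway def1` installs 0.0.0.0/1 and 128.0.0.0/1 via whatever route-gateway the server-bridge line pushes (10.0.0.13 in the question). The sample configuration strings are constructed from the directives in the question; the function names are this example's own.

```python
"""Lint 'push "route ..."' directives of an OpenVPN server.conf against the
server-bridge subnet. Editorial example for this page, not OpenVPN code."""
import ipaddress
import shlex

# Constructed sample: the route-related directives from the question's server.conf.
BROKEN_CONF = """\
dev tap0
server-bridge 10.0.0.13 255.255.255.0 10.0.0.200 10.0.0.219
push "route 10.0.0.2 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
client-to-client
"""

# Constructed sample: same bridge, but the pushed route is a proper network address.
ALIGNED_CONF = """\
dev tap0
server-bridge 10.0.0.13 255.255.255.0 10.0.0.200 10.0.0.219
push "route 10.0.0.0 255.255.255.0"
"""


def parse_conf(text):
    """Return (bridge_network, route_gateway, pushes).

    bridge_network is the subnet from the server-bridge line (or None),
    route_gateway is its first argument (what OpenVPN pushes as route-gateway),
    pushes is a list of token lists, one per push directive.
    """
    bridge = None
    gateway = None
    pushes = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)             # honours the quotes around push args
        if tokens[0] == "server-bridge" and len(tokens) >= 3:
            gateway = ipaddress.ip_address(tokens[1])
            bridge = ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}", strict=False)
        elif tokens[0] == "push" and len(tokens) == 2:
            pushes.append(tokens[1].split())
    return bridge, gateway, pushes


def lint_conf(text):
    """Return a list of (severity, message) findings for the push directives."""
    bridge, gateway, pushes = parse_conf(text)
    findings = []
    for push in pushes:
        if push[0] == "route" and len(push) >= 3:
            addr, mask = push[1], push[2]
            try:
                # strict=True rejects an address with host bits set under the mask,
                # the same condition the client's route command rejected in the log.
                net = ipaddress.ip_network(f"{addr}/{mask}", strict=True)
            except ValueError:
                aligned = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
                findings.append(("error",
                    f"route {addr} {mask}: host bits set; the network address "
                    f"under that mask is {aligned.network_address}"))
                continue
            if bridge is not None and net == bridge:
                # A bridged client's tap interface is ifconfig'd into this subnet already.
                findings.append(("warning",
                    f"route {net}: redundant on a bridge, the client's tap "
                    f"interface is already on {bridge}"))
        elif push[0] == "redirect-gateway":
            # def1 installs two half-default routes via the pushed route-gateway.
            findings.append(("info",
                f"redirect-gateway: client will route 0.0.0.0/1 and 128.0.0.0/1 "
                f"via route-gateway {gateway}"))
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("aligned", ALIGNED_CONF)):
        print(f"== {name} ==")
        for severity, message in lint_conf(conf):
            print(f"{severity}: {message}")
```

Running it on the first sample reports the error for `route 10.0.0.2 255.255.255.0` and the info line for redirect-gateway; on the second it reports only that the aligned route is redundant for a bridged client. Neither finding is a fix by itself, but the check catches a mis-specified route before it is pushed to every client.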