I've set up an OpenVPN server on a machine with a private IP address of 10.0.0.13. The gateway is at 10.0.0.2, and it hands out 10.0.0.* addresses to other machines on the network. The VPN is set up with bridging. My /etc/network/interfaces file looks like this:
# Bring these interfaces up automatically
auto lo br0
# The loopback network interface
iface lo inet loopback
# The bridge connection
iface br0 inet static
address 10.0.0.13
bridge_ports eth0
bridge_stp on
broadcast 10.0.0.255
gateway 10.0.0.2
netmask 255.255.255.0
network 10.0.0.0
# The primary network interface
iface eth0 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down
The server config file (/etc/openvpn/server.conf) looks like this:
port 1194
proto udp
dev tap0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
ca ca.crt
cert VPNserver.crt
key VPNserver.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 10.0.0.13 255.255.255.0 10.0.0.200 10.0.0.219
push "route 10.0.0.2 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
client-to-client
keepalive 10 120
tls-auth ta.key 0
comp-lzo
max-clients 20
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
crl-verify crl.pem
I think server-bridge and the line below it might be in need of adjustment. Is OpenVPN supposed to be creating a subnet for itself and for connecting clients? At first I was under the impression I could just have OpenVPN assign IP addresses in the same subnet as long as they were outside the router's DHCP range; now I'm not so sure.
Anyway, here are the symptoms of the current config. The client machine (which lives in a 10.6.0.0 network — you'll see this in the output to follow) is able to connect, but only the IP of the OpenVPN server is pingable and I can't browse the web. I'm connecting from a Linux CLI; here's some of the output I get which leads me to believe that routing is the problem. I've bolded the output that seems relevant to me.
Fri Jun 3 12:54:51 2011 [VPNserver] Peer Connection Initiated with [AF_INET]SERVER.PUBLIC.IP.ADDRESS:1194
Fri Jun 3 12:54:53 2011 SENT CONTROL [VPNserver]: 'PUSH_REQUEST' (status=1)
Fri Jun 3 12:54:53 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.2 255.255.255.0,redirect-gateway def1 bypass-dhcp,route-gateway 10.0.0.13,ping 10,ping-restart 120,ifconfig 10.0.0.201 255.255.255.0'
Fri Jun 3 12:54:53 2011 OPTIONS IMPORT: timers and/or timeouts modified
Fri Jun 3 12:54:53 2011 OPTIONS IMPORT: --ifconfig/up options modified
Fri Jun 3 12:54:53 2011 OPTIONS IMPORT: route options modified
Fri Jun 3 12:54:53 2011 OPTIONS IMPORT: route-related options modified
Fri Jun 3 12:54:53 2011 ROUTE default_gateway=10.6.0.1
Fri Jun 3 12:54:53 2011 TUN/TAP device tap0 opened
Fri Jun 3 12:54:53 2011 TUN/TAP TX queue length set to 100
Fri Jun 3 12:54:53 2011 /sbin/ifconfig tap0 10.0.0.201 netmask 255.255.255.0 mtu 1500 broadcast 10.0.0.255
Fri Jun 3 12:54:53 2011 /sbin/route add -net SERVER.PUBLIC.IP.ADDRESS netmask 255.255.255.255 gw 10.6.0.1
**SIOCADDRT: File exists
Fri Jun 3 12:54:53 2011 ERROR: Linux route add command failed: external program exited with error status: 7**
Fri Jun 3 12:54:53 2011 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.0.0.13
Fri Jun 3 12:54:53 2011 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.0.0.13
**Fri Jun 3 12:54:53 2011 /sbin/route add -net 10.0.0.2 netmask 255.255.255.0 gw 10.0.0.13
route: netmask doesn't match route address**
Usage: route [-nNvee] [-FC] [<AF>] List kernel routing tables
route [-v] [-FC] {add|del|flush} ... Modify routing table for AF.
route {-h|--help} [<AF>] Detailed usage syntax for specified AF.
route {-V|--version} Display version/author and exit.
-v, --verbose be verbose
-n, --numeric don't resolve names
-e, --extend display other/more information
-F, --fib display Forwarding Information Base (default)
-C, --cache display routing cache instead of FIB
<AF>=Use '-A <af>' or '--<af>'; default: inet
List of possible address families (which support routing):
inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)
netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP)
x25 (CCITT X.25)
**Fri Jun 3 12:54:53 2011 ERROR: Linux route add command failed: external program exited with error status: 4**
Fri Jun 3 12:54:53 2011 GID set to nogroup
Fri Jun 3 12:54:53 2011 UID set to nobody
Fri Jun 3 12:54:53 2011 Initialization Sequence Completed
So I guess I'm looking to:
- Make these errors go away
- Be able to access machines other than the OpenVPN server on the 10.0.0.0 network
- Route all traffic (web browsing, etc) through the VPN
Best Answer
If you are bridging, then you probably shouldn't be pushing any routes.