From: Mike J. <je...@gm...> - 2014-05-26 22:46:08
Hello all! I first tried getting help on this issue on the forum, but I didn't manage to work it out. My goal is to use the Internet to play games that require LAN broadcasts (e.g. Starcraft 1). I've managed to set up OpenVPN in routed mode (going the CA way) but I still haven't nailed the bridged mode. I want to show you the whole process that I follow with the hope that someone will spot what I'm doing wrong. Since I'm including configs, the logs, a script, and command output, this post is quite verbose. I'll divide it into parts:

A. The setup
B. The config files
C. The procedure
D. The log files

A. The setup
------------

The server in my home is a Slackware Linux 14.1 box. The client in my home is a WinXP SP3 box. My friends run WinXP, Win7, and Win8, but let's first focus on making this work inside my home.

The client has a static IP 10.0.0.2.
The server has a static IP 10.0.0.3.
The gateway has a static IP 10.0.0.1.
The gateway is a Technicolor TG582n modem/router given by my ISP. The gateway is instructed to run DHCP for any computer in my LAN that doesn't have a static IP. The DHCP range is 10.0.0.30 to 10.0.0.60.

I'm running OpenVPN 2.3.2 with OpenSSL 1.0.1g on the Linux box. This version of OpenSSL takes care of the Heartbleed bug. I'm running OpenVPN 2.3.4 on the WinXP PC. The OpenVPN server is instructed to give IPs in the range of 10.0.0.31 to 10.0.0.60.

B. The config files
-------------------

The bridge start script:

#!/bin/bash
br="br0"
tap="tap0"
eth="eth0"
eth_ip="10.0.0.3"
eth_netmask="255.255.255.0"
eth_broadcast="10.0.0.255"
gateway="10.0.0.1"

# create the persistent TAP device(s) OpenVPN will attach to
for t in $tap; do
    openvpn --mktun --dev $t
done

# create the bridge and enslave the physical NIC to it
brctl addbr $br
brctl addif $br $eth

# enslave the TAP device(s) to the bridge
for t in $tap; do
    brctl addif $br $t
done

# bring the TAP device(s) up without an address of their own
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

# move the LAN address from the NIC to the bridge and restore the default route
ifconfig $eth 0.0.0.0 promisc up
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
route add default gw $gateway

The server config:

local 10.0.0.3
cd /etc/openvpn
proto udp
port 40096
verb 3
log-append /var/log/openvpn.log
daemon
dev tap0
server-bridge 10.0.0.3 255.255.255.0 10.0.0.61 10.0.0.90
client-to-client
cipher AES-256-CBC
ca certs/ca.crt
dh dh.pem
cert certs/server.crt
key keys/server.key
user nobody
group nobody

The client config:

client
dev tap
proto udp
remote 10.0.0.3 40096
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
verb 3
remote-cert-tls server

C. The procedure
----------------

1. On the server machine, I run the bridge creation script and I get no error message. Doing 'ifconfig -a' I get this:

br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.3  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::280:48ff:fe32:3ba  prefixlen 64  scopeid 0x20<link>
        ether 00:80:48:32:03:ba  txqueuelen 0  (Ethernet)
        RX packets 10785  bytes 1094444 (1.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 15221  bytes 8491934 (8.0 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet6 fe80::280:48ff:fe32:3ba  prefixlen 64  scopeid 0x20<link>
        ether 00:80:48:32:03:ba  txqueuelen 1000  (Ethernet)
        RX packets 20031464  bytes 11185127460 (10.4 GiB)
        RX errors 0  dropped 2  overruns 0  frame 0
        TX packets 21275133  bytes 8457239430 (7.8 GiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 21739  bytes 2238472 (2.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 21739  bytes 2238472 (2.1 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

tap0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet6 fe80::1c43:89ff:fe1e:fc4c  prefixlen 64  scopeid 0x20<link>
        ether 1e:43:89:1e:fc:4c  txqueuelen 100  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 18  bytes 1429 (1.3 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

2. On WinXP, I bridge the OpenVPN TAP adapter with the Ethernet adapter. I end up with a bridge that has IP 10.0.0.30. That's the first address in the DHCP range, by the way.

3. I run the OpenVPN client. I immediately get a notification that a cable is unplugged, but after a few seconds it seems that I'm connected again. Doing 'ipconfig' on cmd.exe shows:

Ethernet adapter Network Bridge (Network Bridge) 4:

        Connection specific DNS Suffix ...: lan
        IP Addres ........................: 10.0.0.30
        Subnet Mask ......................: 255.255.255.0
        Default Gateway ..................: 10.0.0.1

However... I can't reach any destination! I can't ping any website, and what's more, I can't even ping my gateway!

D. The log files
----------------

(I'm not indenting the logs as I think this makes them less readable.)

Client log:

Tue May 27 01:23:29 2014 OpenVPN 2.3.4 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May 2 2014
Tue May 27 01:23:29 2014 library versions: OpenSSL 1.0.1g 7 Apr 2014, LZO 2.05
Tue May 27 01:23:29 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue May 27 01:23:29 2014 UDPv4 link local: [undef]
Tue May 27 01:23:29 2014 UDPv4 link remote: [AF_INET]10.0.0.3:40096
Tue May 27 01:23:29 2014 TLS: Initial packet from [AF_INET]10.0.0.3:40096, sid=9da5a03a 5d9b52bb
Tue May 27 01:23:29 2014 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue May 27 01:23:29 2014 Validating certificate key usage
Tue May 27 01:23:29 2014 ++ Certificate has key usage 00a0, expects 00a0
Tue May 27 01:23:29 2014 VERIFY KU OK
Tue May 27 01:23:29 2014 Validating certificate extended key usage
Tue May 27 01:23:29 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue May 27 01:23:29 2014 VERIFY EKU OK
Tue May 27 01:23:29 2014 VERIFY OK: depth=0, CN=server
Tue May 27 01:23:29 2014 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue May 27 01:23:29 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 27 01:23:29 2014 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue May 27 01:23:29 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 27 01:23:29 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue May 27 01:23:29 2014 [server] Peer Connection Initiated with [AF_INET]10.0.0.3:40096
Tue May 27 01:23:31 2014 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue May 27 01:23:31 2014 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.0.0.3,ifconfig 10.0.0.61 255.255.255.0'
Tue May 27 01:23:31 2014 OPTIONS IMPORT: --ifconfig/up options modified
Tue May 27 01:23:31 2014 OPTIONS IMPORT: route-related options modified
Tue May 27 01:23:31 2014 WARNING: --remote address [10.0.0.3] conflicts with --ifconfig subnet [10.0.0.61, 255.255.255.0] -- local and remote addresses cannot be inside of the --ifconfig subnet. (silence this warning with --ifconfig-nowarn)
Tue May 27 01:23:31 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue May 27 01:23:31 2014 open_tun, tt->ipv6=0
Tue May 27 01:23:31 2014 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{0EFE1862-6230-4648-A1CE-C9A674C212D1}.tap
Tue May 27 01:23:31 2014 NOTE: could not get adapter index for {0EFE1862-6230-4648-A1CE-C9A674C212D1}
Tue May 27 01:23:31 2014 TAP-Windows Driver Version 9.9
Tue May 27 01:23:31 2014 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.0.61/255.255.255.0 on interface {0EFE1862-6230-4648-A1CE-C9A674C212D1} [DHCP-serv: 10.0.0.0, lease-time: 31536000]
Tue May 27 01:23:36 2014 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
Tue May 27 01:23:36 2014 Initialization Sequence Completed
Tue May 27 01:23:43 2014 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
Tue May 27 01:23:45 2014 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
Tue May 27 01:23:45 2014 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
Tue May 27 01:23:47 2014 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
Tue May 27 01:23:48 2014 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
Tue May 27 01:23:49 2014 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
Tue May 27 01:23:50 2014 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
Tue May 27 01:23:50 2014 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
Tue May 27 01:23:51 2014 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
Tue May 27 01:23:52 2014 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
Tue May 27 01:23:53 2014 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
Tue May 27 01:23:53 2014 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
Tue May 27 01:23:54 2014 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
Tue May 27 01:23:54 2014 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
Tue May 27 01:23:54 2014 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
Tue May 27 01:23:55 2014 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
Tue May 27 01:23:55 2014 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
Tue May 27 01:23:57 2014 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
Tue May 27 01:23:57 2014 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
Tue May 27 01:23:57 2014 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
Tue May 27 01:23:57 2014 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)

Server log:

Tue May 27 01:19:04 2014 OpenVPN 2.3.2 i486-slackware-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Oct 12 2013
Tue May 27 01:19:04 2014 WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail
Tue May 27 01:19:04 2014 WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail
Tue May 27 01:19:04 2014 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Tue May 27 01:19:04 2014 WARNING: --keepalive option is missing from server config
Tue May 27 01:19:04 2014 Diffie-Hellman initialized with 2048 bit key
Tue May 27 01:19:04 2014 Socket Buffers: R=[180224->131072] S=[180224->131072]
Tue May 27 01:19:04 2014 TUN/TAP device tap0 opened
Tue May 27 01:19:04 2014 TUN/TAP TX queue length set to 100
Tue May 27 01:19:04 2014 GID set to nobody
Tue May 27 01:19:04 2014 UID set to nobody
Tue May 27 01:19:04 2014 UDPv4 link local (bound): [AF_INET]10.0.0.3:40096
Tue May 27 01:19:04 2014 UDPv4 link remote: [undef]
Tue May 27 01:19:04 2014 MULTI: multi_init called, r=256 v=256
Tue May 27 01:19:04 2014 IFCONFIG POOL: base=10.0.0.61 size=30, ipv6=0
Tue May 27 01:19:04 2014 Initialization Sequence Completed
Tue May 27 01:24:34 2014 10.0.0.30:2497 TLS: Initial packet from [AF_INET]10.0.0.30:2497, sid=d16b903d bc4f728c
Tue May 27 01:24:35 2014 10.0.0.30:2497 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue May 27 01:24:35 2014 10.0.0.30:2497 VERIFY OK: depth=0, CN=JohnDesktop
Tue May 27 01:24:35 2014 10.0.0.30:2497 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue May 27 01:24:35 2014 10.0.0.30:2497 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 27 01:24:35 2014 10.0.0.30:2497 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue May 27 01:24:35 2014 10.0.0.30:2497 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 27 01:24:35 2014 10.0.0.30:2497 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue May 27 01:24:35 2014 10.0.0.30:2497 [JohnDesktop] Peer Connection Initiated with [AF_INET]10.0.0.30:2497
Tue May 27 01:24:35 2014 JohnDesktop/10.0.0.30:2497 MULTI_sva: pool returned IPv4=10.0.0.61, IPv6=(Not enabled)
Tue May 27 01:24:36 2014 JohnDesktop/10.0.0.30:2497 PUSH: Received control message: 'PUSH_REQUEST'
Tue May 27 01:24:36 2014 JohnDesktop/10.0.0.30:2497 send_push_reply(): safe_cap=940
Tue May 27 01:24:36 2014 JohnDesktop/10.0.0.30:2497 SENT CONTROL [JohnDesktop]: 'PUSH_REPLY,route-gateway 10.0.0.3,ifconfig 10.0.0.61 255.255.255.0' (status=1)
Tue May 27 01:24:37 2014 JohnDesktop/10.0.0.30:2497 MULTI: Learn: 00:ff:0e:fe:18:62 -> JohnDesktop/10.0.0.30:2497
Tue May 27 01:25:03 2014 JohnDesktop/10.0.0.30:2497 MULTI: Learn: 02:ff:0e:fe:18:62 -> JohnDesktop/10.0.0.30:2497
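Added example, not part of the post above: a small Python preflight check over the three address facts the post gives (the server-bridge line, the client's remote, and the gateway's DHCP range). The config strings are constructed from the post's values and the finding codes are invented for the demo; the last check reproduces the "--remote address conflicts with --ifconfig subnet" warning that appears in the client log.

```python
import ipaddress

# Constructed sample fragments (values taken from the post's configs and setup)
SERVER_CONF = """local 10.0.0.3
dev tap0
server-bridge 10.0.0.3 255.255.255.0 10.0.0.61 10.0.0.90
client-to-client
"""
CLIENT_CONF = """client
dev tap
remote 10.0.0.3 40096
"""
LAN_DHCP_RANGE = ("10.0.0.30", "10.0.0.60")  # the gateway's own DHCP pool


def directive(conf, name):
    """Return the arguments of the first 'name ...' line in an OpenVPN config."""
    for line in conf.splitlines():
        parts = line.split()
        if parts and parts[0] == name:
            return parts[1:]
    return None


def check_bridge_config(server_conf, client_conf, dhcp_range):
    """Return a list of finding codes (hypothetical names) for a server-bridge setup."""
    findings = []
    gw, mask, pool_lo, pool_hi = directive(server_conf, "server-bridge")
    net = ipaddress.IPv4Network(f"{gw}/{mask}", strict=False)
    pool = (ipaddress.IPv4Address(pool_lo), ipaddress.IPv4Address(pool_hi))
    dhcp = tuple(ipaddress.IPv4Address(a) for a in dhcp_range)
    # Addresses handed to VPN clients must lie inside the bridged subnet
    if not all(a in net for a in pool):
        findings.append("POOL_OUTSIDE_SUBNET")
    # OpenVPN and the LAN DHCP server must never hand out the same address
    if pool[0] <= dhcp[1] and dhcp[0] <= pool[1]:
        findings.append("POOL_OVERLAPS_DHCP")
    # The client's --remote sits inside the subnet pushed via ifconfig: OpenVPN
    # logs a WARNING for this, and a client that also bridges its TAP onto that
    # same LAN joins the segment to itself through the tunnel.
    remote = ipaddress.IPv4Address(directive(client_conf, "remote")[0])
    if remote in net:
        findings.append("REMOTE_IN_IFCONFIG_SUBNET")
    return findings


if __name__ == "__main__":
    for code in check_bridge_config(SERVER_CONF, CLIENT_CONF, LAN_DHCP_RANGE):
        print(code)
```

On the post's values only the last finding fires, which matches the warning in the client log; it goes away once the client connects from outside the 10.0.0.0/24 LAN, which is the intended use.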