
OpenVPN server with TAP interface, client didn’t see network
Open, Low, Public, BUG

Description

Hello, I'm trying to move a configuration from 1.2 to 1.4 and can't understand why the client doesn't see the LAN.

show interfaces openvpn vtun94 
 device-type tap
 local-port 9001
 mode server
 persistent-tunnel
 protocol udp
 server {
     client-ip-pool {
         start 10.1.4.240
         stop 10.1.4.245
     }
     push-route 10.1.5.0/24 {
         metric 1
     }
     push-route 10.2.4.0/24 {
         metric 1
     }
     push-route 10.3.4.0/24 {
         metric 1
     }
     subnet 10.1.4.0/24
     topology subnet
 }
tls {
     ca-certificate DCin
     certificate DCinSrv
     dh-params DCin-DH
 }
 use-lzo-compression
show interfaces bridge br94 
 address 10.1.4.1/24
 aging 300
 hello-time 2
 ip {
     disable-arp-filter
 }
 max-age 20
 member {
     interface eth0.94 {
     }
     interface vtun94 {
     }
 }
 priority 0
show interfaces ethernet eth0 vif 94
 description Brn-DCin-94

And with this config the client gets IP 10.1.4.240, can ping 10.1.4.1, can ping other IPs that should be routed (10.1.5.0/24, 10.2.4.0/24, 10.3.4.0/24), BUT can't ping IPs in the 10.1.4.0/24 LAN.

Why? What's wrong with it? When I open tcpdump on 10.1.4.251 and start pinging a LAN IP (10.1.4.251) from the OVPN client 10.1.4.240, I get:

sudo tcpdump -i eth0.94 -vvv  icmp
tcpdump: listening on eth0.94, link-type EN10MB (Ethernet), capture size 262144 bytes
07:41:09.249736 IP (tos 0x0, ttl 63, id 36782, offset 0, flags [none], proto ICMP (1), length 60)
    10.1.4.240 > 10.1.4.251: ICMP echo request, id 1, seq 648, length 40

and zero replies…

sudo arp -a
....
? (10.1.4.240) at <incomplete> on eth0.94
....
sudo cat /run/openvpn/vtun94.conf

ifconfig-pool 10.1.4.2 10.1.4.253 -- WHY?
ifconfig-pool 10.1.4.240 10.1.4.245

On 1.2 VyOS there was:

openvpn-option "--server-bridge 10.1.4.1 255.255.255.0 10.1.4.240 10.1.4.250"

Nov 24 16:02:28 r1-brn openvpn-vtun94[232736]: Options error: --server and --server-bridge cannot be used together

In the OpenVPN documentation:

For example, server-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254 expands as follows:

mode server
tls-server

ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0
push "route-gateway 10.8.0.4"

There is --server-bridge nogw, and there is no server 10.1.4.0 255.255.255.0 nopool


Details

Difficulty level: Normal (likely a few hours)
Version: VyOS 1.4-rolling-202111072034
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

hexes triaged this task as High priority. Dec 7 2021, 1:22 PM
hexes changed Difficulty level from Unknown (require assessment) to Normal (likely a few hours).
hexes changed Issue type from Unspecified (please specify) to Bug (incorrect behavior).

@hexes Do I understand correctly that when you set this option you get the "Options error" log message?
openvpn-option "--server-bridge 10.1.4.1 255.255.255.0 10.1.4.240 10.1.4.250"

Such a log is generated by OpenVPN:

Nov 24 16:02:28 r1-brn openvpn-vtun94[232736]: Options error: --server and --server-bridge cannot be used together

@Viacheslav Right, if I write server-bridge, then OpenVPN writes an error to the log about "cannot be used together".

VyOS 1.3.0-epa3 with the config below works fine:

interfaces {
    bridge br91 {
        address dhcp
        member {
            interface eth0.91 {
            }
            interface vtun91 {
            }
        }
    }
    ethernet eth0 {
        hw-id 00:50:56:99:6f:63
        vif 91 {
        }
        vif 301 {
            address ISP-IP/24
            description ISP
        }
    }
    loopback lo {
    }
    openvpn vtun91 {
        description KM91
        device-type tap
        local-port 9000
        mode server
        persistent-tunnel
        protocol udp
        server {
            client ra {
                ip 10.1.1.25
            }
            client-ip-pool {
                start 10.1.1.124
                stop 10.1.1.126
            }
            name-server 10.1.5.60
            reject-unconfigured-clients
            subnet 10.1.1.0/24
            topology subnet
        }
        tls {
            ca-cert-file /config/auth/ca.crt
            cert-file /config/auth/central.crt
            dh-file /config/auth/dh.pem
            key-file /config/auth/central.key
            tls-version-min 1.1
        }
    }
}

It is generated by OpenVPN; maybe something new in the new OpenVPN version.
So I see only one option: add mode server-bridge.

I found that they say not to use such options together (openvpn-community):

Don't use --server if you are ethernet bridging. Use --server-bridge instead.

Tested configuration:

vyos@r11-roll# sudo cat  /run/openvpn/vtun94.conf 
### Autogenerated by interfaces-openvpn.py ###
#
# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
# for individual keyword definition
#
# 
#

verb 3
dev-type tap
dev vtun94
persist-key
proto udp
multihome
lport 9001
persist-tun

#
# OpenVPN Server mode
#
server-bridge 10.1.4.1 255.255.255.0 10.1.4.240 10.1.4.250
tls-server
topology subnet
#server 10.1.4.0 255.255.255.0 nopool
push "route 10.1.5.0 255.255.255.0"
push "route 10.2.4.0 255.255.255.0"
push "route 10.3.4.0 255.255.255.0"
#ifconfig-pool 10.1.4.2 10.1.4.253 

keepalive 10 600
management /run/openvpn/openvpn-mgmt-intf unix


# TLS options
ca /run/openvpn/vtun94_ca.pem
cert /run/openvpn/vtun94_cert.pem
key /run/openvpn/vtun94_cert.key
dh /run/openvpn/vtun94_dh.pem

# Encryption options

The "server" line was replaced with "server-bridge",
and "ifconfig-pool" was commented out because:

openvpn-vtun94[150935]: Options error: --server-bridge already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly
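As an added example that is not VyOS or OpenVPN project code: a small checker for the two option conflicts logged in this task ("--server and --server-bridge cannot be used together", "--server-bridge already defines an ifconfig-pool ..."), together with the --server-bridge expansion quoted from the OpenVPN manual earlier in the description. It reads a generated /run/openvpn/*.conf body, or an openvpn-option string with the leading "--", and reports every conflict rather than stopping at the first the way OpenVPN does. The function names, the sample configs (constructed to resemble the vtun94.conf excerpts above) and the assumption that only the four-argument server-bridge form defines a pool (the bare and nogw forms are not expanded here) are this example's own.

```python
"""Added example (not VyOS or OpenVPN project code): a checker for the two
OpenVPN option conflicts logged in this task, plus the --server-bridge
expansion documented in the OpenVPN manual. All sample configs below are
constructed to resemble the /run/openvpn/vtun94.conf excerpts in the task."""
import shlex

# Exact messages OpenVPN logged in this task.
CONFLICT_SERVER = "--server and --server-bridge cannot be used together"
CONFLICT_POOL = ("--server-bridge already defines an ifconfig-pool, "
                 "so you can't also specify --ifconfig-pool explicitly")


def parse_config(text):
    """Parse an OpenVPN config body into (directive, [args]) tuples.

    Blank lines and '#' / ';' comments are skipped.  Quoted arguments such as
    push "route 10.1.5.0 255.255.255.0" are split with shell-style quoting, and
    a leading '--' is stripped so VyOS openvpn-option strings can be fed in too.
    """
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        directives.append((parts[0].lstrip("-"), parts[1:]))
    return directives


def expand_server_bridge(args):
    """Expand --server-bridge into the directives the OpenVPN manual lists.

    The four-argument form (gateway netmask pool-start pool-end) defines an
    ifconfig-pool and pushes the gateway.  The bare and 'nogw' DHCP-proxy forms
    define no pool; their route-gateway handling is not modelled here
    (assumption made for this example).
    """
    expanded = [("mode", ["server"]), ("tls-server", [])]
    if len(args) == 4:
        gateway, netmask, pool_start, pool_end = args
        expanded.append(("ifconfig-pool", [pool_start, pool_end, netmask]))
        expanded.append(("push", [f"route-gateway {gateway}"]))
    return expanded


def render(directives):
    """Serialise (directive, args) tuples back to config text, double-quoting
    any argument that contains whitespace, as push "..." lines are written."""
    lines = []
    for name, args in directives:
        quoted = [f'"{a}"' if " " in a else a for a in args]
        lines.append(" ".join([name, *quoted]))
    return "\n".join(lines)


def lint(text):
    """Return every conflict found (OpenVPN itself stops at the first one)."""
    directives = parse_config(text)
    names = {name for name, _ in directives}
    errors = []
    if "server" in names and "server-bridge" in names:
        errors.append(CONFLICT_SERVER)
    # Only the four-argument form of server-bridge defines a pool, so only that
    # form clashes with an explicit ifconfig-pool line.
    bridge_defines_pool = any(
        name == "server-bridge" and len(args) == 4 for name, args in directives
    )
    if bridge_defines_pool and "ifconfig-pool" in names:
        errors.append(CONFLICT_POOL)
    return errors


# Constructed: what 1.4 generated for vtun94 once "--server-bridge ..." was
# added through openvpn-option (a "server ... nopool" line plus a pool).
GENERATED_WITH_OPTION = """\
dev-type tap
dev vtun94
server 10.1.4.0 255.255.255.0 nopool
ifconfig-pool 10.1.4.240 10.1.4.245
push "route 10.1.5.0 255.255.255.0"
--server-bridge 10.1.4.1 255.255.255.0 10.1.4.240 10.1.4.250
"""

# Constructed: the shape of the tested configuration above, with the
# "server ... nopool" and "ifconfig-pool" lines replaced by server-bridge.
FIXED_BRIDGED = """\
dev-type tap
dev vtun94
server-bridge 10.1.4.1 255.255.255.0 10.1.4.240 10.1.4.250
tls-server
topology subnet
push "route 10.1.5.0 255.255.255.0"
"""

if __name__ == "__main__":
    for label, cfg in (("with openvpn-option", GENERATED_WITH_OPTION),
                       ("tested fix", FIXED_BRIDGED)):
        print(f"{label}: {lint(cfg) or 'no conflicts'}")
    print(render(expand_server_bridge(
        ["10.8.0.4", "255.255.255.0", "10.8.0.128", "10.8.0.254"])))
```

Running it prints both conflicts for the first sample and "no conflicts" for the bridged one, and the rendered expansion reproduces the four lines the manual gives for server-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254.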

Hello @Viacheslav, thanks for the reply. So, if you bridge vtun94 and eth0.94 into br94, will it work at the L2 level?
Did you push this update to the nightly build?

syncer lowered the priority of this task from High to Low. Jul 11 2023, 12:34 PM
syncer moved this task from Need Triage to Backlog on the VyOS 1.4 Sagitta board.

@hexes Could you recheck/update if it is still the bug?