
OpenVPN server with TAP interface, client didn’t see network
Closed, Resolved | Public | BUG

Description

Hello, I'm trying to move a configuration from 1.2 to 1.4 and can't understand why the client doesn't see the LAN.

show interfaces openvpn vtun94 
 device-type tap
 local-port 9001
 mode server
 persistent-tunnel
 protocol udp
 server {
     client-ip-pool {
         start 10.1.4.240
         stop 10.1.4.245
     }
     push-route 10.1.5.0/24 {
         metric 1
     }
     push-route 10.2.4.0/24 {
         metric 1
     }
     push-route 10.3.4.0/24 {
         metric 1
     }
     subnet 10.1.4.0/24
     topology subnet
 }
 tls {
     ca-certificate DCin
     certificate DCinSrv
     dh-params DCin-DH
 }
 use-lzo-compression
show interfaces bridge br94 
 address 10.1.4.1/24
 aging 300
 hello-time 2
 ip {
     disable-arp-filter
 }
 max-age 20
 member {
     interface eth0.94 {
     }
     interface vtun94 {
     }
 }
 priority 0
show interfaces ethernet eth0 vif 94
 description Brn-DCin-94

And with this config the client gets IP 10.1.4.240, can ping 10.1.4.1, can ping other IPs that should be routed (10.1.5.0/24, 10.2.4.0/24, 10.3.4.0/24), BUT can't ping IPs in the 10.1.4.0/24 LAN.

Why? What's wrong with it? When I open tcpdump on 10.1.4.251 and start pinging a LAN IP (10.1.4.251) from the OVPN client 10.1.4.240, I get:

sudo tcpdump -i eth0.94 -vvv  icmp
tcpdump: listening on eth0.94, link-type EN10MB (Ethernet), capture size 262144 bytes
07:41:09.249736 IP (tos 0x0, ttl 63, id 36782, offset 0, flags [none], proto ICMP (1), length 60)
    10.1.4.240 > 10.1.4.251: ICMP echo request, id 1, seq 648, length 40

and zero replies...

sudo arp -a
....
? (10.1.4.240) at <incomplete> on eth0.94
....
sudo cat /run/openvpn/vtun94.conf

ifconfig-pool 10.1.4.2 10.1.4.253 -- WHY?
ifconfig-pool 10.1.4.240 10.1.4.245

On 1.2 VyOS there was:

openvpn-option "--server-bridge 10.1.4.1 255.255.255.0 10.1.4.240 10.1.4.250"

Nov 24 16:02:28 r1-brn openvpn-vtun94[232736]: Options error: --server and --server-bridge cannot be used together

In OpenVPN documentation:

For example, server-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254 expands as follows:

mode server
tls-server

ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0
push "route-gateway 10.8.0.4"

There is --server-bridge nogw and there is no server 10.1.4.0 255.255.255.0 nopool


Details

Difficulty level
Normal (likely a few hours)
Version
VyOS 1.4-rolling-202111072034
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

hexes triaged this task as High priority.Dec 7 2021, 1:22 PM
hexes changed Difficulty level from Unknown (require assessment) to Normal (likely a few hours).
hexes changed Issue type from Unspecified (please specify) to Bug (incorrect behavior).

@hexes Do I understand correctly that when you set this option you get the "Options error" log message?
openvpn-option "--server-bridge 10.1.4.1 255.255.255.0 10.1.4.240 10.1.4.250"

Such a log is generated by OpenVPN:

Nov 24 16:02:28 r1-brn openvpn-vtun94[232736]: Options error: --server and --server-bridge cannot be used together

@Viacheslav Right, if I write server-bridge, then OpenVPN writes the "cannot be used together" error to the log.

VyOS 1.3.0-epa3 with the config below works well:

interfaces {
    bridge br91 {
        address dhcp
        member {
            interface eth0.91 {
            }
            interface vtun91 {
            }
        }
    }
    ethernet eth0 {
        hw-id 00:50:56:99:6f:63
        vif 91 {
        }
        vif 301 {
            address ISP-IP/24
            description ISP
        }
    }
    loopback lo {
    }
    openvpn vtun91 {
        description KM91
        device-type tap
        local-port 9000
        mode server
        persistent-tunnel
        protocol udp
        server {
            client ra {
                ip 10.1.1.25
            }
            client-ip-pool {
                start 10.1.1.124
                stop 10.1.1.126
            }
            name-server 10.1.5.60
            reject-unconfigured-clients
            subnet 10.1.1.0/24
            topology subnet
        }
        tls {
            ca-cert-file /config/auth/ca.crt
            cert-file /config/auth/central.crt
            dh-file /config/auth/dh.pem
            key-file /config/auth/central.key
            tls-version-min 1.1
        }
    }
}

It is generated by OpenVPN; maybe something is new in the new OpenVPN version.
So I see only one option: add mode server-bridge.

I found that they say not to use such options together (openvpn-community):

Don't use --server if you are ethernet bridging. Use --server-bridge instead.

Tested configuration:

vyos@r11-roll# sudo cat  /run/openvpn/vtun94.conf 
### Autogenerated by interfaces-openvpn.py ###
#
# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
# for individual keyword definition
#
# 
#

verb 3
dev-type tap
dev vtun94
persist-key
proto udp
multihome
lport 9001
persist-tun

#
# OpenVPN Server mode
#
server-bridge 10.1.4.1 255.255.255.0 10.1.4.240 10.1.4.250
tls-server
topology subnet
#server 10.1.4.0 255.255.255.0 nopool
push "route 10.1.5.0 255.255.255.0"
push "route 10.2.4.0 255.255.255.0"
push "route 10.3.4.0 255.255.255.0"
#ifconfig-pool 10.1.4.2 10.1.4.253 

keepalive 10 600
management /run/openvpn/openvpn-mgmt-intf unix


# TLS options
ca /run/openvpn/vtun94_ca.pem
cert /run/openvpn/vtun94_cert.pem
key /run/openvpn/vtun94_cert.key
dh /run/openvpn/vtun94_dh.pem

# Encryption options

The server option was replaced with server-bridge,
and "ifconfig-pool" was commented out because:

openvpn-vtun94[150935]: Options error: --server-bridge already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly

Hello @Viacheslav, thanks for the reply. So, if you bridge vtun94 and eth0.94 into br94, will it work at the L2 level?
Did you push this update to the nightly build?

syncer lowered the priority of this task from High to Low.Jul 11 2023, 12:34 PM
syncer moved this task from Open to Backlog on the VyOS 1.4 Sagitta board.

@hexes Could you recheck/update if it is still the bug?

fernando changed the task status from Needs testing to Confirmed.Jul 3 2024, 5:20 PM
fernando subscribed.

I've checked this bug; it's still present in versions 1.4/1.5 and 1.3.x. This problem is related to the update to the new version (OpenVPN), where the syntax to create a TAP (layer 2) tunnel has changed. This command allows transporting frames and is needed when you want to bridge a vtun:

1.4:

set interfaces bridge br304 address '10.10.0.1/24'
set interfaces bridge br304 aging '300'
set interfaces bridge br304 description 'BRTEST'
set interfaces bridge br304 max-age '20'
set interfaces bridge br304 member interface eth2.304
set interfaces bridge br304 member interface vtun10
set interfaces ethernet eth1 address '172.16.100.1/24'

set interfaces ethernet eth2 vif 304

set interfaces openvpn vtun10 device-type 'tap'
set interfaces openvpn vtun10 encryption cipher 'aes256'
set interfaces openvpn vtun10 hash 'sha256'
set interfaces openvpn vtun10 local-host '172.16.100.1'
set interfaces openvpn vtun10 local-port '1194'
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 server domain-name 'vyos.net'
set interfaces openvpn vtun10 server max-connections '250'
set interfaces openvpn vtun10 server subnet '10.10.0.0/24'
set interfaces openvpn vtun10 server topology 'subnet'
set interfaces openvpn vtun10 tls ca-certificate 'openvpn_vtun10_1'
set interfaces openvpn vtun10 tls certificate 'openvpn_vtun10'
set interfaces openvpn vtun10 tls dh-params 'openvpn_vtun10'
set interfaces openvpn vtun10 use-lzo-compression

This "server" mode needs to change to "server-bridge", adding the client pool that we assign to our connections:

#
# OpenVPN Server mode
#
server-bridge 10.10.0.1 255.255.255.0 10.10.0.10 10.10.0.250
tls-server
topology subnet

connections

vyos@openvpn-server:~$ sudo dpkg -l | grep openvpn
ii  openvpn                              2.6.3-1+deb12u2                  amd64        virtual private network daemon
ii  openvpn-auth-ldap                    2.0.4-3                          amd64        OpenVPN LDAP authentication module
ii  openvpn-auth-radius                  2.1-8                            amd64        OpenVPN RADIUS authentication module
ii  openvpn-dco                          0.2.20231117                     amd64        OpenVPN Data Channel Offload
ii  openvpn-otp                          1.0-4-g47f8ccf                   amd64        OpenVPN OTP Authentication support.

ICMP from our LAN to the OpenVPN client:

vyos@openvpn-server:~$ sudo tcpdump -nvi any icmp
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:39:08.050792 ethertype IPv4, IP (tos 0x0, ttl 64, id 49928, offset 0, flags [DF], proto ICMP (1), length 84)
    10.10.0.200 > 10.10.0.10: ICMP echo request, id 2698, seq 1, length 64
15:39:08.050792 IP (tos 0x0, ttl 64, id 49928, offset 0, flags [DF], proto ICMP (1), length 84)
    10.10.0.200 > 10.10.0.10: ICMP echo request, id 2698, seq 1, length 64
15:39:08.050822 IP (tos 0x0, ttl 64, id 49928, offset 0, flags [DF], proto ICMP (1), length 84)
    10.10.0.200 > 10.10.0.10: ICMP echo request, id 2698, seq 1, length 64
15:39:08.051371 IP (tos 0x0, ttl 64, id 46211, offset 0, flags [none], proto ICMP (1), length 84)
    10.10.0.10 > 10.10.0.200: ICMP echo reply, id 2698, seq 1, length 64
15:39:08.051375 IP (tos 0x0, ttl 64, id 46211, offset 0, flags [none], proto ICMP (1), length 84)
    10.10.0.10 > 10.10.0.200: ICMP echo reply, id 2698, seq 1, length 64
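The option conflicts quoted in the description (the --server-bridge expansion from the OpenVPN man page, "--server and --server-bridge cannot be used together") and the replacement shown in the tested configs above can be checked mechanically. The following Python script is an added example written for this page, not VyOS or OpenVPN code: it parses a generated OpenVPN server config, expands the `server` helper (tap/subnet branch of the man page, abbreviated to the ifconfig, pool and route-gateway lines) and the `server-bridge` helper into the primitives they stand for, and reports the two errors seen in this thread plus the community wiki's warning about bridging with --server. The three sample configs are constructed from the ones posted here, and all function names are assumptions.

```python
"""Expand and lint the server-mode helper directives of an OpenVPN config.

Added example for this bug report; not VyOS or OpenVPN code. Expansion rules
follow the OpenVPN 2.4 man page (--server: tap/subnet branch, abbreviated;
--server-bridge: as quoted in the description). Sample configs are constructed
from the ones posted in the thread.
"""
import ipaddress
import shlex

# Constructed: the reporter's 1.4 config as first generated (--server on tap).
ORIGINAL_CONF = """\
dev-type tap
dev vtun94
server 10.1.4.0 255.255.255.0
ifconfig-pool 10.1.4.240 10.1.4.245
topology subnet
"""

# Constructed: --server-bridge added via openvpn-option next to --server.
BROKEN_CONF = """\
dev-type tap
dev vtun94
server 10.1.4.0 255.255.255.0 nopool
server-bridge 10.1.4.1 255.255.255.0 10.1.4.240 10.1.4.250
tls-server
topology subnet
ifconfig-pool 10.1.4.240 10.1.4.245
push "route 10.1.5.0 255.255.255.0"
"""

# Constructed: the tested config with server and ifconfig-pool commented out.
FIXED_CONF = """\
dev-type tap
dev vtun94
server-bridge 10.1.4.1 255.255.255.0 10.1.4.240 10.1.4.250
tls-server
topology subnet
#server 10.1.4.0 255.255.255.0 nopool
#ifconfig-pool 10.1.4.2 10.1.4.253
push "route 10.1.5.0 255.255.255.0"
"""


def parse(text):
    """Return (directive, args) pairs; '#' and ';' comments and blanks dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = shlex.split(line)          # keeps push "route ..." as one arg
        entries.append((parts[0], parts[1:]))
    return entries


def args_of(entries, name):
    """All argument lists given for directive `name`, in file order."""
    return [args for directive, args in entries if directive == name]


def expand(text):
    """Primitive directives that the server/server-bridge helpers stand for."""
    entries = parse(text)
    out = []
    for args in args_of(entries, "server"):
        net = ipaddress.IPv4Network(f"{args[0]}/{args[1]}")
        gw = net.network_address + 1                      # server takes .1
        out += ["mode server", "tls-server", f"ifconfig {gw} {net.netmask}"]
        if "nopool" not in args[2:]:                      # .2 .. broadcast-2
            out.append(f"ifconfig-pool {net.network_address + 2} "
                       f"{net.broadcast_address - 2} {net.netmask}")
        out.append(f'push "route-gateway {gw}"')
    for args in args_of(entries, "server-bridge"):
        out += ["mode server", "tls-server"]
        if len(args) == 4:                 # gateway netmask pool-start pool-end
            out.append(f"ifconfig-pool {args[2]} {args[3]} {args[1]}")
            out.append(f'push "route-gateway {args[0]}"')
        elif not args:                     # DHCP-proxy form; "nogw" pushes nothing
            out.append('push "route-gateway dhcp"')
    return out


def lint(text):
    """Conflicts OpenVPN rejects, plus the wiki's advice about bridging."""
    entries = parse(text)
    names = {directive for directive, _ in entries}
    bridge = args_of(entries, "server-bridge")
    problems = []
    if "server" in names and bridge:
        problems.append("--server and --server-bridge cannot be used together")
    if any(len(a) == 4 for a in bridge) and "ifconfig-pool" in names:
        problems.append("--server-bridge already defines an ifconfig-pool, "
                        "so you can't also specify --ifconfig-pool explicitly")
    is_tap = ["tap"] in args_of(entries, "dev-type") or any(
        a and a[0].startswith("tap") for a in args_of(entries, "dev"))
    if is_tap and "server" in names and not bridge:
        problems.append("ethernet bridging with --server: "
                        "use --server-bridge instead (openvpn community wiki)")
    for a in bridge:                       # sanity-check the bridge pool itself
        if len(a) != 4:
            continue
        net = ipaddress.IPv4Network(f"{a[0]}/{a[1]}", strict=False)
        gw, start, end = (ipaddress.IPv4Address(x) for x in (a[0], a[2], a[3]))
        if not (start in net and end in net and start <= end):
            problems.append(f"server-bridge pool {start}-{end} is not inside {net}")
        elif start <= gw <= end:
            problems.append(f"server-bridge gateway {gw} lies inside the pool")
    return problems


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("broken", BROKEN_CONF),
                       ("fixed", FIXED_CONF)):
        print(name, "->", lint(conf) or "ok")
        for line in expand(conf):
            print("   ", line)
```

Running it against a real file (`sudo cat /run/openvpn/vtun94.conf`) reproduces the puzzling `ifconfig-pool 10.1.4.2 10.1.4.253` line as the automatic pool that `server 10.1.4.0 255.255.255.0` implies on a tap device, and flags the `server` + `server-bridge` and `server-bridge` + `ifconfig-pool` combinations before OpenVPN refuses to start.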

fernando raised the priority of this task from Low to Normal.Jul 3 2024, 5:28 PM

We've added this new feature called Server bridge; it's available in 1.5 and backported to 1.4:

https://docs.vyos.io/en/sagitta/configuration/interfaces/openvpn.html#server-bridge

It should solve this incident.