Need help with creating bridged VPN (TAP)

[ErAzOr]

Hi,

I'd like to integrate my parent's LAN to my own LAN by OpenVPN TAP (bridged).
Goal is, that each client of my parent's LAN is able to access all Clients on my own LAN and vice versa.

With all advantages and disadvantages in mind I have selected TAP as protocoll, because in my optinion it's the best solution for my needs.

To realize this, I already have set my parent's and my LAN to the same subnet (10.0.1.0).
For detail confirguration, see my picture. My parents will get 10.0.1.151-10.0.1.200 from DHCP and I get 10.0.1.100-10.0.1.150 from DHCP. See Picture for details:

As you can see, I run OpenVPN Server on my router (with Asusmerlin). My parents run OpenVPN Client on a Raspberry Pi (because the Router doesn't support OpenVPN).

So this is my first question: Is it generally possible to access all Clients on my parent's LAN over Raspberry Pi as OpenVPN client? Or will I just get access to the Raspberry Pi?

I set up OpenVPN on my router as following:

config.ovpn (I haven't changed anything manually):

# Automatically generated configuration
daemon
server-bridge
push "route 0.0.0.0 255.255.255.255 net_gateway"
proto udp
port 1194
dev tap21
comp-lzo adaptive
keepalive 15 60
verb 3
client-config-dir ccd
client-to-client
duplicate-cn
push "dhcp-option DNS 10.0.1.2"
push "route-gateway 10.0.1.2"
push "redirect-gateway def1"
ca ca.crt
dh dh.pem
cert server.crt
key server.key
script-security 2
up updown.sh
down updown.sh
status-version 2
status status 10

client.ovpn (also haven't changed anything manually):

client
dev tap
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
proto udp
remote mytopsecrethost 1194
float
comp-lzo adaptive
keepalive 15 60
ns-cert-type server
resolv-retry infinite
nobind

(certificate part hidden)


When I now connect from OpenVPN Client (Raspberry Pi) to my OpenVPN Server, everything seemd fine, as I get:

Mon May 30 13:35:00 2016 TUN/TAP device tap0 opened
Mon May 30 13:35:00 2016 Initialization Sequence Completed

output of ifconfig:

eth0      Link encap:Ethernet  Hardware Adresse b8:27:eb:cf:d7:06
          inet Adresse:10.0.1.61  Bcast:10.0.1.255  Maske:255.255.255.0
          inet6-Adresse: fe80::d3c9:b44c:f1db:d70e/64 Gültigkeitsbereich:Verbind                                                                                        ung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
          RX packets:15199 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7405 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:1000
          RX bytes:4069419 (3.8 MiB)  TX bytes:662675 (647.1 KiB)

lo        Link encap:Lokale Schleife
          inet Adresse:127.0.0.1  Maske:255.0.0.0
          inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
          UP LOOPBACK RUNNING  MTU:65536  Metrik:1
          RX packets:5048 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5048 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:0
          RX bytes:437738 (427.4 KiB)  TX bytes:437738 (427.4 KiB)

tap0      Link encap:Ethernet  Hardware Adresse be:f1:d2:1d:4b:54
          inet Adresse:10.0.1.134  Bcast:10.0.1.255  Maske:255.255.255.0
          inet6-Adresse: fe80::68a9:d390:ec06:7b25/64 Gültigkeitsbereich:Verbind                                                                                        ung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
          RX packets:15 errors:0 dropped:5 overruns:0 frame:0
          TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:100
          RX bytes:1655 (1.6 KiB)  TX bytes:7563 (7.3 KiB)

wlan0     Link encap:Ethernet  Hardware Adresse b8:27:eb:9a:82:53
          inet6-Adresse: fe80::ba27:ebff:fe9a:8253/64 Gültigkeitsbereich:Verbind                                                                                        ung
          UP BROADCAST MULTICAST  MTU:1500  Metrik:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:31 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:1000
          RX bytes:0 (0.0 B)  TX bytes:6464 (6.3 KiB)

I now expect i can ping 10.0.1.2 (my OpenVPN Server). But that's not possible:

ping 10.0.1.2
PING 10.0.1.2 (10.0.1.2) 56(84) bytes of data.
From 10.0.1.61 icmp_seq=1 Destination Host Unreachable

And from the other side I'm not able to ping 10.0.1.61 or even 10.0.1.134. But why? Is there anything I did wrong?

Hopefully anyone can help me

Thank you

 

[ErAzOr]

ok i think I figured it out. I had to create a bridge interface on the client.
Now I can ping my clients from my parents to and vice versa

 

[Yiannis]

ok i think I figured it out. I had to create a bridge interface on the client.
Now I can ping my clients from my parents to and vice versa

how did you do that?

 

[ErAzOr]

basically you need to create a bridge in /etc/network/interfaces e.g. like this:

iface br0 inet dhcp
    bridge_ports eth0
    bridge_waitport 0    # no delay before a port becomes available
    bridge_fd 0        # no forwarding delay

After that, create two scripts:
/etc/openvpn/up.sh:

#!/bin/sh
BR=$1
DEV=$2
MTU=$3
/sbin/ifconfig $DEV mtu $MTU promisc up
/sbin/brctl addif $BR $DEV

and
/etc/openvpn/down.sh:

#!/bin/sh
BR=$1
DEV=$2
/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down

at least add following lines in your client.conf:

up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
script-security 3

Don't forget to set chmod +x to /etc/openvpn/up.sh and /etc/openvpn/down.sh

But I still have a problem. When my OpenVPN Server has lost internet connection, the VPN client won't automatically reconnect when Server is available again. Need further investigation.

 

[elorimer]

I am interested in how you come out. I tried something like this between an 87U on a 25/5 connection and a 66U on a 50/5 connection, in the hopes that I could get two Tivos to talk. They need a TAP interface for the level 2 communications, and I found it also needed a TCP rather than a UDP. They would, kinda, but the lag would bump them out, so I abandoned the exercise. I might try again in a year based on what you learn.

A couple of other things:

1. It would be a little helpful to see in your diagram where the internet connections are. Is that with the router, or the Pi?
2. On the client side, do you not want internet traffic to go outside of the VPN? If your upstream connection on one side is limited, like mine, you might be wasting bandwidth.
3. I found I need the second server to be a TUN interface, so that my android devices could do a VPN connection from airports, etc. It also helps because then you can change the settings on one server or the other to experiment with settings. (Mine are a thousand miles away from each other).
4. I'm curious what people think of this same subnet/two DHCP servers in two ranges does, or if it should be set up differently.