OpenVPN and ethernet bridging: Proper setup?

Postby cheetah2003 » 2018-07-19 19:06

Deleted my previous post about managed vs. unmanaged network settings. Nothing to do with my issue. It actually turns out to be more of an issue with an apparent network misconfiguration. Cutting out my VPN and bridging router, the network issues disappeared.

So I guess I'll get some ideas from you guys on how to do this right, because I'm not doing it right, and while it tends to work most of the time, issues like the one I posted about previously (a local machine appearing to refuse all connections) are becoming a headache I need to resolve once and for all.

The setup: 3 distinct network locations, we'll call them "Home", "Cloud" and "Work", with an OpenVPN spanning the three physical locations to form a 'LAN'. I am using OpenVPN and ethernet bridging (bridge-utils). I opted for a full ethernet bridge because I never could get a routed VPN to work with my unusual setup.

The locations: "Home" consists of 3 "computers", one of which is virtualized: basically a file server, a Windows desktop and a virtual machine 'router' running on the file server that serves as the gateway. "Work" is the same setup, though there are more machines behind the gateway (again, it's a virtual machine); "Cloud" is just one system (AWS) which runs the OpenVPN server. "Home" and "Work" connect to the "Cloud" machine and that's how everything inter-connects.

The issues: Routing is the biggest issue. I have time and again run into routing issues. There are two private networks: 10.0.0.0/24 and 10.0.1.0/24. The first spans all three locations, while the latter is only at "Work." I've kludged the routing tables to mostly work (i.e. route between 10.0.0.0/24 and 10.0.1.0/24 without issue), but every now and then issues pop up, like the one I was having with a "Work" local machine: pulling a 10.0.1.0/24 network address, behaving strangely (refusing connections, but responding to ping, very weird).

Configuration: OpenVPN in ethernet bridging mode (tap devices); "Cloud" runs the server, "Home" and "Work" are clients. The tap device has its own IP address (on the 10.0.0.0/24 network), while the "Cloud" machine maintains a separate private network (192.168.0.0/24) to connect to cloud infrastructure. The "Cloud" machine is configured as a full gateway, with masquerade enabled, to allow clients over the VPN to set the "Cloud" machine as their default gateway; alternatively, client machines can use local network infrastructure to find a route to the internet (I alter it as needed; sometimes it's helpful to appear to be coming from the Cloud machine's IP).

I know the configuration I've laid out is pretty abstract; I just don't want to give out too many gritty details. Everything is fairly simple really. I chose ethernet bridging so as not to have to assign IP addresses to every tap device, and I don't. There's only one tap device (the cloud machine) that has an IP address. The two client machines bridge their local ethernet port to the tap device and share that IP. Where I really run into issues is routes between the two private networks, 10.0.0.0/24 and 10.0.1.0/24. I've done things on both client gateways like 'route add -net 10.0.0.0/24 dev br0' and 'route add -net 10.0.1.0/24 dev br0' to force things onto the bridge, and it works... some of the time. That's really the biggest headache: most of the time it seems to work, except when it doesn't, and it's super mysterious what has gone wrong. For example, on the "Work" network I have a server here I'm setting up for a friend, so I plugged it into the local network (10.0.1.0/24). It pulls DHCP and seems happy, responds to ping, but connection refused to any service. It's like the TCP packets are going to the wrong machine but UDP goes to the right one? I dunno, I'm not even sure how to diagnose this issue.

My thinking and routes: So I configured both my gateway machines pretty much the same. 2 network adapters, one connected to the internet, the other to the local network. Then a tap device and OpenVPN client, then bridge-utils to bridge the local network NIC and tap device. Then I assign an IP to the newly created bridge device. tap and eth remain with no addresses.
Then I have this route, 'route add -net 10.0.1.0/24 dev br0', my thinking being that if a packet bound for 10.0.1.0/24 is received, rather than pushing it to the default route, it'll go over the VPN with that entry. On the other end I do the same thing, except with the other network, 10.0.0.0/24. But that's definitely not what is happening, at least not all of the time. LAN machines use this 'gateway' as their default, so the gateway can decide: if it's a LAN IP, use the bridge; if it's internet, use internet. Same layout on both ends. The machine in the middle (i.e. Cloud) is the only machine that binds an IP to its tap device, and the tap device sits alone on that machine, rather than being bridged to another NIC, because there's no 'local' network on the Cloud machine, just the internet and the OpenVPN and its tap device.

So if anyone could offer me some advice on how to set this up better, and have it work 100% of the time rather than sometimes work sometimes not work, I'd be super appreciative. Any tips really would be great.
cheetah2003
 
Posts: 2
Joined: 2018-07-19 16:26

Re: OpenVPN and ethernet bridging: Proper setup?

Postby cheetah2003 » 2018-07-19 19:24

A little visualization may help others help me:

"Home" Gateway:
eth0 \__br0 10.0.0.0/24
tap0 /
eth1 -> internet
Routes: eth1 default
-net 10.0.0.0/24 dev br0
-net 10.0.1.0/24 dev br0

"Work" Gateway
eth0 \__ br0 10.0.1.0/24
tap0 /
eth1 -> internet
Routes: eth1 default
-net 10.0.0.0/24 dev br0
-net 10.0.1.0/24 dev br0

"Cloud" OpenVPN Server
eth0 -> internet
tap0 -> 10.0.0.0/24
Routes: eth0 default
-net 10.0.0.0/24 dev tap0
-net 10.0.1.0/24 dev tap0

All gateways have ip forwarding and NAT enabled.
cheetah2003
 
Posts: 2
Joined: 2018-07-19 16:26
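The following is an added example, not the poster's own scripts: it brings up one site gateway in the layout of the diagram above (LAN NIC and OpenVPN tap bridged into br0, the site address on br0 only, the other site's /24 routed out br0, NAT only toward the internet NIC) using iproute2 in place of the deprecated brctl and route commands. Interface names, the 10.0.0.1/24 address and the order of operations are assumptions taken from the diagram. DRY_RUN=1 (the default) prints each command instead of executing it, so the plan can be inspected without root.

```shell
#!/bin/sh
# Added example, not from the forum post. Interface names and addresses are
# assumptions taken from the "Home" gateway diagram. DRY_RUN=1 (default)
# prints the commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# bridge_up LAN_IF TAP_IF BR_IF BR_CIDR
# Creates a persistent tap (OpenVPN attaches to it via "dev tap0" in its
# config), enslaves the LAN NIC and the tap to the bridge, and puts the
# site address on the bridge. Member ports carry no address, as in the post.
bridge_up() {
    lan="$1"; tap="$2"; br="$3"; cidr="$4"
    run ip tuntap add dev "$tap" mode tap
    run ip link add name "$br" type bridge
    run ip addr flush dev "$lan"
    run ip link set dev "$lan" master "$br"
    run ip link set dev "$tap" master "$br"
    run ip addr add "$cidr" dev "$br"
    run ip link set dev "$lan" up
    run ip link set dev "$tap" up
    run ip link set dev "$br" up
}

# other_site_route PREFIX BR_IF
# A device route with no gateway: the kernel ARPs for the destination host
# directly on br0. That works here because the bridge puts both /24s in one
# broadcast domain, so the remote site's hosts answer ARP across the VPN.
other_site_route() {
    run ip route add "$1" dev "$2"
}

# nat_up WAN_IF
# Forward, but masquerade only what leaves via the internet NIC. Matching on
# -o keeps inter-site traffic between the two /24s untouched; a MASQUERADE
# rule without -o would also rewrite the source of traffic crossing br0.
nat_up() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -o "$1" -j MASQUERADE
}

# "Home" gateway from the diagram; the "Work" gateway swaps the two /24s.
home_gateway() {
    bridge_up eth0 tap0 br0 10.0.0.1/24
    other_site_route 10.0.1.0/24 br0
    nat_up eth1
}

home_gateway
```

Run it as root with DRY_RUN=0 once the printed plan looks right. The OpenVPN client config on each gateway then needs `dev tap0` so it attaches to the pre-created, already-bridged device instead of allocating a fresh tap that sits outside br0.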

Re: OpenVPN and ethernet bridging: Proper setup?

Postby arzgi » 2018-07-20 08:00

Could you post a summary? The diagram you made does not show any issue, and the text is so long.... Any error messages?
arzgi
 
Posts: 282
Joined: 2008-02-21 17:03
Location: Finland
