
I have an OpenVPN Server running on Ubuntu 16.04.1. I have set this up as a TAP/Bridging server and added bridging configuration to my /etc/network/interfaces file. My client is a Windows 10 laptop.

My client connects to the server without issue, and can access the router web interface on the remote network using its local IP address. I've also monitored the TAP interface on the client using Wireshark, and can see broadcast messages being routed through from other hosts on the remote network. I am however unable to ping or initiate any sort of network communication with these hosts, including the server itself. Additionally, the server is unable to ping the client using the allocated IP.

I'm totally stuck and have no idea why my client can talk to the router and use its internet connection, but I'm invisible to all other devices on the network. What have I missed?

Any help greatly appreciated.

Configurations:

Remote Network

subnet = 192.168.100.0/24
router ip = 192.168.100.1
router dhcp range = 192.168.100.100 - 192.168.100.199
OpenVPN server ip = 192.168.100.10

Server

/etc/network/interfaces

auto lo
iface lo inet loopback

auto br0
iface br0 inet static
    address 192.168.100.10
    netmask 255.255.255.0
    gateway 192.168.100.1
    network 192.168.100.0
    dns-nameservers 8.8.8.8 8.8.4.4
    bridge_ports enp3s0

iface enp3s0 inet manual
    up ip link set $IFACE up promisc on
    down ifconfig $IFACE down

/etc/openvpn/server.conf

port 1194
proto tcp
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
topology subnet
server-bridge 192.168.100.1 255.255.255.0 192.168.100.200 192.168.100.210
push "route 192.168.100.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 8.8.8.8"
client-to-client
keepalive 10 120
tls-auth ta.key 0
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
;log         openvpn.log
log-append  openvpn.log
verb 6
up "/etc/openvpn/up.sh br0 enp3s0"
script-security 3

/etc/openvpn/up.sh

#!/bin/sh
# Invoked from server.conf as: up "/etc/openvpn/up.sh br0 enp3s0"
# OpenVPN appends its own arguments after those two, the first of which is
# the tap device it just created, so $3 is the interface to add to the bridge.

BR=$1
ETHDEV=$2
TAPDEV=$3

/sbin/ip link set "$TAPDEV" up
/sbin/ip link set "$ETHDEV" promisc on
/sbin/brctl addif "$BR" "$TAPDEV"

/etc/sysctl.conf

net.ipv4.ip_forward=1

iptables --list

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-sshd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Client

C:\Program Files\OpenVPN\config\client.ovpn

dev tap
proto tcp
remote my-public-ip-address 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
comp-lzo
verb 3

Ping results

# Remote router
ping 192.168.100.1

Pinging 192.168.100.1 with 32 bytes of data:
Reply from 192.168.100.1: bytes=32 time=108ms TTL=64
Reply from 192.168.100.1: bytes=32 time=32ms TTL=64

# OpenVPN Server
ping 192.168.100.10

Pinging 192.168.100.10 with 32 bytes of data:
Reply from 192.168.100.200: Destination host unreachable.
DBrowne

1 Answer


Well, I feel pretty silly. Turns out in server.conf the line

server-bridge 192.168.100.1 255.255.255.0 192.168.100.200 192.168.100.210

should read

server-bridge 192.168.100.10 255.255.255.0 192.168.100.200 192.168.100.210

i.e. the first argument is the server IP address, not the gateway address, which is what I had.

DBrowne
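The mistake above is easy to make again, so here is an added lint for the server-bridge line (example code, not the poster's or OpenVPN's). It checks that the first argument is the address assigned to br0 rather than the router, that the client pool sits in the bridge's /24, and that the pool stays clear of the router's DHCP range; the addresses and both versions of the line are constructed copies of the values on this page, and a /24 netmask is assumed.

```shell
#!/bin/sh
# Added example, not code from the question or answer. Inputs are constructed
# from the page's values so the script runs offline.

# Address given to br0 in /etc/network/interfaces.
BRIDGE_ADDR=192.168.100.10
# Router's DHCP range on the LAN (last octets); the OpenVPN pool must avoid it.
ROUTER_DHCP_LO=100
ROUTER_DHCP_HI=199

# The line as originally posted (gateway in the first slot) and as corrected.
SERVER_BRIDGE_BAD='server-bridge 192.168.100.1 255.255.255.0 192.168.100.200 192.168.100.210'
SERVER_BRIDGE_GOOD='server-bridge 192.168.100.10 255.255.255.0 192.168.100.200 192.168.100.210'

last_octet() { echo "${1##*.}"; }   # 192.168.100.200 -> 200
net24()      { echo "${1%.*}"; }    # 192.168.100.200 -> 192.168.100 (assumes a /24)

# check_server_bridge '<server-bridge line>' <bridge address>
# Prints a diagnostic and returns 1 on the first problem found, 0 if the line is sane.
check_server_bridge() {
    bridge_addr=$2
    set -- $1            # split the line: $1=keyword $2=server-ip $3=mask $4=pool-start $5=pool-end
    if [ "$1" != server-bridge ] || [ $# -lt 5 ]; then
        echo "expected: server-bridge <server-ip> <netmask> <pool-start> <pool-end>"; return 1
    fi
    # First argument must be the server's own address on the bridge, not the router's.
    if [ "$2" != "$bridge_addr" ]; then
        echo "server-bridge ip $2 is not the bridge address $bridge_addr (gateway given instead?)"; return 1
    fi
    # Pool must lie in the same /24 as the bridge ...
    if [ "$(net24 "$4")" != "$(net24 "$bridge_addr")" ] || [ "$(net24 "$5")" != "$(net24 "$bridge_addr")" ]; then
        echo "pool $4-$5 is not in the bridge's subnet $(net24 "$bridge_addr").0/24"; return 1
    fi
    # ... and must not collide with addresses the router's DHCP server may hand out.
    s=$(last_octet "$4"); e=$(last_octet "$5")
    if [ "$s" -gt "$e" ]; then echo "pool start $4 is above pool end $5"; return 1; fi
    if [ "$s" -le "$ROUTER_DHCP_HI" ] && [ "$e" -ge "$ROUTER_DHCP_LO" ]; then
        echo "pool $4-$5 overlaps router DHCP range .$ROUTER_DHCP_LO-.$ROUTER_DHCP_HI"; return 1
    fi
    echo "server-bridge line ok: server $2 mask $3 pool $4-$5"
}

# Run the check over the broken line and the corrected one.
for line in "$SERVER_BRIDGE_BAD" "$SERVER_BRIDGE_GOOD"; do
    check_server_bridge "$line" "$BRIDGE_ADDR" || :
done
```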