Losing internet access when creating ethernet bridge for OpenVPN

3

1

I'm trying to set up an ethernet bridge with OpenVPN. I create my bridge using this script I got from the setup guide on openvpn.org, modified slightly to work on Arch Linux.

```bash
# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.1.202"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"

for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br
#brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ip link set dev $t promisc on
done

ip link set dev $eth promisc on

#ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
```

This works except the server loses its internet connection immediately after running the script until I reboot. I am still able to connect on the client, and routing all data through the vpn with push "redirect-gateway def1" seems to work - if I try to ping google.com on the client, I get a message from the server saying that it can't be reached. What am I doing wrong?

EDIT:
I removed the bridge to eth0 as suggested in this question. I also commented out ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast. Everything now seems to work, except for the fact that I can't ping the client from the server.

When I do a traceroute to google.com, it goes through 192.168.1.109 before going through my router. This address is in my vpn routing tables, so does this mean the traffic is going through the VPN? Another problem could be that the client I have been testing with is on the same local network as the server. Could this be causing problems? With an ethernet bridge, are computers on the local network still able to access clients even if they are not connected to the network? I'll try testing it from another network and update this with my findings.

EDIT 2:

Here's what the routing tables look like on the server:

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
0.0.0.0         192.168.1.2     0.0.0.0         UG        0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.1.109   127.0.0.1       255.255.255.255 UGH       0 0          0 lo
```

Lily Hahn

Posted 2013-12-30T00:26:37.440

Reputation: 1 215

Maybe it is too late, but did you solve the problem? If yes, maybe I can help, because I had exactly the same problem before. – Mohammed Noureldin – 2017-07-17T00:29:21.373

Answers

3

When you do bridging with OpenVPN, you'll junction your existing eth0 and tap0 into a bridge br0. This is the right thing to do if you want OpenVPN clients to be part of the same network eth0 is in and allow broadcast traffic to traverse.

When the eth0 and tap0 are in a bridge, they are now like ports on a switch; their individual IPs don't matter anymore. You lose internet connection because br0 has no IP now.

br0 is now your NIC and it now needs an IP, either through DHCP or manually assigned. Try dhclient -v br0.

If you don't have a DHCP server running you need to set one up, just for br0 (it's possible to tell isc-dhcp-server to only give out IPs on interface br0 and not your eth0).

LawrenceC

Posted 2013-12-30T00:26:37.440

Reputation: 63 487

What if I assigned an IP to br0 with ifconfig and the machine is still unreachable? – user0800 – 2019-10-24T15:06:11.483
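The manual-assignment route from the answer, as an added example that is not part of the original posts: it moves the question's address from eth0 to br0 using the iproute2 equivalents of the `brctl` calls, restores the default route through br0, and includes a check for the "bridge has no IP" state. The gateway 192.168.1.1 is an assumption taken from the posted routing table, and `run`, `bridge_up` and `bridge_l3_ok` are hypothetical helper names.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Dry run by default:
# commands are only printed; run as root with APPLY=1 to execute them.
br="br0"; tap="tap0"; eth="eth0"     # names from the question's script
br_cidr="192.168.1.202/24"           # the question's eth_ip/eth_netmask in CIDR form
br_brd="192.168.1.255"
gateway="192.168.1.1"                # assumption: a default gateway from the posted routing table

run() {                              # print a command, execute it only if APPLY=1
    echo "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

bridge_up() {
    run ip link add name "$br" type bridge
    for t in $tap; do
        run openvpn --mktun --dev "$t"
        run ip link set dev "$t" master "$br"
        run ip link set dev "$t" promisc on up
    done
    run ip link set dev "$eth" master "$br"
    run ip link set dev "$eth" promisc on up
    run ip addr flush dev "$eth"     # a bridge port keeps no IP of its own
    run ip addr add "$br_cidr" broadcast "$br_brd" dev "$br"
    run ip link set dev "$br" up
    # Routes via eth0 go away with its address; the default route must leave via br0.
    run ip route replace default via "$gateway" dev "$br"
}

# Check: given `ip -o -4 addr show` output on stdin, succeed only if the
# bridge holds an IPv4 address and the physical port does not.
bridge_l3_ok() {
    awk -v br="$br" -v eth="$eth" '
        $2 == br  && $3 == "inet" { on_br = 1 }
        $2 == eth && $3 == "inet" { on_eth = 1 }
        END { exit !(on_br && !on_eth) }'
}

bridge_up
```

Run it from a local console rather than over SSH through eth0, since the address moves mid-script; afterwards `ip -o -4 addr show | bridge_l3_ok` confirms the address ended up on br0.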