My Environment:
- Host PC is on Windows 11, with VMware.
- There is a virtual machine (Ubuntu 22.04.3 LTS) in VMware, with a bridged virtual network card. Everything with the network and Internet works fine on that VM.
- VM has IP 192.168.0.101 in my internal network
- OpenVPN is working in VM, on 1194
- Port forwarding for external 1194 is set up on my router to IP 192.168.0.101 port 1194
- OpenVPN config is:
;local a.b.c.d
port 1194
proto tcp
;proto udp
dev tap1
;dev tun
;dev-node MyTap
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh.pem
topology subnet
;server 192.168.1.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
server-bridge 192.168.0.101 255.255.255.0 192.168.0.10 192.168.0.80
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.0.0 255.255.255.0
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;client-to-client
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
tls-crypt ta.key
cipher AES-256-CBC
;compress lz4-v2
;push "compress lz4-v2"
;comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
;log-append /var/log/openvpn/openvpn.log
verb 3
;mute 20
;explicit-exit-notify 1
- Bridge is set up by scripts from OpenVPN documentation https://openvpn.net/community-resources/ethernet-bridging/#linuxscript .
When I start OpenVPN without the bridge (bridge-start), the client (Windows 10 notebook) can connect, but can't ping internal IPs, for example 192.168.0.101 or 192.168.0.1.
ifconfig of the server at that moment is
ens33: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
inet 192.168.0.101 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::20c:29ff:feb0:e3db prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:b0:e3:db txqueuelen 1000 (Ethernet)
RX packets 253076 bytes 31066696 (31.0 MB)
RX errors 0 dropped 44 overruns 0 frame 0
TX packets 36565 bytes 4552858 (4.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 9652 bytes 9347692 (9.3 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 9652 bytes 9347692 (9.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
The client connection log is
2023-08-30 00:11:46 NOTE: --user option is not implemented on Windows
2023-08-30 00:11:46 NOTE: --group option is not implemented on Windows
2023-08-30 00:11:46 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). OpenVPN ignores --cipher for cipher negotiations.
2023-08-30 00:11:46 Note: dev-type not tun, disabling data channel offload.
2023-08-30 00:11:46 OpenVPN 2.6.6 [git:v2.6.6/c9540130121bfc21] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Aug 15 2023
2023-08-30 00:11:46 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-08-30 00:11:46 library versions: OpenSSL 3.1.2 1 Aug 2023, LZO 2.10
2023-08-30 00:11:46 DCO version: v0
2023-08-30 00:11:46 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2023-08-30 00:11:46 Need hold release from management interface, waiting...
2023-08-30 00:11:46 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:64082
2023-08-30 00:11:46 MANAGEMENT: CMD 'state on'
2023-08-30 00:11:46 MANAGEMENT: CMD 'log on all'
2023-08-30 00:11:46 MANAGEMENT: CMD 'echo on all'
2023-08-30 00:11:46 MANAGEMENT: CMD 'bytecount 5'
2023-08-30 00:11:46 MANAGEMENT: CMD 'state'
2023-08-30 00:11:46 MANAGEMENT: CMD 'hold off'
2023-08-30 00:11:46 MANAGEMENT: CMD 'hold release'
2023-08-30 00:11:46 MANAGEMENT: >STATE:1693343506,RESOLVE,,,,,,
2023-08-30 00:11:47 TCP/UDP: Preserving recently used remote address: [AF_INET]178.204.152.65:1194
2023-08-30 00:11:47 Socket Buffers: R=[65536->65536] S=[65536->65536]
2023-08-30 00:11:47 Attempting to establish TCP connection with [AF_INET]178.204.152.65:1194
2023-08-30 00:11:47 MANAGEMENT: >STATE:1693343507,TCP_CONNECT,,,,,,
2023-08-30 00:11:47 TCP connection established with [AF_INET]178.204.152.65:1194
2023-08-30 00:11:47 TCPv4_CLIENT link local: (not bound)
2023-08-30 00:11:47 TCPv4_CLIENT link remote: [AF_INET]178.204.152.65:1194
2023-08-30 00:11:47 MANAGEMENT: >STATE:1693343507,WAIT,,,,,,
2023-08-30 00:11:47 MANAGEMENT: >STATE:1693343507,AUTH,,,,,,
2023-08-30 00:11:47 TLS: Initial packet from [AF_INET]178.204.152.65:1194, sid=cbb3d817 e15dfba7
2023-08-30 00:11:47 VERIFY OK: depth=1, CN=Easy-RSA CA
2023-08-30 00:11:47 VERIFY KU OK
2023-08-30 00:11:47 Validating certificate extended key usage
2023-08-30 00:11:47 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-08-30 00:11:47 VERIFY EKU OK
2023-08-30 00:11:47 VERIFY OK: depth=0, CN=server
2023-08-30 00:11:47 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-08-30 00:11:47 [server] Peer Connection Initiated with [AF_INET]178.204.152.65:1194
2023-08-30 00:11:47 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-08-30 00:11:47 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-08-30 00:11:47 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.0.101,ping 10,ping-restart 120,ifconfig 192.168.0.10 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2023-08-30 00:11:47 OPTIONS IMPORT: --ifconfig/up options modified
2023-08-30 00:11:47 OPTIONS IMPORT: route-related options modified
2023-08-30 00:11:47 interactive service msg_channel=760
2023-08-30 00:11:47 open_tun
2023-08-30 00:11:47 tap-windows6 device [Local Area Connection] opened
2023-08-30 00:11:47 TAP-Windows Driver Version 9.26
2023-08-30 00:11:47 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.0.10/255.255.255.0 on interface {4E7E51BA-DA46-4527-9AAB-37CD543B55E9} [DHCP-serv: 192.168.0.0, lease-time: 31536000]
2023-08-30 00:11:47 Successful ARP Flush on interface [12] {4E7E51BA-DA46-4527-9AAB-37CD543B55E9}
2023-08-30 00:11:47 MANAGEMENT: >STATE:1693343507,ASSIGN_IP,,192.168.0.10,,,,
2023-08-30 00:11:47 IPv4 MTU set to 1500 on interface 12 using service
2023-08-30 00:11:47 Data Channel: cipher 'AES-256-GCM', peer-id: 0
2023-08-30 00:11:47 Timers: ping 10, ping-restart 120
2023-08-30 00:11:52 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
2023-08-30 00:11:52 Initialization Sequence Completed
2023-08-30 00:11:52 MANAGEMENT: >STATE:1693343512,CONNECTED,SUCCESS,192.168.0.10,178.204.152.65,1194,192.168.8.102,64083
Routes on the client at that moment:
C:\Windows\system32>route print
===========================================================================
Interface List
17...a0 48 1c 11 ee 19 ......Realtek PCIe FE Family Controller
10...........................Wintun Userspace Tunnel
12...00 ff 4e 7e 51 ba ......TAP-Windows Adapter V9
24...........................OpenVPN Data Channel Offload
15...ae 15 a2 5c 31 dc ......Microsoft Wi-Fi Direct Virtual Adapter
7...ac 15 a2 5c 31 dc ......Microsoft Wi-Fi Direct Virtual Adapter #2
20...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
6...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
23...ac 15 a2 5c 31 dc ......TP-Link Wireless MU-MIMO USB Adapter
1...........................Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.8.1 192.168.8.102 55
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.0.0 255.255.255.0 On-link 192.168.0.10 281
192.168.0.10 255.255.255.255 On-link 192.168.0.10 281
192.168.0.255 255.255.255.255 On-link 192.168.0.10 281
192.168.8.0 255.255.255.0 On-link 192.168.8.102 311
192.168.8.102 255.255.255.255 On-link 192.168.8.102 311
192.168.8.255 255.255.255.255 On-link 192.168.8.102 311
192.168.137.0 255.255.255.0 On-link 192.168.137.1 291
192.168.137.1 255.255.255.255 On-link 192.168.137.1 291
192.168.137.255 255.255.255.255 On-link 192.168.137.1 291
192.168.159.0 255.255.255.0 On-link 192.168.159.1 291
192.168.159.1 255.255.255.255 On-link 192.168.159.1 291
192.168.159.255 255.255.255.255 On-link 192.168.159.1 291
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.137.1 291
224.0.0.0 240.0.0.0 On-link 192.168.159.1 291
224.0.0.0 240.0.0.0 On-link 192.168.0.10 281
224.0.0.0 240.0.0.0 On-link 192.168.8.102 311
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.137.1 291
255.255.255.255 255.255.255.255 On-link 192.168.159.1 291
255.255.255.255 255.255.255.255 On-link 192.168.0.10 281
255.255.255.255 255.255.255.255 On-link 192.168.8.102 311
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
23 71 ::/0 fe80::80fe:5cff:fe1a:6b7e
1 331 ::1/128 On-link
20 291 fe80::/64 On-link
6 291 fe80::/64 On-link
12 281 fe80::/64 On-link
23 311 fe80::/64 On-link
20 291 fe80::4c1d:375c:cbea:5ad7/128
On-link
12 281 fe80::5544:4ad8:c313:3fa1/128
On-link
23 311 fe80::cd04:f255:5713:496b/128
On-link
6 291 fe80::e8d0:ed33:cc54:3fb0/128
On-link
1 331 ff00::/8 On-link
20 291 ff00::/8 On-link
6 291 ff00::/8 On-link
12 281 ff00::/8 On-link
23 311 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
C:\Windows\system32>
The bridge-start script in my case is
#!/bin/bash
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap1"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="ens33"
eth_ip="192.168.0.101"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"
for t in $tap; do
openvpn --mktun --dev $t
done
brctl addbr $br
brctl addif $br $eth
for t in $tap; do
brctl addif $br $t
done
for t in $tap; do
ifconfig $t 0.0.0.0 promisc up
done
ifconfig $eth 0.0.0.0 promisc up
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
But when I enable the bridge with
sudo systemctl stop openvpn@server
sudo ./bridge-start
sudo systemctl start openvpn@server
my client is unable to connect to my OpenVPN server.
ifconfig of the server at that moment is
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.101 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::6063:77ff:fed1:c82c prefixlen 64 scopeid 0x20<link>
ether 62:63:77:d1:c8:2c txqueuelen 1000 (Ethernet)
RX packets 699 bytes 65111 (65.1 KB)
RX errors 0 dropped 1 overruns 0 frame 0
TX packets 264 bytes 26276 (26.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens33: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
inet6 fe80::20c:29ff:feb0:e3db prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:b0:e3:db txqueuelen 1000 (Ethernet)
RX packets 266676 bytes 32685829 (32.6 MB)
RX errors 0 dropped 47 overruns 0 frame 0
TX packets 38148 bytes 4725224 (4.7 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 9652 bytes 9347692 (9.3 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 9652 bytes 9347692 (9.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tap1: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
inet6 fe80::f064:fdff:fe0b:edde prefixlen 64 scopeid 0x20<link>
ether f2:64:fd:0b:ed:de txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 33 bytes 13177 (13.1 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
and the client is stuck on
2023-08-30 00:20:27 NOTE: --user option is not implemented on Windows
2023-08-30 00:20:27 NOTE: --group option is not implemented on Windows
2023-08-30 00:20:27 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). OpenVPN ignores --cipher for cipher negotiations.
2023-08-30 00:20:27 Note: dev-type not tun, disabling data channel offload.
2023-08-30 00:20:27 OpenVPN 2.6.6 [git:v2.6.6/c9540130121bfc21] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Aug 15 2023
2023-08-30 00:20:27 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-08-30 00:20:27 library versions: OpenSSL 3.1.2 1 Aug 2023, LZO 2.10
2023-08-30 00:20:27 DCO version: v0
2023-08-30 00:20:27 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2023-08-30 00:20:27 Need hold release from management interface, waiting...
2023-08-30 00:20:27 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:49309
2023-08-30 00:20:27 MANAGEMENT: CMD 'state on'
2023-08-30 00:20:27 MANAGEMENT: CMD 'log on all'
2023-08-30 00:20:27 MANAGEMENT: CMD 'echo on all'
2023-08-30 00:20:27 MANAGEMENT: CMD 'bytecount 5'
2023-08-30 00:20:27 MANAGEMENT: CMD 'state'
2023-08-30 00:20:27 MANAGEMENT: CMD 'hold off'
2023-08-30 00:20:27 MANAGEMENT: CMD 'hold release'
2023-08-30 00:20:27 MANAGEMENT: >STATE:1693344027,RESOLVE,,,,,,
2023-08-30 00:20:28 TCP/UDP: Preserving recently used remote address: [AF_INET]178.204.152.65:1194
2023-08-30 00:20:28 Socket Buffers: R=[65536->65536] S=[65536->65536]
2023-08-30 00:20:28 Attempting to establish TCP connection with [AF_INET]178.204.152.65:1194
2023-08-30 00:20:28 MANAGEMENT: >STATE:1693344028,TCP_CONNECT,,,,,,
It looks like I set it up according to the documentation, but with the bridge enabled the client is unable to connect to OpenVPN. Please tell me what I am missing.
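A post-bridge-start sanity check, added here as an example (it is not from the original post or the OpenVPN documentation): each check parses the output of one iproute2 or ss command, so it runs on captured text as well as live on the server with --live. The interface names, 192.168.0.101 and port 1194 are taken from the question; the text in the else branch is a constructed sample, not output captured from the poster's server.

```shell
#!/bin/sh
# Post-bridge-start sanity check (added example; not from the OpenVPN docs or
# the original post). Interface names, the bridge address and the port come
# from the question. Each check reads one command's output from "$1", so it
# works on captured text as well as live ("--live" runs the real commands).
BR="br0"; ETH="ens33"; TAP="tap1"; BR_IP="192.168.0.101"; VPN_PORT="1194"

# 1. The LAN address must now sit on br0 and must be gone from ens33.
check_addr() {                       # $1 = output of: ip -4 -o addr
  printf '%s\n' "$1" | grep -q "^[0-9]*: $BR .*inet $BR_IP/" || return 1
  printf '%s\n' "$1" | grep -q "^[0-9]*: $ETH .*inet " && return 1
  return 0
}
# 2. "ifconfig ens33 0.0.0.0" also drops the default route that used ens33.
#    Without one via br0 the server hears the client's SYN but cannot answer
#    a public address, so the client sits in TCP_CONNECT.
check_default_route() {              # $1 = output of: ip route
  printf '%s\n' "$1" | grep -q "^default via [0-9.]* dev $BR"
}
# 3. Both ens33 and tap1 must be ports (slaves) of br0.
check_ports() {                      # $1 = output of: ip -o link
  printf '%s\n' "$1" | grep -q "^[0-9]*: $ETH:.* master $BR " || return 1
  printf '%s\n' "$1" | grep -q "^[0-9]*: $TAP:.* master $BR " || return 1
}
# 4. The server config says "proto tcp", so a TCP listener on 1194 must exist.
check_listen() {                     # $1 = output of: ss -ltn
  printf '%s\n' "$1" | grep -q "LISTEN .*:$VPN_PORT "
}

report() {                           # $1 = label, $2 = exit status of the check
  [ "$2" -eq 0 ] && echo "ok:   $1" || { echo "FAIL: $1"; rc=1; }
}
run_checks() {                       # $1..$4 = addr, route, link and ss text
  rc=0
  check_addr "$1";          report "$BR_IP on $BR and not on $ETH" $?
  check_default_route "$2"; report "default route via $BR" $?
  check_ports "$3";         report "$ETH and $TAP are ports of $BR" $?
  check_listen "$4";        report "TCP listener on port $VPN_PORT" $?
  return $rc
}

if [ "${1:-}" = "--live" ]; then
  run_checks "$(ip -4 -o addr)" "$(ip route)" "$(ip -o link)" "$(ss -ltn)"
else  # constructed sample: state after bridge-start with the default route lost
  run_checks "4: $BR    inet $BR_IP/24 brd 192.168.0.255 scope global $BR" \
    "192.168.0.0/24 dev $BR proto kernel scope link src $BR_IP" \
    "2: $ETH: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master $BR state UP
3: $TAP: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master $BR state UP" \
    "LISTEN 0  32  0.0.0.0:$VPN_PORT  0.0.0.0:*"
fi
```

Run without arguments it evaluates the constructed sample and reports the missing default route; run with --live on the server after bridge-start it evaluates the real state, and a FAIL line names the check to fix before starting openvpn@server again.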