Connected, but can't see anything on LAN

Got a problem with Viscosity or need help? Ask here!

clecol

Posts: 3
Joined: Wed Feb 01, 2012 5:43 am

Post by clecol » Wed Feb 01, 2012 5:48 am
Like the subject says. I'm able to open a bridged (tap) connection to my OpenVPN server, but I can't see any of the devices on the LAN subnet that I'm connected to... I assume it's a routing issue. In my Viscosity connection preferences, I have "send all traffic over vpn connection" checked, I have the default gateway as the VPN LAN's gateway (192.168.66.1) and a route of:

192.168.66.0 255.255.255.0 192.168.66.1

Maybe it's a server configuration issue? Any thoughts?

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Wed Feb 01, 2012 7:36 pm
Hi clecol,

Firstly check that the bridging is correctly setup and working on your OpenVPN server (this is by far the most common reason for it to not work). You should also check things like the firewall to check that they are correctly allowing traffic through. See if you can ping the server's internal IP address. If you can ping the server, but not other computers on your LAN, then it means there is problem with your bridge.

You should also check that Viscosity is correctly getting an IP address (either from the OpenVPN server, or a DHCP server on your LAN network). To do this, check the Details window and see what the IP address is. If you are ending up with a self-assigned IP, or the IP address is taking a while to be detected, then it's possible OpenVPN may be trying to add the routes before the VPN connection is ready. If this is the case, it can be easily fixed by adding the command "route-delay 20" (no quotes) to the commands section under the Advanced tab (when editing your connection).

If you're still stuck, please post a copy of your OpenVPN log, and your routing table while connected. To display your routing table, open up Command Prompt from the Start menu, and type "route print" (no quotes).

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

clecol

Posts: 3
Joined: Wed Feb 01, 2012 5:43 am

Post by clecol » Thu Feb 02, 2012 4:28 am
Thanks for the reply James. I had set to subscribe to this thread but never got an email when you replied? Weird. Anyway, I can ping the server's remote LAN IP but no one else on the remote subnet. Viscosity is getting a proper IP address from the "server-bridge" directive in my server conf. I have IPv4 forwarding turned on on the server. The code to bring up the bridge that I'm running before bringing up OpenVPN is:
#!/bin/bash

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0-eth1"
eth_ip="192.168.66.49"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.66.255"

for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br

brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT

ifconfig br0 up
ifconfig tap0 up
route add default gw 192.168.66.1
My Viscosity log doesn't really show anything unusual:
Feb 01 12:06:02: Viscosity 1.3.5 (1120)
Feb 01 12:06:02: Checking reachability status of connection...
Feb 01 12:06:04: Connection is reachable. Starting connection attempt.
Feb 01 12:06:04: OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Jan  4 2012
Feb 01 12:06:07: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Feb 01 12:06:07: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Feb 01 12:06:07: Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Feb 01 12:06:07: LZO compression initialized
Feb 01 12:06:07: Attempting to establish TCP connection with 173.163.44.9:1194
Feb 01 12:06:10: TCP connection established with 173.163.44.9:1194
Feb 01 12:06:10: TCPv4_CLIENT link local: [undef]
Feb 01 12:06:10: TCPv4_CLIENT link remote: 173.163.44.9:1194
Feb 01 12:06:17: [aaim_server] Peer Connection Initiated with 173.163.44.9:1194
Feb 01 12:06:19: TAP-WIN32 device [Work] opened: \\.\Global\{C1538601-586E-48FB-8152-4BCDEFFA1CB4}.tap
Feb 01 12:06:19: Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.66.200/255.255.255.0 on interface {C1538601-586E-48FB-8152-4BCDEFFA1CB4} [DHCP-serv: 192.168.66.0, lease-time: 31536000]
Feb 01 12:06:19: Successful ARP Flush on interface [20] {C1538601-586E-48FB-8152-4BCDEFFA1CB4}
Feb 01 12:06:24: Initialization Sequence Completed
And lastly, here's my server conf:
port 1194
proto tcp
dev tap
ca aaim_ca.crt
cert aaim_server.crt
key aaim_server.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.66.49 255.255.255.0 192.168.66.200 192.168.66.210
push "route 192.168.66.0 255.255.255.0"
duplicate-cn
keepalive 10 120
tls-auth aaim_tls.key 0
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 6

clecol

Posts: 3
Joined: Wed Feb 01, 2012 5:43 am

Post by clecol » Thu Feb 02, 2012 8:10 am
Whenever I change my server-bridge directive in my conf to not specify an IP address, I get a random address not on my remote LAN at all (I think IPs starting with 169 usually can't connect to DHCP). I'm really confused as to what's going on at this point.

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Feb 03, 2012 2:42 am
Hi clecol,

It definitely sounds like your server's bridge is not functioning. A few comments:

> I have IPv4 forwarding turned on on the server.

IP forwarding is usually used for NAT (routing), and generally isn't necessary for a bridged setup.

> eth="eth0-eth1"

This worries me a bit - can you do that? You might only be able to specify a single interface (not that I've ever tried one way or the other).

> dev tap

This should be tap0 rather than just tap, as you want to ensure it uses the interface created by your bridge script.

> I get a random address not on my remote LAN at all (I think IPs starting with 169 usually can't connect to DHCP). I'm really confused as to what's going on at this point.

This is known as a self-assigned IP address. Your computer will automatically assign one after a while if it is unable to contact a DHCP server for an IP address (and doesn't already have one statically assigned).

I'd recommend recreating your bridge from scratch using the instructions listed in the following guide. Even though it's written for Ubuntu, it applies to most Linux distros.
https://help.ubuntu.com/community/OpenVPN

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
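Pulling together the checks from James's two replies (one physical interface in the bridge, OpenVPN bound to the bridged tap0, no reliance on ip_forward), here is an added bridge bring-up script; it is not clecol's script nor anything from Viscosity or SparkLabs. The interface names, the DRYRUN switch and the use of iproute2 alongside bridge-utils are my assumptions.

```shell
#!/bin/sh
# Added example: bridge bring-up with the fixes discussed in the thread
# (one physical interface, tap0 matching "dev tap0", no ip_forward).
# Assumes bridge-utils, iproute2 and iptables; interface names are assumed.
set -u

br="br0"
tap="tap0"
eth="${ETH:-eth0}"              # exactly one NIC; "eth0-eth1" is not valid
eth_ip="192.168.66.49"
prefix="24"                     # 255.255.255.0
DRYRUN="${DRYRUN:-0}"           # DRYRUN=1 prints commands instead of running them

# Execute a privileged command, or echo it in dry-run mode.
run() { if [ "$DRYRUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Accept a single plausible interface name (letters, digits, '_' and '.').
# Rejects the poster's "eth0-eth1" and empty strings.
check_ifname() {
    case "$1" in
        ""|*[!A-Za-z0-9_.]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Return 0 if the server config binds OpenVPN to the bridged tap ("dev tap0").
check_dev_line() {
    grep -qx "dev $tap" "$1"
}

bring_up_bridge() {
    check_ifname "$eth" || { echo "bad interface name: $eth" >&2; return 1; }
    if [ "$DRYRUN" != 1 ] && [ ! -d "/sys/class/net/$eth" ]; then
        echo "no such interface: $eth" >&2; return 1
    fi
    run openvpn --mktun --dev "$tap"
    run brctl addbr "$br"
    run brctl addif "$br" "$eth"
    run brctl addif "$br" "$tap"
    run ip addr flush dev "$eth"          # the address moves to the bridge
    run ip link set dev "$eth" up promisc on
    run ip link set dev "$tap" up promisc on
    run ip addr add "$eth_ip/$prefix" dev "$br"
    run ip link set dev "$br" up
    # Frames between tap0 and eth0 are switched by the bridge itself, so no
    # NAT or net.ipv4.ip_forward is needed; just let them through the filter.
    run iptables -A INPUT -i "$br" -j ACCEPT
    run iptables -A FORWARD -i "$br" -j ACCEPT
}
```

Run it with DRYRUN=1 first to review the exact commands, then as root before starting the OpenVPN server, and confirm with `brctl show br0` that both eth0 and tap0 are listed as bridge members.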