Bridged networking, what changes on OpenWrt device?

Knogle · March 10, 2020, 12:48am

Ahoy friends.
Currently i got 2 seperate networks, one in my home country, and one in anothe country where i currently am.
Here i'm using an OpenWRT device with LAN devices connected to it. I don't know if it's necessary to turn off DHCP or something, but well.
At home i use a virtual machine as ethernet bridge as well, and it seems to be possible to establish a connection.
Here i got the log.

I followed this tutorial https://www.emaculation.com/doku.php/bridged_openvpn_server_setup


Mon Mar  9 22:16:29 2020 daemon.notice openvpn(client)[2255]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Mar  9 22:16:29 2020 daemon.notice openvpn(client)[2255]: UDP link local (bound): [AF_INET][undef]:1194
Mon Mar  9 22:16:29 2020 daemon.notice openvpn(client)[2255]: UDP link remote: [AF_INET]78.35.90.26:1194
Mon Mar  9 22:16:30 2020 daemon.notice netifd: wan (2222): udhcpc: sending discover
Mon Mar  9 22:16:30 2020 daemon.notice openvpn(client)[2255]: TLS: Initial packet from [AF_INET]78.35.90.26:1194, sid=1c5ca244 ebda0fa9
Mon Mar  9 22:16:30 2020 daemon.notice openvpn(client)[2255]: VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=OpenVPN-CA, ??=EasyRSA, emailAddress=me@myhost.mydomain
Mon Mar  9 22:16:30 2020 daemon.notice openvpn(client)[2255]: Validating certificate key usage
Mon Mar  9 22:16:30 2020 daemon.notice openvpn(client)[2255]: VERIFY KU OK
Mon Mar  9 22:16:30 2020 daemon.notice openvpn(client)[2255]: Validating certificate extended key usage
Mon Mar  9 22:16:30 2020 daemon.notice openvpn(client)[2255]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Mar  9 22:16:30 2020 daemon.notice openvpn(client)[2255]: VERIFY EKU OK
Mon Mar  9 22:16:30 2020 daemon.notice openvpn(client)[2255]: VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=server, ??=EasyRSA, emailAddress=me@myhost.mydomain
Mon Mar  9 22:16:31 2020 daemon.err openvpn(client)[2255]: TLS Error: local/remote TLS keys are out of sync: [AF_INET]78.35.90.26:1194 [1]
Mon Mar  9 22:16:31 2020 daemon.err openvpn(client)[2255]: TLS Error: local/remote TLS keys are out of sync: [AF_INET]78.35.90.26:1194 [1]
Mon Mar  9 22:16:31 2020 daemon.notice openvpn(client)[2255]: Control Channel: TLSv1.2, cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384, 2048 bit key
Mon Mar  9 22:16:31 2020 daemon.notice openvpn(client)[2255]: [server] Peer Connection Initiated with [AF_INET]78.35.90.26:1194
Mon Mar  9 22:16:32 2020 daemon.notice openvpn(client)[2255]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Mar  9 22:19:35 2020 daemon.info dnsmasq-dhcp[2598]: DHCPDISCOVER(br-lan) 192.168.1.180 54:ee:75:42:0e:b4
Mon Mar  9 22:19:35 2020 daemon.info dnsmasq-dhcp[2598]: DHCPOFFER(br-lan) 192.168.2.179 54:ee:75:42:0e:b4
Mon Mar  9 22:19:35 2020 daemon.info dnsmasq-dhcp[2598]: DHCPREQUEST(br-lan) 192.168.2.179 54:ee:75:42:0e:b4
Mon Mar  9 22:19:35 2020 daemon.info dnsmasq-dhcp[2598]: DHCPACK(br-lan) 192.168.2.179 54:ee:75:42:0e:b4 workstation

My server.conf file

port 1194
proto udp
dev tap0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
remote-cert-tls client
server-bridge 192.168.2.1 255.255.255.0 192.168.2.181 192.168.2.190
client-to-client
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-256-GCM
compress lz4-v2
push "compress lz4-v2"
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3

My client.ovpn

client
dev tap0
proto udp
remote unix-supremacy.org 1194
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/joe.crt
key /etc/openvpn/joe.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-GCM
compress lz4-v2
verb 3

My router does send some notifications about new devices, but nothing i can really use.
I can't ping them, i can't access anything in my network, is there something i'm missing?

My OpenWRT Router (Remote network) currently has DHCP enabled, and it seems like the network traffic is not being send through the tunnel.
Does someone knows how to help?

Sparks · March 10, 2020, 8:58am

Something has happened to your config snippets, all the newlines/breaks are gone. Can you edit your post and put those into </> code blocks?

Can you elaborate on why you think dhcp is an issue?

Are both devices openwrt, or only one end of the vpn you’re setting up?

Knogle · March 10, 2020, 11:23am

Alright, fixed it!
Only one of the devices is OpenWRT, it's the OpenVPN client one, part of the remote network.
The OpenWRT device is connected using WiFI to the internet, and i have set up a LAN--> WiFI Bridge in order to bridge them into my target network.
OpenVPN server is a Debian machine, having a network bridge as well.

Sparks · March 10, 2020, 11:37am

Are you following a tutorial? If so please paste the link.

If not, take a look at openwrt wiki page. Try the steps under testing and troubleshooting, and confirm back with the results.

Knogle · March 10, 2020, 11:43am

Yes, i followed this tutorial.
https://www.emaculation.com/doku.php/bridged_openvpn_server_setup

Sparks · March 10, 2020, 9:13pm

Glad to hear you figured this one out.

Could you summarize what the root cause was, and what you did to resolve it. And then mark that new reply as ‘solved’ so others can find it.

Knogle · March 10, 2020, 9:14pm

Unfortunately i did not resolve it yet.
But enough to open up a new question.

Now i try routing instead of bridging.