TAP Device Not Initialised Properly In Bridged VPN

Hi all,

we moved from a WRT1900 using DD-WRT to a WRT3200ACM using OpenWrt (19.07.5 r11257-5090152ae3). An OpenVPN server worked without problems on the WRT1900 in bridged mode. I took the config over to OpenWrt and removed management and the up/down scripts (which may be the problem).
In OpenWrt the tap device is created and can be found in /sys/class/net. Unfortunately, it probably does not get initialised properly, since it does not occur in ifconfig. VPN connections are established successfully, but the server does not send anything, the corresponding log entries look like this:
ClientName/***.***.***.***:37586 write to TUN/TAP : I/O error (code=5)

A similar VPN server using a tun device works with OpenWrt without problems, i.e. the tun device is created, initialised and occurs in ifconfig.

Any help is much appreciated.

OpenVPN Configuration
dh /etc/openvpn/af/dh.pem
ca /etc/openvpn/af/ca.crt
cert /etc/openvpn/af/cert.pem
key /etc/openvpn/af/key.pem
keepalive 10 120
verb 5
mute 3
syslog
log /var/log/openvpn.af.log
status /tmp/openvpn/status.af.log 5
status-version 2
script-security 2
port 1194
proto udp4
cipher aes-256-cbc
auth sha256
client-config-dir /etc/openvpn/af/ccd
comp-lzo adaptive
ifconfig-pool-persist /tmp/openvpn/ip-pool
client-to-client
fast-io
mtu-disc yes
server-bridge 192.168.32.1 255.255.252.0 192.168.34.3 192.168.34.250
dev tap1
tls-auth /etc/openvpn/af/ta.key 0
crl-verify /etc/openvpn/af/ca.crl
push "dhcp-option DNS 192.168.32.1"
push "dhcp-option WINS 192.168.32.45"
push "route 192.168.32.0 255.255.252.0"

Network
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd0f:f3a5:7ad5::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '192.168.32.1/22'
	option delegate '0'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'
	option delegate '0'
	option type 'bridge'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

Firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'
	list device 'tap+'
	list device 'tun+'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option src 'wan'
	option name 'OpenVPN'
	option target 'ACCEPT'
	option dest_port '1194'
	list proto 'udp'
	option family 'ipv4'

You have pasted the firewall configuration in the network section.
Also fix the first post and use preformatted text (the </> button) for the configuration files.

uci set network.lan.ifname="eth0.1 tap1"
uci commit network
/etc/init.d/network restart

Thank you very much, this solves the problem.

Does ifname support a wildcard syntax, e.g. tap+ like the firewall zones?

I've tested tap, tap+, tap* but none of them work.


Thanks again for your help and testing.

As suspected, the up/down scripts provide the corresponding behaviour in DD-WRT. They also work for a generic approach in OpenWrt:

route-up.sh
#!/bin/sh
brctl addif br-lan $dev
ifconfig $dev 0.0.0.0 up
route-down.sh
#!/bin/sh
brctl delif br-lan $dev
ifconfig $dev down

Do not forget to set the executable bit for the script files and set the script security appropriately for OpenVPN. Note that the device will not be displayed as part of the interface br-lan in LuCI – obviously it is not part of /etc/config/network. brctl show will show the real situation.
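As an added example (not part of this thread or of OpenWrt/OpenVPN), a POSIX sh script that checks the two things the thread turned on: that the server-bridge pool is consistent with the LAN subnet, and that the device named by `dev` is actually listed among the ports of the LAN bridge (the `network.lan.ifname` value from the uci fix). Function names and the sample config file are constructed here; it runs on BusyBox ash as well as bash/dash.

```shell
#!/bin/sh
# Added example: sanity-check a bridged OpenVPN server against the LAN bridge.
# Every function returns non-zero and prints the first problem it finds.

# Dotted-quad IPv4 -> 32-bit integer; rejects malformed input.
ip2int() {
    case "$1" in *[!0-9.]*|.*|*.|*..*) echo "bad address: $1" >&2; return 1;; esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || { echo "bad address" >&2; return 1; }
    for o in "$@"; do [ "$o" -le 255 ] || { echo "bad octet: $o" >&2; return 1; }; done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Check "server-bridge GW MASK START END": both pool ends must be host addresses
# inside the gateway's subnet, in order, and the gateway must not be in the pool.
check_server_bridge() {
    gw=$(ip2int "$1") && mask=$(ip2int "$2") &&
    start=$(ip2int "$3") && end=$(ip2int "$4") || return 1
    net=$(( gw & mask )); bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    [ $(( start & mask )) -eq "$net" ] && [ $(( end & mask )) -eq "$net" ] ||
        { echo "pool is not inside the LAN subnet"; return 1; }
    [ "$start" -gt "$net" ] && [ "$end" -lt "$bcast" ] ||
        { echo "pool includes the network or broadcast address"; return 1; }
    [ "$start" -le "$end" ] || { echo "pool start is after pool end"; return 1; }
    [ "$gw" -lt "$start" ] || [ "$gw" -gt "$end" ] ||
        { echo "gateway lies inside the pool"; return 1; }
}

# The fix from the thread: the OpenVPN dev must be a port of the LAN bridge,
# i.e. one of the words in network.lan.ifname (e.g. "eth0.1 tap1").
bridge_has_dev() {
    for port in $1; do [ "$port" = "$2" ] && return 0; done
    echo "$2 is not a port of the LAN bridge"; return 1
}

# Read "dev" and "server-bridge" from an OpenVPN config and run both checks.
check_openvpn_conf() {  # $1 = config file, $2 = network.lan.ifname value
    conf=$1; ifnames=$2
    dev=$(awk '$1 == "dev" { print $2 }' "$conf")
    set -- $(awk '$1 == "server-bridge" { print $2, $3, $4, $5 }' "$conf")
    [ $# -eq 4 ] || { echo "no server-bridge GW MASK START END line in $conf"; return 1; }
    check_server_bridge "$1" "$2" "$3" "$4" && bridge_has_dev "$ifnames" "$dev"
}

# Constructed sample with the thread's directives, checked before and after the uci fix.
sample=$(mktemp)
printf 'dev tap1\nserver-bridge 192.168.32.1 255.255.252.0 192.168.34.3 192.168.34.250\n' > "$sample"
if check_openvpn_conf "$sample" "eth0.1"; then echo "before fix: ok"; else echo "before fix: FAIL"; fi
if check_openvpn_conf "$sample" "eth0.1 tap1"; then echo "after uci fix: ok"; fi
rm -f "$sample"
```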
