So my setup is as follows. I have two home networks and a server standing elsewhere. I'm running OpenVPN as a server on the server, to connect the two home networks into a single big network. Because I wanted everything to work transparently for all users on the home networks, it is a layer 2 bridge. Additionally, the boxes on the home networks that run the OpenVPN clients also run a DHCP server, so I can configure the users accordingly.

I use the subnet 192.168.16.1/22 for the whole network, but set up the DHCP pools to 192.168.16.1/23 and 192.168.18.1/23, just to be able to differentiate them more easily. However, the DHCP servers advertise a netmask of 255.255.255.252.

The gateways are 192.168.16.1 and 192.168.18.1, respectively. The OpenVPN/DHCP boxes are 192.168.17.1 and 192.168.19.1.

The OpenVPN boxes both have one ethernet adapter, eth0, connected to their local network, through which they reach their gateway. They have the adapter tap0, created by OpenVPN, as well as a virtual bridge adapter br0. eth0 and tap0 are both enslaved by br0, to bridge the local network and the VPN.

The basic setup works like a charm. One problem, however, is DHCP. Because it is a layer 2 bridge, DHCP is transmitted as well, leading to the DHCP server for the remote home network replying to requests from users on the local home network.

I tried doing that on the OpenVPN server, as I thought it to be the best place. However, it seems I'm not able to. Unfortunately, I don't know if it is my fault (the most likely) or something else.

I'm trying to do it using nft. I'm running a (nearly) up-to-date version of Arch Linux (currently kernel version 4.8.10).

My current config for nft, adapted from [1] and [2], since there is little you can find on nft, looks as follows.

```
# nft list ruleset
table bridge filter {
    chain input {
        type filter hook input priority -200; policy accept;
        iifname "tap0" udp sport bootps-bootpc counter packets 34 bytes 11569 drop
        iifname "tap0" udp dport bootps-bootpc counter packets 0 bytes 0 drop
    }

    chain forward {
        type filter hook forward priority -200; policy accept;
        iifname "tap0" udp sport bootps-bootpc counter packets 34 bytes 11569 drop
        iifname "tap0" udp dport bootps-bootpc counter packets 0 bytes 0 drop
    }

    chain output {
        type filter hook output priority -200; policy accept;
    }
}
```

As you can see, some rules were actually triggered. However, the rules are always triggered at the same time, so I guess by the same packet, as well as the packet showing up on the remote home network (identified by its packet size and it being the only DHCP-related packet).

Edit: The packets which go through seem to be broadcasts. Hence they probably trigger both the INPUT and FORWARD chains.

I have tried a lot of other rules, partially using iptables, sometimes using the pre- or postrouting hook of the inet table, but nothing seems to work properly.

So I'm pretty clueless what the problem might be, or what's wrong with my setup or thinking.

[1] http://www.linksysinfo.org/index.php?threads/block-dhcp-over-bridged-vpn.68790/#post-231073

[2] http://www.dd-wrt.com/wiki/index.php/OpenVPN_-_Site-to-Site_Bridged_VPN_Between_Two_Routers

DerFlob
  • The main issue you have is that you have two separate IP subnets in a single broadcast domain. What is the exact problem you expect to have when you use a routed setup between the networks? – Tero Kilkanen Dec 11 '16 at 14:44
  • Are you **really** running kernel *3.8.10* as you state? Aren't you **really** running kernel *4.8.10* (which, by the way, is not the newest kernel available, 4.8.12 is)? Also, I do not understand why you quote the two references above when neither uses *nft*. Have you tried using *ebtables* instead? – MariusMatutiae Dec 11 '16 at 17:11
  • @TeroKilkanen: They are not in two separate subnets. All clients are configured to be in the subnet 192.168.16.1/22 (netmask 255.255.252.0). Only the DHCP pool is restricted to /23 subnets. Sorry, that may have been ambiguous/unclear. – DerFlob Dec 12 '16 at 00:40
  • @MariusMatutiae: Sorry, yes, I'm running 4.8.10, I misread. And I quote those references, because you can't find much using nftables, since it is still very new. Also nftables is supposed to replace iptables/ebtables/arptables. Hence I said, I adapted from there. – DerFlob Dec 12 '16 at 00:44
  • Actually I got that part, but wrote my comment in an incorrect way. There should be a single DHCP server in a broadcast domain, otherwise it simply doesn't work correctly. So, if you want to have two DHCP servers, you should have two subnets, and route between them. – Tero Kilkanen Dec 12 '16 at 05:21
  • @TeroKilkanen: The reason why I wanted to have two DHCP servers is so that both home networks can still work independently of each other. The reason why I want a layer 2 VPN is so that the Windows neighbourhood discovery and everything still works. And to my understanding it doesn't work with a layer 3 VPN. (At least, that was what I think I found when I first implemented the VPN quite a while ago.) Anyway, reasonable setup or not, I'd still like to know why those packets go through, even though they shouldn't, to the best of my knowledge. – DerFlob Dec 12 '16 at 12:04
  • the issue is a typo when translating [1]: the forward hook should have `oifname "tap0"`. Not sure it's really worth an answer. – A.B Feb 23 '20 at 19:16
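The fix A.B points at, written out as a complete ruleset (an added example, not the questioner's own config): the forward chain gains `oifname "tap0"` rules so that local clients' DHCP broadcasts bridged from eth0 are dropped before they leave over the VPN, and because the DHCP server runs on the bridge box itself, its own replies traverse the bridge output hook rather than forward, so they get an `oifname` rule there as well. It assumes the interface names from the question and replaces the existing table (`nft flush table bridge filter`, then `nft -f` this file, on both OpenVPN/DHCP boxes).

```nft
#!/usr/sbin/nft -f
# Added example for the br0 = {eth0, tap0} setup above; not the original ruleset.
table bridge filter {
    chain input {
        type filter hook input priority -200; policy accept;
        # DHCP arriving from the VPN and addressed to this box's own stack
        iifname "tap0" udp sport bootps-bootpc counter drop
        iifname "tap0" udp dport bootps-bootpc counter drop
    }

    chain forward {
        type filter hook forward priority -200; policy accept;
        # bridged frames entering from the VPN (remote clients, remote server)
        iifname "tap0" udp sport bootps-bootpc counter drop
        iifname "tap0" udp dport bootps-bootpc counter drop
        # bridged frames leaving towards the VPN (local clients' broadcasts,
        # eth0 -> tap0): this is the direction the original rules never match
        oifname "tap0" udp sport bootps-bootpc counter drop
        oifname "tap0" udp dport bootps-bootpc counter drop
    }

    chain output {
        type filter hook output priority -200; policy accept;
        # replies generated by the DHCP server on this box leave br0 through
        # the bridge output hook, so forward rules alone never see them
        oifname "tap0" udp sport bootps-bootpc counter drop
        oifname "tap0" udp dport bootps-bootpc counter drop
    }
}
```

After loading, `nft list ruleset` shows which direction the counters advance on; the `oifname` counters should now climb whenever a local client sends a DHCPDISCOVER while the remote side sees none.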

0 Answers