
I have the following layout. The OpenVPN client on 192.168.100.100 (Raspbian) is connected to OpenVPN Server/router 192.168.72.72 (Ubuntu) through TAP (bridged connection).

I want to make PC1/PC2 see PC3/PC4 (the opposite is not necessary). How can I achieve this? I've tried to follow several tutorials on the net, but they are all written for a TUN (tunneled) OpenVPN connection and do not work in my case.

Network layout

dredkin
  • What specifically have you tried so far, though? The fundamentals don't change much whether it's a TUN-mode connection or TAP-mode; if anything, "TAP (bridged)" should be practically equivalent to a real Ethernet cable so the VPN could just be ignored. – u1686_grawity Apr 29 '23 at 19:03
  • Yep, I've enabled forwarding on the OpenVPN client, then added the route rules as they've described on both the router and PC1 (sorry, but it was yesterday and now I just can't remember the exact rules), but with no luck: I just couldn't ping PC3 from anywhere except the OpenVPN client itself. That's why I started to think that the VPN part plays a role. – dredkin Apr 29 '23 at 19:52
  • Does PC3 (or its gateway) know routes _back_ to PC1? Have you tried using a packet capture tool to verify whether the "ping" packets aren't reaching PC3 at all, or whether they're in fact arriving and it's only the replies that are disappearing? – u1686_grawity Apr 29 '23 at 20:09
  • I don't remember changing routing on 192.168.72.72. I would be glad if you'd explain how to do it. I guess you are referring to tcpdump - I never used it but could manage to run it if you'd explain what I should look for. – dredkin Apr 29 '23 at 20:14
  • Either tcpdump or Wireshark or similar would do. Run it on PC3 e.g. with `icmp` as the capture filter (or as the Wireshark display filter) – `tcpdump -n -i eth0 'icmp'` – then ping PC3 from PC1, check whether PC3 sees the incoming packets or not – and whether it attempts to respond or not. – u1686_grawity Apr 29 '23 at 20:20
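A small helper, added here and not part of the thread, that applies the tcpdump check above to saved `tcpdump -n -i eth0 icmp` output from PC3 and tells the three outcomes apart: the pings never arrive (forward path), they arrive but PC3 stays silent (no route back or a host firewall), or PC3 does reply (so any remaining loss is on the return path). The PC1/PC3 addresses and the capture lines are constructed for the example.

```python
import re

PC1, PC3 = "192.168.100.10", "192.168.72.30"   # assumed addresses for PC1 and PC3

# Matches the ICMP echo lines that `tcpdump -n -i eth0 icmp` prints on PC3.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply),"
    r" id (?P<id>\d+), seq (?P<seq>\d+)"
)

def parse(lines):
    """Yield (src, dst, kind, id, seq) for every ICMP echo line; ignore the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"])

def diagnose(lines, pinger, target):
    """Classify a capture taken on `target` while `pinger` runs ping against it."""
    requests, replies = set(), set()
    for src, dst, kind, ident, seq in parse(lines):
        if kind == "request" and (src, dst) == (pinger, target):
            requests.add((ident, seq))
        elif kind == "reply" and (src, dst) == (target, pinger):
            replies.add((ident, seq))
    if not requests:
        return "no-requests"          # pings never reach PC3: check PC1's route and forwarding on the client
    if not replies:
        return "requests-unanswered"  # PC3 sees the pings but stays silent: no route back, or a host firewall
    if replies >= requests:
        return "replies-sent"         # PC3 answers; if ping still fails, replies are lost on the way back
    return "partial"

# Constructed sample captures (tcpdump -n format), not real traffic.
CAP_NO_REQUESTS = [
    "20:20:01.000100 IP 192.168.72.31 > 192.168.72.30: ICMP echo request, id 7, seq 1, length 64",
    "20:20:01.000300 IP 192.168.72.30 > 192.168.72.31: ICMP echo reply, id 7, seq 1, length 64",
]
CAP_UNANSWERED = [
    "20:20:05.000100 IP 192.168.100.10 > 192.168.72.30: ICMP echo request, id 9, seq 1, length 64",
    "20:20:06.000100 IP 192.168.100.10 > 192.168.72.30: ICMP echo request, id 9, seq 2, length 64",
]
CAP_REPLIED = CAP_UNANSWERED + [
    "20:20:05.000400 IP 192.168.72.30 > 192.168.100.10: ICMP echo reply, id 9, seq 1, length 64",
    "20:20:06.000400 IP 192.168.72.30 > 192.168.100.10: ICMP echo reply, id 9, seq 2, length 64",
]

if __name__ == "__main__":
    for name, cap in [("A", CAP_NO_REQUESTS), ("B", CAP_UNANSWERED), ("C", CAP_REPLIED)]:
        print(name, "->", diagnose(cap, PC1, PC3))
```

To use it on a real capture, save the tcpdump output to a file and pass its lines to `diagnose(open(path), PC1, PC3)` with the real addresses.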

1 Answer

You're likely asking for Ethernet Bridging, described as:

Ethernet bridging essentially involves combining an ethernet interface with one or more virtual TAP interfaces and bridging them together under the umbrella of a single bridge interface. Ethernet bridges represent the software analog to a physical ethernet switch. The ethernet bridge can be thought of as a kind of software switch which can be used to connect multiple ethernet interfaces (either physical or virtual) on a single machine while sharing a single IP subnet.

By bridging a physical ethernet NIC with an OpenVPN-driven TAP interface at two separate locations, it is possible to logically merge both ethernet networks, as if they were a single ethernet subnet.

The linked OpenVPN article describes the method to use. As this might change in the future, here is just a very short summary.

  • Have the bridge-utils package installed
  • Edit the OpenVPN server configuration file to enable a bridging configuration
  • Set up the Linux firewall to permit the new interfaces
  • The OpenVPN bridge can now be started and stopped using this sequence:
    • run bridge-start
    • run openvpn
    • stop openvpn
    • run bridge-stop

For details, see the article.

harrymc
  • Bad bot. Did you understand the question before posting? – dredkin Apr 29 '23 at 19:28
  • If you think that this doesn't answer the question, please explain why. – harrymc Apr 29 '23 at 19:44
  • What interfaces and on what PC do you propose to bridge and how should it help routing between two LANs? – dredkin Apr 29 '23 at 19:58
  • If your schema is correct, the OpenVPN client is the bridge. You will need to ensure that the new consolidated super-network uses coherent IP addresses in the range of `192.168.100.x` and as many other adaptations as required. The schema seems to say that there is a direct connection between the OpenVPN client and both networks. I hope that this is correct, since otherwise I would have recommended using [Tailscale](https://tailscale.com/). – harrymc Apr 29 '23 at 20:05
  • I am sorry, but I don't want to route all my traffic through the VPN (which will inevitably happen if I bridge both networks). I guess you understand why. – dredkin Apr 29 '23 at 20:09
  • The computers will route through their gateways. Ensuring that each computer uses the right gateway for its network segment is part of the adaptations I mentioned. – harrymc Apr 29 '23 at 20:14
  • You've mentioned only a link to the OpenVPN documentation. And I still cannot understand how bridging Ethernet and TAP interfaces could help. What IP would this bridged interface have? How would other clients know that it can route packets to the 182.168.72.x LAN? – dredkin Apr 29 '23 at 20:25
  • Bridging the two networks into one will let you access all the computers. The IPs are for you to define, by defining the combined network into one at `192.168.100.x` and setting the two DHCP servers each to serve a sub-range inside it, or just assign static IPs. Ethernet bridging will take care of the connections, once you have followed the instructions. – harrymc Apr 29 '23 at 20:38
  • I'm not saying that you won't have to mount some learning curve, and you might need to search and perhaps post more questions here, but Ethernet bridging is the most likely solution. You will need to acquire some networking knowledge since you're dealing here with a networking problem. – harrymc Apr 29 '23 at 20:40
  • Oh, so you suggest to completely reformat both networks? Yes, this time I understood your point, but I am afraid it is impossible right now. First, I must say that I have to choose 192.168.72.x as a target segment, not 192.168.100.x. But also I have to divide this network in two parts, and modify both DHCP servers to assign IPs from each one's segment. I guess it might work, though I am still not sure, but it needs too much work in the 192.168.72.x segment to reassign existing IPs. – dredkin Apr 29 '23 at 20:47
  • OK, let's suppose I've done it. I still don't understand how e.g. PC1 will know where to route the traffic: through the router or through the OpenVPN client? – dredkin Apr 29 '23 at 20:52
  • @dredkin: If both LANs (plus the VPN tunnel) were bridged into a single large subnet, PC1 would not need to know anything – traffic to addresses in its own subnet is not routed "through" anything at all, it is local by definition. Just like PC1→PC2 is already routed directly, _not_ through the router, the same would apply to PC1→PC3. – u1686_grawity Apr 29 '23 at 21:04
  • @user1686 but if both segments are united, it would mean they both have the same broadcasts, so how would I separate the DHCP servers? Doesn't it mean that I would have to have only one, which would make the whole LAN1 segment fail if the OpenVPN connection is broken? – dredkin Apr 29 '23 at 21:07
  • @dredkin: That's the problem, you wouldn't separate them properly. Unless you set one of them to _only_ issue leases to "known" hosts (by MAC or Client-ID), and the other to _not_ issue leases to hosts belonging to the other side, making sure to manually update both lists whenever a new device appears. – u1686_grawity Apr 29 '23 at 21:10
  • @dredkin: Alternatively... it _is_ actually possible to filter packets at bridge level, e.g. you could configure the "OpenVPN client" system to drop DHCP broadcasts from all bridge-ports (either special nftables rules, or the older "ebtables"). Less ugly than the previous suggestion, although still a bit fundamentally ugly IMO. – u1686_grawity Apr 29 '23 at 21:12
  • @user1686 Yeah, I'd prefer to stick to the routing solution. – dredkin Apr 29 '23 at 21:16