Ubuntu – Ubuntu 17.10 – OpenVPN TAP – Help

Tags: netplan, network-bridge, networking, openvpn, vpn

I am desperate at this point. I have been trying to configure bridge networking on Ubuntu 17.10 and it has been hell. I can't find any documents online to assist with the install. All of the ones I have found are written for 16.04 and below. Can someone please help me? With this netplan implementation instead of interfaces, everything seems to be a headache. Below are my configurations.

Info:

router: 10.0.1.1
ip address: 10.0.1.100
network: 10.0.1.0
gateway: 10.0.1.1
dns: 10.0.1.1
netmask: 255.255.255.0

admin@SKYNET:~$ cat /etc/netplan/01-netcfg.yaml
# This file describes the network interfaces available on your system
# For more information, see netplan(5).

network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s31f6:
      dhcp4: yes
  bridges:
    br0:
      interfaces: [enp0s31f6]
      dhcp4: true
      optional: true

admin@SKYNET:~$ cat /etc/openvpn/server.conf
port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
ifconfig-pool-persist ipp.txt
server-bridge 10.0.1.100 255.255.255.0 10.0.1.230 10.0.1.254
push "route 10.0.1.0 255.255.255.0 10.0.1.1"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.0.1.1"
client-to-client
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1

admin@SKYNET:~$ cat /etc/openvpn/easy-rsa/keys/client.ovpn
client
dev tap
proto udp
remote 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3

I followed the steps from this page on the Ubuntu help wiki, but the "Prepare interface config for bridging on server" step doesn't seem to work since interfaces isn't there anymore. I'm not sure how to bring tap0 up/down. I seem to be having a routing issue when the clients connect.

admin@SKYNET:~$ ifconfig br0
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.1.100  netmask 255.255.255.0  broadcast 10.0.1.255
        inet6 fe80::c96:daff:feda:65b8  prefixlen 64  scopeid 0x20<link>
        ether 0e:96:da:da:65:b8  txqueuelen 1000  (Ethernet)
        RX packets 1327461  bytes 2776343355 (2.7 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 953269  bytes 1907343180 (1.9 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

admin@SKYNET:~$ ifconfig tap0
tap0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 0a:82:dd:10:85:4d  txqueuelen 100  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Also, I added the following firewall rules:

iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT

What am I doing wrong?

Best Answer

  • You don't want to configure addresses on both the bridge and the physical interface, which is what happens when you have dhcp4: true set in both places. To match the configuration described in https://help.ubuntu.com/lts/serverguide/openvpn.html.en#openvpn-advanced-config, your netplan yaml should look like:

    $ cat /etc/netplan/01-netcfg.yaml
    # This file describes the network interfaces available on your system
    # For more information, see netplan(5).

    network:
      version: 2
      renderer: networkd
      ethernets:
        enp0s31f6:
          dhcp4: no
      bridges:
        br0:
          interfaces: [enp0s31f6]
          dhcp4: no
          addresses: [10.0.1.100/24]
          gateway4: 10.0.1.1
          nameservers:
            addresses: [10.0.1.1]

    Note that this uses static address configuration. DHCP also works, but it does not make sense to have other config files on your system (the openvpn.conf) with statically configured IP information, but use DHCP for the host's network.

    You do not need to declare this interface "optional", which only relates to what other systemd units will wait for this interface to be configured at boot.

    The other portion of the ifupdown config that does not translate to netplan is the 'promisc' command: `up ip link set $IFACE up promisc on`. To do the equivalent on a system using netplan, ensure that you have the networkd-dispatcher package installed, then install the following script as /usr/lib/networkd-dispatcher/dormant.d/promisc_bridge (owned by root, marked executable):

    #!/bin/sh
    set -e
    if [ "$IFACE" = br0 ]; then
        # no networkd-dispatcher event for 'carrier' on the physical interface,
        # so set promisc on the bridge port here (enp0s31f6 is the NIC from
        # the netplan config above; the answer as posted had eth0)
        ip link set enp0s31f6 up promisc on
    fi
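The answer covers the bridge and the promisc setting but not the other gap the question raises: tap0 is created by OpenVPN, sits down and is not a port of br0 (see the `ifconfig tap0` output above), so client frames never reach the LAN. The Ubuntu guide handles this with OpenVPN `up`/`down` scripts. Below is an added example of such a script, written for this page and not taken from the question, the answer or the Ubuntu guide. It assumes the install path /etc/openvpn/tap-bridge.sh, the `script-security 2` / `up` / `down` directives shown in the header comment, a bridge named br0, and `ip link set ... master` for enslaving the port; the two `ip -o link` sample lines embedded at the end are constructed, not captured from the asker's host.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# OpenVPN up/down helper that makes the TAP device a port of br0 when the
# server starts and detaches it on shutdown.
#
# Assumed installation (paths and directives are this example's choices):
#   install -o root -g root -m 0755 tap-bridge.sh /etc/openvpn/tap-bridge.sh
# and in /etc/openvpn/server.conf:
#   script-security 2
#   up   "/etc/openvpn/tap-bridge.sh up"
#   down "/etc/openvpn/tap-bridge.sh down"
# OpenVPN exports the interface name as $dev when it runs these scripts and
# runs them as root, before dropping to user/group nobody.
set -e

BRIDGE="${BRIDGE:-br0}"   # bridge name from the netplan config in the answer
RUN="${RUN:-}"            # set RUN=echo to print the ip(8) commands instead of running them

# Emit (RUN=echo) or execute the ip(8) commands for one action.
tap_bridge_cmds() {
    action="$1"; tap="$2"; bridge="${3:-$BRIDGE}"
    case "$action" in
        up)
            # Make the TAP a bridge port, then bring it up. promisc mirrors
            # the ifupdown "up promisc on" line the Ubuntu guide used.
            $RUN ip link set dev "$tap" master "$bridge"
            $RUN ip link set dev "$tap" up promisc on
            ;;
        down)
            $RUN ip link set dev "$tap" down
            $RUN ip link set dev "$tap" nomaster
            ;;
        *)
            echo "usage: $0 up|down" >&2
            return 2
            ;;
    esac
}

# Parsers for one line of `ip -o link show dev <if>` output, so the state the
# question inspected by hand with ifconfig can be verified from a script.
link_is_up() {
    flags="${1#*<}"; flags="${flags%%>*}"       # text between < and >
    case ",$flags," in *,UP,*) return 0 ;; *) return 1 ;; esac
}

link_has_master() {                             # $1 = ip -o line, $2 = bridge
    case "$1" in *" master $2 "*) return 0 ;; *) return 1 ;; esac
}

# Live check (needs the real device): 0 only if the TAP is up and enslaved to br0.
check_tap() {
    line=$(ip -o link show dev "$1") || return 1
    link_is_up "$line" && link_has_master "$line" "$BRIDGE"
}

# Constructed sample lines (not captured from the asker's host): the first is the
# state the question shows (down, no master), the second the desired state.
SAMPLE_BAD='5: tap0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 100\    link/ether 0a:82:dd:10:85:4d brd ff:ff:ff:ff:ff:ff'
SAMPLE_GOOD='5: tap0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UNKNOWN mode DEFAULT group default qlen 100\    link/ether 0a:82:dd:10:85:4d brd ff:ff:ff:ff:ff:ff'

# Entry point when OpenVPN calls the script; does nothing when run without args.
case "${1:-}" in
    up|down)
        [ -n "${dev:-}" ] || { echo "$0: \$dev not set, run this from OpenVPN" >&2; exit 1; }
        tap_bridge_cmds "$1" "$dev" "$BRIDGE"
        ;;
esac
```

`script-security 2` lets the OpenVPN daemon execute external programs as root, so the script must be owned by root and not writable by anyone else; `RUN=echo sh tap-bridge.sh` style dry runs (call `tap_bridge_cmds up tap0 br0` with RUN=echo) show the exact commands before they are applied, and `check_tap tap0` after a client connects confirms the device is both up and a port of br0 rather than the down, unbridged state in the question.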
