Resolved
0 votes
Hello all.

I have a ClearOS 7 in gateway mode (DNS, DHCP, web proxy and OpenVPN on the same server).
My goal is to give my users the same IP address even when they connect through an OpenVPN connection from home (they have reserved IPs on the DNS server). I understand this can be done using a bridged network.
My configuration is something like this:
br0 (bridge) - 192.168.0.1/17, with gateway (ClearOS server) = 192.168.0.1
eth0 (internal LAN); eth1 (external); tap0 (OpenVPN); eth0 & tap0 are connected to br0
My clients are in the 192.168.101.x/24 network.

server config file:
port 1194
proto udp
topology subnet
dev tap0
tls-server
ca ...
cert ....
key ...
dh ....
server-bridge 192.168.0.1 255.255.128.0 192.168.101.160 192.168.101.190
keepalive 10 120
mute 50
user nobody
group nobody
comp-lzo
#multihome
mssfix
persist-key
persist-tun
ifconfig-pool-persist ipp.txt 120
status /var/lib/openvpn/openvpn-status.log
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
verb 4
client-config-dir /etc/openvpn/staticclients
client-to-client
log /etc/openvpn/openvpn.log
log-append /etc/openvpn/openvpn.log
duplicate-cn
push "dhcp-option DNS 192.168.0.1"
push "dhcp-option DOMAIN xyz.com"
push "dhcp-option WINS 192.168.0.1"
push "route 0.0.0.0 0.0.0.0 192.168.0.1"
push "redirect-gateway def1"
push "block-outside-dns"
#push "route-metric 2"
script-security 2
cipher AES-256-CBC
reneg-sec 14400

In the /etc/openvpn/staticclients location I created a folder for my test user and put in it: ifconfig-push 192.168.101.12 255.255.128.0
Clients (they use Windows) can always connect to the OpenVPN server and the routes seem to be correct. The internet can't be reached and they don't have access to the LAN network.
In the log files I see a lot of "Nov 01 09:13:49 2019 AEAD Decrypt error: bad packet ID (may be a replay): [ #16738 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings"
Active Routes:
Network Destination    Netmask       Gateway        Interface        Metric
0.0.0.0                0.0.0.0       192.168.1.1    192.168.1.8      45
0.0.0.0                0.0.0.0       192.168.0.1    192.168.101.12   259
0.0.0.0                128.0.0.0     192.168.0.1    192.168.101.12   259
Searching for information about the subject I found this statement:
"Regarding Layer 2 bridging
Static IP address assignment in Layer 2 mode is done by setting the IP address on the virtual network adapter of the client system."
What does he mean by that?

Is there a possibility to make this configuration run correctly?
Thank you very much!
In OpenVPN
Friday, November 01 2019, 08:27 AM
Responses (5)
  • Friday, November 01 2019, 12:18 PM - #Permalink
    I've no idea about the error. I understand the bridge setup in ClearOS but know nothing about the openvpn set up. I was hoping you would link to it.
  • Friday, November 01 2019, 11:25 AM - #Permalink
    I used HowTos found on this website (about the network bridge) and adjusted them with other stuff found via a Google search.
    Does this error mean something?
    "In the log files I see a lot of "Nov 01 09:13:49 2019 AEAD Decrypt error: bad packet ID (may be a replay): [ #16738 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings"
    Thank you.
  • Friday, November 01 2019, 10:30 AM - #Permalink
    It looks like you have already made the adjustment to the ovpn file.
    Are you following a HowTo?
  • Friday, November 01 2019, 09:55 AM - #Permalink
    Thanks for the reply.
    I know about the very bad LAN subnet, but it will be changed in the future ....
    The client config is:
    remote xyz 1194
    dev tap
    proto udp
    resolv-retry infinite
    nobind
    persist-key
    ;persist-tun
    ca ....pem
    cert ....pem
    key .....pem
    ns-cert-type server
    comp-lzo
    verb 3
    auth-user-pass
    auth-nocache
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    block-outside-dns
    cipher AES-256-CBC
    reneg-sec 14400
    script-security 2

    What do you mean with "Do you also need to make adjustments to the client to use a tap adaptor?"
    Thank you
  • Friday, November 01 2019, 09:21 AM - #Permalink
    You are way beyond my knowledge here, but note you have a very bad LAN subnet for OpenVPN. Really you need to avoid 192.168.0.0/24 and 192.168.1.0/24 as that will often be the subnet of the roadwarrior.

    Do you also need to make adjustments to the client to use a tap adaptor?

    Note that these changes would be better done on an alternative port. Planned changes in ClearOS may break this config.
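
    Added example (not posted by anyone in this thread and not part of OpenVPN or ClearOS): a small Python 3 script that checks the three pieces of the original question against each other, namely the server-bridge line, the staticclients ifconfig-push entry and the client's Windows route table. It confirms the static address lies inside the bridged /17 and outside the dynamic pool with a matching netmask, and it flags the two things visible in the routes quoted above: the roadwarrior's home LAN (192.168.1.x) falls inside the 192.168.0.0/17 bridge subnet, which is the overlap the reply above warns about, and the pushed "route 0.0.0.0 0.0.0.0" is redundant next to redirect-gateway def1. The sample inputs are constructed copies of the lines quoted in the question; the finding codes are this script's own names.

```python
"""Sanity-check an OpenVPN TAP/bridge layout against a client's route table.

Example code written for this thread, not part of OpenVPN or ClearOS.  The
three inputs are constructed copies of the lines quoted in the question: the
server-bridge directive, the staticclients ifconfig-push entry and the
client's Windows "route print" rows.  Standard library only.
"""
import ipaddress

SERVER_BRIDGE = "server-bridge 192.168.0.1 255.255.128.0 192.168.101.160 192.168.101.190"
CCD_ENTRY = "ifconfig-push 192.168.101.12 255.255.128.0"
# Columns: destination netmask gateway interface metric
CLIENT_ROUTES = """\
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.8 45
0.0.0.0 0.0.0.0 192.168.0.1 192.168.101.12 259
0.0.0.0 128.0.0.0 192.168.0.1 192.168.101.12 259
"""


def parse_server_bridge(line):
    """Return (bridge network, gateway, first pool address, last pool address)."""
    _, gw, mask, first, last = line.split()
    net = ipaddress.IPv4Network(f"{gw}/{mask}", strict=False)
    return (net, ipaddress.IPv4Address(gw),
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))


def parse_ifconfig_push(line):
    """Return (static client address, netmask) from a ccd ifconfig-push line."""
    _, addr, mask = line.split()
    return ipaddress.IPv4Address(addr), ipaddress.IPv4Address(mask)


def parse_routes(text):
    """Return [(destination network, gateway, interface address)] from route print rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip headers and blank lines
        dest, mask, gw, iface = parts[:4]
        rows.append((ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
                     ipaddress.IPv4Address(gw), ipaddress.IPv4Address(iface)))
    return rows


def audit(server_bridge, ccd_entry, client_routes):
    """Return a list of finding codes (empty list: nothing obviously wrong)."""
    net, gw, first, last = parse_server_bridge(server_bridge)
    static, static_mask = parse_ifconfig_push(ccd_entry)
    findings = []

    # The dynamic pool and the static address must both lie in the bridged subnet...
    if first not in net or last not in net:
        findings.append("pool-outside-bridge")
    if static not in net:
        findings.append("static-outside-bridge")
    # ...and the static address must not collide with the pool or the gateway.
    if first <= static <= last:
        findings.append("static-inside-pool")
    if static == gw:
        findings.append("static-equals-gateway")
    if static_mask != net.netmask:
        findings.append("static-mask-mismatch")

    routes = parse_routes(client_routes)
    # Whatever the client reaches through a non-VPN interface is its home LAN; if those
    # addresses fall inside the bridged subnet, the roadwarrior's LAN overlaps the VPN.
    home_addrs = {a for d, g, iface in routes if iface != static for a in (g, iface)}
    if any(a in net for a in home_addrs):
        findings.append("home-lan-overlaps-bridge")
    # redirect-gateway def1 installs 0.0.0.0/1 and 128.0.0.0/1 via the VPN; a pushed
    # 0.0.0.0/0 via the VPN on top of that is redundant.
    vpn_dests = {d for d, g, iface in routes if iface == static}
    if (ipaddress.IPv4Network("0.0.0.0/0") in vpn_dests
            and ipaddress.IPv4Network("0.0.0.0/1") in vpn_dests):
        findings.append("redundant-default-route")
    return findings


if __name__ == "__main__":
    for code in audit(SERVER_BRIDGE, CCD_ENTRY, CLIENT_ROUTES):
        print(code)
```

    Run it as-is to see the two findings for the configuration in the question; point it at your own server-bridge line, ccd file and a copy of route print to re-check after moving the LAN off 192.168.0.0/17 as the reply above suggests.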