Hello all.
I have a clearos 7, in gateway mode (DNS,DHCP,webproxy,openvpn on the same server).
My goal is to give to my users the same IP address even if they are connected through openvpn connection from home (they have reserved IP's on the DNS server). I understand that can be done using bridge network.
My configuration is something like this:
br0 (bridge) - 192.168.0.1/17, with gateway (clearos server) = 192.168.0.1
eth0 (internal LAN); eth1 (external), tap0 (openvpn); eth & tap0 are connected to br0
My clients are in the 192.168.101.x/24 network.
server config file:
port 1194
proto udp
topology subnet
dev tap0
tls-server
ca ...
cert ....
key ...
dh ....
server-bridge 192.168.0.1 255.255.128.0 192.168.101.160 192.168.101.190
keepalive 10 120
mute 50
user nobody
group nobody
comp-lzo
#multihome
mssfix
persist-key
persist-tun
ifconfig-pool-persist ipp.txt 120
status /var/lib/openvpn/openvpn-status.log
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
verb 4
client-config-dir /etc/openvpn/staticclients
client-to-client
log /etc/openvpn/openvpn.log
log-append /etc/openvpn/openvpn.log
duplicate-cn
push "dhcp-option DNS 192.168.0.1"
push "dhcp-option DOMAIN xyz.com"
push "dhcp-option WINS 192.168.0.1"
push "route 0.0.0.0 0.0.0.0 192.168.0.1"
push "redirect-gateway def1"
push "block-outside-dns"
#push "route-metric 2"
script-security 2
cipher AES-256-CBC
reneg-sec 14400
In /etc/openvpn/staticclients I created a file for my test user and put in it: ifconfig-push 192.168.101.12 255.255.128.0
Clients (they use Windows OS) can always connect to the OpenVPN server and the routes seem to be correct. The Internet can't be reached and they do not have access to the LAN network.
On the log files i see a lot of "Nov 01 09:13:49 2019 AEAD Decrypt error: bad packet ID (may be a replay): [ #16738 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings"
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.8 45
0.0.0.0 0.0.0.0 192.168.0.1 192.168.101.12 259
0.0.0.0 128.0.0.0 192.168.0.1 192.168.101.12 259
Searching for information about the subject I found this statement:
"Regarding Layer 2 bridging
Static IP address assignment in Layer 2 mode is done by setting the IP address on the virtual network adapter of the client system."
What does he mean by that?
Is there a possibility to make this configuration run correctly?
Thanks very much!
Responses (5)
I used how-to's found on this website (about network bridging) and adjusted them with other stuff found with a Google search.
Does this error mean something?
"On the log files I see a lot of "Nov 01 09:13:49 2019 AEAD Decrypt error: bad packet ID (may be a replay): [ #16738 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings""
Thank you.
Thanks for the reply.
I know about the very bad LAN subnet, but it will be changed in the future.
client config is:
remote xyz 1194
dev tap
proto udp
resolv-retry infinite
nobind
persist-key
;persist-tun
ca ....pem
cert ....pem
key .....pem
ns-cert-type server
comp-lzo
verb 3
auth-user-pass
auth-nocache
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
block-outside-dns
cipher AES-256-CBC
reneg-sec 14400
script-security 2
What do you mean by "Do you also need to make adjustments to the client to use a tap adaptor?"
Thank you.
You are way beyond my knowledge here, but note you have a very bad LAN subnet for OpenVPN. Really you need to avoid 192.168.0.0/24 and 192.168.1.0/24 as that will often be the subnet of the roadwarrior.
Do you also need to make adjustments to the client to use a tap adaptor?
Note that these changes would be better done on an alternative port. Planned changes in ClearOS may break this config.
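The two checks a practitioner would want to run on the layout described in this thread, as an added example that is not part of any post above: first, whether the static ifconfig-push address (192.168.101.12) actually fits the server-bridge line (inside the bridged /17, not the gateway, not inside the dynamic pool .160-.190); second, the overlap the reply above warns about, since the client's own route table shows a home LAN of 192.168.1.x (assumed here to be a /24, which the thread does not state) and 192.168.1.0/24 lies inside the 192.168.0.0/17 that the bridge pushes. The helper functions and their names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): plain POSIX sh subnet arithmetic for
# checking an OpenVPN tap/bridge layout. No external tools required.

# Dotted quad -> 32-bit integer (e.g. 192.168.0.1 -> 3232235521).
ip2int() {
    _oldifs=$IFS; IFS=.
    set -- $1            # split the quad into four positional octets
    IFS=$_oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network address of ip/mask (both dotted quads), as an integer.
net_of() {
    echo $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# True (exit 0) if address $1 lies inside the network of $2 with mask $3.
in_subnet() {
    [ "$(net_of "$1" "$3")" -eq "$(net_of "$2" "$3")" ]
}

# True if address $1 is inside the inclusive range $2..$3.
in_range() {
    _i=$(ip2int "$1"); _lo=$(ip2int "$2"); _hi=$(ip2int "$3")
    [ "$_i" -ge "$_lo" ] && [ "$_i" -le "$_hi" ]
}

# Check a static ifconfig-push address against a server-bridge line:
#   check_static ADDR GATEWAY NETMASK POOL_START POOL_END
# Exit 0 when the address is usable, 1 with a reason otherwise.
check_static() {
    _addr=$1 _gw=$2 _mask=$3 _plo=$4 _phi=$5
    if ! in_subnet "$_addr" "$_gw" "$_mask"; then
        echo "FAIL: $_addr is outside the bridged subnet $_gw/$_mask"; return 1
    fi
    if [ "$(ip2int "$_addr")" -eq "$(ip2int "$_gw")" ]; then
        echo "FAIL: $_addr collides with the bridge gateway"; return 1
    fi
    if in_range "$_addr" "$_plo" "$_phi"; then
        echo "FAIL: $_addr is inside the dynamic pool $_plo-$_phi"; return 1
    fi
    echo "OK: $_addr is outside the pool and inside the bridged subnet"
}

# True if the client's local LAN ($1/$2) overlaps the bridged subnet ($3/$4).
# Two networks overlap exactly when either network address lies in the other.
overlaps() {
    in_subnet "$1" "$3" "$4" || in_subnet "$3" "$1" "$2"
}

# Values taken from the thread: server-bridge 192.168.0.1 255.255.128.0
# 192.168.101.160 192.168.101.190, ifconfig-push 192.168.101.12, and a client
# route table showing gateway 192.168.1.1 on 192.168.1.8 (home LAN assumed /24).
check_static 192.168.101.12 192.168.0.1 255.255.128.0 192.168.101.160 192.168.101.190
if overlaps 192.168.1.0 255.255.255.0 192.168.0.1 255.255.128.0; then
    echo "WARN: client LAN 192.168.1.0/24 lies inside the bridged 192.168.0.0/17;"
    echo "      LAN-side and VPN-side routes for that range will collide on the client"
fi
```

For the thread's values the first check passes (the static address is in the subnet and below the pool) while the overlap check fires, which is the point the reply makes: a roadwarrior whose home LAN is 192.168.0.x or 192.168.1.x is handed a VPN subnet that already contains its own LAN.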