openvpn - tap - vyatta doesn't reply to ARP


#1

Hi

I have a (somewhat) working TAP configuration I use with Tunnelblick on Mac OS X Yosemite.
I used Viscosity before and everything was fine. After switching to Tunnelblick I could get either no IP or no DNS setup.
With some help from the guys from Tunnelblick, I changed the "--push route-gateway 10.2.2.1" into "--push route-gateway dhcp" and now I get an IP from the home network and the correct DNS setup in /etc/resolv.conf.

I can access all resources on the remote network, but I can't get further out to the internet.

I did some debugging and found out that the VPN client (10.2.2.150) is ARPing for the remote address but never gets a reply from the vyatta's br0 interface.

Am I missing something here?

tshark output:

adieball@vyattahome# tshark -i br0 host 10.2.2.150
Capturing on br0
  0.000000 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 10.2.2.2?  Tell 10.2.2.150
  0.000208 Vmware_95:52:fe -> 0e:4c:94:d2:7f:d9 ARP 10.2.2.2 is at 00:50:56:95:52:fe
  0.024039   10.2.2.150 -> 10.2.2.2     DNS Standard query A notify5.dropbox.com
  0.063219     10.2.2.2 -> 10.2.2.150   DNS Standard query response CNAME 5.notify.dropbox.com A 108.160.170.39 A 108.160.169.45 A 108.160.169.48 A 108.160.169.170 A 108.160.169.176 A 108.160.170.38
  3.877692 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 17.110.245.10?  Tell 10.2.2.150
 12.651783 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 81.171.205.50?  Tell 10.2.2.150
 13.657780 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 81.171.205.50?  Tell 10.2.2.150
 14.661512 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 81.171.205.50?  Tell 10.2.2.150
 15.664311 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 81.171.205.50?  Tell 10.2.2.150
 16.667577 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 81.171.205.50?  Tell 10.2.2.150
 17.123926   10.2.2.150 -> 255.255.255.255 UDP Source port: 17500  Destination port: 17500
 17.124462   10.2.2.150 -> 10.2.2.255   UDP Source port: 17500  Destination port: 17500
 28.095367   10.2.2.150 -> 10.2.2.2     DNS Standard query A 5.notify.dropbox.com
 28.127796     10.2.2.2 -> 10.2.2.150   DNS Standard query response A 108.160.169.45 A 108.160.169.48 A 108.160.169.170 A 108.160.169.176 A 108.160.170.38 A 108.160.170.39
 28.152391 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 108.160.170.39?  Tell 10.2.2.150
 28.797885 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 17.110.245.10?  Tell 10.2.2.150
 29.161074 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 108.160.170.39?  Tell 10.2.2.150
 29.445266 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 81.171.205.64?  Tell 10.2.2.150
 29.797451 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 17.110.245.10?  Tell 10.2.2.150
 30.165513 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 108.160.170.39?  Tell 10.2.2.150
 30.800301 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 17.110.245.10?  Tell 10.2.2.150
 31.173528 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 108.160.170.39?  Tell 10.2.2.150
 31.805755 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 17.110.245.10?  Tell 10.2.2.150
 32.177336 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 108.160.170.39?  Tell 10.2.2.150
 38.157868 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 108.160.169.45?  Tell 10.2.2.150
 39.164341 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 108.160.169.45?  Tell 10.2.2.150
 40.167766 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 108.160.169.45?  Tell 10.2.2.150
 41.172456 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 108.160.169.45?  Tell 10.2.2.150
 41.709453   10.2.2.150 -> 10.2.2.2     DNS Standard query PTR 12.232.172.17.in-addr.arpa
 41.709863     10.2.2.2 -> 10.2.2.150   DNS Standard query response, No such name
 42.179354 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 108.160.169.45?  Tell 10.2.2.150
 43.182422 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 108.160.169.45?  Tell 10.2.2.150
 45.186562 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 108.160.169.45?  Tell 10.2.2.150
 46.650165 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 81.171.205.50?  Tell 10.2.2.150
 47.177450   10.2.2.150 -> 255.255.255.255 UDP Source port: 17500  Destination port: 17500
 47.177993   10.2.2.150 -> 10.2.2.255   UDP Source port: 17500  Destination port: 17500
 47.660052 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 81.171.205.50?  Tell 10.2.2.150
 48.662192 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 81.171.205.50?  Tell 10.2.2.150
 49.663127 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 81.171.205.50?  Tell 10.2.2.150
 50.664866 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 81.171.205.50?  Tell 10.2.2.150
 61.174246   10.2.2.150 -> 10.2.2.2     DNS Standard query A notify5.dropbox.com
 61.206532     10.2.2.2 -> 10.2.2.150   DNS Standard query response CNAME 5.notify.dropbox.com A 108.160.169.48 A 108.160.169.170 A 108.160.169.176 A 108.160.170.38 A 108.160.170.39 A 108.160.169.45
 61.230751 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 108.160.169.45?  Tell 10.2.2.150
 61.526321 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 81.171.205.64?  Tell 10.2.2.150
 62.237879 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 108.160.169.45?  Tell 10.2.2.150
 63.880764 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 17.110.245.10?  Tell 10.2.2.150
 76.649091 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 81.171.205.50?  Tell 10.2.2.150
 77.221402   10.2.2.150 -> 255.255.255.255 UDP Source port: 17500  Destination port: 17500
 77.222822   10.2.2.150 -> 10.2.2.255   UDP Source port: 17500  Destination port: 17500
 77.655237 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 81.171.205.50?  Tell 10.2.2.150
 78.653640 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 81.171.205.50?  Tell 10.2.2.150
 79.655113 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 81.171.205.50?  Tell 10.2.2.150
 80.658375 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 81.171.205.50?  Tell 10.2.2.150
 88.826402 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 17.110.245.10?  Tell 10.2.2.150
 89.832262 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 17.110.245.10?  Tell 10.2.2.150
 90.835642 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 17.110.245.10?  Tell 10.2.2.150
 91.837567 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 17.110.245.10?  Tell 10.2.2.150
^C57 packets captured
[edit]
adieball@vyattahome# 

My config (the relevant parts):

interfaces {
     bridge br0 {
         address 10.2.2.1/24
         address 2001:470:6d:363::1/64
         aging 300
         dhcpv6-options {
             parameters-only
         }
         hello-time 2
         ipv6 {
             dup-addr-detect-transmits 1
             router-advert {
                 cur-hop-limit 64
                 default-preference high
                 link-mtu 1280
                 managed-flag false
                 max-interval 600
                 other-config-flag true
                 prefix 2001:470:6d:363::/64 {
                     autonomous-flag true
                     on-link-flag true
                     valid-lifetime 2592000
                 }
                 reachable-time 0
                 retrans-timer 0
                 send-advert true
             }
         }
         max-age 20
         priority 0
         stp false
     }
     ethernet eth0 {
         bridge-group {
             bridge br0
         }
         description "Internal Network"
         dhcpv6-options {
             parameters-only
         }
         duplex auto
         hw-id 00:50:56:89:81:8b
         smp_affinity auto
         speed auto
     }



openvpn vtun1 {
         bridge-group {
             bridge br0
         }
         description "Incoming OpenVPN Bridge"
         device-type tap
         local-port 443
         mode server
         openvpn-option "--push redirect-gateway def1"
         openvpn-option "--push route-delay 10"
         openvpn-option "--cert /config/auth/ca/keys/adieball.dvrdns.org.crt"
         openvpn-option "--key /config/auth/ca/keys/adieball.dvrdns.org.key"
         openvpn-option --duplicate-cn
         openvpn-option --comp-lzo
         openvpn-option --tcp-nodelay
         openvpn-option "--push dhcp-option DOMAIN f0rd42.net"
         openvpn-option "--push dhcp-option DNS 10.2.2.2"
         openvpn-option "--push route-gateway dhcp"
         protocol tcp-passive
         server {
             subnet 10.2.2.0/24
         }
         tls {
             ca-cert-file /config/auth/ca/keys/ca.crt
             cert-file /config/auth/ca/keys/adieball.dvrdns.org.crt
             crl-file /config/auth/ca/keys/crl.pem
             dh-file /config/auth/ca/keys/dh1024.pem
             key-file /config/auth/ca/keys/adieball.dvrdns.org.key
         }
     }
}

Thanks a lot in advance
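An added example, not part of the original post: a small Python script that reads tshark lines in the format quoted above (a handful of lines copied from the capture, not the whole thing) and sorts the ARP traffic two ways: requests that got an "is at" reply versus ones that never did, and requests whose target is inside 10.2.2.0/24 versus targets outside it. A host with a usable gateway route ARPs for the gateway's address, not for the remote destination itself, so a pile of unanswered requests for public addresses is the thing to look for when checking whether a pushed route-gateway actually took effect on the client. The client subnet (10.2.2.0/24) and the two regular expressions are assumptions matched to the tshark output shown on this page.

```python
import ipaddress
import re
from collections import defaultdict

# A subset of the tshark lines from the capture above (copied, then abbreviated).
CAPTURE = """\
  0.000000 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 10.2.2.2?  Tell 10.2.2.150
  0.000208 Vmware_95:52:fe -> 0e:4c:94:d2:7f:d9 ARP 10.2.2.2 is at 00:50:56:95:52:fe
  0.024039   10.2.2.150 -> 10.2.2.2     DNS Standard query A notify5.dropbox.com
  3.877692 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 17.110.245.10?  Tell 10.2.2.150
 12.651783 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 81.171.205.50?  Tell 10.2.2.150
 13.657780 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 81.171.205.50?  Tell 10.2.2.150
 28.152391 0e:4c:94:d2:7f:d9 -> Broadcast    ARP Who has 108.160.170.39?  Tell 10.2.2.150
"""

# Regexes assumed from tshark's one-line ARP summary format as printed above.
WHO_HAS = re.compile(r"ARP Who has (\S+)\?\s+Tell (\S+)")
IS_AT = re.compile(r"ARP (\S+) is at (\S+)")


def analyse_arp(capture, client_net):
    """Return {target_ip: {requests, answered, on_subnet}} for every ARP request seen."""
    net = ipaddress.ip_network(client_net)
    requests = defaultdict(int)   # target IP -> number of "Who has" requests
    replies = {}                  # target IP -> MAC that answered "is at"
    for line in capture.splitlines():
        m = WHO_HAS.search(line)
        if m:
            requests[m.group(1)] += 1
            continue
        m = IS_AT.search(line)
        if m:
            replies[m.group(1)] = m.group(2)
    report = {}
    for target, count in requests.items():
        report[target] = {
            "requests": count,
            "answered": target in replies,
            "on_subnet": ipaddress.ip_address(target) in net,
        }
    return report


def off_subnet_unanswered(report):
    """Targets outside the client's subnet that nobody answered: the client is
    treating them as on-link, which is what a missing gateway route looks like."""
    return sorted(t for t, r in report.items()
                  if not r["on_subnet"] and not r["answered"])


if __name__ == "__main__":
    rep = analyse_arp(CAPTURE, "10.2.2.0/24")
    for target, r in sorted(rep.items()):
        where = "on-subnet " if r["on_subnet"] else "off-subnet"
        state = "answered" if r["answered"] else "UNANSWERED"
        print(f"{target:16} {where} {state} ({r['requests']} request(s))")
    print("off-subnet targets with no reply:", off_subnet_unanswered(rep))
```

Run it against a full capture by piping `tshark -i br0 arp` into a file and loading that instead of the embedded CAPTURE string; if the off-subnet list is non-empty while 10.2.2.1 never appears as a target, the client is not using the bridge address as its next hop at all.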