VPNs beyond the router are not working

I tried both Openconnect and l2tp/IPsec. The VPNs connect, and I can ping the Vyos VM., but I can’t get to other devices on the LAN. It looks like the router is not ARPing for the VPN client, so devices on the LAN subnet are not finding the client…

Sniffing the LAN side on the router with TCPdump. In this case, the VPN client is, the router is, and another VM is running at The ping from the VPN client is getting out on the LAN, and the VM at .20 is hearing it. The VM at .20 sends out a who-has request that never gets answered…

13:46:21.744875 IP > []( ICMP echo request, id 45628, seq 0, length 64 13:46:21.745145 ARP, Request who-has tell, length 28
13:46:22.751916 IP > []( ICMP echo request, id 45628, seq 1, length 64
13:46:22.764430 ARP, Request who-has tell, length 28
13:46:23.753250 IP > []( ICMP echo request, id 45628, seq 2, length 64
13:46:23.788554 ARP, Request who-has tell, length 28
13:46:24.754572 IP > []( ICMP echo request, id 45628, seq 3, length 64
13:46:25.761567 IP > []( ICMP echo request, id 45628, seq 4, length 64
13:46:25.761789 ARP, Request who-has tell, length 28
21 packets captured
21 packets received by filter

I should follow up that this is a rolling release.
$ show version
Version: VyOS 1.4-rolling-202209090217
Release train: sagitta

Built by: autobuild@vyos.net
Built on: Fri 09 Sep 2022 02:17 UTC
Build UUID: 98de53cd-c1f9-464e-8d1f-96174bc6fc12
Build commit ID: 9f0ab18e71ee1d

Architecture: x86_64
Boot via: installed image
System type: KVM guest

Hardware vendor: QEMU
Hardware model: Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID: 7e723611-902f-4d87-b4f1-939cdddf30d6

Without the config I guess that you tried to create one big subnet, the VM thinks it can get to the VPN cliënt through the local LAN since it is the same subnet. So, it starts ARPing instead of sending traffic to the router.

The VPN client probably has a PtP connection so it knows it has to send the packets to the router.

You either have to put the VPN client in a different subnet, or do some proxyarp trickery on the LAN side.

Does both ends (past the VPN endpoints) know how to get to the other side (IE is the routing tables for the device know to communicate to the routers for going across the VPN).

If you network is something like. the below… Does the Computer know to communicate to Router A to reach the network for the Server?

Computer → Router A → Internet → Router B → Server

The client is getting, an address from the LAN that the Vyos router is on. It also has the route entry of to know how to get to that LAN prefix on the Vyos router. You can see in the TCP dump that it is trying to reach another device on the same VLAN at A packet is getting to from, and the device is asking a “who-has” to add it to it’s ARP table but the Vyos box is not responding. If it did, the box would be able to reach the VPN client at

Here is an example of a successful connection on a UI Edgerouter…
16:22:21.240048 IP > Flags [SEW], seq 3993998026, win 65535, options [mss 1240,nop,wscale 6,nop,nop,TS val 2836621081 ecr 0,sackOK,eol], length 0
16:22:21.240245 ARP, Request who-has tell, length 46
16:22:21.732566 ARP, Reply is-at 74:ac:b9:d4:00:13 (oui Unknown), length 28
16:22:21.732690 IP > Flags [S.E], seq 127563325, ack 3993998027, win 28960, options [mss 1460,sackOK,TS val 3847088517 ecr 2836621081,nop,wscale 7], length 0

In this case the LAN subnet is 100.64.4/24. The EdgeOS router is at The VPN client got The device the VPN client is tying to SSH into is You can see the VPN client start the SSH TCP session with in the first packet captured. The sends out a who-has and there is a is-at reply that 74:ac:b9:d4:00:13. This is the MAC address that is used on the LAN interface on the Edgerouter. So both and have the same MAC address. After the “is-at” packet goes out, the SSH session starts.

Vyos is not sending out the is-at packet telling devices where to find the VPN client.


It’s not up to the router to be responding for ARP questions within the same subnet. Hence, you need proxyarp.

Yes… A workaround for this bug I did was to create a bridge interface with a separate subnet and assign VPN clients out of it. This works as it avoids the whole ARP process. So long as the devices the VPN client is trying to reach have a default route to the Vyos router, then that works in trying to reach the devices on the LAN side.

So I wouldn’t say this is “fixed” as the bug still exists.

So why does this work on the Edgerouter that is configured exactly the same way as the Vyos router? Why does the ER respond with the ARP request for the VPN client and the Vyos box does not?

I was on my phone before, but looking at your description and what happens on the capture is exactly what proxyarp does. If you do something like:
set interfaces ethernet eth1 ip enable-proxy-arp
your problem will probably go away. Just replace eth1 with the LAN interface.

The edgerouter probably enables proxyarp by default in this setup.

@roedie That did it! Thanks much.

Yes. My EdgeOS config does not have the enable-proxy-arp in it. So I guess it defaults to this.

With this, I would consider this closed.

Thanks again

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.