Losing access to RUT360 after connecting it to OpenVPN server Part 2

Unfortunately my last topic was closed (sorry, holiday - Losing access to RUT360 after connecting it to OpenVPN server) and I’m still trying to figure it out.
As AndzejJ suggested, I did bridge tap with eth0 and use the

`logread -f`

command during the connection phase. The SSH connection was broken after this part:

Thu Sep  7 13:34:35 2023 daemon.warn openvpn(Sterbit)[13845]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Sep  7 13:34:35 2023 daemon.notice openvpn(Sterbit)[13845]: TCP/UDP: Preserving recently used remote address: [AF_INET]85.221.216.110:1199
Thu Sep  7 13:34:35 2023 daemon.notice openvpn(Sterbit)[13845]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Thu Sep  7 13:34:35 2023 daemon.notice openvpn(Sterbit)[13845]: Attempting to establish TCP connection with [AF_INET]85.221.216.110:1199 [nonblock]
Thu Sep  7 13:34:35 2023 daemon.notice openvpn(Sterbit)[13845]: TCP connection established with [AF_INET]85.221.216.110:1199
Thu Sep  7 13:34:35 2023 daemon.notice openvpn(Sterbit)[13845]: TCP_CLIENT link local: (not bound)
Thu Sep  7 13:34:35 2023 daemon.notice openvpn(Sterbit)[13845]: TCP_CLIENT link remote: [AF_INET]85.221.216.110:1199
Thu Sep  7 13:34:35 2023 daemon.notice openvpn(Sterbit)[13845]: TLS: Initial packet from [AF_INET]85.221.216.110:1199, sid=09065a2a 4fcfc981
Thu Sep  7 13:34:35 2023 daemon.notice openvpn(Sterbit)[13845]: VERIFY OK: depth=1, CN=Sterbit
Thu Sep  7 13:34:35 2023 daemon.notice openvpn(Sterbit)[13845]: VERIFY OK: depth=0, CN=server
Thu Sep  7 13:34:35 2023 daemon.notice openvpn(Sterbit)[13845]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Thu Sep  7 13:34:35 2023 daemon.notice openvpn(Sterbit)[13845]: [server] Peer Connection Initiated with [AF_INET]85.221.216.110:1199
Thu Sep  7 13:34:36 2023 daemon.notice openvpn(Sterbit)[13845]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Sep  7 13:34:36 2023 daemon.notice openvpn(Sterbit)[13845]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.3.230,ping 10,ping-restart 60,ifconfig 192.168.3.232 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Thu Sep  7 13:34:36 2023 daemon.notice openvpn(Sterbit)[13845]: OPTIONS IMPORT: timers and/or timeouts modified
Thu Sep  7 13:34:36 2023 daemon.notice openvpn(Sterbit)[13845]: OPTIONS IMPORT: --ifconfig/up options modified
Thu Sep  7 13:34:36 2023 daemon.notice openvpn(Sterbit)[13845]: OPTIONS IMPORT: route-related options modified
Thu Sep  7 13:34:36 2023 daemon.notice openvpn(Sterbit)[13845]: OPTIONS IMPORT: peer-id set
Thu Sep  7 13:34:36 2023 daemon.notice openvpn(Sterbit)[13845]: OPTIONS IMPORT: adjusting link_mtu to 1658
Thu Sep  7 13:34:36 2023 daemon.notice openvpn(Sterbit)[13845]: OPTIONS IMPORT: data channel crypto options modified
Thu Sep  7 13:34:36 2023 daemon.notice openvpn(Sterbit)[13845]: Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Sep  7 13:34:36 2023 daemon.notice openvpn(Sterbit)[13845]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Sep  7 13:34:36 2023 daemon.notice openvpn(Sterbit)[13845]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Sep  7 13:34:37 2023 kern.info kernel: [ 2537.826703] br-lan: port 2(tap_c_Sterbit) entered blocking state
Thu Sep  7 13:34:37 2023 kern.info kernel: [ 2537.833003] br-lan: port 2(tap_c_Sterbit) entered disabled state
Thu Sep  7 13:34:37 2023 kern.info kernel: [ 2537.839687] device tap_c_Sterbit entered promiscuous mode

This part I recovered from logread after disabling the connection and logging in again via SSH.

Thu Sep  7 13:34:37 2023 kern.info kernel: [ 2537.845627] br-lan: port 2(tap_c_Sterbit) entered blocking state
Thu Sep  7 13:34:37 2023 kern.info kernel: [ 2537.851927] br-lan: port 2(tap_c_Sterbit) entered forwarding state
Thu Sep  7 13:34:37 2023 daemon.notice openvpn(Sterbit)[13845]: TUN/TAP device tap_c_Sterbit opened
Thu Sep  7 13:34:37 2023 daemon.notice openvpn(Sterbit)[13845]: net_iface_mtu_set: mtu 1500 for tap_c_Sterbit
Thu Sep  7 13:34:37 2023 daemon.notice openvpn(Sterbit)[13845]: net_iface_up: set tap_c_Sterbit up
Thu Sep  7 13:34:37 2023 daemon.notice openvpn(Sterbit)[13845]: net_addr_v4_add: 192.168.3.232/24 dev tap_c_Sterbit
Thu Sep  7 13:34:37 2023 daemon.notice openvpn(Sterbit)[13845]: /etc/openvpn/updown.sh tap_c_Sterbit 1500 1586 192.168.3.232 255.255.255.0 init
Thu Sep  7 13:34:37 2023 daemon.notice netifd: Network device 'tap_c_Sterbit' link is up
Thu Sep  7 13:34:37 2023 daemon.notice openvpn(Sterbit)[13845]: Initialization Sequence Completed
Thu Sep  7 13:34:39 2023 daemon.info dnsmasq[12781]: exiting on receipt of SIGTERM
Thu Sep  7 13:34:39 2023 daemon.info dnsmasq[20850]: Connected to system UBus
Thu Sep  7 13:34:39 2023 daemon.info dnsmasq[20850]: started, version 2.85 cachesize 150
Thu Sep  7 13:34:39 2023 daemon.info dnsmasq[20850]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
Thu Sep  7 13:34:39 2023 daemon.info dnsmasq[20850]: UBus support enabled: connected to system bus
Thu Sep  7 13:34:39 2023 daemon.info dnsmasq[20850]: using only locally-known addresses for domain test
Thu Sep  7 13:34:39 2023 daemon.info dnsmasq[20850]: using only locally-known addresses for domain onion
Thu Sep  7 13:34:39 2023 daemon.info dnsmasq[20850]: using only locally-known addresses for domain localhost
Thu Sep  7 13:34:39 2023 daemon.info dnsmasq[20850]: using only locally-known addresses for domain local
Thu Sep  7 13:34:39 2023 daemon.info dnsmasq[20850]: using only locally-known addresses for domain invalid
Thu Sep  7 13:34:39 2023 daemon.info dnsmasq[20850]: using only locally-known addresses for domain bind
Thu Sep  7 13:34:39 2023 daemon.info dnsmasq[20850]: using only locally-known addresses for domain lan
Thu Sep  7 13:34:39 2023 daemon.info dnsmasq[20850]: reading /tmp/resolv.conf.d/resolv.conf.auto
Thu Sep  7 13:34:39 2023 daemon.info dnsmasq[20850]: using only locally-known addresses for domain test
Thu Sep  7 13:34:39 2023 daemon.info dnsmasq[20850]: using only locally-known addresses for domain onion
Thu Sep  7 13:34:39 2023 daemon.info dnsmasq[20850]: using only locally-known addresses for domain localhost
Thu Sep  7 13:34:39 2023 daemon.info dnsmasq[20850]: using only locally-known addresses for domain local
Thu Sep  7 13:34:39 2023 daemon.info dnsmasq[20850]: using only locally-known addresses for domain invalid
Thu Sep  7 13:34:39 2023 daemon.info dnsmasq[20850]: using only locally-known addresses for domain bind
Thu Sep  7 13:34:39 2023 daemon.info dnsmasq[20850]: using only locally-known addresses for domain lan
Thu Sep  7 13:34:39 2023 daemon.info dnsmasq[20850]: using nameserver 89.108.195.21#53
Thu Sep  7 13:34:39 2023 daemon.info dnsmasq[20850]: using nameserver 185.89.185.1#53
Thu Sep  7 13:34:39 2023 daemon.info dnsmasq[20850]: read /etc/hosts - 4 addresses
Thu Sep  7 13:34:39 2023 daemon.info dnsmasq[20850]: read /tmp/hosts/dhcp.cfg01411c - 0 addresses
Thu Sep  7 13:34:39 2023 daemon.info dnsmasq[20850]: read /etc/hosts - 4 addresses
Thu Sep  7 13:34:39 2023 daemon.info dnsmasq[20850]: read /tmp/hosts/dhcp.cfg01411c - 0 addresses

As for the current settings, firewall:

config defaults '1'
	option syn_flood '1'
	option output 'ACCEPT'
	option flow_offloading '0'
	option drop_invalid '0'
	option input 'REJECT'
	option auto_helper '0'
	option forward 'REJECT'

config zone '2'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '0'
	option mtu_fix '0'
	option network 'wlan lan'

config zone '3'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 mob1s1a1'

config forwarding '4'
	option src 'lan'
	option dest 'wan'

config rule '5'
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
	option priority '1'
	option enabled '1'

config rule '6'
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option priority '2'
	option enabled '1'

config rule '7'
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
	option priority '3'
	option enabled '1'

config rule '8'
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option priority '4'
	option enabled '1'

config rule '9'
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option priority '5'
	option enabled '1'

config rule '10'
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option priority '6'
	option enabled '1'

config rule '11'
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option priority '7'
	option enabled '1'

config rule '12'
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option priority '8'
	option enabled '1'

config rule '13'
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option priority '9'
	option enabled '1'

config include '14'
	option path '/etc/firewall.user'

config rule '15'
	option dest_port '22'
	option proto 'tcp'
	option name 'Enable_SSH_WAN'
	option target 'ACCEPT'
	option src 'wan'
	option priority '10'
	option enabled '1'

config rule '16'
	option dest_port '80'
	option proto 'tcp'
	option name 'Enable_HTTP_WAN'
	option target 'ACCEPT'
	option src 'wan'
	option priority '11'
	option enabled '1'

config rule '17'
	option dest_port '443'
	option proto 'tcp'
	option name 'Enable_HTTPS_WAN'
	option target 'ACCEPT'
	option src 'wan'
	option priority '12'
	option enabled '1'

config rule '18'
	option dest_port '4200-4220'
	option proto 'tcp'
	option name 'Enable_CLI_WAN'
	option target 'ACCEPT'
	option src 'wan'
	option priority '13'
	option enabled '1'

config include 'pscan'
	option port_scan '0'
	option type 'script'
	option path '/etc/port-scan-prevention.sh'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config rule '22'
	option src 'wan'
	option name 'Allow-openvpn-traffic'
	option target 'ACCEPT'
	option vpn_type 'openvpn'
	option proto 'tcp udp'
	option family 'ipv4'
	option dest_port '1199'

config zone '23'
	option name 'openvpn'
	option device 'tun_+'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option masq '0'
	option mtu_fix '0'
	option forward 'ACCEPT'

config forwarding '24'
	option dest 'lan'
	option src 'openvpn'

config forwarding '25'
	option dest 'openvpn'
	option src 'lan'

Network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd38:a2d6:3c62::/48'

config interface 'lan'
	option proto 'static'
	option type 'bridge'
	option netmask '255.255.255.0'
	option metric '1'
	option ip6assign '60'
	option ipaddr '192.168.3.1'
	option stp '0'
	option ifname 'eth0 tap_c_Sterbit'
	option delegate '0'
	option force_link '0'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option metric '2'
	option disabled '1'

config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'
	option metric '3'
	option disabled '1'

config interface 'mob1s1a1'
	option proto 'wwan'
	option modem '1-1'
	option metric '4'
	option sim '1'
	option dhcpv6 '0'
	option pdptype 'ip'
	option method 'nat'
	option auth 'none'
	option force_apn '-1'
	option apn 'internet'
	option pdp '1'
	option auto_apn '0'
	option pref_apn '568'

config interface 'wlan'
	option metric '5'
	option ipaddr '192.168.89.1'
	option netmask '255.255.255.0'
	option delegate '1'
	option force_link '0'
	option proto 'static'

What is more, now I have access to the device during the whole process thanks to WiFi.
I also tried with a newer version of OpenVPN server (2.6) but I’m still getting the same results. The connection is established “correctly” and I can access the devices connected to the RUT via LAN port through the OpenVPN connection from another client, but no luck with accessing the RUT itself.

Do you have any idea how to solve this issue?

Regards,
Maciej.

Hello,

I assume there's something with bridging / ARP. Could you please share the output of the ‘ip neigh’ command on both devices? Also, ifconfig where the br-lan, eth0, and tap0 interfaces are seen.

Also, have you tried the configuration without the server-bridge option?

Kind Regards,

Hi,

ifconfig looks like this:

br-lan    Link encap:Ethernet  HWaddr 00:1E:42:3D:F9:D9
          inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:42ff:fe3d:f9d9/64 Scope:Link
          inet6 addr: fd38:a2d6:3c62::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:1112 (1.0 KiB)

eth0      Link encap:Ethernet  HWaddr 00:1E:42:3D:F9:D9
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:267 errors:0 dropped:267 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:86508 (84.4 KiB)  TX bytes:1112 (1.0 KiB)
          Interrupt:5

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:57 errors:0 dropped:0 overruns:0 frame:0
          TX packets:57 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5264 (5.1 KiB)  TX bytes:5264 (5.1 KiB)

tap0      Link encap:Ethernet  HWaddr 2A:6C:1E:69:55:7E
          inet addr:192.168.3.232  Bcast:0.0.0.0  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:196 (196.0 B)

wlan0     Link encap:Ethernet  HWaddr 00:1E:42:3D:F9:DB
          inet addr:192.168.89.1  Bcast:192.168.89.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:42ff:fe3d:f9db/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2195 errors:0 dropped:157 overruns:0 frame:0
          TX packets:2271 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:297561 (290.5 KiB)  TX bytes:783263 (764.9 KiB)

wwan0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:100.113.81.113  P-t-P:100.113.81.113  Mask:255.255.255.255
          inet6 addr: fe80::45a4:787d:c053:9d36/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:612 errors:0 dropped:0 overruns:0 frame:0
          TX packets:666 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:75598 (73.8 KiB)  TX bytes:67932 (66.3 KiB)

As for ip neigh, here is the RUT360 freshly after connecting to OpenVPN server

192.168.89.110 dev wlan0 lladdr a8:93:4a:6e:d8:17 REACHABLE
fe80::8dd2:9c2e:558b:f842 dev br-lan lladdr 00:ff:da:42:ea:19 STALE
fe80::ad22:ef90:76f8:145a dev wlan0 lladdr a8:93:4a:6e:d8:17 STALE

And here after pinging the other connected client via RUT360 SSH with command ping 192.168.3.233 -I br-lan and the device connected directly to RUT360 LAN port with command ping 192.168.3.10 -I br-lan

192.168.3.10 dev br-lan lladdr 28:63:36:b9:06:ae REACHABLE
192.168.3.233 dev br-lan lladdr 00:ff:da:42:ea:19 STALE
192.168.89.110 dev wlan0 lladdr a8:93:4a:6e:d8:17 REACHABLE
fe80::8dd2:9c2e:558b:f842 dev br-lan lladdr 00:ff:da:42:ea:19 STALE
fe80::ad22:ef90:76f8:145a dev wlan0 lladdr a8:93:4a:6e:d8:17 STALE

As for the second client, I’m running Windows so I used the Get-NetNeighbor -AddressFamily IPv4 command:

ifIndex IPAddress                                          LinkLayerAddress      State       PolicyStore
------- ---------                                          ----------------      -----       -----------
17      255.255.255.255                                    FF-FF-FF-FF-FF-FF     Permanent   ActiveStore
17      239.255.255.255                                    01-00-5E-7F-FF-FF     Permanent   ActiveStore
17      239.255.255.250                                    01-00-5E-7F-FF-FA     Permanent   ActiveStore
17      224.0.0.252                                        01-00-5E-00-00-FC     Permanent   ActiveStore
17      224.0.0.251                                        01-00-5E-00-00-FB     Permanent   ActiveStore
17      224.0.0.22                                         01-00-5E-00-00-16     Permanent   ActiveStore
17      192.168.56.255                                     FF-FF-FF-FF-FF-FF     Permanent   ActiveStore
27      255.255.255.255                                    FF-FF-FF-FF-FF-FF     Permanent   ActiveStore
27      239.255.255.255                                    01-00-5E-7F-FF-FF     Permanent   ActiveStore
27      239.255.255.250                                    01-00-5E-7F-FF-FA     Permanent   ActiveStore
27      224.0.0.252                                        01-00-5E-00-00-FC     Permanent   ActiveStore
27      224.0.0.251                                        01-00-5E-00-00-FB     Permanent   ActiveStore
27      224.0.0.22                                         01-00-5E-00-00-16     Permanent   ActiveStore
26      239.255.255.255                                    01-00-5E-7F-FF-FF     Permanent   ActiveStore
26      239.255.255.250                                    01-00-5E-7F-FF-FA     Permanent   ActiveStore
26      224.0.1.1                                          01-00-5E-00-01-01     Permanent   ActiveStore
26      224.0.0.252                                        01-00-5E-00-00-FC     Permanent   ActiveStore
26      224.0.0.251                                        01-00-5E-00-00-FB     Permanent   ActiveStore
26      224.0.0.22                                         01-00-5E-00-00-16     Permanent   ActiveStore
4       239.255.255.255                                    01-00-5E-7F-FF-FF     Permanent   ActiveStore
4       239.255.255.250                                    01-00-5E-7F-FF-FA     Permanent   ActiveStore
4       224.0.1.1                                          01-00-5E-00-01-01     Permanent   ActiveStore
4       224.0.0.252                                        01-00-5E-00-00-FC     Permanent   ActiveStore
4       224.0.0.251                                        01-00-5E-00-00-FB     Permanent   ActiveStore
4       224.0.0.22                                         01-00-5E-00-00-16     Permanent   ActiveStore
3       239.255.255.255                                    01-00-5E-7F-FF-FF     Permanent   ActiveStore
3       239.255.255.250                                    01-00-5E-7F-FF-FA     Permanent   ActiveStore
3       224.0.1.1                                          01-00-5E-00-01-01     Permanent   ActiveStore
3       224.0.0.252                                        01-00-5E-00-00-FC     Permanent   ActiveStore
3       224.0.0.251                                        01-00-5E-00-00-FB     Permanent   ActiveStore
3       224.0.0.22                                         01-00-5E-00-00-16     Permanent   ActiveStore
23      239.255.255.255                                                          Permanent   ActiveStore
23      239.255.255.250                                                          Permanent   ActiveStore
23      224.0.1.1                                                                Permanent   ActiveStore
23      224.0.0.252                                                              Permanent   ActiveStore
23      224.0.0.251                                                              Permanent   ActiveStore
23      224.0.0.22                                                               Permanent   ActiveStore
14      239.255.255.255                                    01-00-5E-7F-FF-FF     Permanent   ActiveStore
14      239.255.255.250                                    01-00-5E-7F-FF-FA     Permanent   ActiveStore
14      224.0.1.1                                          01-00-5E-00-01-01     Permanent   ActiveStore
14      224.0.0.252                                        01-00-5E-00-00-FC     Permanent   ActiveStore
14      224.0.0.251                                        01-00-5E-00-00-FB     Permanent   ActiveStore
14      224.0.0.22                                         01-00-5E-00-00-16     Permanent   ActiveStore
29      239.255.255.255                                                          Permanent   ActiveStore
29      239.255.255.250                                                          Permanent   ActiveStore
29      224.0.1.1                                                                Permanent   ActiveStore
29      224.0.0.252                                                              Permanent   ActiveStore
29      224.0.0.251                                                              Permanent   ActiveStore
29      224.0.0.22                                                               Permanent   ActiveStore
21      239.255.255.255                                    01-00-5E-7F-FF-FF     Permanent   ActiveStore
21      239.255.255.250                                    01-00-5E-7F-FF-FA     Permanent   ActiveStore
21      224.0.0.252                                        01-00-5E-00-00-FC     Permanent   ActiveStore
21      224.0.0.251                                        01-00-5E-00-00-FB     Permanent   ActiveStore
21      224.0.0.22                                         01-00-5E-00-00-16     Permanent   ActiveStore
21      192.168.3.255                                      FF-FF-FF-FF-FF-FF     Permanent   ActiveStore
21      192.168.3.233                                      00-00-00-00-00-00     Unreachable ActiveStore
21      192.168.3.232                                      00-00-00-00-00-00     Unreachable ActiveStore
21      192.168.3.231                                      00-00-00-00-00-00     Unreachable ActiveStore
21      192.168.3.230                                      00-00-00-00-00-00     Unreachable ActiveStore
21      192.168.3.10                                       28-63-36-B9-06-AE     Stale       ActiveStore
21      192.168.3.1                                        00-00-00-00-00-00     Unreachable ActiveStore
21      192.168.3.0                                        00-00-00-00-00-00     Unreachable ActiveStore
28      255.255.255.255                                    FF-FF-FF-FF-FF-FF     Permanent   ActiveStore
28      239.255.255.250                                    01-00-5E-7F-FF-FA     Permanent   ActiveStore
28      224.0.0.252                                        01-00-5E-00-00-FC     Permanent   ActiveStore
28      224.0.0.251                                        01-00-5E-00-00-FB     Permanent   ActiveStore
28      224.0.0.22                                         01-00-5E-00-00-16     Permanent   ActiveStore
28      192.168.89.255                                     FF-FF-FF-FF-FF-FF     Permanent   ActiveStore
28      192.168.89.1                                       00-1E-42-3D-F9-DB     Reachable   ActiveStore
28      192.168.5.30                                       00-00-00-00-00-00     Unreachable ActiveStore
28      192.168.5.3                                        00-00-00-00-00-00     Unreachable ActiveStore
28      192.168.5.1                                        00-00-00-00-00-00     Unreachable ActiveStore
24      255.255.255.255                                    FF-FF-FF-FF-FF-FF     Permanent   ActiveStore
24      239.255.255.250                                    01-00-5E-7F-FF-FA     Permanent   ActiveStore
24      224.0.0.252                                        01-00-5E-00-00-FC     Permanent   ActiveStore
24      224.0.0.251                                        01-00-5E-00-00-FB     Permanent   ActiveStore
24      224.0.0.22                                         01-00-5E-00-00-16     Permanent   ActiveStore
24      192.168.3.255                                      FF-FF-FF-FF-FF-FF     Permanent   ActiveStore
24      192.168.3.233                                      00-00-00-00-00-00     Unreachable ActiveStore
24      192.168.3.232                                      00-00-00-00-00-00     Unreachable ActiveStore
24      192.168.3.231                                      00-00-00-00-00-00     Unreachable ActiveStore
24      192.168.3.230                                      00-00-00-00-00-00     Unreachable ActiveStore
24      192.168.3.10                                       28-63-36-B9-06-AE     Stale       ActiveStore
24      192.168.3.1                                        2A-6C-1E-69-55-7E     Stale       ActiveStore
24      192.168.3.0                                        00-00-00-00-00-00     Unreachable ActiveStore
1       239.255.255.255                                                          Permanent   ActiveStore
1       239.255.255.250                                                          Permanent   ActiveStore
1       224.0.1.1                                                                Permanent   ActiveStore
1       224.0.0.252                                                              Permanent   ActiveStore
1       224.0.0.251                                                              Permanent   ActiveStore
1       224.0.0.22                                                               Permanent   ActiveStore
1       127.255.255.255                                                          Permanent   ActiveStore

Lastly, I don’t see a point in running this configuration without the server-bridge option, as from what I understand in TAP mode this command is required.
What is more, I have practically the same OpenVPN server configuration running fine on an older Racom Midge device and two Mikrotik devices.

Nevertheless, I’m sure that with your help we will figure it out :slight_smile:

Best regards,
Maciej.

Hello,

Server-bridge can be used in TAP mode to assign IP addresses from the server. It is not ‘necessary’ and depends on your requirements. You can find configuration examples on our wiki page here and here. This option is not present in the WebUI so it might be tricky.

Could you try tcpdump (tcpdump -i tap0 icmp) and check if RUT360 replies to the pings?
If not, try deleting arp entries associated with server’s MAC on RUT360, and add an entry manually.

ip neigh del <serverIP> dev br-lan lladdr <serverMAC>
ip neigh add <serverIP> dev tap0 lladdr <serverMAC>

Similarly, you can check ARP entries on your server and try deleting failed/stale/incomplete ones and try entering them manually.

Kind Regards,

Hello,

we are getting somewhere! I left the server config alone and tried messing with those ARP entries on the RUT360 side.
After reboot and connecting to OpenVPN arp returns:

IP address       HW type     Flags       HW address            Mask     Device
192.168.89.110   0x1         0x2         a8:93:4a:6e:d8:17     *        wlan0

Ping to the device connected directly to LAN port on RUT360 through the OpenVPN goes fine and the arp list remains the same as above.
After trying to ping the RUT360 through OpenVPN (with no valid response) the arp list changes. Device 192.168.3.232 is the client that I’m pinging from.

IP address       HW type     Flags       HW address            Mask     Device
192.168.89.110   0x1         0x2         a8:93:4a:6e:d8:17     *        wlan0
192.168.3.232    0x1         0x0         00:00:00:00:00:00     *        tap0
192.168.3.232    0x1         0x2         00:ff:da:42:ea:19     *        br-lan

The solution is to delete tap0 definition of the client and add it manually with proper MAC using commands you proposed:

ip neigh del 192.168.3.232 dev tap0
ip neigh add 192.168.3.232 dev tap0 lladdr 00:ff:da:42:ea:19

It gets me here:

IP address       HW type     Flags       HW address            Mask     Device
192.168.89.110   0x1         0x2         a8:93:4a:6e:d8:17     *        wlan0
192.168.3.232    0x1         0x6         00:ff:da:42:ea:19     *        tap0
192.168.3.232    0x1         0x2         00:ff:da:42:ea:19     *        br-lan

After those two commands the RUT360 replies to ping and I can access its WWW GUI.

Now the question is why isn’t it done automatically? Is there an error in configuration on my side or is it a feature that I don’t understand?

PS: ifconfig just in case

br-lan    Link encap:Ethernet  HWaddr 00:1E:42:3D:F9:D9
          inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
          inet6 addr: fd38:a2d6:3c62::1/60 Scope:Global
          inet6 addr: fe80::21e:42ff:fe3d:f9d9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:285 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:41186 (40.2 KiB)  TX bytes:1302 (1.2 KiB)

eth0      Link encap:Ethernet  HWaddr 00:1E:42:3D:F9:D9
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:179 errors:0 dropped:171 overruns:0 frame:0
          TX packets:277 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:55954 (54.6 KiB)  TX bytes:45398 (44.3 KiB)
          Interrupt:5

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:40 errors:0 dropped:0 overruns:0 frame:0
          TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3828 (3.7 KiB)  TX bytes:3828 (3.7 KiB)

tap0      Link encap:Ethernet  HWaddr B2:65:0E:E5:A7:62
          inet addr:192.168.3.233  Bcast:0.0.0.0  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:291 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:45570 (44.5 KiB)  TX bytes:1560 (1.5 KiB)

wlan0     Link encap:Ethernet  HWaddr 00:1E:42:3D:F9:DB
          inet addr:192.168.89.1  Bcast:192.168.89.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:42ff:fe3d:f9db/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:702 errors:0 dropped:93 overruns:0 frame:0
          TX packets:661 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:92654 (90.4 KiB)  TX bytes:117190 (114.4 KiB)

wwan0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:100.107.120.124  P-t-P:100.107.120.124  Mask:255.255.255.255
          inet6 addr: fe80::138a:8771:b535:89b5/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:502 errors:0 dropped:0 overruns:0 frame:0
          TX packets:514 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:91883 (89.7 KiB)  TX bytes:46522 (45.4 KiB)

Best regards,
Maciej.

Hello,

Can’t say for sure, but it may be related to the fact that both br-lan and tap0 interfaces get an IP address. For testing, could you try swapping to UDP (remove ‘proto tcp’) and try replacing server-bridge with two following lines on the server config?:

mode server
tls-server

You should be able to access both, the RUT and the LAN network.

Kind Regards,
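
As an added diagnostic (not code from the thread or from Teltonika), the script below parses `ifconfig` output in the format posted above and flags any two interfaces whose IPv4 subnets overlap, which is the condition the reply points at: with `server-bridge`, both br-lan and tap0 end up addressed in 192.168.3.0/24. The sample text is copied from the first post, trimmed to the relevant interfaces.

```python
import ipaddress
import re
from itertools import combinations

# ifconfig output copied from the first post (trimmed); tap0 carries an
# address in the same /24 as br-lan, which is the situation being diagnosed.
IFCONFIG_SAMPLE = """\
br-lan    Link encap:Ethernet  HWaddr 00:1E:42:3D:F9:D9
          inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr 00:1E:42:3D:F9:D9
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

tap0      Link encap:Ethernet  HWaddr B2:65:0E:E5:A7:62
          inet addr:192.168.3.233  Bcast:0.0.0.0  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

wlan0     Link encap:Ethernet  HWaddr 00:1E:42:3D:F9:DB
          inet addr:192.168.89.1  Bcast:192.168.89.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

IFACE_RE = re.compile(r"^(\S+)\s+Link encap")
INET_RE = re.compile(r"inet addr:(\S+).*?Mask:(\S+)")


def parse_ifconfig(text):
    """Return {iface: IPv4Interface} for every interface carrying an IPv4 address."""
    result = {}
    # Each interface block starts at column 0; continuation lines are indented.
    for block in re.split(r"\n(?=\S)", text.strip()):
        head = IFACE_RE.match(block)
        if not head:
            continue
        inet = INET_RE.search(block)
        if inet:
            addr, mask = inet.group(1), inet.group(2)
            result[head.group(1)] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return result


def overlapping_subnets(addrs):
    """List (iface_a, iface_b, network) for interface pairs whose subnets overlap.

    Two interfaces on one host inside the same subnet make the choice of
    source interface for replies ambiguous, so management traffic can vanish.
    """
    pairs = []
    for (a, ia), (b, ib) in combinations(sorted(addrs.items()), 2):
        if ia.network.overlaps(ib.network):
            pairs.append((a, b, str(ia.network)))
    return pairs
```

Run it against the output from the second post, where tap0 has no address, and the function returns an empty list.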

Hello,

you were right, it works :slight_smile:
The server config file look like this:

#server-bridge 192.168.3.230 255.255.255.0 192.168.3.232 192.168.3.238
#proto tcp-server
mode server
tls-server
client-config-dir /openvpn/SterbitVPN_6/ccd/

As you can see, in order for other clients to work properly, it seems that I have to assign IP addresses using the client-config-dir option.

As for the ifconfig:

br-lan    Link encap:Ethernet  HWaddr 00:1E:42:3D:F9:D9
          inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:42ff:fe3d:f9d9/64 Scope:Link
          inet6 addr: fd38:a2d6:3c62::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:1092 (1.0 KiB)

eth0      Link encap:Ethernet  HWaddr 00:1E:42:3D:F9:D9
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:44 errors:0 dropped:44 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:14256 (13.9 KiB)  TX bytes:1092 (1.0 KiB)
          Interrupt:5

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:28 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2756 (2.6 KiB)  TX bytes:2756 (2.6 KiB)

tap0      Link encap:Ethernet  HWaddr 42:21:8E:F2:2B:33
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 00:1E:42:3D:F9:DB
          inet addr:192.168.89.1  Bcast:192.168.89.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:42ff:fe3d:f9db/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:628 errors:0 dropped:3 overruns:0 frame:0
          TX packets:642 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:64001 (62.5 KiB)  TX bytes:78789 (76.9 KiB)

wwan0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:100.70.241.176  P-t-P:100.70.241.176  Mask:255.255.255.255
          inet6 addr: fe80::ed77:8432:5f18:c4b4/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:75 errors:0 dropped:0 overruns:0 frame:0
          TX packets:89 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:12620 (12.3 KiB)  TX bytes:12543 (12.2 KiB)

Arp command returns:

192.168.3.251    0x1         0x2         00:ff:da:42:ea:19     *        br-lan
192.168.89.110   0x1         0x2         a8:93:4a:6e:d8:17     *        wlan0

My remaining question is, are you going to change anything in the behavior of your devices while using OpenVPN server with server-bridge option enabled? As I mentioned before, your device is the only one in my experience (quite limited, to be honest) that does have a “problem” with this kind of config.

Best regards,
Maciej.
