Gateway gets stripped from DHCP Reply through OpenVPN tunnel

networking dhcp vpn openvpn openwrt

I have a bridged OpenVPN setup. This is my server config:

port 1194
proto udp
dev tap0

ca      /etc/openvpn/easy-rsa/keys/ca.crt
cert    /etc/openvpn/easy-rsa/keys/server.crt
key     /etc/openvpn/easy-rsa/keys/server.key
dh      /etc/openvpn/easy-rsa/keys/dh2048.pem

# brtctl upscript
script-security 2
up /etc/openvpn/up.sh

tls-server
server-bridge

keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

The server is running on a Debian machine running in network A, the client is running on a OpenWRT router in network B. On network A, the tap0 interface is bridged with the local network, containing a DHCP server and a gateway to the internet. On network B, the tap0 interface is bridged with a separate network without DHCP-server or internet access. The idea is that the OpenVPN tunnel provides internet access for network B.

In this setup, the OpenVPN server doesn't allocate IP addresses for use by the clients. Instead, it just lets the DHCP server in the local network deal with that. This works because this is a bridged (TAP), not routed (TUN) setup.

So, DHCP does work over the tunnel. The clients on network B's side get their IP addresses directly from the DHCP server on network A's side. The problem is that it looks like the default gateway gets stripped from the DHCP reply, because it is empty on the machines on network B.

For example, this is what I get on a Windows client connected to network B:

Ethernet adapter Ethernet:

   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.2.123(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : vrijdag 25 juli 2014 22:49:38
   Lease Expires . . . . . . . . . . : zaterdag 26 juli 2014 10:49:38
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 192.168.2.1
   DNS Servers . . . . . . . . . . . : 8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

I found this: https://community.openvpn.net/openvpn/ticket/312#comment:3

This suggests that this is documented behavior, but I don't know how to disable this. I tried using the directive route-nopull on the client-side, but it doesn't appear to have any effect.

Also, I can't use redirect-gateway directives since I need to get the gateway right on the machines bridged with the OpenVPN client's tap0 adapter, not on the OpenVPN client itself.

My client-side config as follows:

config openvpn sample_client
    option enabled 1

    option client 1

    option dev tap

    option proto udp

    list remote "server.com 1194"

    option resolv_retry infinite

    option nobind 1

    option persist_key 1
    option persist_tun 1

    option ca /etc/openvpn/ca.crt
    option cert /etc/openvpn/client.crt
    option key /etc/openvpn/client.key

    option ns_cert_type server

    option comp_lzo yes

    option verb 3

    option route-nopull 1

Keep in mind that is in OpenWRT's UCI format.

EDIT:

Just found this in the logs:

daemon.notice openvpn(sample_client)[5062]: Extracted DHCP router address: 192.168.2.1

This is exactly the behavior I want to disable.

Also found this:

If --server-bridge is used without any parameters, it will enable a DHCP-proxy mode, where connecting OpenVPN clients will receive an IP address for their TAP adapter from the DHCP server running on the OpenVPN server-side LAN. Note that only clients that support the binding of a DHCP client with the TAP adapter (such as Windows) can support this mode. The optional nogw flag (advanced) indicates that gateway information should not be pushed to the client.

Interesting. I did not set nogw. Could it be that is is implicitly set or something? Can I 'unset' it explicitly?

EDIT: Found this: https://forums.openvpn.net/topic13494.html
Someone with the same problem, thread from a year ago. No answers.


Solution 1:

According to OpenVPN documentation
server-bridge is a shortcut expression for

mode server
tls-server
push "route-gateway dhcp"

and

server-bridge nogw is a shortcut expression for

mode server
tls-server

Interestingly push "route-gateway dhcp" activates a DHCP-proxy that stripes out the default gateway option in DHCP response from the original DHCP server. This can be seen in OpenVPN log
daemon.notice openvpn[4879]: Extracted DHCP router address: a.b.c.d

Your solution would be to use server-bridge nogw and the DHCP response contains the default route option again.

Solution 2:

Just had this problem myself and found this, without a useful solution. After a few hours i figured it out!

Just use this:

mode server

tls-server

and remove:

server-bridge

And the DHCP will pass directly to the client!

Related

Difference between /dev/udp and netcat
Connect to RDS from EC2 instance -- both inside VPC
Zabbix - service restart
btrfs Integrity and Stress Testing
On IPv6 linux router, autoconf and accept router advertisements for single interface
Amazon AWS IAM Policy for single VPC Subnet
Serve a custom 404 page generated by PHP
Nginx/Apache: set HSTS only if X-Forwarded-Proto is https
Rename a GlusterFS Peer
How to see which asp.net application in a pool is using the most memory
Dovecot namespace prefix relation to underlying Maildir structure
Mount unix samba 4 share to osx client without mangled file names